Home Page American Government Reference Desk Shopping Special Collections About Us Contribute



Escort, Inc.






GM Icons
By accessing/using The Crittenden Automotive Library/CarsAndRacingStuff.com, you signify your agreement with the Terms of Use on our Legal Information page. Our Privacy Policy is also available there.

Framework for Automated Driving System Safety


American Government

Framework for Automated Driving System Safety

James C. Owens
National Highway Traffic Safety Administration
3 December 2020


[Federal Register Volume 85, Number 233 (Thursday, December 3, 2020)]
[Proposed Rules]
[Pages 78058-78075]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2020-25930]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF TRANSPORTATION

National Highway Traffic Safety Administration

49 CFR Part 571

[Docket No. NHTSA-2020-0106]
RIN 2127-AM15


Framework for Automated Driving System Safety

AGENCY: National Highway Traffic Safety Administration (NHTSA), 
Department of Transportation (DOT).

ACTION: Advance notice of proposed rulemaking (ANPRM).

-----------------------------------------------------------------------

SUMMARY: NHTSA is requesting comment on the development of a framework 
for Automated Driving System (ADS) safety. The framework would 
objectively define, assess, and manage the safety of ADS performance 
while ensuring the needed flexibility to enable further innovation. The 
Agency is seeking to draw upon existing Federal and non-Federal 
foundational efforts and tools in structuring the framework as ADS 
continue to develop. NHTSA seeks specific feedback on key components 
that can meet the need for motor vehicle safety while enabling 
innovative designs, in a manner consistent with agency authorities.

DATES: Written comments are due no later than February 1, 2021.

ADDRESSES: Comments must refer to the docket number above and be 
submitted by one of the following methods:
     Federal eRulemaking Portal: Go to http://www.regulations.gov. Follow the online instructions for submitting 
comments.
     Mail: Docket Management Facility, M-30, U.S. Department of 
Transportation, West Building, Ground Floor, Room W12-140, 1200 New 
Jersey Avenue SE, Washington, DC 20590.
     Hand Delivery or Courier: U.S. Department of 
Transportation, West Building, Ground Floor, Room W12-140, 1200 New 
Jersey Avenue SE, Washington, DC, between 9 a.m. and 5 p.m. Eastern 
time, Monday through Friday, except Federal holidays. To be sure 
someone is there to help you, please call (202) 366-9322 before coming.
     Fax: 202-493-2251.
    Regardless of how you submit your comments, you must include the 
docket number identified in the heading of this document.
    Note that all comments received, including any personal information 
provided, will be posted without change to http://www.regulations.gov. 
Please see the ``Privacy Act'' heading below.
    You may call the Docket Management Facility at 202-366-9322. For 
access to the docket to read background documents or comments received, 
go to http://www.regulations.gov or the street address listed above. To 
be sure someone is there to help you, please call (202) 366-9322 before 
coming. We will continue to file relevant information in the Docket as 
it becomes available.
    Privacy Act: In accordance with 5 U.S.C. 553(c), DOT solicits 
comments from the public to inform its decision-making process. DOT 
posts these comments, without edit, including any personal information 
the commenter provides, to http://www.regulations.gov, as described in 
the system of records notice (DOT/ALL-14 FDMS), which can be reviewed 
at https://www.transportation.gov/privacy. Anyone can search the 
electronic form of all comments received into any of our dockets by the 
name of the individual submitting the comment (or signing the comment, 
if submitted on behalf of an association, business, labor union, etc.).

FOR FURTHER INFORMATION CONTACT: 
    For legal issues, Sara R. Bennett, Attorney-Advisor, Vehicle 
Rulemaking and Harmonization, Office of Chief Counsel, 202-366-2992, 
email Sara.Bennett@dot.gov.
    For research issues, Lori Summers, Director, Office of Vehicle 
Crash Avoidance and Electronic Controls Research, telephone: 202-366-
4917, email Lori.Summers@dot.gov.
    For rulemaking issues, Tim J. Johnson, Acting Director, Office of 
Crash Avoidance Standards, telephone 202-366-1810, email 
Tim.Johnson@dot.gov.

SUPPLEMENTARY INFORMATION:

Table of Contents

I. Executive Summary
II. Introduction
    A. Development of ADS
    B. Potential Benefits of ADS
    C. NHTSA Regulatory Activity To Remove Unintentional and 
Unnecessary Barriers to the Development and Deployment of ADS 
Vehicles
    D. Need for a Safety Framework, Including Implementation and 
Oversight Mechanisms, for Federal Efforts To Address ADS Performance
III. Safety Framework--Core Elements, Potential Approaches, and 
Current Activities
    A. Engineering Measures--Core Elements of ADS Safety Performance
    1. Core ADS Safety Functions
    2. Other Safety Functions
    3. Federal Engineering Measure Development Efforts
    4. Other Notable Efforts Under Consideration as Engineering 
Measures
    B. Process Measures--Safety Risk Minimization in the Design, 
Development, and Refinement of ADS
    1. Functional Safety
    2. Safety of the Intended Functionality
    3. UL 4600
IV. Safety Framework--Administrative Mechanisms for Implementation 
and Oversight
    A. Voluntary Mechanisms
    1. Safety Self-Assessment and Other Disclosure/Reporting
    2. New Car Assessment Program (NCAP)
    3. Operational Guidance
    B. Regulatory Mechanisms
    1. Mandatory Reporting and/or Disclosure
    2. NHTSA's FMVSS Setting Authority
    3. Applying the Established FMVSS Framework to ADS Safety 
Principles
    4. Reforming How NHTSA Drafts New FMVSS To Keep Pace With 
Rapidly Evolving Technology
    5. Examples of Regulatory Approaches
    D. Timing and Phasing of FMVSS Development and Implementation
    E. Critical Factors Considered in Designing, Assessing, and 
Selecting Administrative Mechanisms
V. Questions and Requests
VI. Preparation and Submission of Written Comments
VII. Regulatory Notices

I. Executive Summary

    Over the past several years, NHTSA has published numerous research 
reports, guidance documents, advance notices of proposed rulemakings, 
and, on March 30, 2020 (85 FR 17624), a notice of proposed rulemaking 
relating to the development of vehicles equipped with Automated Driving 
Systems (ADS).\1\ An ADS is the

[[Page 78059]]

hardware and software that are, collectively, capable of performing the 
entire dynamic driving task on a sustained basis, regardless of whether 
it is limited to a specific operational design domain (ODD).\2\ In less 
technical terms, an ADS maintains the control and driving functions 
within the situations that the system is designed to operate in.
---------------------------------------------------------------------------

    \1\ ADS, as defined by SAE International and as used in this 
document, refers to driving automation Levels 3-5. SAE International 
J3016_201806 Taxonomy and Definitions for Terms Related to Driving 
Automation Systems for On Road Motor Vehicles. Previous notices 
issued by NHTSA focused on driving automation Levels 4 and 5, due to 
the unique vehicle designs expected for vehicles intended to operate 
without necessary human intervention, and thus, potentially designed 
without traditional manual controls.
    This document does not focus on any particular vehicle type, but 
rather, on the ADS itself. NHTSA recognizes that the vehicle type 
for which the ADS is developed to operate may impact the resulting 
ADS performance, but the Agency is not delving into this level of 
specificity at this time.
    Finally, the major notices that NHTSA has published in the past 
several years are: Removing Regulatory Barriers for Vehicles With 
Automated Driving Systems Request for Comment, 83 FR 2607 (Jan. 18, 
2018); Removing Regulatory Barriers for Vehicles With Automated 
Driving Systems Advance Notice of Proposed Rulemaking, 84 FR 24433 
(May 28, 2019); Occupant Protection for Automated Driving Systems 
Notice of Proposed Rulemaking, 85 FR 17624 (Mar. 20, 2020).
    \2\ SAE International J3016_201806 Taxonomy and Definitions for 
Terms Related to Driving Automation Systems for On-Road Motor 
Vehicles.
---------------------------------------------------------------------------

    In general, the Agency's ADS-related publications issued so far 
address the challenges involved in determining which requirements of 
the existing Federal Motor Vehicle Safety Standards (FMVSS) are 
relevant to the safety needs of ADS-equipped vehicles without 
traditional manual controls, and then adapting or developing the 
requirements and the associated test procedures so that the 
requirements can effectively be applied to the novel vehicle designs 
that may accompany such vehicles without adversely affecting safety. 
Thus, those notices, particularly the Agency's regulatory notices, have 
focused more on the design of the vehicles that may be equipped with an 
ADS--not necessarily on the performance of the ADS itself. NHTSA has 
also published recommendations to ADS developers, including automakers 
and technology companies, most prominently in Automated Driving Systems 
2.0: A Vision for Safety. The Agency has also proposed in a notice-and-
comment rulemaking to remove unintended and unnecessary regulatory 
barriers (e.g., proposing to remove the requirement for installation of 
advanced air bag systems in delivery trucks with no occupant 
compartment) or other impediments to the development or deployment of 
vehicles with ADS. This approach has been appropriate as a means to 
pave the way for the safe development and eventual deployment of ADS 
technology, particularly because the Agency understands that ADS-
equipped vehicles are likely to remain in the pre-deployment testing 
and development stage for at least the next several years. Further, as 
small-scale deployments start to appear in the coming years, NHTSA will 
address unreasonable safety risks that may arise using its defect 
investigation and remediation authority.
    Though wide-scale deployment still may be several years away, many 
companies are actively developing and testing ADS technology throughout 
the United States. This development process for ADS is complex and 
iterative. Accordingly, it may be premature for NHTSA to develop and 
promulgate a specialized set of FMVSS or other performance standards 
for ADS competency. NHTSA's existing FMVSS set minimum performance 
requirements for vehicles and equipment, and they follow an approach 
that is performance-based, objective, practicable, and established with 
precise and repeatable test procedures.\3\
---------------------------------------------------------------------------

    \3\ See 49 U.S.C. 30111(a); Chrysler Corp. v. Dep't of Transp., 
472 F.2d 659 (6th Cir. 1972); Nat'l Tire Dealers & Retreaders Ass'n, 
Inc. v. Brinegar, 491 F.2d 31 (D.C. Cir. 1974); Paccar, Inc. v. 
Nat'l Highway Traffic Safety Admin., 573 F.2d 632 (9th Cir. 1978).
---------------------------------------------------------------------------

    The development of an FMVSS typically requires significant 
engineering research, the development of an objective metric (i.e., 
knowing what aspect or aspects of performance to measure), and the 
establishment of an appropriate standard based upon that metric (i.e., 
specifying the minimum required level of performance). Premature 
establishment of an FMVSS without the appropriate knowledge base could 
result in unintended consequences. For example, a premature standard 
might focus on the wrong metric, potentially placing constraints on the 
wrong performance factors, while missing other critical safety factors. 
Such a standard could inadvertently provide an unreliable sense of 
security, potentially lead to negative safety results, or potentially 
hinder the development of new ADS technology.

Safety Framework

    Although the establishment of an FMVSS for ADS may be premature, it 
is appropriate to begin to consider how NHTSA may properly use its 
regulatory authority to encourage a focus on safety as ADS technology 
continues to develop. This document, thus, marks a significant 
departure from the regulatory notices NHTSA has previously issued on 
ADS because NHTSA is looking beyond the existing FMVSS and their 
application to novel vehicle designs and is considering the creation of 
a governmental safety framework specifically tailored to ADS.
    Rather than elaborating and prescribing by rule specific design 
characteristics or other technical requirements for ADS, NHTSA 
envisions that a framework approach to safety for ADS developers would 
use performance-oriented approaches and metrics that would accommodate 
the design flexibility needed to ensure that manufacturers can pursue 
safety innovations and novel designs in these new technologies. This 
framework could involve a range of actions by NHTSA, including guidance 
documents addressing best industry practices, providing information to 
consumers, and describing different approaches to research and 
summarizing the results of research, as well as more formal regulation, 
from rules requiring reporting and disclosure of information to the 
adoption of ADS-specific FMVSS. These different approaches would likely 
build off the three primary ADS guidance documents issued in recent 
years by DOT (i.e., ADS 2.0, Preparing for the Future of 
Transportation: Automated Vehicles 3.0 (AV 3.0), and Ensuring American 
Leadership in Automated Vehicle Technologies: Automated Vehicles 4.0 
(AV 4.0)). As described in this document, NHTSA seeks comment on the 
appropriate role of the Agency in facilitating ADS risk management 
through guidance and/or regulation.
    This document focuses on ways the Agency could approach the 
performance evaluation of ADS through a safety framework, containing a 
variety of approaches and mechanisms that, together, would allow NHTSA 
to identify and manage safety risks related to ADS in an appropriate 
manner. NHTSA anticipates focusing this framework on the functions of 
an ADS that are most critical for safe operation.
    At this stage, NHTSA believes there are four primary functions of 
the ADS that should be the focus of the Agency's attention. First, how 
the ADS receives information about its environment through sensors 
(``sensing''). Second, how the ADS detects and categorizes other road 
users (vehicles, motorcyclists, pedestrians, etc.), infrastructure 
(traffic signs, signals, etc.), and conditions (weather events, road 
construction, etc.) (``perception''). Third, how the ADS analyzes the 
situation, plans the route it will take on the way to its intended 
destination, and makes decisions on how to respond

[[Page 78060]]

appropriately to the road users, infrastructure, and conditions 
detected and categorized (``planning''). Fourth, how the ADS executes 
the driving functions necessary to carry out that plan (``control'') 
through interaction with other parts of the vehicle. While other 
elements of ADS safety are discussed throughout this document, these 
four primary functions serve as the core elements NHTSA is considering.
    The Agency anticipates that the safety framework would include both 
process and engineering measures to manage risks. The process measures 
(e.g., general practices for analyzing, classifying by severity level 
and frequency, and reducing potential sources of risks during the 
vehicle design process) would likely include robust safety assurance 
and functional safety programs. The engineering measures (e.g., 
performance metrics, thresholds, and test procedures) would seek to 
provide ways of demonstrating that ADS perform their sensing, 
perception, planning, and control (i.e., execution) of intended 
functions with a high level of proficiency.

Administration of a Framework

    NHTSA is seeking comment on the manner in which the framework can 
and should be administered (e.g., guidance, consumer information, or 
regulation) to support agency oversight of ADS-related aspects. Since 
some of the mechanisms described in this document (e.g., guidance) 
could be implemented more quickly than others (e.g., FMVSS), the 
mechanisms could be adopted, when and as needed, in a phased manner, 
and implementation of some types of mechanisms might end up not being 
necessary. This document will go into greater detail on the various 
types of administrative mechanisms upon which the Agency is seeking 
comment in later sections.

Future of ADS Regulation

    Eventually, non-regulatory aspects of the framework, combined with 
information learned from research and the continued development of ADS, 
could serve as the basis for development of FMVSS governing the 
competence of ADS. The sub-elements of the sensing, perception, 
planning, and control functions could evolve into new FMVSS focused 
entirely on ADS competence. A new generation of FMVSS should give the 
manufacturers of vehicles, sensors, software, and other technologies 
needed for ADS sufficient flexibility to change and improve without the 
need for frequent modifications to the regulations. If new FMVSS were 
developed and adopted, they could be applied on an ``if-equipped'' 
basis to existing traditional classes of vehicles (e.g., passenger 
cars, multipurpose passenger vehicles, buses, and trucks). By an ``if-
equipped'' FMVSS, NHTSA means an FMVSS that would not mandate the 
installation of ADS in motor vehicles, but would instead specify 
performance requirements for those vehicles equipped with ADS. 
Similarly, a new FMVSS could be applied to the entire vehicle of new 
classes of vehicles, i.e., subclasses of vehicles equipped with ADS. In 
making this choice, the administrative feasibility of creating, 
updating, and implementing requirements for multiple subclasses would 
need to be carefully considered.

Comments Requested

    NHTSA seeks comments on how to select and design the structure and 
key elements of a framework and the appropriate administrative 
mechanisms to achieve the goals of improving safety, mitigating risk, 
and enabling the development and introduction of new safety 
innovations. To aid interested persons in forming their views and 
preparing their comments, this document surveys ongoing efforts in the 
private and public sectors to create a safety framework.
    In their written submissions, commenters should discuss, for 
example, what engineering and process measures should be included, and 
what aspects of ADS performance are suitable for potential safety 
performance standard setting (i.e., what aspects of ADS performance 
should manufacturers be required to certify that their system possess? 
Of the many aspects of sensing, perception, planning, and control that 
manufacturers will need to prove for their own purposes, the Agency 
wishes to know which aspects would be so important that they should be 
subject to separate Federal regulations. The Agency also wishes to hear 
from the public on whether ADS-specific regulations are appropriate or 
necessary prior to the broad commercial deployment of the technology, 
and, if so, how regulations could be developed consistent with the 
Agency's legal obligations without being based upon the existence of 
commercially available ADS technology from which to measure required 
performance. The Agency also seeks comment on how the need for and 
benefits of issuing regulations can be assessed before ADS become 
available to allow testing and validation of the assumptions supporting 
those needs and benefits. In addition, the Agency seeks comment on 
which type or types of administrative mechanisms would be most 
appropriate for constructing the framework, either in general or for 
its component parts, and ensuring its effective and efficient 
implementation.

II. Introduction

A. Development of ADS

    The development of ADS \4\ continues and is well under way. 
Developers are testing components and systems through simulation and 
modeling, controlled track testing, and limited on-road testing with 
test vehicle operators and monitors, and, in some cases, limited on-
road deployments. The Agency believes these activities will continue to 
increase.\5\
---------------------------------------------------------------------------

    \4\ The term ``ADS'' specifically refers to SAE Level 3, 4, or 5 
driving automation systems as described in SAE International 
J3016_201806 Taxonomy and Definitions for Terms Related to Driving 
Automation Systems for On Road Motor Vehicles.
    \5\ Some examples of companies planning on the ride-sharing or 
delivery business models include Cruise, Waymo, Argo AI, Uber, Lyft, 
Nuro.
---------------------------------------------------------------------------

    In July 2020, NHTSA identified on-road testing and development 
activities in 40 States and the District of Columbia.\6\ At the same 
time, 66 companies in California, one of the main hubs of testing 
activity in the world, had valid State permits to test ADS-equipped 
vehicles with safety drivers on public roadways.\7\ Two of those 
companies also received permits allowing for driverless testing in 
California.\8\ One of those companies received permission from 
California in July 2019 to carry passengers in its ADS-equipped 
vehicles while a safety driver is present.\9\ In the Phoenix area, one 
company is even providing limited rideshare services to participants in 
its testing program without an in-vehicle safety driver. This same 
company recently announced that it is expanding these rideshare 
services.\10\ One manufacturer of small, low-speed, occupant-less 
delivery vehicles, received a temporary exemption from NHTSA to deploy 
up to 2,500 vehicles per year for two years.\11\ That same company has 
also received a permit

[[Page 78061]]

from California to perform driverless testing.\12\
---------------------------------------------------------------------------

    \6\ NHTSA notes that the State count includes active (ongoing), 
planned, and inactive (completed) projects.
    \7\ https://www.dmv.ca.gov/portal/dmv/detail/vr/autonomous/permit.
    \8\ https://www.dmv.ca.gov/portal/dmv/detail/vr/autonomous/driverlesstestingpermits.
    \9\ Other companies have received permission to carry passengers 
in their ADS-equipped vehicles while a safety driver is present, and 
they are listed here: https://www.cpuc.ca.gov/avcissued/.
    \10\ https://blog.waymo.com/2020/10/waymo-is-opening-its-fully-driverless.html.
    \11\ 85 FR 7826 (Feb. 11, 2020).
    \12\ https://www.dmv.ca.gov/portal/dmv/detail/vr/autonomous/driverlesstestingpermits.
---------------------------------------------------------------------------

    As described in AV 3.0, ADS development does not start with public, 
on-road testing. Rather, much of the very early testing of prototype 
ADS by developers is conducted in simulation and/or closed-course 
(i.e., track) testing environments.\13\ Public road testing of a 
prototype ADS typically begins after significant engineering and safety 
analysis are performed by developers to understand safety risks and 
mitigation strategies are put in place to address those risks. It is 
important to note that the development process is generally both 
iterative and cyclical. A developer does not ``graduate'' from 
simulation to track test, and then to on-road testing, and then 
deployment. Instead, developers will generally continue simulation 
testing throughout the development process to gain additional 
experience with various scenarios that may be encountered rarely in the 
real world. Similarly, track testing designed to resemble scenarios 
that may be encountered rarely or that would be dangerous to attempt on 
public roads until later stages of readiness will occur throughout the 
process, even as on-road testing is occurring. Further, experiences 
gained from on-road testing will often lead to simulation and/or test 
track replication of situations encountered on public roads to improve 
the ADS. In other words, the fact that a vehicle is being tested on 
public roads does not mean that the vehicle or ADS is nearing 
deployment readiness and, conversely, the fact that a vehicle is still 
undergoing simulation or track testing does not mean is it not safe to 
be tested on public roads.
---------------------------------------------------------------------------

    \13\ https://www.transportation.gov/av/3.
---------------------------------------------------------------------------

    NHTSA's understanding is that there are generally different stages 
of safety risk management during the on-road testing of prototype 
ADS.\14\ First is the development and early stage road testing, which 
is often comprised of the characteristics such as safety drivers 
serving key safety risk mitigation roles, rapid updating of ADS 
software to incorporate lessons learned, and focus on validating the 
performance of the ADS from the simulation and close-course testing 
environments. Second, once development progresses, companies may expand 
ADS road testing and focus on building confidence in the ADS within the 
locations and situations in which the system is designed to function 
(i.e., operational design domain).\15\ The primary purpose of this 
stage of testing is to build statistical confidence in matured software 
and hardware within the intended operational environment and observe 
system failures, safety driver subjective feedback, and execution of 
fail-safe/fail-operational system behaviors. Third, and finally, ADS 
developers may progress to deployment of ADS, in either limited or full 
capacity.
---------------------------------------------------------------------------

    \14\ https://www.transportation.gov/sites/dot.gov/files/docs/policy-initiatives/automated-vehicles/320711/preparing-future-transportation-automated-vehicle-30.pdf.
    \15\ Operational design domain (ODD) is the operating conditions 
under which a given driving automation system or feature thereof is 
specifically designed to function, including, but not limited to, 
environmental, geographical, and time-of-day restrictions, and/or 
the requisite presence or absence of certain traffic or roadway 
characteristics. SAE International J3016_201806 Taxonomy and 
Definitions for Terms Related to Driving Automation Systems for On 
Road Motor Vehicles.
---------------------------------------------------------------------------

    As stated in AV 3.0, NHTSA believes that on-road testing is 
essential for the development of ADS-equipped vehicles that will be 
able to operate safely on public roads. Most of the ADS testing 
activity in the United States is in the early stages of on-road 
testing. Safety drivers oversee the ADS during testing for most 
companies, though some companies have progressed to the later stages of 
on-road testing. Despite this development and all the progress the 
industry has made over the past several years, no vehicle equipped with 
an ADS is available for purchase in the United States or deployed 
across the United States.\16\
---------------------------------------------------------------------------

    \16\ While Nuro was granted an exemption allowing for deployment 
of their low-speed, occupantless delivery vehicle, the terms of the 
exemption provide that Nuro must maintain ownership and operational 
control over the R2Xs that are built pursuant to the exemption for 
the life of the vehicles. See Nuro, Inc.; Grant of Temporary 
Exemption for a Low-Speed Vehicle With an Automated Driving System, 
85 FR 7826 (Feb. 11, 2020), available at https://www.federalregister.gov/documents/2020/02/11/2020-02668/nuro-inc-grant-of-temporary-exemption-for-a-low-speed-vehicle-with-an-automated-driving-system.
---------------------------------------------------------------------------

    NHTSA recognizes the critical role that State and local governments 
play in traffic safety, including our shared oversight of on-road 
testing of vehicles with ADS. Their roles in the active on-road testing 
and development throughout the country is part of why NHTSA recently 
launched its Automated Vehicles Transparency and Engagement for Safe 
Testing (AV TEST) Initiative to facilitate further dialogue and 
transparency of the state of ADS development. This initiative features 
a series of meetings and workshops where State and local governments 
discuss their activities, lessons learned, and best practices for 
oversight of on-road testing, and NHTSA discusses its research and 
rulemaking activities. The initiative also involves automakers and ADS 
developers, and provides a forum to promote public engagement and 
knowledge-sharing about safety in the development and testing of ADS-
equipped vehicles. The AV TEST Initiative will also provide an online, 
public-facing platform for sharing ADS road testing activities and 
other relevant information at the local, State, and national levels. It 
will feature an online mapping tool that will show road testing 
locations, as well as testing activity data such as dates, frequency, 
vehicle counts, and routes.

B. Potential Benefits of ADS

    NHTSA's mission is to save lives, prevent injuries, and reduce 
economic costs due to road traffic crashes, through education, 
research, guidance, safety standards, and enforcement activity. If 
developed and deployed safely, ADS can aid in achieving that mission, 
given their potential to prevent, reduce, or mitigate crashes involving 
human error or poor choices. This potential stems from the substantial 
role that human factors (distraction, impairment, fatigue, errors in 
judgment, and decisions not to obey traffic laws) play in contributing 
to crashes.\17\ In addition, they have the potential to enhance 
accessibility (e.g., through allowing personal transportation to people 
with disabilities or people incapable of driving), and improve 
productivity (e.g., by allowing people to work while being transported 
and allowing platooning or entirely automated operation of commercial 
trucks). Accordingly, NHTSA is placing a priority on the safe 
development and testing of ADS that factors safety into every step 
toward eventual deployment.
---------------------------------------------------------------------------

    \17\ See Critical Reasons for Crashes Investigated in the 
National Motor Vehicle Crash Causation Survey (Feb. 2015), available 
at https://crashstats.nhtsa.dot.gov/Api/Public/ViewPublication/812115.
---------------------------------------------------------------------------

C. NHTSA Regulatory Activity To Remove Unintentional and Unnecessary 
Barriers to the Development and Deployment of ADS Vehicles

    To date, NHTSA's regulatory notices have focused on ADS-equipped 
vehicles without traditional manual controls by assessing the 
modifications to existing FMVSS that may be necessary to address the 
designs and any unique safety needs of those vehicles.\18\ For example, 
while vehicles that cannot be driven by human drivers and vehicles that 
can be driven by human drivers both need brakes that stop them 
effectively, each set of vehicles may have different safety needs. 
Traditional

[[Page 78062]]

vehicles rely on human drivers, while the ADS-equipped vehicles rely on 
an ADS to acquire information about the location and movement of other 
roadway users, weather conditions, and vehicle operating status--all 
while making driving decisions. These differing safety needs may mean 
that the installation of some features currently required by the FMVSS 
(e.g., mirrors, dashboard controls, some displays) into vehicles 
without traditional manual driving controls may no longer meet a need 
for safety. Further, while steering machines and other equipment can be 
made to simulate human drivers in conducting the track testing of 
vehicles with manual controls, having NHTSA instruct the ADS of a 
vehicle that lacks manual controls how to perform the same testing may 
be more challenging.
---------------------------------------------------------------------------

    \18\ See 84 FR 24433 (May 28, 2019) and 85 FR 17624 (Mar. 30, 
2020).
---------------------------------------------------------------------------

D. Need for a Safety Framework, Including Implementation and Oversight 
Mechanisms, for Federal Efforts To Address ADS Performance

    The National Traffic and Motor Vehicle Safety Act of 1966, as 
amended (``Safety Act'') tasks NHTSA with reducing traffic accidents, 
deaths, and injuries resulting from traffic accidents through issuing 
motor vehicle safety standards for motor vehicles and motor vehicle 
equipment and carrying out needed safety research and development.\19\ 
The FMVSS established by NHTSA must: Meet the need for motor vehicle 
safety; be practicable, both technologically and economically; and be 
stated in objective terms. The final requirement means that they are 
capable of producing identical results when test conditions are exactly 
duplicated and determinations of compliance must be based on scientific 
measurements, not subjective opinion.\20\ In addition, in issuing an 
FMVSS, the Agency must consider whether the standard is reasonable, 
practicable, and appropriate for the types of motor vehicles or motor 
vehicle equipment for which it is prescribed.\21\
---------------------------------------------------------------------------

    \19\ 49 U.S.C. 30101.
    \20\ 49 U.S.C. 30111(a), Chrysler Corp. v. Dep't of Transp., 472 
F.2d 659 (6th Cir. 1972).
    \21\ 49 U.S.C. 30111(b)(3).
---------------------------------------------------------------------------

    NHTSA typically begins the process of promulgating a FMVSS by 
identifying the aspect of performance that may need regulation (i.e., 
the safety need \22\). NHTSA analyzes real-world crash data and other 
available information in order to identify safety issues and quantify 
the size of the safety problems, researches potential solutions or 
countermeasures to the safety issues that have been identified, and 
then develops practicable performance or related requirements intended 
to either resolve or mitigate the crash risk identified. Manufacturers 
are then required to self-certify, by whatever reasonable means they 
choose, that their vehicles or equipment meet the performance 
requirements. Finally, NHTSA assesses vehicle or equipment compliance 
with those established requirements through the validated test 
procedures that it has developed.
---------------------------------------------------------------------------

    \22\ ``The Safety Act's mandate is not, however, categorical. 
Not all risks of accident or injury are to be eliminated, but only 
those that are ``unreasonable.'' Ctr. for Auto Safety v. Peck, 751 
F.2d 1336, 1343 (D.C. Cir. 1985).
---------------------------------------------------------------------------

    Based on the current state of ADS development, it is probably too 
soon to make any decisions about the extent to which new FMVSS might be 
needed to address particular aspects of the safety performance of these 
systems. ADS are, generally, in the development stages, and market-
ready, mature ADS do not yet exist. Accordingly, there do not exist 
meaningful data about the on-road experience of these systems that can 
be analyzed to determine the safety need that potentially should be 
addressed, e.g., which aspects of performance are in need of 
regulation, what would be reasonable, practicable, or appropriate for 
regulation, or the minimum thresholds for performance, much less how to 
regulate such performance. Likewise, there are no vehicles equipped 
with mature ADS that can be purchased by the Agency and tested to 
validate the effectiveness of a contemplated standard in addressing the 
safety needs of those vehicles.
    NHTSA has no desire to issue regulations that would needlessly 
prevent the deployment of any ADS-equipped vehicle, as this could 
inhibit the development of a promising technology that has the 
potential to result in an unprecedented increase in safety. Any 
regulatory approach must have well-founded supporting data indicating 
safety needs. An ill-conceived standard may fail to meet the need for 
motor vehicle safety and needlessly stifle innovation. Worse yet, 
issuing premature regulations could even increase safety risk with 
unintended consequences. Pursuing a ``precautionary'' FMVSS may, in 
fact, be prohibited by the Safety Act itself, as sufficient information 
does not yet exist to establish a standard that is practicable, meets 
the need for motor vehicle safety, and can be stated in objective 
terms.
    It is not too soon, however, for the Agency, with input from 
stakeholders, to begin identifying and developing the elements of a 
framework that meets the need for motor vehicle safety and assesses the 
degree of success in manufacturers' efforts to ensure safety, while 
also providing sufficient flexibility for new and more effective safety 
innovations. In addition, NHTSA seeks to explore the adoption of 
alternative or complementary mechanisms for implementing potential 
engineering and process measures, as described below, to manage risks 
and facilitate agency safety oversight.
    NHTSA seeks to develop a safety framework of standards and/or 
guidance that manufacturers of ADS would (or, in the case of guidance, 
could) follow to evaluate and demonstrate the safety of their new 
systems, as produced and, at least in some cases, throughout the 
lifetime of those systems. The framework would rest on the elements 
described below in section III of this document.
    In addition, the Agency seeks to identify the best administrative 
mechanisms for establishing and implementing engineering and process 
measures and facilitating agency safety oversight. Potential mechanisms 
are described in section IV of this document.

III. Safety Framework--Core Elements, Potential Approaches, and Current 
Activities

    Safety assurance generally refers to the broad array of proactive 
approaches a company can take proactively to identify and manage 
potential safety risks associated with a system, such as the ADS of a 
vehicle. Safety assurance, as contemplated in many of the documents 
discussed in this section, is typically a process controlled and 
conducted by the manufacturer that is designing a vehicle and 
certifying that vehicle's compliance. Many of these process and 
engineering measures are used by manufacturers in the development of 
their products, and NHTSA intends to explore how the Agency might 
harness these same processes in the development of a new regulatory or 
sub-regulatory approach to evaluate the safety of ADS.
    The Department's guidance documents on vehicles equipped with ADS, 
ADS 2.0 \23\ and Preparing for the Future of Transportation: Automated 
Vehicles 3.0,\24\ generally describe these aspects of safety assurance 
and how the Department envisions its role in safety risk management and 
oversight during the development and deployment of ADS.
---------------------------------------------------------------------------

    \23\ Pages 5-16. Available at https://www.nhtsa.gov/sites/nhtsa.dot.gov/files/documents/13069a-ads2.0_090617_v9a_tag.pdf.
    \24\ See table on page 50. Available at https://www.transportation.gov/av/3.

---------------------------------------------------------------------------

[[Page 78063]]

    This section elaborates on the core elements of ADS safety 
performance and the documents behind the various elements of the safety 
framework for ADS that NHTSA is currently considering. This section 
also describes some of the many private and public activities related 
to evaluating ADS safety performance.

A. Engineering Measures--Core Elements of ADS Safety Performance

    Engineering measures are those aspects that can be readily 
determined through the testing of a finished motor vehicle or system 
and establish the level of safety performance. Engineering measures 
could be used to assess safety performance of the ADS, such as 
successful crash avoidance (i.e., whether the ADS-equipped vehicle is 
capable of completing certain maneuvers without loss of control), but 
how exactly to design these measures is highly complicated. While a 
mature ADS may avoid many of the human driver errors and poor choices 
that lead to the majority of crashes today, an ADS may still find 
itself in crash-imminent scenarios that may warrant emergency 
maneuvers. Successful crash avoidance would depend on a vehicle's 
mechanical abilities (e.g., abilities to stop quickly and to maintain 
or regain directional stability and control). ADS-equipped vehicles, 
though, are unique in that the vehicle's system must also be able to 
perform appropriately the following safety relevant functions that are 
inherent to the adequate functionality of an ADS-equipped vehicle:
     Sensing;
     Perception;
     Planning; and
     Control.
1. Core ADS Safety Functions
    ``Sensing'' refers to the ability of the ADS to receive adequate 
information from the vehicle's internal and external environment 
through connected sensors. Sensors on an ADS-equipped vehicle might 
include cameras, radar, LiDAR, Global Positioning Satellite (GPS), 
vehicle-to-vehicle (V2V) and/or vehicle-to-everything (V2X) devices, 
among other technologies. Sensing also involves scanning the driving 
environment with emphasis on the direction of travel in which the ADS 
intends to head. The sensing functionality serves as the ``eyes'' of 
the ADS.
    ``Perception'' refers to the ability of an ADS to interpret 
information about its environment obtained through its sensors. This 
involves an ADS determining the location of the vehicle in relation to 
the driving environment and its ODD, including whether it is operating 
within any geolocational limitations in the ODD. Perception includes 
detection and identification of relevant static features and objects 
(e.g., road edges, lane markings, and traffic signs) and dynamic 
objects (e.g., vehicles, cyclists, and pedestrians) detected by sensors 
within proximity of the vehicle. Through perception, the ADS is 
provided with information necessary to predict the future behavior 
(e.g., speed and path) of relevant static and dynamic objects (i.e., 
those whose speed and path may create the risk of a collision with the 
vehicle). Thus, while sensing serves as the ``eyes'' of the ADS, 
perception performs the associated cognitive recognition of information 
detected through the sensor's ``eyes.'' Perception provides necessary 
interpreted information to the system so that it can conduct other key 
functions for successful completion of the driving task.
    ``Planning'' refers to the ability of an ADS to establish and 
navigate the route it will take on the way to its intended destination. 
The planning function of an ADS builds from the sensing and perception 
functions by using the information collected through sensing and 
interpreted through perception, and predicts the future state of static 
and dynamic objects to create a path that mitigates crash risks, 
follows rules of the road,\25\ and safely reaches its intended 
destination. If the perception function is akin to the part of the 
brain of an ADS responsible for cognitive interpretation, the planning 
function is equivalent to that part of the brain of the ADS responsible 
for decision-making.
---------------------------------------------------------------------------

    \25\ NHTSA notes that, while compliance with many rules of the 
road can be readily and objectively determined, compliance with 
others cannot. The rule to obey posted speed limits is an example of 
the former. If a vehicle has mapped or can read posted speed limit 
signs, it can readily compare its speed with the posted speed and 
modulate its speed accordingly to avoid exceeding the limit. 
However, achieving compliance with situational or judgmental rules, 
such as those prohibiting driving too fast for conditions or driving 
recklessly, is much less readily determinable by a vehicle. See., 
e.g., Formalising and Monitoring Traffic Rules for Autonomous 
Vehicles in Isabelle/HOL, Albert Rizaldi, Jonas Keinholz, Monika 
Huber, Jochen Feldle, Fabian Immler, Matthias Althoff, Eric 
Hilgendorf, and Tobias Nipkow. https://www21.in.tum.de/~nipkow/pubs/
ifm17.pdf. Substantial compliance by a vehicle with the rule against 
driving recklessly might be indirectly achievable through 
programming the vehicle to drive defensively. One aspect of that 
programming would be to ensure that the vehicle always maintains a 
safe driving distance between itself and the vehicle immediately 
ahead, including any vehicle that cuts into the vehicle's lane. This 
notion of a safe space could also be made to vary according to 
whether the vehicle detects conditions such as darkness, rain, or 
loss of traction. See., e.g., On a Formal Model of Safe and Scalable 
Self-driving Cars, Shai Shalev-Shwartz, Shaked Shammah, Amnon 
Shashua, Mobileye, 2017. https://arxiv.org/pdf/1708.06374.pdf. The 
amount of space needed by the vehicle would vary according to the 
vehicle's speed.
---------------------------------------------------------------------------

    Finally, the ``control'' function of an ADS refers to the ability 
of the system to execute the driving functions necessary to carry out 
the continuously updated driving plan. Control includes implementing 
the driving plan by delivering appropriate control inputs--such as 
steering, propulsion, and braking--to follow the planned path while 
adjusting the plan when and as necessary based on the continuous 
acquisition and processing of new data concerning the state of the 
vehicle and surrounding environment. The control function, carried out 
through actuators and their associated control systems that facilitate 
execution of the driving plan, are analogous to the ``arms'' and 
``legs'' of the ADS in driving the vehicle.
    NHTSA requests comment on these four core functions, including 
whether commenters agree that these are the core functions, views on 
NHTSA's description of these functions, and whether and how NHTSA 
should prioritize its research as it develops a safety framework.
2. Other Safety Functions
    While the four functions described above are necessary for an ADS, 
they are not necessarily sufficient to ensure ADS safety, which will 
also depend on a wide array of other functions and capabilities of the 
system and how that system interacts with the humans both inside and 
surrounding the ADS-equipped vehicle.
    For example, one safety-related aspect not encompassed within the 
four functions would be the vehicle's ability to communicate with 
vehicle occupants \26\ and other vehicles and people in the driving 
environment, especially vulnerable road users.\27\ The human-machine 
interaction is expected to have an impact not only on the operational 
safety of an ADS-equipped vehicle, but also on the public acceptance of 
such systems. ADS capability to detect the malfunction of its own 
system or other systems in the

[[Page 78064]]

vehicle accurately and reliably, while also ensuring safe transitions 
between operational modes developed to respond to any detected issues 
or malfunctions (e.g., fail safe or limp home modes), is another 
important consideration that could impact expected performance by an 
ADS.
---------------------------------------------------------------------------

    \26\ For instance, if a vehicle stops, passengers have in 
interest in knowing the vehicle's status. Did it stop because it 
reached its destination, to avoid an obstacle, or because of a 
malfunction? Should passengers remain in the vehicle or is it safe 
to exit?
    \27\ A driver's eye contact, hand gestures, and even his/her 
mere presence means something to others outside the vehicle. An 
empty vehicle, especially an electric ADS-equipped vehicle without 
traditional manual driving controls, may appear to be parked and in 
the off position when in fact it is ready to move. Someone 
approaching the vehicle (passenger, law enforcement, rescuers, tow 
truck operators, etc.) has an interest in knowing whether it is 
about to move and how to safely interact with the vehicle.
---------------------------------------------------------------------------

    Other aspects that could impact the ability of an ADS to carry out 
its intended plans in a safe and reliable manner include: (1) 
Identifying reduced system performance and/or ODD in the presence of 
failure; (2) operating in a degraded mode within reduced system 
constraints; \28\ (3) performing the essential task of transporting 
occupants or goods from starting point to the chosen destination; (4) 
recognizing and reacting appropriately to communications from first 
responders, including fire, EMS, and law enforcement; \29\ (5) 
receiving, loading, and following over-the-air software updates; \30\ 
(6) performing system maintenance and calibration; (7) addressing 
safety-related cybersecurity risks; and (8) system redundancies. NHTSA 
notes that its authorities under the Safety Act are limited to motor 
vehicle safety and, thus, do not authorize the Agency to regulate areas 
such as general privacy and cybersecurity unrelated to safety.\31\ That 
said, NHTSA will analyze relevant aspects of these issues during the 
rulemaking process to the extent required under the Safety Act and when 
otherwise required by applicable laws, such as the E-Government Act of 
2002.
---------------------------------------------------------------------------

    \28\ See Matthew Wood et al., Safety First for Automated Driving 
(2019), pp. 37-46, available at https://www.aptiv.com/docs/default-source/white-papers/safety-first-for-automated-driving-aptiv-white-paper.pdf. The above listing omits ``ensure controllability for the 
vehicle operator'' since a vehicle without traditional manual 
driving controls would not have a human operator.
    \29\ In an emergency or unusual situation, a vehicle should be 
able to respond/react to orders or requests from outside its own ADS 
perceive/plan/execute process. This could be law enforcement, 
pedestrians, other drivers, or passengers.
    \30\ Prior to transmitting any software update, care should be 
taken to evaluate the safety of the updates and the functions they 
enable or control not only in isolation, but also in combination 
with existing software and hardware and the functions they enable or 
control.
    \31\ The Federal Trade Commission is the Federal agency that 
primarily oversees privacy policy and enforcement, including 
privacy-related cybersecurity matter. See https://www.ftc.gov/news-events/media-resources/protecting-consumer-privacy-security.
---------------------------------------------------------------------------

    NHTSA requests comment on which of these aspects the Agency should 
prioritize as it continues the research necessary to develop a safety 
framework. NHTSA also seeks comment on whether it has an appropriate 
role to play with any or all of these elements outside of research. If 
so, which element(s)? For each such element, should NHTSA's role be 
regulatory or sub-regulatory, and in what manner?
3. Federal Engineering Measure Development Efforts
    NHTSA, as part of the Department's broader efforts, has begun the 
research to explore potential ways the Agency can assess the safety of 
ADS. As described in AV 4.0, NHTSA maintains a comprehensive ADS 
research program evaluating and researching a wide array of aspects 
related to ADS performance.\32\ One of NHTSA's key research tracks 
focuses on ADS safety performance, and seeks to identify the methods, 
metrics, and tools to assess how well the ADS-equipped vehicle performs 
both normal driving tasks as well crash avoidance capabilities. Such 
assessments include system performance and behavior relative to the 
system's stated ODD and object and event detection and response (OEDR) 
capabilities, as well as fail-safe capabilities if/when it is 
confronted with conditions outside its ODD. A second high-level 
research focus is on functional safety and ADS subsystem performance. A 
third research area relevant to this document relates to the 
cybersecurity of vehicles and systems, including ADS. Finally, NHTSA is 
also researching human factors issues that may accompany vehicles 
equipped with ADS.
---------------------------------------------------------------------------

    \32\ https://www.transportation.gov/av/4.
---------------------------------------------------------------------------

    One key example of NHTSA's efforts to develop safety performance 
models and metrics is the Instantaneous Safety Metric (ISM)--a research 
document published in 2017.\33\ The ISM calculates physically possible 
trajectories that a subject vehicle and other roadway users in the 
surrounding traffic could take given a set of possible actions (e.g., 
steering wheel angles, brake/throttle) within a preset, finite period 
of time in the future and calculates which trajectory combinations 
could result in a potential multi-actor crash. A metric determined by 
the number and/or proportion of trajectories (and severity/probability 
of the action that leads to that trajectory) that may lead to a crash 
could serve as a proxy for the estimated safety risk associated with 
the given snapshot of the driving state.
---------------------------------------------------------------------------

    \33\ ``A Novel Method to Evaluate the Safety of Highly Automated 
Vehicles'' Joshua L. Every, Frank Barickman, John Martin Sughosh, 
Rao Scott Schnelle, Bowen Weng, Paper Number 17-0076; 25th 
International Technical Conference on the Enhanced Safety of 
Vehicles (ESV), available at http://indexsmart.mirasmart.com/25esv/PDFfiles/25ESV000076.pdf.
---------------------------------------------------------------------------

    An updated approach, referred to as the Model Predictive 
Instantaneous Safety Metric (MPrISM), builds upon the ISM concept and 
modifies its assessment method.\34\ MPrISM considers the subject 
vehicle's range of fully controllable actions and calculates crash 
implications under the scenario of best response choices by the subject 
vehicle and worst choices by other actors in the scene.
---------------------------------------------------------------------------

    \34\ ``Model Predictive Instantaneous Safety Metric for 
Evaluation of Automated Driving Systems''. Bowen Weng, Sughosh J. 
Rao, Eeshan Deosthale, Scott Schnelle, Frank Barickman, available 
at: https://arxiv.org/pdf/2005.09999v1.
---------------------------------------------------------------------------

    One of the benefits of ISM and MPrISM is their relatable logical 
reasoning and straight-forward analytical construction. However, ISM is 
not without its challenges in administering in real-world applications. 
One of those challenges is the significant computational complexity 
required for effective utilization. MPrISM attempts to address this 
computational complexity and can be run using real time data at 
reasonable processing rates. Through new metric development efforts 
such as MPrISM, NHTSA will continue researching ways to reduce 
complexity while also evaluating private sector approaches with a goal 
of facilitating the advancement of candidate safety performance models 
and metrics.
4. Other Notable Efforts Under Consideration as Engineering Measures
    Various companies and organizations have begun efforts to develop a 
framework or at least portions of one. For example, in 2018, RAND 
Corporation issued a report proposing a partial framework for measuring 
safety in ADS-equipped vehicles.\35\ In developing that framework, RAND 
considered how to define ADS safety, how to measure ADS safety, and how 
to communicate what is learned or understood about ADS. The RAND report 
purports to present a framework to discuss how safety can be measured 
in a technology- and company-neutral way.
---------------------------------------------------------------------------

    \35\ Laura Fraade-Blanar, Marjory S. Blumenthal, James M. 
Anderson, Nidhi Kalra, Measuring Automated Vehicle Safety--Forging a 
Framework, Rand, 2018, available at https://www.rand.org/content/dam/rand/pubs/research_reports/RR2600/RR2662/RAND_RR2662.pdf.
---------------------------------------------------------------------------

    Another effort is led by NVIDIA, which published a document 
proposing a framework called the Safety Force Field \36\ that is 
articulated as a

[[Page 78065]]

computational method to assess through simulation whether an ADS is 
monitoring its surrounding environment successfully and not taking 
unacceptable actions. The stated goal behind the Safety Force Field is 
avoiding crashes, and it seeks to accomplish this through setting a 
driving policy that analyzes the surrounding environment and predicts 
actions by other road users. Based upon this analysis, the system would 
then seek to determine potential actions that avoid creating or 
contributing to unsafe conditions that could lead to a crash.
---------------------------------------------------------------------------

    \36\ David Nist[eacute]r, Hon-Leung Lee, Julia Ng, and Yizhou 
Wang, An Introduction to the Safety Force Field, Nvidia. Available 
at https://www.nvidia.com/content/dam/en-zz/Solutions/self-driving-cars/safety-force-field/an-introduction-to-the-safety-force-field-updated.pdf. See also David Nist[eacute]r, Hon-Leung Lee, Julia Ng, 
and Yizhou Wang, Safety Force Field, Nvidia. Available at https://www.nvidia.com/content/dam/en-zz/Solutions/self-driving-cars/safety-force-field/the-safety-force-field.pdf.
---------------------------------------------------------------------------

    In early July 2019, 11 companies,\37\ collectively referred to as 
``Safety First for Automated Driving,'' released a paper describing 
safety by design, and verification and validation (V&V) methods for 
ADS.\38\ This paper states that it aims to address L3 and higher levels 
of automation, and can serve as a useful starting point for examining 
V&V methods appropriate for ADS. To guide safety efforts, the paper 
identifies principles (12 in all) towards addressing safe operation; 
safety layer; ODD; behavior in traffic; user responsibility; vehicle-
initiated handover; driver-initiated handover; effects of automation; 
safety assessment; data recording; security; and passive safety. These 
principles are expressed to be relevant to ADS, and most of them, 
except those relating to handover to a human operator, are indicated to 
be relevant to L4 and above.
---------------------------------------------------------------------------

    \37\ The 11 companies that comprise Safety First for Automated 
Driving are: Audi, BMW, Aptiv, Baidu, Continental, Daimler, Fiat 
Chrysler Automobiles, Here, Infineon, Intel and Volkswagen.
    \38\ ``Safety First for Automated Driving,'' available at 
https://newsroom.intel.com/wp-content/uploads/sites/11/2019/07/Intel-Safety-First-for-Automated-Driving.pdf.
---------------------------------------------------------------------------

    Finally, several other companies and organizations have published 
or are developing either documents to guide the safe testing and 
deployment of ADS or technical approaches to programming ADS in order 
to reduce the likelihood of facing crash-imminent situations. For 
example, Intel's Mobileye published a document proposing a framework 
called Responsibility Sensitive Safety \39\ (RSS), intended to address 
issues with multi-agent safety (defined by them as safe operation and 
interaction with multiple independent road users in a given 
environment). RSS is a mathematical model for multi-agent safety that 
incorporates common-sense rules of driving while interacting with other 
road users in a way that minimizes the chance of causing a crash, all 
while operating within normal behavioral expectations. The method is 
constructed with respect to ``right-of-way'' rules, occluded objects 
avoidance, and safe distance maintenance, both longitudinally and 
laterally. Mobileye also claims that special traffic conditions are 
covered in the discussion including intersection with traffic lights, 
unstructured roads, and collisions involving pedestrians (or other road 
users).\40\
---------------------------------------------------------------------------

    \39\ Shai Shalev-Shwartz, Shaked Shammah, and Amnon Shashua, On 
a Formal Model of Safe and Scalable Self-driving Cars, Mobileye, 
2017. Summary available at https://newsroom.intel.com/newsroom/wp-content/uploads/sites/11/2017/10/autonomous-vehicle-safety-strategy.pdf and https://newsroom.intel.com/editorials/paving-way-toward-safer-roads-all/#gs.8qhmve. Full paper available at https://arxiv.org/pdf/1708.06374.pdf.
    \40\ Mobileye, Implementing the RSS Model on NHTSA Pre-Crash 
Scenarios, p. 3. Available at https://www.mobileye.com/responsibility-sensitive-safety/rss_on_nhtsa.pdf.
---------------------------------------------------------------------------

    NHTSA is paying close attention to the efforts of other 
organizations to develop documents related to ADS safety that might be 
useful from a Federal regulatory perspective. While this document 
describes some of those efforts, it does not include all. NHTSA is also 
considering how it might harness process measures as part of a safety 
framework.

B. Process Measures--Safety Risk Minimization in the Design, 
Development, and Refinement of ADS

    Vehicle process measures help an organization manage and minimize 
safety risk by identifying and mitigating sources of risk during the 
design, development, and refinement of new motor vehicles and motor 
vehicle equipment. Unlike engineering measures, process measures 
address safety issues that cannot be efficiently or thoroughly 
addressed through the FMVSS approach to testing, since process 
standards help to ensure reliability and robustness of designs over the 
life of the vehicle, and in ``edge'' cases--both of which are difficult 
or impossible to verify through one-time testing a finished vehicle. 
Careful adherence to process standards can enhance the safety of 
finished motor vehicles substantially.\41\ While some of the standards 
described below are not specific to ADS, the principles underlying such 
standards can prove useful in ADS development.
---------------------------------------------------------------------------

    \41\ Transportation Research Board Special Report 308, The 
Safety Promise and Challenge of Automotive Electronics: Insights 
from Unintended Acceleration, 2012. The Board is part of the 
National Research Council, which is, in turn, part of the National 
Academies of Sciences, Engineering, and Medicine. At pages 87-88, 
this report describes the role that process measures could play in 
meeting the challenges presented by electronic systems and their 
``hardware components'' and ``software components.'' The report is 
available on a number of online sites, including http://onlinepubs.trb.org/onlinepubs/sr/sr308.pdf and https://www.nap.edu/catalog/13342/trb-special-report-308-the-safety-challenge-and-promise-of-automotive-electronics and http://www.omg.org/hot-topics/documents/Safety-Promise-and-Challenge-of-Automotive-Electronics-TRB-2012.pdf.
---------------------------------------------------------------------------

1. Functional Safety
    ISO 26262 describes a documentation of a process for the evaluation 
of functional safety \42\ to assist in the development of safety-
related electrical and/or electronic (E/E) systems.\43\ This framework 
is intended to be used by manufacturers to integrate functional safety 
concepts into a company-specific development framework. Some 
requirements have a clear technical focus to implement functional 
safety into a product; others address the development process itself 
and can therefore be seen as process requirements in order to 
demonstrate an organization's capability with respect to functional 
safety.
---------------------------------------------------------------------------

    \42\ Functional safety is the absence of risk caused by a system 
malfunction typically involving an electronic control system.
    \43\ See https://www.iso.org/standard/68383.html.
---------------------------------------------------------------------------

    ISO 26262 addresses identified, unreasonable safety risks arising 
from electrical and electronic failures. The framework is intended to 
be applied to safety-related systems that include one or more E/E 
systems that are installed in production road vehicles, excluding 
mopeds. ISO 26262 seeks to avoid failures associated with electronics 
systems--including those related to software programming, intermittent 
electronic hardware faults, and electromagnetic disturbances--and 
mitigate the impact of potential equipment faults during operation.\44\ 
In addition to addressing fault conditions, it contains hazard analysis 
and risk assessment provisions, design, verification and validation 
(V&V) requirements, and safety management guidance.
---------------------------------------------------------------------------

    \44\ Van Eikema Hommes, Q.D. (2016, June). Assessment of safety 
standards for automotive electronic control systems. (Report No. DOT 
HS 812 285). Washington, DC: National Highway Traffic Safety 
Administration, available at https://www.nhtsa.gov/sites/nhtsa.dot.gov/files/812285_electronicsreliabilityreport.pdf.
---------------------------------------------------------------------------

    ISO 26262 seeks to ensure systems have the capability to mitigate 
failure risk sufficiently for identified hazards. The needed amount of 
mitigation depends upon the severity of a potential loss event, 
operational exposure to hazards, and human driver controllability of 
the system when failure occurs. These factors combine into an 
Automotive Safety Integrity Level (ASIL) per a predetermined risk

[[Page 78066]]

table. The assigned ASIL for a function determines which technical and 
process mitigations should be applied, including specified design and 
analysis tasks that must be performed.\45\
---------------------------------------------------------------------------

    \45\ Id.
---------------------------------------------------------------------------

2. Safety of the Intended Functionality
    The safety of ADS is also linked to other factors such as 
conceivable human misuse of the function, performance limitations of 
sensors or systems, and unanticipated changes in the vehicle's 
environment.\46\
---------------------------------------------------------------------------

    \46\ Peters Els, Rethinking Autonomous Vehicle Functional Safety 
Standards: An Analysis of SOTIF and ISO 26262, March 25, 2019, 
available at https://www.automotive-iq.com/autonomous-drive/articles/rethinking-autonomous-vehicle-functional-safety-standards-an-analysis-of-sotif-and-iso-26262.
---------------------------------------------------------------------------

    Safety of the Intended Functionality (SOTIF) attempts to prevent 
insufficiencies of the intended functionality or reasonably foreseeable 
misuse by persons. ISO 21448 is a safety standard for driver assistance 
functions that could fail to operate properly even if no equipment 
fault is present. SOTIF does not apply to faults covered by the ISO 
26262 series or to hazards directly caused by the system technology 
(e.g., eye damage from a laser sensor). Rather, SOTIF works in tandem 
with ISO 26262 to help a manufacturer assess and mitigate a variety of 
risks during the development process, with ISO 26262 focusing on 
mitigating failure risk and ISO 21448 mitigating foreseeable system 
misuse.
    ISO 21448 is intended to be applied to intended functionality where 
proper situational awareness is critical to safety, and where that 
situational awareness is derived from complex sensors and processing 
algorithms; especially emergency intervention systems (e.g., active 
safety braking systems) and Advanced Driver Assistance Systems (ADAS) 
with SAE driving automation Levels 1 and 2 on the SAE standard J3016 
automation scales. Per SAE International, the standard can be 
considered for higher levels of automation, though additional measures 
might be necessary.\47\
---------------------------------------------------------------------------

    \47\ See https://www.iso.org/standard/70939.html.
---------------------------------------------------------------------------

    ISO 21448 primarily considers mitigating risks due to unexpected 
operating conditions (the intended function might not always work in 
such conditions due to limitations of sensors and algorithms) and gaps 
in requirements (lack of complete description about the actual intended 
function). Highlights of this standard include covering:
     Insufficient situational awareness;
     Foreseeable misuse and human-machine interaction issues;
     Issues arising from operational environment (weather, 
infrastructure, etc.);
     Identifying and filling requirement gaps (removing 
``unknowns''); and
     Enumerating operational scenarios.\48\
---------------------------------------------------------------------------

    \48\ Philip Koopman, et al, A Safety Standard Approach for Fully 
Autonomous Vehicles.
---------------------------------------------------------------------------

3. UL 4600
    UL has developed ``UL 4600: Standard for Safety for the Evaluation 
of Autonomous Products,'' a draft voluntary industry standard that 
states to take a safety case approach to ensuring the safety of 
ADS.\49\ The published safety case approach includes three primary 
elements: Goals, argumentation, and evidence; each of which is stated 
to support the previous element to build an overarching safety case. 
The expressed goals are stated to be the same as ADS-related safety 
goals that an organization would be trying to achieve. The 
argumentation is claimed to describe the organization's analysis for 
why it thinks the system has met that goal. Finally, evidence is what 
the organization would consider to be sufficient to show that its 
arguments are reasonable and support the organization's assertion that 
it has met its safety goal.\50\ Preliminary versions of the document 
were released in 2019, and UL released its most recent version of UL 
4600 on April 1, 2020.\51\ Like ISO 26262 and 21448, UL 4600 is a 
process-focused standard that is intended for use by the manufacturers 
in developing ADS. However, unlike those ISO standards, UL 4600 was 
developed primarily for ADS.\52\
---------------------------------------------------------------------------

    \49\ See https://edge-case-research.com/ul4600/.
    \50\ Philip Koopman, An Overview of Draft UL 4600: ``Standard 
for Safety for the Evaluation of Autonomous Products,'' June 20, 
2019, available at https://medium.com/@pr_97195/an-overview-of-draft-ul-4600-standard-for-safety-for-the-evaluation-of-autonomous-products-a50083762591.
    \51\ See https://www.shopulstandards.com/ProductDetail.aspx?productid=UL4600.
    \52\ See https://www.eetimes.com/safe-autonomy-ul-4600-and-how-it-grew/#.
---------------------------------------------------------------------------

    With the descriptions of Functional Safety, SOTIF, and UL 4600 as 
background, NHTSA is considering how it might make use of these process 
standards in the context of developing a new framework concerning ADS, 
based either in regulation or providing guidance. Traditional FMVSS may 
not be suitable for addressing certain critical safety issues relating 
to aspects of the core safety functions of perception, planning, and 
control. NHTSA requests comment on the specific ways in which 
Functional Safety, SOTIF, and/or UL 4600 could be adopted, either 
modified or as-is, into a mechanism that NHTSA could use to consider 
the minimum performance of an ADS or a minimum risk threshold an ADS 
must meet within the context of Vehicle Safety Act requirements.

IV. Safety Framework--Administrative Mechanisms for Implementation and 
Oversight

    This section describes a variety of mechanisms that could be used, 
singularly or in combination, to implement the elements of a safety 
framework.\53\ The possibility that multiple mechanisms might 
ultimately be used does not mean that they could or would need to be 
implemented in the same timeframe. While some mechanisms could be 
implemented in the near term, others would need to be developed through 
additional research and then validated before they could be 
implemented. Thus, the mechanisms could be adopted and implemented, if 
and when needed, in a prioritized and phased manner.\54\ Implementation 
of some types of mechanisms might rarely be necessary, while others may 
be temporary until different mechanisms would take their place.
---------------------------------------------------------------------------

    \53\ The Agency notes that while some of the mechanisms 
described in this document could be implemented through rulemaking 
pursuant to the Vehicle Safety Act, others are more suited to take 
the form of guidance.
    \54\ A phased approach is how the Agency is also modernizing the 
FMVSS for ADS-equipped vehicles without traditional manual controls, 
and may be the more expedient way to make progress while continuing 
necessary research and other work in the background.
---------------------------------------------------------------------------

    The array of available mechanisms roughly falls into either of two 
categories: (1) Voluntary mechanisms for monitoring, influencing and/or 
encouraging greater care; and (2) regulatory mechanisms. The former 
group includes voluntary disclosure, the New Car Assessment Program, 
and guidance. The latter group includes FMVSS and any other compulsory 
requirements.

A. Voluntary Mechanisms

    NHTSA can establish various mechanisms to gather or generate 
information about:
     How developers are analyzing the safety of their ADS;
     how developers are identifying potential safety risks of 
those systems; and
     what methods developers are choosing to mitigate those 
risks.
    This information could: (1) Enable the Agency to take proactive 
actions to encourage the development of innovative technologies in a 
manner that allows them to reach their full safety potential; (2) help 
the Agency

[[Page 78067]]

avoid taking action that hampers safety innovation or otherwise 
adversely affect safety; and (3) support the Agency's existing programs 
by helping the Agency become more responsive to new technologies. To 
the extent ADS developers make such information available to the Agency 
and the public, competing developers may be encouraged to place greater 
emphasis on safety and improve transparency on their efforts in that 
regard.
1. Safety Self-Assessment and Other Disclosure/Reporting
    Demonstrating the safety of ADS is critical for facilitating public 
confidence and acceptance, which may lead to increased adoption of the 
technology. Entities involved in the development and deployment of 
automation technology have an important role in their responsibilities 
for safety assurance of ADS-equipped vehicles and in providing 
transparency about their systems are achieving safety.
    ADS 2.0 provided guidance to stakeholders regarding the safe 
design, testing, and deployment of ADS. This document identified 12 
safety elements that ADS developers should consider when developing and 
testing their technologies.\55\ ADS 2.0 also introduced the concept of 
a Voluntary Safety Self-Assessment (VSSA), which is intended to 
encourage developers to demonstrate to the public that they are: 
Considering the safety aspects of an ADS; communicating and 
collaborating with the U.S. DOT; encouraging the self-establishment of 
industry safety norms; and building public trust, acceptance, and 
confidence through transparent testing and deployment of ADS.\56\ 
Entities were encouraged to demonstrate how they address the safety 
elements contained in A Vision for Safety by publishing a VSSA on their 
websites. NHTSA believes that VSSAs are an important tool for companies 
to showcase their approach to safety without needing to reveal 
proprietary intellectual property. The Agency hopes that VSSAs show the 
public that how these companies are addressing safety and how safety 
considerations are built into the design and manufacture of ADS-
equipped vehicles that are tested on public roadways. As of June 2020, 
23 developers and automakers have published VSSAs, which represents a 
significant portion of the industry.
---------------------------------------------------------------------------

    \55\ Id., pp. 5-15.
    \56\ Id., p. 16
---------------------------------------------------------------------------

    Another voluntary reporting mechanism aimed at transparency is 
NHTSA's AV TEST Initiative, which involves both a series of events 
throughout the country where NHTSA, State and local governments, 
automakers, and ADS developers share information about activities. AV 
TEST is also expected to result in a website for companies to share 
information with the public about their vehicles, including details of 
on-road testing.
    One type of administrative mechanism under consideration is to use 
guidance to encourage the development of a safety case by 
manufacturers. As used in this document, a safety case is ``a 
structured argument, supported by a body of evidence that provides a 
compelling, comprehensible, and valid case that a system is safe for a 
given application in a given operating environment.'' \57\ For NHTSA's 
purposes, ``valid'' as used in this context means ``verifiable.'' Such 
an administrative mechanism might be implementable more quickly than 
other mechanisms and could allow vehicle and equipment manufacturers 
flexibility in documenting the competence of their ADS in performing 
sensing, perception, planning, and control of its intended functions. 
It may be possible, within the limits of administrative feasibility, to 
tailor some aspects of these demonstrations to a vehicle's design 
purpose and intended scope of operation. Another, more extensive, means 
of increasing transparency of how a company developed its ADS would be 
for the developer to disclose (e.g., to NHTSA and/or the public) some 
or all its safety case. This disclosure would provide the results of 
applying the company's own stated performance metrics, metric 
thresholds, and test procedures, and how those results justify its 
belief that its vehicle is functionally and operationally capable of 
performing each of the core elements of ADS safety performance.\58\
---------------------------------------------------------------------------

    \57\ As used in this document, the term ``safety case'' has the 
same meaning as that term is used by Philip Koopman, Aaron Kane, and 
Jen Black in their paper, Credible Autonomy Safety Argumentation, 
2019. The article is available at https://users.ece.cmu.edu/
~koopman/pubs/Koopman19_SSS_CredibleSafetyArgumentation .pdf. See 
also Philip Koopman, ``How to keep self-driving cars safe when no 
one is watching for dashboard warning lights,'' The Hill, June 30, 
2018, available at https://thehill.com/opinion/technology/394945-how-to-keep-self-driving-cars-safe-when-no-one-is-watching-for-dashboard.
    \58\ See, e.g., Koopman, Philip, ``How to keep self-driving cars 
safe when no one is watching for dashboard warning lights,'' June 
30, 2018. Available at https://thehill.com/opinion/technology/394945-how-to-keep-self-driving-cars-safe-when-no-one-is-watching-for-dashboard. See also Bryant Walker Smith, Regulation and the Risk 
of Inaction in Autonomous Driving: Technical Legal and Social 
Aspects, at 571-587, (Markus Maurer, J. Christian Gerdes, Barbara 
Lenz, and Hermann Winner, editors, 2016), available at https://link.springer.com/content/pdf/10.1007%2F978-3-662-48847-8.pdf.
---------------------------------------------------------------------------

2. New Car Assessment Program (NCAP)
    Short of setting a safety standard, an ADS competency evaluation 
could be added in NCAP. While an FMVSS obstacle-course performance 
test, standing alone, would likely be inadequate to evaluate ADS 
competence, such a test might form a useful foundation for consumer 
information under the NCAP program. This evaluation could be developed 
and used to measure the relative performance of an ADS in navigating a 
variable environment (within established operational ranges) and 
complex set of interactions with stimulus road users (e.g., dummy 
vehicles, pedestrians, and cyclists) on a course, with note made of 
variances in the manner in which the course was completed. All ADS-
equipped vehicles could be expected to avoid collisions (including 
avoiding causing collisions), while adhering to a driving model that 
minimizes the risks of getting into crash-imminent situations and 
observing operational limitations, such as limits on rates of 
acceleration and deceleration and limits on absolute speed. 
Additionally, operational data relating to crash avoidance performance, 
as well as ``nominal'' driving behaviors (e.g., lane-keeping ability), 
could be collected during ``on-road driving'' and could be used to 
contribute to an overall safety performance assessment method. 
Relatedly, an NCAP program could provide comparative data on the 
occupant protection afforded by ADS vehicles.
    The information NCAP provides empowers consumers to compare the 
relative safety of new vehicles and to make informed vehicle-purchasing 
decisions. This information has encouraged automakers to compete based 
upon improving safety--encouraging safety advancements and swift 
adoption of performance improvements that improve the safety of motor 
vehicles. For example, with the inclusion of static and dynamic 
rollover prevention tests into the NCAP program in 2001 and 2003, NHTSA 
encouraged the advancement and further deployment of safety improving 
technologies--notably electronic stability control--to prevent rollover 
crashes. This deployment took place more than 10 years before a FMVSS 
for electronic stability control went into effect.\59\ In part because 
of the market demand triggered by that encouragement, 29 percent of MY 
2006 vehicles already had ESC voluntarily

[[Page 78068]]

installed. NCAP's power to provide safety-relevant information to 
consumers, thus driving consumer demand for safety improvements in the 
market, could similarly be harnessed and applied to ADS performance.
---------------------------------------------------------------------------

    \59\ While the NPRM for the creation of FMVSS No. 126 was issued 
in 2006, the new standard did not apply until MY 2012.
---------------------------------------------------------------------------

3. Operational Guidance
    At the current stage in the development of the technologies needed 
for wide-scale deployment of ADS, the specific areas for which 
regulatory intervention might be most needed remain uncertain and the 
appropriate regulatory performance metrics and safety thresholds remain 
unknown. The Department has therefore sought to enhance safety through 
voluntary guidance, instead of mandatory requirements. The Agency is 
requesting comment on whether developing further guidance on 
engineering and process measures remains the most appropriate 
approach.\60\
---------------------------------------------------------------------------

    \60\ This approach has been recognized by WP 29. See https://www.unece.org/fileadmin/DAM/trans/doc/2019/wp29/ECE-TRANS-WP29-2019-34-rev.1e.pdf. With respect to engineering measures, the development 
of guidance is often based upon much of the same work that would 
lead to the development of industry standards, i.e., the development 
and validation of performance metrics, performance thresholds, and 
test procedures.
---------------------------------------------------------------------------

    To ensure due process and appropriate consideration of views of 
stakeholders and the general public in the development of guidance, 
certain guidance documents are subject to public comment--in accordance 
with Department of Transportation Regulations on Guidance Documents 
\61\ and Executive Order 13891.\62\ That said, guidance documents, as 
they simply recommend rather than require actions by regulated 
entities, are more appropriate at this early stage in the development 
of ADS and ADS-equipped vehicles, reserving mandatory requirements for 
when the technology is sufficiently mature and actual safety needs have 
been more clearly identified. Guidance documents also provide the 
agency greater flexibility in making recommendations, as they do not 
need to meet the strict requirements that FMVSS must meet and are 
generally easier to adopt and modify than mandatory requirements issued 
in a FMVSS. The Agency, therefore, would likely be able to develop and 
update these guidance documents more quickly, and design them to be 
more reflective of consensus industry standards and practices as they 
continue to develop.
---------------------------------------------------------------------------

    \61\ 49 CFR 5.25, et seq.
    \62\ Executive Order 13891, ``Promoting the Rule of Law Through 
Improved Agency Guidance Documents'' Oct. 9, 2019.
---------------------------------------------------------------------------

    Issuing guidance, working with States and developers to deepen 
communications, identifying for manufacturers critical safety aspects 
generally applicable to ADS, and exercising safety oversight using 
NHTSA's existing broad enforcement authorities \63\ have, for the most 
part, been NHTSA's approaches to the development of ADS thus far. NHTSA 
expects that these will continue to be the Agency's approaches to ADS 
for the foreseeable future while it conducts the research necessary to 
develop meaningful performance tests and metrics and while it closely 
monitors changes occurring in the private development of ADS and 
business models that surround the technology.
---------------------------------------------------------------------------

    \63\ NHTSA has broad investigatory and enforcement authority 
relating to motor vehicle safety. While NHTSA can order a recall for 
FMVSS non-compliance, it can also order a recall when it learns of a 
defect in the design, construction, or performance of a vehicle or 
item of equipment that poses an unreasonable risk to motor vehicle 
safety that increases the likelihood of a crash occurring or 
increases the likelihood of injury or death should a crash occur. In 
fact, the vast majority of recalls are issued for safety related 
defects that having nothing to do with FMVSS.
---------------------------------------------------------------------------

B. Regulatory Mechanisms

    That said, the Agency believes that, at some point, regulation of 
the ADS will likely be necessary and is exploring ways it could 
appropriately regulate ADS, being mindful of the need to avoid creating 
unnecessary barriers to innovation or unintended safety risks. As 
discussed above, many stakeholders are already exploring a variety of 
approaches to assessing ADS performance and measuring ADS safety. The 
following explores what regulatory mechanisms the Agency is currently 
using and how future approaches might be incorporated into the FMVSS, 
either separately or together and in conjunction with non-regulatory 
mechanisms.
1. Mandatory Reporting and/or Disclosure
    In addition to the voluntary reporting/disclosure activities 
discussed in the previous section, NHTSA has also taken steps to 
require the disclosure and reporting of certain information in the 
context of exemptions. NHTSA recently conditioned the Agency's grant of 
a petition for temporary exemption on a set of terms that include 
mandatory reporting of information on the operation of the vehicles 
equipped with ADS.\64\ The petition for exemption was from Nuro, Inc. 
for a low-speed (25 mph maximum), electric-powered occupantless 
delivery vehicle that will be operated by an ADS.\65\ In NHTSA's notice 
granting the petition for exemption, the Agency stated: ``NHTSA has 
determined that it is in the public interest to establish a number of 
reporting and other terms of deployment of the vehicles that will apply 
throughout the useful life of these vehicles--violation of which can 
result in the termination of this exemption.'' \66\ The terms include 
post-crash reporting, periodic reporting, cybersecurity, and other 
general requirements.\67\
---------------------------------------------------------------------------

    \64\ 85 FR 7826 (Feb. 11, 2020), available at https://www.federalregister.gov/documents/2020/02/11/2020-02668/nuro-inc-grant-of-temporary-exemption-for-a-low-speed-vehicle-with-an-automated-driving-system.
    \65\ Id.
    \66\ Id., p. 7827.
    \67\ Id., p., 7840.
---------------------------------------------------------------------------

    NHTSA also maintains a process for the temporary importation of 
noncompliant vehicles into the Unites States for research, 
demonstration, testing, and other purposes.\68\ For entities other than 
manufacturers of certified motor vehicles, approval of a temporary 
exemption comes in the form of written permission from NHTSA that the 
importer may import the noncompliant vehicle.\69\ When NHTSA began 
receiving requests for exemptions to import ADS-equipped vehicles for 
research and demonstration purposes, NHTSA determined that additional 
requirements were necessary to exercise oversight and monitor the 
safety of the exempt vehicles' operations. NHTSA may condition approval 
for importation of a noncompliant vehicle on specific terms and 
conditions.\70\ Similar to the terms that accompany a grant of a 
petition for exemption, the terms that importers are required to meet 
depend upon the information included in the petition, and are generally 
established to mitigate risks. Many of the terms required of Nuro have 
also been required for importers who have received permission to import 
a non-compliant ADS-equipped vehicle. Some examples of additional terms 
and conditions added to permission letters for vehicles equipped with 
ADS include: requiring that the noncompliant vehicle be used only in 
the ways described in the application; annual reporting on the status 
of all vehicles granted temporary exemptions; disengagement reporting; 
and reporting incidents of near misses, situations in which the trained 
operator acted to avoid an imminent crash, deviations

[[Page 78069]]

from the prescribed route, and unexpected lane departures.
---------------------------------------------------------------------------

    \68\ 49 U.S.C. 30114; 49 CFR part 591.
    \69\ 49 U.S.C. 30114; 49 CFR part 591.
    \70\ 49 CFR 591.6(f)(2).
---------------------------------------------------------------------------

2. NHTSA's FMVSS Setting Authority
    NHTSA has broad jurisdiction over motor vehicle safety pursuant to 
the Safety Act (49 U.S.C. Chapter 301), the purpose of which is ``to 
reduce traffic accidents and deaths and injuries resulting from traffic 
accidents.'' The Safety Act defines ``motor vehicle safety'' as 
inclusive of both operational and nonoperational safety. Specifically, 
```motor vehicle safety' means the performance of a motor vehicle or 
motor vehicle equipment in a way that protects the public against 
unreasonable risk of accidents occurring because of the design, 
construction, or performance of a motor vehicle, and against 
unreasonable risk of death or injury in an accident, and includes 
nonoperational safety of a motor vehicle.'' \71\
---------------------------------------------------------------------------

    \71\ 49 U.S.C. 30102(a)(9).
---------------------------------------------------------------------------

    The Safety Act authorizes the issuance of FMVSS for motor vehicles 
and motor vehicle equipment and the recall and remedy of motor vehicles 
and equipment failing to comply with a FMVSS or containing a defect 
that poses an unreasonable risk to safety. The FMVSS are intended to be 
uniform national standards so that compliant vehicles can be sold 
throughout the United States.\72\
---------------------------------------------------------------------------

    \72\ Truck Safety Equipment Institute vs. Kane, 466 F. Supp. 
1242, 1250 (M.D.Pa.1979).
---------------------------------------------------------------------------

    Among the products that fall within the scope of this authority are 
all vehicle systems and their parts and components. Modern computer-
controlled electronic systems, like object detection and identification 
systems needed to protect vulnerable road users, automatic emergency 
braking systems, and air bag systems, are composed of hardware and 
software components, both of which are necessary to the functioning of 
those systems. Without their software components, computer-controlled 
electronic systems are merely non-functional assemblages of hardware 
components, incapable of protecting anyone. NHTSA has used its 
authority to specify how and when the hardware components of complex 
electronic systems, such as advanced air bags and anti-lock braking 
systems, must activate and perform. This performance-oriented approach 
gives manufacturers freedom to develop the software components needed 
to control the performance of each system's hardware components. NHTSA 
has also repeatedly exercised its authority over software when the 
software components of the computerized electronic systems of motor 
vehicles have been determined to contain a safety defect and thus 
become the subject of a recall campaign.\73\
---------------------------------------------------------------------------

    \73\ See Addendum B for a list of examples of software-related 
recalls.
---------------------------------------------------------------------------

    The Safety Act defines ``motor vehicle safety standard'' as ``a 
minimum standard for motor vehicle or motor vehicle equipment 
performance.'' \74\ This definition contemplates that each FMVSS (1) 
regulates one or more identified aspects of vehicle or equipment 
performance, and (2) specifies a minimum threshold for each of those 
aspects of performance (i.e., a required level of that aspect of 
performance that regulated products must at least equal to protect 
against unreasonable risk of crashes or unreasonable risk of death or 
injury in a crash). Such a threshold serves as a clear separation of 
compliant from noncompliant products. In the event of noncompliance, 
the threshold also aids NHTSA in determining the nature and extent of 
the needed remedy and in determining the seriousness of the 
noncompliance, which, in turn, is relevant in determining the 
appropriate amount of any civil penalty. Specifying minimum levels of 
safety performance in a standard also enables the Agency to estimate 
the benefits and the costs of complying with a standard and determine 
what level of stringency maximizes net benefits, as contemplated by 
Executive Order 12866 \75\ and Department of Transportation 
regulations.\76\
---------------------------------------------------------------------------

    \74\ 49 U.S.C. 30102(a)(9) (emphasis added).
    \75\ Available at https://www.archives.gov/files/federal-register/executive-orders/pdf/12866.pdf.
    \76\ 49 CFR 5.5. This regulation requires the following when 
developing or issuing regulations, including regulations to 
establish FMVSS:
    (a) There should be no more regulations than necessary. In 
considering whether to propose a new regulation, policy makers 
should consider whether the specific problem to be addressed 
requires agency action, whether existing rules (including standards 
incorporated by reference) have created or contributed to the 
problem and should be revised or eliminated, and whether any other 
reasonable alternatives exist that obviate the need for a new 
regulation.
    (b) All regulations must be supported by statutory authority and 
consistent with the Constitution.
    (c) Where they rest on scientific, technical, economic, or other 
specialized factual information, regulations should be supported by 
the best available evidence and data.
    (d) Regulations should be written in plain English, should be 
straightforward, and should be clear.
    (e) Regulations should be technologically neutral, and, to the 
extent feasible, they should specify performance objectives, rather 
than prescribing specific conduct that regulated entities must 
adopt.
    (f) Regulations should be designed to minimize burdens and 
reduce barriers to market entry whenever possible, consistent with 
the effective promotion of safety. Where they impose burdens, 
regulations should be narrowly tailored to address identified market 
failures or specific statutory mandates.
    (g) Unless required by law or compelling safety need, 
regulations should not be issued unless their benefits are expected 
to exceed their costs. For each new significant regulation issued, 
agencies must identify at least two existing regulatory burdens to 
be revoked.
    (h) Once issued, regulations and other agency actions should be 
reviewed periodically and revised to ensure that they continue to 
meet the needs they were designed to address and remain cost-
effective and cost-justified.
    (i) Full public participation should be encouraged in rulemaking 
actions, primarily through written comment and engagement in public 
meetings. Public participation in the rulemaking process should be 
conducted and documented, as appropriate, to ensure that the public 
is given adequate knowledge of substantive information relied upon 
in the rulemaking process.
    (j) The process for issuing a rule should be sensitive to the 
economic impact of the rule; thus, the promulgation of rules that 
are expected to impose greater economic costs should be accompanied 
by additional procedural protections and avenues for public 
participation.
---------------------------------------------------------------------------

    In addition, each FMVSS must be objective and practicable.\77\ The 
Sixth Circuit has held that the FMVSS objectivity requirement means 
that compliance with an FMVSS standard must be susceptible to objective 
measurements, which are capable of repetition.\78\ Each FMVSS must also 
be reasonable, practicable, and appropriate for each type of vehicle to 
which it applies.\79\ In the interest of transparency, and as a matter 
of due process, each FMVSS must also give reasonable notice of what 
performance is required and how compliance will be determined.\80\
---------------------------------------------------------------------------

    \77\ 49 U.S.C. 30111(a).
    \78\ See Chrysler Corp. v. Dep't of Transp., 472 F.2d 659, 675-
76 (6th Cir. 1972) (citing House Report 1776, 89th Cong. 2d 
Sess.1966, p. 16).
    \79\ 49 U.S.C. 30111(b)(3).
    \80\ See United States v. Chrysler Corp. 158 F.3d 1350, 1354 
(D.C. Cir. 1972).
---------------------------------------------------------------------------

    NHTSA has broad authority to issue FMVSS. ``[T]he Agency is 
empowered to issue safety standards which require improvements in 
existing technology or which require the development of new technology, 
and it is not limited to issuing standards based solely on devices 
already fully developed.'' \81\ However, NHTSA has learned from 
previous experiences that establishing FMVSS prior to technology 
readiness can lead to adverse safety consequences. Motor vehicles are 
extraordinarily complicated machines that are massive and move at very 
high speeds. When setting a performance standard not appropriately 
grounded in the capabilities of technologies employed to meet the 
standard, unexpected consequences can result. For instance, one of the 
foundational court decisions regarding FMVSS involved the Agency's

[[Page 78070]]

establishment of braking standards for air brake-equipped trucks, 
tractor-trailers, and buses--mandating stopping distances far shorter 
than achieved in large trucks that were built at the time.\82\ The 
stopping distance requirements required the entire industry to design 
completely new braking systems. The Agency was aware that the shorter 
stopping distances would increase the likelihood of wheel lock-up, so 
the standard also required that the stops be made without wheel lock-
up--which effectively (although not explicitly) required manufacturers 
to develop and install antilock computers on each axle. These antilock 
devices proved unreliable,\83\ and, combined with the more-powerful 
newly designed braking systems, resulted in increased risk of loss of 
control resulting from wheel lock-up. Further, the susceptibility of 
early sensors to outside interferences resulted in circumstances where 
some trucks lost the use of brakes entirely. In invalidating 
requirements under the standard, the Court of Appeals for the Ninth 
Circuit found that ``because of unforeseen problems in the development 
of the new braking systems, the Standard was neither reasonable nor 
practicable at the time it was put into effect.'' \84\ The Court also 
explained that NHTSA must ``ascertain, with all reasonable probability, 
that its safety regulations do not produce a more dangerous highway 
environment than that which existed prior to governmental 
intervention.'' \85\
---------------------------------------------------------------------------

    \81\ Chrysler Corp. v. Dep't of Transp., 472 F.2d 659, 673 (6th 
Cir. 1972).
    \82\ Paccar, Inc. v. Nat'l Highway Traffic Safety Admin., 573 
F.2d 632 (9th Cir. 1978)
    \83\ Failure rates well over 50% were reported. Id. at 642
    \84\ Id. at 640.
    \85\ Id. at 643.
---------------------------------------------------------------------------

    Given the rapidly evolving state of ADS technology, NHTSA is taking 
care that its actions do not result in unforeseen problems in the 
development or deployment of ADS. Establishing FMVSS prior to 
technology readiness hampers safety-improving innovation by diverting 
developmental resources toward meeting a specific standard. Such a 
regulatory approach could unnecessarily result in the Agency 
establishing metrics and standards without a complete understanding of 
the technology or safety implications and result in unintended 
consequences, including loss of potential benefits that could have been 
attained absent government intervention, a false sense of security, or 
even inadvertently creating additional risk by mandating an approach 
whose effects had not been known because regulation halted the 
technology at too early a stage in its development.
    NHTSA has typically used its FMVSS authority either to mandate the 
installation of a proven technology by way of performance standards to 
address a safety need and subject the technology to minimum performance 
requirements, or to regulate voluntarily installed technology by 
subjecting the technology to minimum performance safety requirements. 
In most instances, when NHTSA has mandated the installation of a 
technology by way of performance standards, it has not done so until 
the technology is fully developed and mature, so that all buyers of new 
vehicles have the protection of that technology. An example of this 
practice is Electronic Stability Control (ESC). ESC development for 
passenger cars began in the late 1980s, and three manufacturers 
voluntarily installed the systems on some of their vehicles by 
1995.\86\ After NHTSA evaluated real word data and realized the 
beneficial effect of ESC in preventing crashes, NHTSA undertook a 
rulemaking to establish FMVSS No. 126, ``Electronic stability control 
systems for light vehicles.'' By the time a proposal was issued for 
FMVSS No. 126, 29 percent of MY 2006 vehicles sold in the U.S. were 
already voluntarily equipped with ESC.\87\ Given the profound benefits 
of ESC, NHTSA's rulemaking impelled the expedited installation of ESC 
in the vehicle fleet. While this has been a common practice, of 
establishing performance standards and mandating that certain vehicles 
be equipped with a system that meets those performance requirements, it 
is too soon to tell if this will be the best path forward for ADS.
---------------------------------------------------------------------------

    \86\ http://knowhow.napaonline.com/electronic-stability-control-a-short-history/.
    \87\ Id.
---------------------------------------------------------------------------

    Furthermore, there are notable instances in which NHTSA has 
regulated voluntarily installed technologies by simply establishing 
minimum safety performance requirements, as opposed to mandating the 
installation of a technology, include when the Agency anticipated the 
introduction of electric and compressed natural gas vehicles and fuel 
systems, and issued standards to guard against risks of electric shock 
and explosion.
    Also, existing classes of vehicles (e.g., passenger cars, trucks, 
buses, motorcycles, and low speed vehicles) subject to the existing 
FMVSS are based largely on observable physical features (e.g., number 
of designated seating positions) or objectively measurable 
specifications (e.g., gross vehicle weight rating) or performance 
(e.g., top speed).\88\ As a result, determining which class a vehicle 
falls into involves a relatively simple, quick, and objective process.
    Developers of ADS are taking a variety of approaches to the 
vehicles that utilize their systems. Some are testing their systems in 
fully FMVSS-compliant vehicles, others are exploring alternative 
vehicle designs that would not comply with some or even all of the 
current FMVSS, and even others are simply developing the ADS without a 
particular vehicle type in mind--something that could be retrofit into 
an existing vehicle, or a system that could be sold to automakers. 
NHTSA expects that existing vehicle classes will remain relevant for 
many purposes. Yet, new classes of vehicles may emerge as companies 
begin to consider all the possible uses and business models available 
for their systems. The need to define any new class in the context of 
the FMVSS has not been determined.
3. Applying the Established FMVSS Framework to ADS Safety Principles
    NHTSA believes that the critical relationship between the safety of 
an ADS's design and the vehicle's decision-making system makes it 
necessary to evaluate the safety of ADS performance considering 
appropriate and well-defined ODD (for any system below Level 5). For 
example, if an ADS is capable of only operating at speeds below 30 
miles per hour (mph), it is reasonable and necessary to assess the 
system at speeds below 30 mph. NHTSA might also consider whether it 
would be appropriate to require that the vehicle be designed so that it 
cannot operate automatically at speeds of 30 mph or more unless and 
until it acquires the capability (e.g., through software updates) of 
safely operating automatically above that speed. Similarly, if a 
vehicle would become incapable of operating safely if one or more of 
its sensors became non-functional, NHTSA might consider whether it 
would be appropriate to require that the vehicle be designed so that it 
can detect those problems and either cease to operate automatically in 
a safe manner in those circumstances (in the case of a vehicle designed 
to operate either manually or automatically) or operate automatically 
in a reduced or ``limp home'' manner only.
    State and local authorities also play critical roles in roadway 
safety. Through establishing and enforcing their rules of the road, 
these authorities have traditionally controlled such operational 
matters as the speed at which vehicles may be driven and the condition 
of certain types of safety equipment, such

[[Page 78071]]

as headlamps and taillamps. In the future, it is reasonable to expect 
that such authorities may establish new rules of the road to address 
ADS-equipped vehicles specifically. NHTSA could require that ADS be 
designed such that they must follow all applicable traffic laws in the 
areas of operation, thereby supporting State and local efforts to 
ensure their traffic laws are observed. That said, NHTSA expects that 
the States and localities would enforce those rules if broken, just as 
they would today.
4. Reforming How NHTSA Drafts New FMVSS To Keep Pace With Rapidly 
Evolving Technology
    As the functions and capabilities of modern motor vehicles are 
increasingly defined and controlled by software, vehicles will likely 
continue to change and improve through software updates that occur 
during the lifetime of the vehicle. Likewise, the more quickly vehicle 
systems can change, the greater the risk that the current regulatory 
requirements may unnecessarily interfere with innovation, and that the 
slow pace of the regulatory process to address unnecessary barriers may 
delay the introduction of new safety improvements.
    The nature and requirements of the rulemaking process may challenge 
the Agency's efforts to amend existing FMVSS and develop, validate, and 
establish new FMVSS quickly enough to enable the Agency to keep pace 
with the expected rapid rate of technological change. Some aspects of 
the process are inherent and, thus, unavoidable, such as the often 
lengthy period needed for preparatory research to develop and validate 
performance metrics and test procedures and for the rulemaking process 
to propose, take and consider comment, and eventually adopt the metrics 
and procedures.
    There are, however, other aspects of the process that are not only 
amenable to reform, but that are also likely needed to change for 
expedient application to future technologies. Some portions of the 
existing FMVSS might be seen as overly specific, and insufficiently 
technologically neutral. If a new generation of safety standards and 
other safety regulations is determined to be needed for ADS, they might 
be written, to the extent allowed by the law, so that they do not have 
the effect of inadvertently locking future ADS into today's hardware 
and software technologies. A new generation of performance requirements 
and test procedures for ADS could be drafted with a greater eye to 
enabling continuing technological innovation to ensure that the new 
requirements do not become unintended obstacles to the use of new 
technologies. In other words, the Agency should take care not to assume 
that the specific technologies used in today's vehicles will be used in 
future vehicle designs. Future standards--particularly those that 
mandate vehicles be equipped with a certain technology--may be better 
approached by focusing on objective vehicular functionality as opposed 
to the performance of a specific discrete system. A new generation of 
FMVSS should give the manufacturers of vehicles, sensors, software, and 
other technologies needed for ADS sufficient flexibility to change and 
improve without the need for frequent modifications to the regulations. 
Such an approach may also benefit the safety of future vehicles through 
more flexible standards that focus more on the safety outcome, rather 
the performance of any specific technology.\89\
---------------------------------------------------------------------------

    \89\ NHTSA has always sought to draft the FMVSS requirements 
broadly enough to permit use of both current technologies and 
possible future systems, but the rapid pace of development of ADS 
and other advanced technologies makes this objective more critical 
than ever.
---------------------------------------------------------------------------

    What may be needed, then, is a new approach to structuring and 
drafting standards that places greater reliance on more general, but 
still objective, specifications of the types and required levels of 
performance.\90\
---------------------------------------------------------------------------

    \90\ This effort to initiate reform in the vehicle safety 
program is at least comparable in scope to the effort launched by 
the Agency in 2003 when it issued an ANPRM to reform the Automobile 
Fuel Economy Standards Program, 68 FR 74908 (Dec. 29, 2003).
---------------------------------------------------------------------------

5. Examples of Regulatory Approaches
    Below NHTSA provides some examples of potential regulatory 
approaches that the Agency could consider including in a safety 
framework. These examples are not intended to propose any particular 
approach. Instead, they highlight some of the future approaches on 
which NHTSA would like feedback.
a. FMVSS Requiring Obstacle Course-Based Validation in Variable 
Scenarios and Conditions
    A performance-oriented, outcome-based FMVSS could be developed 
along one or more of the lines stated in ``AV 3.0'':

    Performance-based safety standards could require manufacturers 
to use test methods, such as sophisticated obstacle-course-based 
test regimes, sufficient to validate that their ADS-equipped 
vehicles can reliably handle the normal range of everyday driving 
scenarios as well as unusual and unpredictable scenarios. Standards 
could be designed to account for factors such as variations in 
weather, traffic, and roadway conditions within a given system's 
ODD, as well as sudden and unpredictable actions by other road 
users. Test procedures could also be developed to ensure that an ADS 
does not operate outside of the ODD established by the manufacturer. 
Standards could provide for a range of potential behaviors--e.g., 
speed, distance, angles, and size--for surrogate vehicles, 
pedestrians, and other obstacles that ADS-equipped vehicles would 
need to detect and avoid.91 92
---------------------------------------------------------------------------

    \91\ Page 7. Available at https://www.transportation.gov/sites/dot.gov/files/docs/policy-initiatives/automated-vehicles/320711/preparing-future-transportation-automated-vehicle-30.pdf.
    \92\ For an example of requirements that might be expressed as 
mathematical functions, see the discussion of Mobileye's RSS in 
section IV.C of this document.

    However, physical testing of ADS functions through an obstacle 
course with a wide range of potential scenarios and conditions would 
not be without its own limitations. While physical obstacle course 
testing may be appropriate and even necessary as part of a future FMVSS 
regulating ADS competency, such a test is likely not sufficient to meet 
the need for safety in and of itself. Testing an ADS is expected to be 
different from the physical testing considered sufficient for today's 
vehicles. No physical obstacle course would come close to replicating 
the infinite number of driving scenarios an ADS would be expected to 
navigate safely, nor the complexity of the driving situations that ADS 
might encounter on the roads.
    The level of ADS competency required to handle such diversity and 
complexity is partly why ADSs are developed using a variety of 
verification and validation tools when exposing the ADS to different 
scenarios during development. ADS developers generally use an iterative 
process that includes simulations, closed-course testing, and on-road 
testing during development and demonstration to expose the ADS to as 
many variables as reasonably possible, while also transferring 
information from each of those methods of testing back to the others to 
help ensure each method includes as many variables as possible. 
Situations that occur during on-road testing are important information 
for developers to include in the simulations used on ADS, and vice 
versa, with scenarios from the simulations being important to validate 
in the physical world through on-road testing. Though this iterative 
testing is normal for the development process, it may also indicate how 
challenging it might be for an obstacle-course test administered by a 
third party to include an adequate number and type of scenarios to test 
ADS competency, while also ensuring

[[Page 78072]]

that such a course would be objective and practicable. While a standard 
obstacle course test may provide a baseline of performance, analogous 
to current FMVSS that perform a subset of specific crash tests, it 
cannot expose a vehicle to the entire spectrum of field crash 
scenarios.
b. FMVSS Requiring Vehicles To Be Programmed To Drive Defensively in a 
Risk-Minimizing Manner in Any Scenario Within Their ODD
    An FMVSS might also require that the planning and control functions 
of an ADS be programmed to adhere to a defensive driving model so as to 
minimize the likelihood of getting into a crash-imminent situation 
under any scenario within its ODD--similar to the driving policies and 
metrics described in Mobileye's RSS, NVIDIA's Safety Force Field, and 
NHTSA's MPrISM described previously. This could be accompanied by an 
additional requirement that the vehicle be capable of automated 
operation within its ODD only. The FMVSS could be complemented by a 
requirement that each vehicle manufacturer state in the owner's manual 
for each of its vehicles equipped with ADS that it would be unsafe for 
the vehicle to operate in automated mode outside its ODD and that the 
vehicle has therefore been designed so that it cannot do so. Such a 
statement could also include a description of what behavior the vehicle 
owner could expect in the circumstance that an ADS exceeds the limits 
of its ODD, such as the vehicle will pull over in a safe location.\93\
---------------------------------------------------------------------------

    \93\ Importantly, even without standards in place to regulate 
these aspects, NHTSA may consider the ability of an ODD-constrained 
vehicle to operate outside of its ODD as strong evidence of a 
safety-related defect.
---------------------------------------------------------------------------

    While programming an ADS to adhere to defensive driving models may 
help lower the risk of crash, there are additional ADS performance 
aspects that NHTSA would need to consider. Adherence to a defensive 
driving model would be one potential requirement that could mitigate 
some, but not all, safety risks. Much would also depend on the 
implementation of that defensive driving model, and the efficacy of 
that implementation.
c. FMVSS Drafted in a Highly Performance-Oriented Manner
    The traditional approach to standard drafting is one where NHTSA 
specifies the desired performance in great detail, and may also include 
requirements to lessen the likelihood and mitigate the consequences of 
failure. For instance, FMVSS No. 135 ``Light vehicle brake systems,'' 
establishes performance requirements for braking systems functioning 
normally, and separate requirements for when brake power assist units 
are inoperative or depleted of reserve capability. Applying this 
approach to the myriad unique combinations of technologies that may be 
developed to perform the four critical functions of an ADS could prove 
quite challenging. For instance, the sensing function of an ADS may be 
performed by one or a combination of technologies such as LiDAR, radar, 
cameras, GPS, and V2X radios/antennae units. If the available 
technologies that might be used for sensing fail in distinctly 
different ways, the approach the Agency took in regulating light duty 
braking might mean that any sensing standard must include different 
requirements for different technologies.\94\ The degree of specificity 
required for such an approach would necessitate successive rulemaking 
proceedings to amend or remove regulatory provisions as they are 
obsoleted by technological change.
---------------------------------------------------------------------------

    \94\ It should be noted that if an FMVSS were to include such 
requirements, the amount of time needed to develop and adopt the 
standard would likely be greater. Likewise, the need for periodic 
rulemakings to keep the standard up-to-date and avoid potentially 
adverse effects on the ability to introduce new hardware and 
software would also likely be greater.
---------------------------------------------------------------------------

    To avoid this problem, any FMVSS that might be developed for ADS 
could be drafted in a manner that minimizes the chances of creating new 
barriers to innovation. As the Department stated in ``AV 3.0'':

    Future motor vehicle safety standards will need to be more 
flexible and responsive, technology-neutral, and performance-
oriented to accommodate rapid technological innovation. They may 
incorporate simpler and more general requirements designed to 
validate that an ADS can safely navigate the real-world roadway 
environment, including unpredictable hazards, obstacles, and 
interactions with other vehicles and pedestrians who may not always 
adhere to the traffic laws or follow expected patterns of behavior. 
Existing standards assume that a vehicle may be driven anywhere, but 
future standards will need to take into account that the operational 
design domain (ODD) for a particular ADS within a vehicle is likely 
to be limited in some ways that may be unique to that system.\95\
---------------------------------------------------------------------------

    \95\ Page 7. Available at https://www.transportation.gov/sites/dot.gov/files/docs/policy-initiatives/automated-vehicles/320711/preparing-future-transportation-automated-vehicle-30.pdf.

    The likelihood of different ADS having entirely different sensors, 
systems, and even ODDs that are limited in entirely different ways 
introduces additional challenges to NHTSA's traditional approach to 
standard drafting. Generally, NHTSA establishes standards meeting the 
need for safety in applicable circumstances. When one ADS can operate 
only in a discrete set of conditions that varies almost entirely from 
the discrete set of conditions in which another ADS is capable of 
operating, establishing objective standards meeting the need for motor 
vehicle safety for all ADS becomes that much more challenging. 
Application of one specific or one series of prescriptive tests may not 
be feasible or practical for that wide an array of technology and 
operating limitations. Compounding this difficulty is the fact that a 
given ADS is likely to be updated over time--and ODD limitations that 
apply to a vehicle's ADS at the time of certification could be entirely 
different from the same vehicle's upgraded ODD limitations years later.

D. Timing and Phasing of FMVSS Development and Implementation

    As described above, issuing performance standards for ADS 
competency has been and remains premature because of the lack of 
technological maturity and the development work necessary to support 
developing performance standards. Since widespread deployment of ADS 
vehicles appears to be years away, NHTSA has the opportunity to decide 
carefully and strategically which aspects of ADS safety performance may 
require the most attention. By taking this deliberate approach, the 
Agency can perform the research and validation necessary to ensure that 
any standards developed to regulate those aspects of performance 
achieve their purpose without limiting the ability of manufacturers to 
develop and introduce further safety improvements and capabilities 
unnecessarily.
    Also important to this discussion of timing are the many challenges 
and aspects that NHTSA must overcome to implement some of the 
mechanisms described in this document. First, it has been NHTSA's 
practice to purchase vehicles independently to assess baseline and/or 
countermeasure performance when developing an FMVSS. Given the lack of 
ADS-equipped vehicles available for testing or any other purposes, the 
Agency would have difficulty verifying that a new standard would 
achieve its intended purpose without systems and vehicles to test.\96\ 
In recognition of and

[[Page 78073]]

in response to the difficulty, the Agency would be required to explore 
alternative avenues to validate the appropriateness of a proposed test 
procedure.
---------------------------------------------------------------------------

    \96\ NHTSA notes that the issue of unavailability for NHTSA 
testing could arise in other circumstances with traditional vehicles 
that may not be sold to the public. NHTSA independently and 
anonymously purchases vehicles for testing and cannot do so if those 
vehicles are not being sold to the public.
---------------------------------------------------------------------------

    Next, NHTSA expects a phased approach to regulation of those 
aspects of safety performance that may necessitate regulation, given 
limited agency resources and the constantly evolving technology and 
business models involved in ADS development. NHTSA would need to phase 
its responses in several ways. To avoid implementing ineffective or 
counterproductive measures, the Agency would need to set priorities and 
allocate its resources accordingly. NHTSA has already begun the process 
of providing oversight and guidance (including encouraging disclosure 
and highlighting key safety aspects the Agency finds relevant for all 
ADS developers), as described in previous sections. Further, where 
appropriate, the Agency has granted, and will continue to consider 
granting, exemptions from FMVSS to allow for limited deployment or 
research of in a manner that mitigates safety risk and advances agency 
technical knowledge. However, the question remains as to what the 
Agency should prioritize next in its goals of advancing the safety of 
ADS. Certain mechanisms would permit more expedited implementation, 
while others would require much research. Most of the mechanisms would 
face some of the practical hurdles related to the unavailability of ADS 
to test.
    NHTSA seeks comment on what next steps the Agency should take in 
the regulation of ADS, the timing of those steps, and whether any of 
the abovementioned steps are required for the development of an ADS-
specific FMVSS regime that achieves appropriate standards for highway 
safety while preserving incentives for innovation and accommodating 
improvements in technology.

E. Critical Factors Considered in Designing, Assessing, and Selecting 
Administrative Mechanisms

    To aid commenters in providing useful information to the Agency on 
the array of administrative mechanisms described above, NHTSA has set 
forth below a variety of critical factors that the Agency will weigh in 
exploring the strengths and weaknesses of those mechanisms.
     Consistent and Reliable Assurance of Safety--To the extent 
that the mechanisms provide flexibility in how manufacturers 
demonstrate safety, there should be criteria for assessing objectively 
whether the methods of each manufacturer should meet a common 
standardized level of rigor, including documentation, and a common 
standardized minimum level of safety.
     Technology Neutrality/Performance-Based--The Agency wants 
to ensure that any mechanism it uses does not pick winners and losers 
among available and anticipated technologies. By being highly 
performance or outcome oriented, the mechanisms will allow for 
innovation and minimize the necessity of having to be amended to permit 
the introduction of new technologies. Any new standards and regulations 
should be drafted, to the extent possible, in performance-oriented 
terms to give manufacturers broad choices among available technologies 
and flexibility to develop and introduce new technologies without the 
need first to seek amendments to those standards or exemptions.
     Predictability--In developing vehicles and ADS, 
manufacturers should be able to anticipate what types of performance 
outcomes they will need to make to demonstrate the safety of their 
products so that they can design their products accordingly.
     Transparency--To build public confidence and acceptance, 
the methods used by manufacturers to demonstrate the safety of their 
products should be made known and explained to the public.
     Efficiency--Given that there is neither enough time nor 
resources for the Agency to develop physical test procedures for all 
conceivable driving scenarios, an effort should be made to determine 
which physical tests have the greatest likelihood to minimize safety 
risk in an effective manner.
     Equity--All manufacturers should be treated fairly and 
equally in the Agency's assessing of the sufficiency of their safety 
showings. To that end, the mechanism(s) chosen by the Agency should 
provide some means to validate that each manufacturer's demonstration 
of safety meets or exceeds a common level of rigor and 
comprehensiveness and that each vehicle meets or exceeds a common 
minimum level of safety.
     Consistent with Market-Based Innovation--To ensure that 
innovation is recognized and valued, governmental actions should be 
consistent with market-based innovation, and ensure the Agency's 
actions facilitate and do not unnecessarily inhibit innovation to the 
extent possible.
     Resource Requirements--Return (measured in added safety) 
on investment (e.g., efficient use of available resources) is 
especially important in choosing mechanisms and in deciding which of 
the core elements of ADS safety performance the Agency should 
prioritize in exercising its safety oversight responsibilities.

V. Questions and Requests

A. Questions About a Safety Framework

     Question 1. Describe your conception of a Federal safety 
framework for ADS that encompasses the process and engineering measures 
described in this document and explain your rationale for its design.
     Question 2. In consideration of optimum use of NHTSA's 
resources, on which aspects of a manufacturer's comprehensive 
demonstration of the safety of its ADS should the Agency place a 
priority and focus its monitoring and safety oversight efforts and why?
     Question 3. How would your conception of such a framework 
ensure that manufacturers assess and assure each core element of safety 
effectively?
     Question 4. How would your framework assist NHTSA in 
engaging with ADS development in a manner that helps address safety, 
but without unnecessarily hampering innovation?
     Question 5. How could the Agency best assess whether each 
manufacturer had adequately demonstrated the extent of its ADS' ability 
to meet each prioritized element of safety?
     Question 6. Do you agree or disagree with the core 
elements (i.e., ``sensing,'' ``perception,'' ``planning'' and 
``control'') described in this document? Please explain why.
     Question 7. Can you suggest any other core element(s) that 
NHTSA should consider in developing a safety framework for ADS? Please 
provide the basis of your suggestion.
     Question 8. At this early point in the development of ADS, 
how should NHTSA determine whether regulation is actually needed versus 
theoretically desirable? Can it be done effectively at this early stage 
and would it yield a safety outcome outweighing the associated risk of 
delaying or distorting paths of technological development in ways that 
might result in forgone safety benefits and/or increased costs?
     Question 9. If NHTSA were to develop standards before an 
ADS-equipped vehicle or an ADS that the Agency could test is widely 
available, how could NHTSA validate the appropriateness of its 
standards? How would such a standard impact future ADS development and 
design? How would such standards be consistent with NHTSA's legal 
obligations?
     Question 10. Which safety standards would be considered 
the most

[[Page 78074]]

effective as improving safety and consumer confidence and should 
therefore be given priority over other possible standards? What about 
other administrative mechanisms available to NHTSA?
     Question 11. What rule-based and statistical methodologies 
are best suited for assessing the extent to which an ADS meets the core 
functions of ADS safety performance? Please explain the basis for your 
answers. Rule-based assessment involves the definition of a 
comprehensive set of rules that define precisely what it means to 
function safely, and which vehicles can be empirically tested against. 
Statistical approaches track the performance of vehicles over millions 
of miles of real-world operation and calculate their probability of 
safe operation as an extrapolation of their observed frequency of 
safety violations. If there are other types of methodologies that would 
be suitable, please identify and discuss them. Please explain the basis 
for your answers.
     Question 12. What types and quanta of evidence would be 
necessary for reliable demonstrations of the level of performance 
achieved for the core elements of ADS safety performance?
     Question 13. What types and amount of argumentation would 
be necessary for reliable and persuasive demonstrations of the level of 
performance achieved for the core functions of ADS safety performance?

B. Question About NHTSA Research

     Question 14. What additional research would best support 
the creation of a safety framework? In what sequence should the 
additional research be conducted and why? What tools are necessary to 
perform such research?

C. Questions About Administrative Mechanisms

     Question 15. Discuss the administrative mechanisms 
described in this document in terms of how well they meet the selection 
criteria in this document.
     Question 16. Of the administrative mechanisms described in 
this document, which single mechanism or combination of mechanisms 
would best enable the Agency to carry out its safety mission, and why? 
If you believe that any of the mechanisms described in this document 
should not be considered, please explain why.
     Question 17. Which mechanisms could be implemented in the 
near term or are the easiest and quickest to implement, and why?
     Question 18. Which mechanisms might not be implementable 
until the mid or long term but might be a logical next step to those 
mechanisms that could be implemented in the near term, and why?
     Question 19. What additional mechanisms should be 
considered, and why?
     Question 20. What are the pros and cons of incorporating 
the elements of the framework in new FMVSS or alternative compliance 
pathways?
     Question 21. Should NHTSA consider an alternative 
regulatory path, with a parallel path for compliance verification 
testing, that could allow for flexible demonstrations of competence 
with respect to the core functions of ADS safety performance? If so, 
what are the pros and cons of such alternative regulatory path? What 
are the pros and cons of an alternative pathway that would allow a 
vehicle to comply with either applicable FMVSS or with novel 
demonstrations, or a combination of both, as is appropriate for the 
vehicle design and its intended operation? Under what authority could 
such an approach be developed?

D. Questions About Statutory Authority

     Question 22. Discuss how each element of the framework 
would interact with NHTSA's rulemaking, enforcement, and other 
authority under the Vehicle Safety Act.
     Question 23. Discuss how each element of the framework 
would interact with Department of Transportation Rules concerning 
rulemaking, enforcement, and guidance.
     Question 25. If you believe that any of the administrative 
mechanisms described in this document falls outside the Agency's 
existing rulemaking or enforcement authority under the Vehicle Safety 
Act or Department of Transportation regulations, please explain the 
reasons for that belief.
     Question 24. If your comment supports the Agency taking 
actions that you believe may fall outside its existing rulemaking or 
enforcement authority, please explain your reasons for that belief and 
describe what additional authority might be needed.

VI. Preparation and Submission of Written Comments

How do I prepare and submit comments?

    Your comments must be written and in English. To ensure that your 
comments are filed in the correct docket, please include the docket 
number of this document in your comments.
    Please submit one copy (two copies if submitting by mail or hand 
delivery) of your comments, including the attachments, to the docket 
following the instructions given above under ADDRESSES. Please note, if 
you are submitting comments electronically as a PDF (Adobe) file, we 
ask that the documents submitted be scanned using an Optical Character 
Recognition (OCR) process, thus allowing NHTSA to search and copy 
certain portions of your submissions.

How do I submit confidential business information?

    If you wish to submit any information under a claim of 
confidentiality, you must submit three copies of your complete 
submission, including the information you claim to be confidential 
business information, to the Office of the Chief Counsel, NHTSA, at the 
address given above under FOR FURTHER INFORMATION CONTACT.
    In addition, you may submit a copy (two copies if submitting by 
mail or hand delivery) from which you have deleted the claimed 
confidential business information, to the docket by one of the methods 
given above under ADDRESSES. When you send a comment containing 
information claimed to be confidential business information, you should 
include a cover letter setting forth the information specified in 
NHTSA's confidential business information regulation (49 CFR part 512).

Will NHTSA consider late comments?

    NHTSA will consider all comments received before the close of 
business on the comment closing date indicated above under DATES. To 
the extent possible, NHTSA will also consider comments received after 
that date.

How can I read the comments submitted by other people?

    You may read the comments received at the address given above under 
ADDRESSES. The hours of the docket are indicated above in the same 
location. You may also read the comments on the internet, identified by 
the docket number at the heading of this document, at http://www.regulations.gov.
    Please note that, even after the comment closing date, NHTSA will 
continue to file relevant information in the docket as it becomes 
available. Further, some people may submit late comments. Accordingly, 
NHTSA recommends that you periodically check the docket for new 
material.

VII. Regulatory Notices

    This action has been determined to be significant under Executive 
Order 12866, as amended by Executive Order

[[Page 78075]]

13563, and DOT's Regulatory Policies and Procedures. It has been 
reviewed by the Office of Management and Budget under that Order. 
Executive Orders 12866 (Regulatory Planning and Review) and 13563 
(Improving Regulation and Regulatory Review) require agencies to 
regulate in the ``most cost-effective manner,'' to make a ``reasoned 
determination that the benefits of the intended regulation justify its 
costs,'' and to develop regulations that ``impose the least burden on 
society.'' In addition, Executive Orders 12866 and 13563 require 
agencies to provide a meaningful opportunity for public participation. 
Accordingly, we have asked commenters to answer a variety of questions 
to elicit practical information about alternative approaches and 
relevant technical data. These comments will help the Department 
evaluate whether a proposed rulemaking is needed and appropriate. This 
action is not subject to the requirements of E.O. 13771 (82 FR 9339, 
February 3, 2017) because it is an advance notice of proposed 
rulemaking.

    Authority: 49 U.S.C. 30101 et seq., 49 U.S.C. 30182.

    Issued in Washington, DC, under authority delegated in 49 CFR 
1.95 and 501.5.
James C. Owens,
Deputy Administrator.
[FR Doc. 2020-25930 Filed 12-2-20; 8:45 am]
BILLING CODE 4910-59-P




The Crittenden Automotive Library