[Federal Register Volume 81, Number 63 (Friday, April 1, 2016)]
[Notices]
[Pages 18935-18939]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2016-07353]
-----------------------------------------------------------------------
DEPARTMENT OF TRANSPORTATION
National Highway Traffic Safety Administration
[Docket No. NHTSA-2016-0040]
Request for Public Comments on NHTSA Enforcement Guidance
Bulletin 2016-02: Safety-Related Defects and Emerging Automotive
Technologies
AGENCY: National Highway Traffic Safety Administration (NHTSA),
Department of Transportation.
ACTION: Request for public comments.
-----------------------------------------------------------------------
SUMMARY: Automotive technology is at a moment of rapid change and may
evolve farther in the next decade than in the previous 45-plus year
history of the Agency. As the world moves toward autonomous vehicles
and innovative mobility solutions, NHTSA is interested in facilitating
the rapid advance of technologies that will promote safety. NHTSA is
commanded by Congress to protect the safety of the driving public
against unreasonable risks of harm that may occur because of the
design, construction, or performance of a motor vehicle or motor
vehicle equipment, and mitigate risks of harm, including risks that may
be emerging or contingent. As NHTSA always has done when evaluating new
technologies and solutions, we will be guided by our statutory mission,
the laws we are obligated to enforce, and the benefits of the emerging
technologies appearing on America's roadways.
NHTSA has broad enforcement authority, under existing statutes and
regulations, to address existing and emerging automotive technologies.
This proposed Enforcement Guidance Bulletin sets forth NHTSA's current
views on emerging automotive technologies--including its view that when
vulnerabilities of such technology or equipment pose an unreasonable
risk to safety, those vulnerabilities constitute a safety-related
defect--and suggests guiding principles and best practices for motor
vehicle and equipment manufacturers in this context. This notice
solicits comments from the public, motor vehicle and equipment
manufacturers, and other interested
parties concerning the proposed guidance for motor vehicle and
equipment manufacturers in developing and implementing new and emerging
automotive technologies, safety compliance programs, and other business
practices in connection with such technologies.
DATES: Comments must be received on or before May 2, 2016.
ADDRESSES: You may submit comments by any of the following methods:
Internet: Go to http://www.regulations.gov and follow the
online instructions for submitting comments.
Mail: Docket Management Facility, M-30, U.S. Department of
Transportation, 1200 New Jersey Avenue SE., West Building, Room W12-
140, Washington, DC 20590.
Hand Delivery or Courier: U.S. Department of
Transportation, 1200 New Jersey Avenue SE., West Building, Room W12-
140, Washington, DC 20590 between 9 a.m. and 5 p.m. Eastern Time,
Monday through Friday, except Federal holidays.
Facsimile: (202) 493-2251.
Regardless of how you submit your comments, please mention the
docket number of this document.
You may also call the Docket at (202) 366-9322.
Instructions: All comments received must include the Agency name
and docket ID. Please submit your comments by only one means.
Regardless of the method used for submitting comments, all submissions
will be posted without change to http://www.regulations.gov, including
any personal information provided. Thus, submitting such information
makes it public. You may wish to read the Privacy Act notice, which can
be viewed by clicking on the ``Privacy and Security Notice'' link in
the footer of http://www.regulations.gov.
FOR FURTHER INFORMATION CONTACT: Justine Casselle, Office of the Chief
Counsel, National Highway Traffic Safety Administration, or Elizabeth
Mykytiuk, Office of the Chief Counsel, National Highway Traffic Safety
Administration, at (202) 366-2992.
SUPPLEMENTARY INFORMATION:
I. Executive Summary
II. Legal and Policy Background
A. NHTSA's Enforcement Authority Under the Safety Act
B. Determining the Existence of a Defect
C. Determining an Unreasonable Risk to Safety
III. Guidance and Recommended Best Practices: Safety-Related
Defects, Unreasonable Risk, and Emerging Technologies
I. Executive Summary
Recent and continuing advances in automotive technology have great
potential to generate significant safety benefits. Today's motor
vehicles are increasingly equipped with electronics, sensors, and
computing power that enable the deployment of safety technologies and
functions, such as forward-collision warning, automatic-emergency
braking, and lane keeping assist, which dramatically enhance safety.
New technologies may not only prevent drivers from crashing, but may
even do some or all of the driving for them. The safety implications of
such emerging technologies are vast. Importantly, as these technologies
become more widespread, manufacturers must ensure their safe
development and implementation.
To facilitate automotive safety innovation, to aid in the
successful development and deployment of emerging automotive
technologies, and to protect the public from potential flaws or threats
associated with emerging automotive technologies, NHTSA is publishing,
for guidance and informational purposes, this Enforcement Guidance
Bulletin setting forth the Agency's current view of its enforcement
authority and principles guiding its exercise of that authority. This
includes guiding principles and best practices for use by motor vehicle
and equipment manufacturers. NHTSA is not establishing a binding set of
rules, nor is the Agency suggesting that one particular set of
practices applies in all situations. The Agency recognizes that best
practices vary depending on circumstances, and manufacturers remain
free to choose the solution that best fits their needs and the demands
of automotive safety. However, to address safety concerns associated
with emerging technologies in a comprehensive way, and to advise
regulated entities of the Agency's present views of certain enforcement
subjects and issues, NHTSA submits this proposed Enforcement Guidance
Bulletin for public comment. Based on the Agency's review and analysis
of that input, it will develop and issue a final ``Enforcement Guidance
Bulletin'' on this topic.
II. Legal and Policy Background
A. NHTSA's Enforcement Authority Under the Safety Act
The National Traffic and Motor Vehicle Safety Act, as amended
(``Safety Act''), 49 U.S.C. 30101 et seq., provides the basis and
framework for NHTSA's enforcement authority over motor vehicle and
motor vehicle equipment defects and noncompliances with federal motor
vehicle safety standards (FMVSS). This authority includes
investigations, administrative proceedings, civil penalties, and civil
enforcement actions. While automation and other advanced technologies
may modify motor vehicle and equipment design, NHTSA's statutory
enforcement authority is general and flexible, which allows it to keep
pace with innovation. The Agency has the authority to respond to a
safety problem posed by new technologies in the same manner it has
responded to safety problems posed by more established automotive
technology and equipment, such as carburetors, the powertrain, vehicle
control systems, and forward collision warning systems--by determining
the existence of a defect that poses an unreasonable risk to motor
vehicle safety and ordering the manufacturer to conduct a recall. See
49 U.S.C. 30118(b). This enforcement authority applies notwithstanding
the presence or absence of an FMVSS for any particular type of advanced
technology. See, e.g., United States v. Chrysler Corp., 158 F.3d 1350,
1351 (D.C. Cir. 1998) (NHTSA ``may seek the recall of a motor vehicle
either when a vehicle has `a defect related to motor vehicle safety' or
when a vehicle `does not comply with an applicable motor vehicle safety
standard.' '').\1\
---------------------------------------------------------------------------
\1\ A manufacturer's obligation to recall motor vehicles and
motor vehicle equipment determined to have a safety-related defect
is separate and distinct from its obligation to recall motor
vehicles and motor vehicle equipment that fail to comply with an
applicable FMVSS. See 49 U.S.C. 30120.
---------------------------------------------------------------------------
Under the Safety Act, NHTSA has authority over motor vehicles,
equipment included in or on a motor vehicle at the time of delivery to
the first purchaser (i.e., original equipment), and motor vehicle
replacement equipment. See 49 U.S.C. 30102(a)-(b). Motor vehicle
equipment is broadly defined to include ``any system, part, or
component of a motor vehicle as originally manufactured'' and ``any
similar part or component manufactured or sold for replacement or
improvement of a system, part, or component.'' 49 U.S.C.
30102(a)(7)(A)-(B). The Safety Act also gives NHTSA jurisdiction over
after-market improvements, accessories, or additions to motor vehicles.
See 49 U.S.C. 30102(a)(7)(B). All devices ``manufactured, sold,
delivered, or offered to be sold for use on public streets, roads, and
highways with the apparent purpose of safeguarding users of motor
vehicles against risk of accident, injury, or death'' are similarly
subject to NHTSA's enforcement authority. 49 U.S.C. 30102(a)(7)(C).
With respect to new and emerging technologies, NHTSA considers
automated vehicle technologies, systems, and equipment to be motor
vehicle equipment, whether they are offered to the public as part of a
new motor vehicle (as original equipment) or as an after-market
replacement(s) of or improvement(s) to original equipment. NHTSA also
considers software (including, but not necessarily limited to, the
programs, instructions, code, and data used to operate computers and
related devices), and after-market software updates, to be motor
vehicle equipment within the meaning of the Safety Act. Software that
enables devices not located in or on the motor vehicle to connect to
the motor vehicle or its systems could, in some circumstances, also be
considered motor vehicle equipment. Accordingly, a manufacturer of new
and emerging vehicle technologies and equipment, whether it is the
supplier of the equipment or the manufacturer of a motor vehicle on
which the equipment is installed, has an obligation to notify NHTSA of
any and all safety-related defects. See 49 CFR part 573. Any
manufacturer or supplier that fails to do so may be subject to civil
penalties. See 49 U.S.C. 30165(a).
NHTSA is charged with reducing deaths, injuries, and economic
losses resulting from motor vehicle crashes. See 49 U.S.C. 30101. Part
of that mandate includes ensuring that motor vehicles and motor vehicle
equipment, including new technologies, perform in ways that ``protect[]
the public against unreasonable risk of accidents occurring because of
the design, construction, or performance of a motor vehicle, and
against unreasonable risk of death or injury in an accident.'' 49
U.S.C. 30102(a)(8). This responsibility also includes the
nonoperational safety of a motor vehicle. Id. In pursuit of these
safety objectives, and in the absence of adequate action by the
manufacturer, NHTSA is authorized to determine that a motor vehicle or
motor vehicle equipment is defective and that the defect poses an
unreasonable risk to safety. See 49 U.S.C. 30118(b) and (c)(1).
B. Determining the Existence of a Defect
Under the Safety Act, a ``defect'' includes ``any defect in
performance, construction, a component, or material of a motor vehicle
or motor vehicle equipment.'' 49 U.S.C. 30102(a)(2). It also includes a
defect in design. See United States v. General Motors Corp., 518 F.2d
420, 436 (D.C. Cir. 1975) (``Wheels''). A defect in an item of motor
vehicle equipment (including hardware, software and other electronic
systems) may be considered a defect of the motor vehicle itself. See 49
U.S.C. 30102(b)(1)(F).
Congress intended the Safety Act to represent a ``commonsense''
approach to safety and courts have followed that approach in
determining what constitutes a ``defect.'' Wheels, 518 F.2d at 436.
Accord Center for Auto Safety, Inc. v. National Highway Traffic Safety
Administration, 342 F. Supp. 2d 1, 15 (D.D.C. 2004); Clarke v. TRW,
Inc., 921 F. Supp. 927, 934 (N.D.N.Y. 1996). For this reason, a defect
determination does not require an engineering explanation or root
cause, but instead ``may be based exclusively on the performance record
of the component.'' Wheels, 518 F.2d at 432 (``[A] determination of a
`defect' does not require any predicate of a finding identifying
engineering, metallurgical, or manufacturing failures.''). Thus, a
motor vehicle or item of equipment contains a defect if it is subject
to a significant number of failures in normal operation, ``including
those failures occurring during `specified use' or resulting from
predictable abuse, but not including those resulting from normal
deterioration due to age and wear.'' \2\ Center for Auto Safety, 342
F.2d at 13-14 (citing Wheels, 518 F.2d at 427).
---------------------------------------------------------------------------
\2\ ``The protection afforded by the [Safety] Act was not
limited to careful drivers who fastidiously observed speed limits
and conscientiously complied with manufacturer's instructions on
vehicle maintenance and operation . . . . [the statute provides] an
added area of safety to an owner who is lackadaisical, who neglects
regular maintenance . . .'' Wheels, 518 F.2d at 434.
---------------------------------------------------------------------------
A ``significant number of failures'' is merely a ``non-de minimis''
quantity; it need not be a ``substantial percentage of the total.''
Wheels, 518 F.2d at 438 n.84. Whether there have been a ``significant
number of failures'' is a fact-specific inquiry that includes
considerations such as: The failure rate of the component in question;
the failure rates of comparable components; and the importance of the
component to the safe operation of the vehicle. Id. at 427. In
addition, where appropriate, the determination of the existence of a
defect may depend upon the failure rate in the affected class of
vehicles compared to that of other peer vehicles. See United States v.
Gen. Motors Corp., 841 F.2d 400, 412 (D.C. Cir. 1988) (``X-Cars'').
Finally, to constitute a defect, the failures must be attributable to
the motor vehicle or equipment itself, rather than the driver or the
road conditions. See id.
It must be noted, however, that in some circumstances, a crash,
injury, or death need not occur in order for a vulnerability or safety
risk to be considered a defect. The Agency relies on the performance
record of a vehicle or component in making a defect determination where
the engineering or root cause is unknown. See Wheels, 518 F.2d at 432.
Where, however, the engineering or root cause is known, the Agency need
not proceed with analyzing the performance record. See id.; see also
United States v. Gen. Motors Corp., 565 F.2d 754, 758 (D.C. Cir. 1977)
(``Carburetors'') (finding a defect to be safety-related if it
``results in hazards as potentially dangerous as sudden engine fire,
and where there is no dispute that at least some such hazards . . . can
definitely be expected to occur in the future.''). For software or
other electronic systems, for example, when the engineering or root
cause of the vulnerability or risk is known, a defect exists regardless
of whether there have been any actual failures.
C. Determining an Unreasonable Risk to Safety
In order to support a recall, a defect must be related to motor
vehicle safety. United States v. General Motors Corp., 561 F.2d 923,
928-29 (D.C. Cir. 1977) (``Pitman Arms''). In the context of the Safety
Act, ``motor vehicle safety'' refers to an ``unreasonable risk of
accidents'' and an ``unreasonable risk of death or injury in an
accident.'' 49 U.S.C. 30102(a)(8). Thus, while the defect analysis has
generally entailed a retrospective look at how many failures have
occurred (see Wheels, Center for Auto Safety, and Pitman Arms), the
safety-relatedness question is forward-looking, and concerns the
hazards that may arise in the future. See, e.g., Carburetors, 565 F.2d
at 758.
In general, for a defect to present an ``unreasonable risk,'' there
must be a likelihood that it will cause or be associated with a ``non-
negligible'' number of crashes, injuries, or deaths in the future. See,
e.g., Carburetors, 565 F.2d at 759. This prediction of future hazards
is called a ``risk analysis.'' See, e.g., Pitman Arms, 561 F.2d at 924
(Leventhal, J., dissenting) (``GM presented a `risk analysis' which
predicts the likely number of future injuries or deaths to be expected
in the remaining service life of the affected models''). A forward-
looking risk analysis is compelled by the purpose of the Safety Act,
which ``is not to protect individuals from the risks associated with
defective vehicles only after serious injuries have already occurred;
it is to prevent serious injuries stemming from established defects
before they occur.'' Carburetors, 565 F.2d at 759 (emphasis added).
If the hazard is sufficiently serious, and at least some harm,
however small, is expected to occur in the future, the risk may be
deemed unreasonable. Carburetors, 565 F.2d at 759 (``In the context of
this case . . . even an `exceedingly small' number of injuries from
this admittedly defective and clearly dangerous carburetor appears to
us `unreasonably large.' ''). In other words, where a defect presents a
``clearly'' or ``potentially dangerous'' hazard, and where ``at least
some such hazards''--even an ``exceedingly small'' number--will occur
in the future, that defect is necessarily safety-related. See
Carburetors, 565 F.2d 754. This is so regardless of whether any
injuries have already occurred, or whether the projected number of
failures/injuries in the future is trending down. See id. at 759.
Moreover, a defect may be considered ``per se'' safety-related if it
causes the failure of a critical component; causes a vehicle fire;
causes a loss of vehicle control; or suddenly moves the driver away
from steering, accelerator, and brake controls--regardless of how many
injuries or accidents are likely to occur in the future. See
Carburetors, 565 F.2d 754 (engine fires); Pitman Arms, 561 F.2d 923
(loss of control); United States v. Ford Motor Co., 453 F. Supp. 1240
(D.D.C. 1978) (``Wipers'') (loss of visibility); United States v. Ford
Motor Co., 421 F. Supp. 1239, 1243-1244 (D.D.C. 1976) (``Seatbacks'')
(loss of control). Similarly, where it is alleged that a defect ``is
systematic and is prevalent in a particular class [of motor vehicles or
equipment], . . . this is prima facie an unreasonable risk.'' Pitman
Arms, 561 F.2d at 929.
III. Guidance and Recommended Best Practices: Safety-Related Defects,
Unreasonable Risk, and Emerging Technologies
Consistent with the foregoing background, NHTSA's enforcement
authority concerning safety-related defects in motor vehicles and
equipment extends and applies equally to new and emerging automotive
technologies. This includes, for example, automation technology and
equipment, as well as advanced crash avoidance technologies. Where an
autonomous vehicle or other emerging automotive technology causes
crashes or injuries, or has a manifested safety-related failure or
defect, and a manufacturer fails to act, NHTSA will exercise its
enforcement authority to the fullest extent. Similarly, should the
Agency determine that an autonomous vehicle or other new automotive
technology presents a safety concern, the Agency will evaluate such
technology through its investigative authority to determine whether the
technology presents an unreasonable risk to safety.
To avoid violating Safety Act requirements and standards,
manufacturers of emerging technology and the motor vehicles on which
such technology is installed are strongly encouraged to take steps to
proactively identify and resolve safety concerns before their products
are available for use on public roadways. The Agency recognizes that
much emerging automotive technology heavily involves electronic systems
(such as hardware, software, sensors, global positioning systems (GPS)
and vehicle-to-vehicle (V2V) safety communications systems). The Agency
acknowledges that the increased use of electronic systems in motor
vehicles and equipment may raise new and different safety concerns.
However, the complexities of these systems do not diminish
manufacturers' duties under the Safety Act--both motor vehicle
manufacturers and equipment manufacturers remain responsible for
ensuring that their vehicles or equipment are free of safety-related
defects or noncompliances, and do not otherwise pose an unreasonable
risk to safety. Manufacturers are also reminded that they remain
responsible for promptly reporting to NHTSA any safety-related defects
or noncompliances, as well as timely notifying owners and dealers of
the same.
In assessing whether a motor vehicle or piece of motor vehicle
equipment poses an unreasonable risk to safety, NHTSA considers the
likelihood of the occurrence of a harm (i.e., fire, stalling, or
malicious cybersecurity attack), the potential frequency of a harm, the
severity of a harm, known engineering or root cause, and other relevant
factors. Where a threatened harm is substantial, low potential
frequency may not carry as much weight in NHTSA's analysis.
Software installed in or on a motor vehicle--which is motor vehicle
equipment--presents its own unique safety risks. Because software often
interacts with a motor vehicle's critical safety systems (i.e., systems
encompassing critical control functions such as braking, steering, or
acceleration) the operation of those systems could be substantially
altered by after-market software updates. Additionally, software
located outside the motor vehicle (i.e., portable devices with vehicle-
related software applications) could be used to affect and control a
motor vehicle's safety systems. If software has manifested a safety-
related performance failure, or otherwise presents an unreasonable risk
to safety, then the software failure or safety-risk constitutes a
defect compelling a recall.
In the case of cybersecurity vulnerabilities, NHTSA will weigh
several factors in determining whether a vulnerability poses an
unreasonable risk to safety (and thus constitutes a safety-related
defect), including: (i) The amount of time elapsed since the
vulnerability was discovered (e.g., less than one day, three months, or
more than six months); (ii) the level of expertise needed to exploit
the vulnerability (e.g., whether a layman can exploit the vulnerability
or whether it takes experts to do so); (iii) the accessibility of
knowledge of the underlying system (e.g., whether how the system works
is public knowledge or whether it is sensitive and restricted); (iv)
the necessary window of opportunity to exploit the vulnerability (e.g.,
an unlimited window or a very narrow window); and, (v) the level of
equipment needed to exploit the vulnerability (e.g., standard or highly
specialized).
NHTSA uses those factors, and others, to help assess the overall
probability of a malicious cybersecurity attack. The probability of an
attack includes circumstances in which a vulnerability has been
identified, but no actual incidents have been documented or confirmed.
Confirmed field incidents may increase the weight NHTSA places on the
probability of an attack in its assessment. Even before evidence of an
attack, it is foreseeable that hackers will try to exploit
cybersecurity vulnerabilities. For instance, if a cybersecurity
vulnerability in any of a motor vehicle's entry points (e.g., Wi-Fi,
infotainment systems, the OBD-II port) allows remote access to a motor
vehicle's critical safety systems (i.e., systems encompassing critical
control functions such as braking, steering, or acceleration), NHTSA
may consider such a vulnerability to be a safety-related defect
compelling a recall.
Manufacturers should consider adopting a life-cycle approach to
safety risks when developing automated vehicles, other innovative
automotive technologies, and safety compliance programs and other
business practices in connection with such technologies. A life-cycle
approach would include ``elements of assessment, design,
implementation, and operations as well as an effective testing and
certification program.'' National Highway Traffic Safety
Administration, A Summary of Cybersecurity Best Practices, (Oct. 2014),
http://www.nhtsa.gov/DOT/NHTSA/NVS/Crash%20Avoidance/Technical%20Publications/2014/812075_CybersecurityBestPractices.pdf.
Considering hardware, software,
and network and cloud security, manufacturers should consider
developing a simulator, using case scenarios and threat modeling on all
systems, sub-systems, and devices, to test for safety risks, including
cybersecurity vulnerabilities, at all steps in the manufacturing
process for the entire supply chain, to implement an effective risk
mitigation plan. See id.
Manufacturers of emerging technologies and the motor vehicles on
which such technology is installed have a continuing obligation to
proactively identify safety concerns and mitigate the risks of harm. If
a manufacturer discovers or is otherwise made aware of any defects,
noncompliances, or other unreasonable risks to safety after the vehicle
and/or technology has been in safe operation for some time, then it
should strongly consider promptly contacting the appropriate NHTSA
personnel to determine the necessary next steps. Where a manufacturer
fails to adequately address a safety concern, NHTSA, when appropriate,
will explicitly address that concern through its enforcement authority.
Applicability/Legal Statement: This proposed Enforcement Guidance
Bulletin sets forth NHTSA's current views on the topic of emerging
automotive technology and suggests guiding principles and best
practices to be utilized by motor vehicle and equipment manufacturers
in this context. This proposed Bulletin is not a final agency action
and is intended as guidance only. This proposed Bulletin does not have
the force or effect of law. This Bulletin is not intended, nor can it
be relied upon, to create any rights enforceable by any party against
NHTSA, the U.S. Department of Transportation, or the United States.
These recommended practices do not establish any defense to any
violations of the Safety Act, or regulations thereunder, or violation
of any statutes or regulations that NHTSA administers. This Bulletin
may be revised in writing without notice to reflect changes in the
Agency's views and analysis, or to clarify and update text.
Authority: 49 U.S.C. 30101-30103, 30116-30121, 30166; delegation
of authority at 49 CFR 1.95 and 49 CFR 501.8.
Issued in Washington, DC, on March 25, 2016 under authority
delegated pursuant to 49 CFR 1.95.
Paul A. Hemmersbaugh,
Chief Counsel.
[FR Doc. 2016-07353 Filed 3-29-16; 4:15 pm]