2016-23010. NHTSA Enforcement Guidance Bulletin 2016-02: Safety-Related Defects and Automated Safety Technologies
AGENCY:
National Highway Traffic Safety Administration (NHTSA), Department of Transportation.
ACTION:
Final notice.
SUMMARY:
Automotive technology is at a moment of rapid change and may evolve farther in the next decade than in the previous 45-plus year history of the Agency. As the automobile industry moves toward fully automated (self-driving) vehicles and other innovative mobility solutions, NHTSA seeks to facilitate the advance of automated technologies that currently present safety improvements and that, in the future, are likely to improve safety and decrease the number of crashes, traffic fatalities, and serious injuries on U.S. roadways. NHTSA is commanded by Congress to protect the safety of the driving public against unreasonable risks of harm that may occur because of the design, construction, or performance of a motor vehicle or motor vehicle equipment, and to mitigate risks of harm, including risks that may be emerging or contingent. As NHTSA has always done when evaluating new vehicle technologies, the Agency will be guided by its statutory mission, the laws it is obligated to enforce, and the benefits of the emerging automated safety technologies appearing on U.S. roadways.
NHTSA has broad enforcement authority under existing statutes and regulations to address existing and emerging automated safety technologies. This Enforcement Guidance Bulletin sets forth NHTSA's current views on its enforcement authority—including its view that when vulnerabilities in automated safety technology or equipment pose an unreasonable risk to safety, those vulnerabilities constitute a safety-related defect—and suggests guiding principles and best practices for motor vehicle and equipment manufacturers in this context.
FOR FURTHER INFORMATION CONTACT:
Justine Casselle or Elizabeth Mykytiuk, Office of the Chief Counsel, National Highway Traffic Safety Administration, at (202) 366-2992.
SUPPLEMENTARY INFORMATION:
I. Executive Summary
II. Legal and Policy Background
A. NHTSA's Enforcement Authority Under the Safety Act
B. Determining the Existence of a Defect
C. Determining an Unreasonable Risk to Safety
III. Guidance and Recommended Best Practices: Safety-Related Defects, Unreasonable Risk, and Automated Safety Technologies
I. Executive Summary
Recent and continuing advances in automotive technology have great potential to generate significant safety benefits. Today's motor vehicles are increasingly equipped with electronics, sensors, and computing power that enable automated safety technologies, including technologies such as forward-collision warning, automatic-emergency braking, and lane-keeping assist, which have the potential to dramatically enhance safety. New technologies may not only prevent drivers from crashing, but may even do some or all of the driving for them. The potential safety implications of such technologies are vast. Importantly, as these technologies become more widespread, manufacturers must ensure their safe development and implementation.
On April 1, 2016, NHTSA published a proposed Enforcement Guidance Bulletin setting forth an overview of the Agency's enforcement authority under the Safety Act and its present views on certain enforcement subjects and issues. See Docket No. NHTSA-2016-0040. Recognizing the public interest in this topic and the safety concerns associated with automated safety technologies, the Agency solicited public comment before issuing a final Enforcement Guidance Bulletin. In response to the request for comment, the Agency received thirty-five (35) public submissions. Although some comments were submitted after the stated closing date of May 2, 2016, all comments submitted to the docket were considered in formulating this final Guidance.
In response to various comments suggesting that NHTSA give additional review to issues associated with certain software and cybersecurity, the Agency has decided to focus this Guidance solely on how its enforcement authority relates to automated safety technologies, including fully automated (self-driving) vehicles. Thus, comments related to cybersecurity will be addressed in future interpretations and guidance. However, this does not mean that cybersecurity is outside of NHTSA's authority. Manufacturers of motor vehicles and motor vehicle equipment must continue to follow the requirements of the Safety Act, including those related to cybersecurity.
The Agency received twenty-eight (28) comments that specifically addressed automated safety technologies from a wide variety of stakeholders and members of the public. Many commenters supported the proposed Enforcement Guidance Bulletin, noting that it adequately explained NHTSA's existing authority and how that authority extends to automated safety technologies. Some commenters opined that guidance should not be viewed as a substitute for traditional rulemaking or the establishment of performance standards. One commenter suggested that manufacturers be required to engage in constant monitoring and reporting, due to the possibility of certain systems showing no outward sign of a defect and the increased possibility of defects resulting from two systems failing to correctly interact. Another suggested replacement of NHTSA's existing enforcement model with a more flexible approach after implementing new standards. None of the alternative approaches described in this paragraph are foreclosed by this Guidance. NHTSA remains open to consideration of those and other options.
Traditionally, only after new technology is developed and proven does the Agency establish new safety standards. This approach has yielded enormous safety benefits, but one limitation of this approach is that it takes time. Strong safety regulations and standards are a vital piece of NHTSA's safety mission and the Agency will engage in rulemaking related to automated safety technologies in the future. This Guidance serves in part as a reminder that even before such rulemaking occurs, NHTSA currently has enforcement authority to address safety risks as they arise.
A number of commenters urged the Agency, when developing guidance and regulations, to not provide immunity to manufacturers for the consequences of failures of automated safety technologies simply because a manufacturer introduces them to the U.S. public. This Guidance is limited to setting forth an overview of NHTSA's enforcement authority over automated safety technologies and, therefore, is not intended to provide such legal immunity.
Other commenters suggested that while automated safety technologies may facilitate increased safety, manufacturers should ensure that over the lifespan of the vehicle such technologies themselves do not create unreasonable risks to safety due to predictable abuse or impractical recalibration requirements. The Agency agrees. Unreasonable risks due to predictable abuse or impractical recalibration requirements may constitute safety-related defects. See United States v. Gen. Motors Corp., 518 F.2d 420, 427 (D.C. Cir. 1975) (“Wheels”). Manufacturers have a continuing obligation to proactively identify and mitigate such safety risks. This includes safety risks discovered after the vehicle and/or equipment has been in safe operation.
Finally, some commenters suggested that the Agency had misinterpreted its authority over certain motor vehicle equipment. Some further questioned whether software and certain devices constitute motor vehicle equipment.
NHTSA's authority over motor vehicle equipment, in its many forms, is expressed unequivocally in the Safety Act. Because some non-traditional motor vehicle equipment manufacturers may not fully recognize their responsibilities under the Safety Act, this Guidance aims to increase awareness of NHTSA's enforcement authority over motor vehicle equipment in all of its various forms.[1] This Guidance is not an attempt to alter the relationship between motor vehicle and equipment manufacturers and their suppliers, or their respective responsibilities under the Safety Act. However, manufacturers and suppliers at all levels should be aware of their respective Safety Act obligations.
NHTSA acknowledges the complexity of this evolving landscape. Nonetheless, NHTSA has been charged by Congress to protect the safety of the driving public against unreasonable risks of harm that may arise because of the design, construction, or performance of a motor vehicle or motor vehicle equipment. To fulfill that responsibility and accomplish its mission, the Agency must take steps to mitigate risks of harm, including risks that may result from automated safety technologies. This Guidance lays out a high-level overview of NHTSA's enforcement authority to evaluate and address safety risks of motor vehicle technologies. To the extent the Agency may need additional expertise to adequately evaluate such safety risks, NHTSA will take the necessary steps (as it has in the past) to meet those needs.
Based on the Agency's consideration of all comments submitted in this proceeding; to aid in the successful development and deployment of automated safety technologies; to protect the public from potential defects associated with automated safety technologies that pose an unreasonable risk to safety; and as informed by the Agency's judgment and expertise, NHTSA now publishes this Enforcement Guidance Bulletin setting forth the Agency's current view of its enforcement authority and principles guiding its exercise of that authority. This includes guiding principles and best practices for use by motor vehicle and equipment manufacturers. NHTSA is not here establishing a binding set of rules, nor is the Agency suggesting that one particular set of practices applies in all situations. The Agency recognizes that best practices may vary depending on circumstances, and manufacturers remain free to choose the solution that best fits their needs while satisfying the demands of automotive safety.
II. Legal and Policy Background
A. NHTSA's Enforcement Authority Under the Safety Act
The National Traffic and Motor Vehicle Safety Act, as amended (“Safety Act”), 49 U.S.C. 30101 et seq., provides the basis and framework for NHTSA's enforcement authority over motor vehicle and motor vehicle equipment defects and noncompliances with federal motor vehicle safety standards (FMVSS). This authority includes investigations, administrative proceedings, civil penalties, and other civil enforcement actions. While fully automated (self-driving) vehicles and other automated safety technologies may modify motor vehicle and equipment design, NHTSA's statutory enforcement authority is sufficiently general and flexible to keep pace with such innovation. The Agency has the authority to respond to a safety problem posed by new technologies in the same manner it is able to respond to safety problems posed by more established automotive technology and equipment, such as carburetors, the powertrain, vehicle control systems, and forward collision warning systems—by determining the existence of a defect that poses an unreasonable risk to motor vehicle safety and ordering the manufacturer to conduct a recall. See 49 U.S.C. 30118(b). This enforcement authority applies notwithstanding the presence or absence of an FMVSS for any particular type of advanced equipment or technology. See, e.g., United States v. Chrysler Corp., 158 F.3d 1350, 1351 (D.C. Cir. 1998) (NHTSA “may seek the recall of a motor vehicle either when a vehicle has `a defect related to motor vehicle safety' or when a vehicle `does not comply with an applicable motor vehicle safety standard.' ”).[2]
Under the Safety Act, NHTSA has authority over motor vehicles, equipment included in or on a motor vehicle at the time of delivery to the first purchaser (i.e., original equipment), and motor vehicle replacement equipment. See 49 U.S.C. 30102(a)-(b). Motor vehicle equipment is broadly defined to include “any system, part, or component of a motor vehicle as originally manufactured” and “any similar part or component manufactured or sold for replacement or improvement of a system, part, or component.” 49 U.S.C. 30102(a)(7)(A)-(B). The Safety Act also gives NHTSA jurisdiction over after-market improvements, accessories, or additions to motor vehicles. See 49 U.S.C. 30102(a)(7)(B). All devices “manufactured, sold, delivered, or offered to be sold for use on public streets, roads, and highways with the apparent purpose of safeguarding users of motor vehicles against risk of accident, injury, or death” are similarly subject to NHTSA's enforcement authority. 49 U.S.C. 30102(a)(7)(C).
With respect to current and emerging automated motor vehicle safety technologies, NHTSA considers such technologies (including systems and equipment) to be motor vehicle equipment, whether they are offered to the public as part of a new motor vehicle (as original equipment) or as an after-market replacement(s) of or improvement(s) to original equipment. NHTSA also considers software (including, but not necessarily limited to, the programs, instructions, code, and data used to operate computers and related devices), and after-market software updates, to be motor vehicle equipment within the meaning of the Safety Act. Software that enables devices not located in or on the motor vehicle to connect to the motor vehicle or its systems could, in some circumstances, also be considered motor vehicle equipment. Accordingly, a manufacturer of current and emerging automated safety technologies, whether it is the supplier of the equipment or the manufacturer of a motor vehicle on which the equipment is installed, has an obligation to notify NHTSA of any and all safety-related defects. See 49 CFR part 573. Any manufacturer or supplier that fails to do so may be subject to civil penalties. See 49 U.S.C. 30165(a).
NHTSA is charged with reducing deaths, injuries, and economic losses resulting from motor vehicle crashes. See 49 U.S.C. 30101. Part of that mandate includes ensuring that motor vehicles and motor vehicle equipment, including automated safety technologies, perform in ways that “protect[] the public against unreasonable risk of accidents occurring because of the design, construction, or performance of a motor vehicle, and against unreasonable risk of death or injury in an accident.” 49 U.S.C. 30102(a)(8). This responsibility also includes the nonoperational safety of a motor vehicle. Id. In pursuit of these safety objectives, and in the absence of adequate action by the manufacturer, NHTSA is authorized to determine that a motor vehicle or motor vehicle equipment is defective and that the defect poses an unreasonable risk to safety. See 49 U.S.C. 30118(b) and (c)(1).
B. Determining the Existence of a Defect
Under the Safety Act, a “defect” includes “any defect in performance, construction, a component, or material of a motor vehicle or motor vehicle equipment.” 49 U.S.C. 30102(a)(2). This includes a defect in design. See Wheels, 518 F.2d at 436. A defect in an item of motor vehicle equipment (including hardware, software, and other electronic systems) may be considered a defect of the motor vehicle itself. See 49 U.S.C. 30102(b)(1)(F).
Congress intended the Safety Act to represent a “commonsense” approach to safety and courts have followed that approach in determining what constitutes a “defect.” See, e.g., Wheels, 518 F.2d at 436. For this reason, a defect determination does not require an engineering explanation or root cause, but instead “may be based exclusively on the performance record of the component.” Wheels, 518 F.2d at 432 (“[A] determination of a `defect' does not require any predicate of a finding identifying engineering, metallurgical, or manufacturing failures.”). Thus, a motor vehicle or item of motor vehicle equipment contains a defect “if it is subject to a significant number of failures in normal operation, including failures either occurring during specified use or resulting from owner abuse (including inadequate maintenance) that is reasonably foreseeable (ordinary abuse).” [3] Wheels, 518 F.2d at 427.
A “significant number of failures” is merely a “non-de minimus” quantity; it need not be a “substantial percentage of the total.” Wheels, 518 F.2d at 438 n.84. Whether there have been a “significant number of failures” is a fact-specific inquiry that includes considerations such as: the failure rate of the component in question; the failure rates of comparable components; the importance of the component to the safe operation of the vehicle; and the severity of harm to the vehicle and/or occupant caused by the failure. Id. at 427. In addition, where appropriate, the determination of the existence of a defect may depend upon the failure rate in the affected class of vehicles compared to that of other peer vehicles. See United States v. Gen. Motors Corp., 841 F.2d 400, 412 (D.C. Cir. 1988) (“X-Cars”).
The Agency relies on the performance record of a vehicle or component in making a defect determination where the engineering or root cause of a failure is unknown. See Wheels, 518 F.2d at 432. Where, however, the engineering or root cause is known, the Agency need not proceed with analyzing the performance record. See id.; see also United States v. Gen. Motors Corp., 565 F.2d 754, 758 (D.C. Cir. 1977) (“Carburetors”) (finding a defect to be safety-related if it “results in hazards as potentially dangerous as sudden engine fire, and where there is no dispute that at least some such hazards . . . can definitely be expected to occur in the future.”). For software or other electronic systems, for example, when the engineering or root cause of the hazard is known, a defect exists regardless of whether there have been any actual performance failures.
C. Determining an Unreasonable Risk to Safety
In order to support a recall, a defect must be related to motor vehicle safety. United States v. General Motors Corp., 561 F.2d 923, 928-29 (D.C. Cir. 1977) (“Pitman Arms”). In the context of the Safety Act, “motor vehicle safety” refers to an “unreasonable risk of accidents” and an “unreasonable risk of death or injury in an accident.” 49 U.S.C. 30102(a)(8). Thus, while the defect analysis has generally entailed a retrospective look at how many failures have occurred (see, e.g., Wheels and Pitman Arms), the safety-relatedness question is forward-looking, and concerns hazards that may arise in the future. See, e.g., Carburetors, 565 F.2d at 758.
In general, for a defect to present an “unreasonable risk,” there must be a likelihood that it will cause or be associated with a “non-negligible” number of crashes, injuries, or deaths in the future. See, e.g., Carburetors, 565 F.2d at 759. This prediction of future hazards is called a “risk analysis.” See, e.g., Pitman Arms, 561 F.2d at 924 (Leventhal, J., dissenting) (“GM presented a `risk analysis' which predicts the likely number of future injuries or deaths to be expected in the remaining service life of the affected models”). A forward-looking risk analysis is compelled by the purpose of the Safety Act, which “is not to protect individuals from the risks associated with defective vehicles only after serious injuries have already occurred; it is to prevent serious injuries stemming from established defects before they occur.” Carburetors, 565 F.2d at 759 (emphasis added).
However, in some circumstances, a crash, injury, or death need not occur for a defect to be considered to pose an unreasonable risk. If the hazard is sufficiently serious, and at least some harm, however small, is expected to occur in the future, the risk may be deemed unreasonable. Carburetors, 565 F.2d at 759 (“In the context of this case . . . even an `exceedingly small' number of injuries from this admittedly defective and clearly dangerous carburetor appears to us `unreasonably large.'”). In other words, where a defect presents a “clearly” or “potentially dangerous” hazard, and where “at least some such hazards”—even an “exceedingly small” number—will occur in the future, that defect is necessarily safety-related. See id. at 754. This is so regardless of whether any injuries have already occurred, or whether the projected number of failures/injuries in the future is trending down. See id. at 759. Moreover, a defect may be considered “per se” safety-related if it causes the failure of a critical component; causes a vehicle fire; causes a loss of vehicle control; or suddenly moves the driver away from steering, accelerator, and brake controls—regardless of how many injuries or accidents are likely to occur in the future. See Carburetors, 565 F.2d 754 (engine fires); Pitman Arms, 561 F.2d 923 (loss of control); United States v. Ford Motor Co., 453 F. Supp. 1240 (D.D.C. 1978) (“Wipers”) (loss of visibility); United States v. Ford Motor Co., 421 F. Supp. 1239, 1243-1244 (D.D.C. 1976) (“Seatbacks”) (loss of control). Similarly, where a defect “is systematic and is prevalent in a particular class [of motor vehicles or equipment], . . . this is prima facie an unreasonable risk.” Pitman Arms, 561 F.2d at 929.
III. Guidance and Recommended Best Practices: Safety-Related Defects, Unreasonable Risk, and Automated Safety Technologies
Consistent with the foregoing background, NHTSA's enforcement authority concerning safety-related defects in motor vehicles and motor vehicle equipment extends and applies equally to current and emerging automated safety technologies. This includes fully automated (self-driving) vehicles. Where a fully automated (self-driving) vehicle or other automated safety technology causes crashes or injuries, or poses other safety risks, the Agency will evaluate such technology through its investigative authority to determine whether the technology presents an unreasonable risk to safety. Similarly, should the Agency determine that a fully automated (self-driving) vehicle or other automated safety technology has manifested a safety-related defect, and a manufacturer fails to act, NHTSA will exercise its enforcement authority to the fullest extent.
To avoid violating Safety Act requirements and standards, manufacturers of current and emerging automated safety technologies are strongly encouraged to take steps to proactively identify and resolve safety concerns before their products are available for use on U.S. roadways, and to discuss such actions with NHTSA. The Agency recognizes that most automated safety technologies heavily involve electronic systems (such as hardware, software, sensors, global positioning systems (GPS) and vehicle-to-vehicle (V2V) safety communications systems). The Agency acknowledges that the increased use of electronic systems in motor vehicles and motor vehicle equipment may raise new and different safety concerns. However, the complexities of these systems do not diminish manufacturers' duties under the Safety Act. Both motor vehicle manufacturers and motor vehicle equipment manufacturers remain responsible for ensuring that their vehicles and equipment are free of safety-related defects and noncompliances, and do not otherwise pose an unreasonable risk to safety. Manufacturers are also reminded that they remain responsible for promptly reporting to NHTSA any safety-related defects or noncompliances, as well as timely notifying owners and dealers of the same.
In assessing whether a motor vehicle or item of motor vehicle equipment poses an unreasonable risk to safety, NHTSA considers the vehicle component or system involved, the likelihood of the occurrence of a hazard, the potential frequency of a hazard, the severity of hazard to the vehicle and occupant, known engineering or root cause, and other relevant factors. Where a threatened hazard is substantial (e.g., fire or stalling), low potential frequency may not carry as much weight in NHTSA's analysis. NHTSA may weigh the above factors, and other relevant factors, differently depending on the circumstances of the particular underlying matter at issue.
Software installed in or on a motor vehicle—which is motor vehicle equipment—presents its own unique safety risks. Because software often interacts with a motor vehicle's critical systems (i.e., systems encompassing critical control functions such as braking, steering, or acceleration), the operation of those systems can be substantially altered by after-market software updates. Software located outside the motor vehicle could also be used to affect and control a motor vehicle's critical systems.[4] Under either circumstance, if software (whether or not it purports to have a safety-related purpose) creates or introduces an unreasonable safety risk to motor vehicle systems, then that safety risk constitutes a defect compelling a recall.
While the Agency acknowledges that manufacturers are not required to design motor vehicles or motor vehicle equipment that “never fail,” manufacturers should consider developing systems such that should an electrical, electronic, mechanical, or software failure occur, the vehicle or equipment can still be operated in a manner to mitigate the risks from such failures. Furthermore, with the increased introduction of current and emerging automated safety technologies, manufacturers should take steps necessary to ensure that any such technology introduced to U.S. roadways accounts for the driver's ease of use and any foreseeable misuse that may occur, particularly in circumstances that require driver interaction while a vehicle is in operation. A system design or configuration that fails to take into account and safeguard against the consequences of reasonably foreseeable driver distraction or error may present an unreasonable risk to safety.
For example, an unconventional electronic gearshift assembly that lacks detents or other tactile cues that provide gear selection feedback makes it more likely that a driver may attempt to exit a vehicle with the mistaken belief that the vehicle is in park. If the vehicle's design does not guard against this foreseeable driver error by providing an effective warning or (for instance) immobilizing the vehicle when the driver's door is opened, the design may present an unreasonable risk to safety. Similarly, a semi-autonomous driving system that allows a driver to relinquish control of the vehicle while it is in operation but fails to adequately account for reasonably foreseeable situations where a distracted or inattentive driver-occupant must retake control of the vehicle at any point may also be an unreasonable risk to safety. Additionally, where a software system is expected to last the life of the vehicle, manufacturers should take care to provide secure updates as needed to keep the system functioning. Conversely, if a manufacturer fails to provide secure updates to a software system and that failure results in a safety risk, NHTSA may consider such a safety risk to be a safety-related defect compelling a recall.
Motor vehicle and motor vehicle equipment manufacturers have a continuing obligation to proactively identify safety concerns and mitigate the risks of harm. If a manufacturer discovers or is otherwise made aware of any safety-related defects, noncompliances, or other safety risks after the vehicle and/or equipment (including automated safety technology) has been in safe operation, then it should promptly contact the appropriate NHTSA personnel to determine the necessary next steps. Where a manufacturer fails to adequately address a safety concern, NHTSA, when appropriate, will address that failure through its enforcement authority.
Applicability/Legal Statement: This Enforcement Guidance Bulletin sets forth NHTSA's current views on its enforcement authority and the topic of automated safety technology, and suggests guiding principles and best practices to be utilized by motor vehicle and equipment manufacturers in this context. This Bulletin is not a final agency action and is intended as guidance only. This Bulletin does not have the force or effect of law. This Bulletin is not intended, nor can it be relied upon, to create any rights enforceable by any party against NHTSA, the U.S. Department of Transportation, or the United States. These recommended practices do not establish any defense to any violations of the Safety Act, or regulations thereunder, or violation of any statutes or regulations that NHTSA administers. This Bulletin may be revised without notice to reflect changes in the Agency's views and analysis, or to clarify and update text.
Issued: September 20, 2016.
Paul A. Hemmersbaugh,
Chief Counsel.
Footnotes
1. The Agency anticipates publishing additional guidance at a later date, further clarifying the criteria the Agency considers when determining whether certain devices constitute motor vehicle equipment.
2. A manufacturer's obligation to recall motor vehicles and motor vehicle equipment determined to have a safety-related defect is separate and distinct from its obligation to recall motor vehicles and motor vehicle equipment that fail to comply with an applicable FMVSS. See 49 U.S.C. 30120.
3. “The protection afforded by the [Safety] Act was not limited to careful drivers who fastidiously observed speed limits and conscientiously complied with manufacturer's instructions on vehicle maintenance and operation. . . . [the statute provides] an added area of safety to an owner who is lackadaisical, who neglects regular maintenance . . .” Wheels, 518 F.2d at 434.
4. NHTSA intends to publish an interpretation clarifying in further detail the Agency's criteria for determining whether a portable device or portable application is an “accessory” to a motor vehicle at a later date.
[FR Doc. 2016-23010 Filed 9-22-16; 8:45 am]
BILLING CODE 4910-59-P
Document Information
- Published: 09/23/2016
- Department: National Highway Traffic Safety Administration
- Entry Type: Notice
- Action: Final notice.
- Document Number: 2016-23010
- Pages: 65705-65709 (5 pages)
- Docket Numbers: Docket No. NHTSA-2016-0040
- PDF File: 2016-23010.pdf