Request for Comment on Automotive Electronic Control Systems Safety and Security, 60574-60583 [2014-23805]

60574 Federal Register / Vol. 79, No. 194 / Tuesday, October 7, 2014 / Notices

• Government-wide rulemaking Web site: Go to https://www.regulations.gov and follow the instructions for sending your comments electronically.
• Mail: Send comments to the Docket Management Facility; U.S. Department of Transportation, 1200 New Jersey Avenue SE., West Building Ground Floor, Room W12–140, Washington, DC 20590.
• Fax: Fax comments to the Docket Management Facility at 202–493–2251.
• Hand Delivery: Bring comments to the Docket Management Facility in Room W12–140 of the West Building Ground Floor at 1200 New Jersey Avenue SE., Washington, DC, between 9 a.m. and 5 p.m., Monday through Friday, except Federal holidays.

Privacy: We will post all comments we receive, without change, to https://www.regulations.gov, including any personal information you provide. Using the search function of our docket Web site, anyone can find and read the comments received into any of our dockets, including the name of the individual sending the comment (or signing the comment for an association, business, labor union, etc.). You may review DOT’s complete Privacy Act Statement in the Federal Register published on April 11, 2000 (65 FR 19477–78).

Docket: To read background documents or comments received, go to https://www.regulations.gov at any time or to the Docket Management Facility in Room W12–140 of the West Building Ground Floor at 1200 New Jersey Avenue SE., Washington, DC, between 9 a.m. and 5 p.m., Monday through Friday, except Federal holidays.

FOR FURTHER INFORMATION CONTACT: Jake Troutman, (202) 267–9521, 800 Independence Avenue SW., Washington, DC, 20951.

This notice is published pursuant to 14 CFR 11.85.

Issued in Washington, DC, on October 1, 2014.

Lirio Liu,
Director, Office of Rulemaking.

Petition for Exemption

Docket No.: FAA–2014–0727.
Petitioner: SenseFly Ltd.
Section of 14 CFR: parts 21 Subpart H, 45.23, 45.29, 61.3, 61.23, 61.113(a) and (b), 61.133(a), 91.7(a), 91.9, 91.109(a), 91.119, 91.121, 91.151(a), 91.203, 91.401, 91.403, 91.405, 91.407, 91.409, 91.411, 91.413, 91.415, 91.417, 91.419, and 91.421.
Description of Relief Sought: The petitioner, manufacturer of the eBee unmanned aircraft system (UAS), is seeking an exemption to commercially operate their UAS for mapping and precision agriculture applications.

[FR Doc. 2014–23826 Filed 10–6–14; 8:45 am]
BILLING CODE 4910–13–P

DEPARTMENT OF TRANSPORTATION

Federal Highway Administration

Environmental Impact Statement; Suffolk County, New York

AGENCY: Federal Highway Administration (FHWA), Department of Transportation (DOT).
ACTION: Revised notice of intent (NOI).
SUMMARY: The FHWA is issuing this notice to advise the public that the NOI to prepare an Environmental Impact Statement (EIS) for a proposed construction project for the reconstruction of NY 112 from the Long Island Expressway, I–495 North Service Road to NY 25 in Suffolk County, New York is being rescinded. On December 19, 2002, the FHWA issued an NOI to advise the public that an EIS would be prepared for a proposed construction project for the Reconstruction of NY Route 112, from I–495 to Skips Road (Mill Road Connector), Suffolk County, New York (67 FR 77823).
FOR FURTHER INFORMATION CONTACT: New York State Department of Transportation, State Building, 250 Veterans Memorial Highway, Hauppauge, New York 11788, Telephone: (631) 952–6632; or Jonathan D. McDade, Division Administrator, Federal Highway Administration, New York Division, Leo W. O’Brien Federal Building, Suite 719, 11A Clinton Avenue, Albany, New York 12207, Telephone: (518) 431–4127.
SUPPLEMENTARY INFORMATION: The FHWA, in cooperation with the New York State Department of Transportation (NYSDOT), intended to prepare an EIS on the proposal to improve safety and traffic flow on NY 112 from I–495 to Skips Road.
The scope of the project was to move the public through this area of the NY 112 corridor as safely and efficiently as possible. It is proposed to terminate the EIS for the following reasons:
• NYSDOT has delayed this project due to competing priorities and the inability to make a financial commitment to the 2012 estimated construction cost of $76M excluding the costs of right-of-way, construction inspection, and design.
• NYSDOT has implemented a system-wide preservation first strategy that will continue to impact the implementation of larger capital intensive projects such as the proposed reconstruction of NY112.
• NYSDOT’s adoption of both Smart Growth and Complete Streets makes the consideration of a significant capacity expansion of NY112 problematic in this area.
• Since the original public hearing, the dedication of the 450 acre Overton Preserve (adjacent to NY 112) further precludes any substantial widening of NY 112 at the northerly end of the project.
• Studies performed to date indicate that a lower cost roadway section, not as wide as initially proposed, with resultant reduced environmental impact would produce an acceptable Level of Service throughout the corridor.
• Reportable accidents have declined and continue to demonstrate a downward trend, further supporting the termination of the proposal to construct a four lane roadway section with continuous left turn lane or raised median as proposed in the draft EIS.
Termination of this EIS will enable NYSDOT to undertake smaller scoped transportation projects in the existing NY 112 corridor to address current transportation needs.

Jonathan D. McDade,
Division Administrator, Federal Highway Administration, Albany, New York.

[FR Doc. 2014–23881 Filed 10–6–14; 8:45 am]
BILLING CODE 4910–22–P

DEPARTMENT OF TRANSPORTATION

National Highway Traffic Safety Administration

[Docket No. NHTSA–2014–0108]

Request for Comment on Automotive Electronic Control Systems Safety and Security

AGENCY: National Highway Traffic Safety Administration (NHTSA), Department of Transportation (DOT).
ACTION: Request for comments.
SUMMARY: This notice presents the National Highway Traffic Safety Administration’s research program on vehicle electronics and our progress on examining the need for safety standards with regard to electronic systems in passenger motor vehicles. The agency undertook this examination pursuant to the requirements of the Moving Ahead for Progress in the 21st Century Act (MAP–21) Division C, Title I, Subtitle D, Section 31402, Subsection (a). In addition, and in accordance with MAP–21, we are seeking comment (through this document) on various components of our examination of the need for safety standards in this area. As MAP–21 also requires this agency to report to Congress on our findings pursuant to this examination, we intend to submit a report to Congress based in part on our findings from this examination and public comments received in response to this document.
DATES: You should submit your comments early enough to ensure that Docket Management receives them no later than December 8, 2014.
ADDRESSES: Comments should refer to the docket number above and be submitted by one of the following methods:
• Federal Rulemaking Portal: https://www.regulations.gov. Follow the online instructions for submitting comments.
• Mail: Docket Management Facility, U.S. Department of Transportation, 1200 New Jersey Avenue SE., West Building Ground Floor, Room W12–140, Washington, DC 20590–0001.
• Hand Delivery: 1200 New Jersey Avenue SE., West Building Ground Floor, Room W12–140, Washington, DC, between 9 a.m. and 5 p.m. ET, Monday through Friday, except Federal Holidays.
• Instructions: For detailed instructions on submitting comments and additional information on the rulemaking process, see the Public Participation heading of the SUPPLEMENTARY INFORMATION section of this document. Note that all comments received will be posted without change to https://www.regulations.gov, including any personal information provided.
• Privacy Act: Anyone is able to search the electronic form of all comments received into any of our dockets by the name of the individual submitting the comment (or signing the comment, if submitted on behalf of an association, business, labor union, etc.). You may review DOT’s complete Privacy Act Statement in the Federal Register published on April 11, 2000 (65 FR 19477–78). For access to the docket to read background documents or comments received, go to https://www.regulations.gov or the street address listed above. Follow the online instructions for accessing the dockets.
FOR FURTHER INFORMATION CONTACT: For technical issues: Mr. David V. Freeman of NHTSA’s Office of Vehicle Crash Avoidance & Electronic Controls Research at (202) 366–0168 or by email at david.v.freeman@dot.gov. For legal issues: Mr. Jesse Chang of NHTSA’s Office of Chief Counsel at (202) 366–9874 or by email at jesse.chang@dot.gov.
SUPPLEMENTARY INFORMATION: In this document, the agency is presenting its progress in conducting an examination of the need for safety standards and seeking comments on its findings thus far. The agency is directed to conduct this examination and report its findings to Congress by the Moving Ahead for Progress in the 21st Century Act (MAP–21).[1]

I. MAP–21 and Examining the Need for Electronic System Safety Standards

In section 31402 of MAP–21, Congress directs this agency to “complete an examination of the need for safety standards with regard to electronic systems in passenger motor vehicles.”[2] In conducting this examination, the Act directed the agency to consider various topics: (1) Electronic components; (2) the interaction of electronic components; (3) the security needs for those electronic components to prevent unauthorized access; and (4) the effect of surrounding environments on the electronic systems.[3] Finally, the Act also directed the agency to allow for public comment in conducting this examination.[4] Upon completing the examination, the Act also directs the agency to submit a report to Congress on the highest priority areas for safety with regard to the electronic systems.[5]

[1] Moving Ahead for Progress in the 21st Century Act, Public Law 112–141 (Jul. 6, 2012), § 31402.
[2] Id.
[3] Id.
[4] Id.
[5] Id.

This document presents the agency’s progress thus far in conducting the examination required in section 31402. We illustrate how we are examining each of the areas described by Congress in section 31402 and are seeking public comment on that examination. We intend to incorporate the comments received pursuant to this document in our report to Congress identifying the need for safety standards.

II. Background

a. NHTSA’s Safety Role

The National Highway Traffic Safety Administration (NHTSA) is responsible for developing, setting, and enforcing regulations for motor vehicles and motor vehicle equipment. Many of the agency’s regulations are Federal Motor Vehicle Safety Standards (FMVSSs) with which manufacturers must certify compliance when offering motor vehicles and motor vehicle equipment for sale in the United States. NHTSA also studies behaviors and attitudes in highway safety, focusing on drivers, passengers, pedestrians, and motorcyclists.
We identify and measure behaviors involved in crashes or associated with injuries, and, working with States and other partners, develop and refine countermeasures to deter unsafe behaviors and promote safe alternatives. Further, the agency provides consumer information relevant to motor vehicle safety. For example, NHTSA’s New Car Assessment Program (NCAP) provides comparative safety information for various vehicle models to aid consumers in their purchasing decisions (e.g., the 5-star crash test ratings). The purpose of the agency’s programs is to reduce motor vehicle crashes and their attendant deaths, injuries, and property damage.

b. Growth in Automotive Electronics and Their Safety Challenges

The use of electronics in the design of modern automobiles is a rapid ongoing progression. The first common use of automotive electronics[6] dates back to the 1970s, and by 2009 a typical automobile featured over 100 microprocessors, 50 electronic control units, five miles of wiring and 100 million lines of code.[7] Use of electronics is not new. It has enabled safer and more fuel-efficient vehicles for decades. Electric and hybrid vehicles could not have been developed and produced without the extensive use of electronics, and proven safety technologies such as electronic stability control could not have been implemented. Over time, growth of electronics use has accelerated and this trend is expected to continue as the automotive industry develops and deploys even more advanced automated vehicle features. This trend results in increased complexity in the design, testing, and validation of automotive systems. Those complexities also raise general concerns in the areas of reliability, security, and safety assurance of increasingly networked vehicles leveraging electronics.

[6] Not including electronics use for radio purposes.
[7] “This car runs on code,” R.N. Charette, 2009, https://spectrum.ieee.org/transportation/systems/this-car-runs-on-code.

Electronics provide many safety, security, convenience, comfort, and efficiency functions for vehicle operators through interconnections and communications with other onboard electronics systems. Common communications networks and protocols allow for the exchange of information between sensors, actuators, and the electronic control units that execute software programs to accomplish specific functions. A vehicle will typically feature multiple networks. Those networks may be isolated from one another for a variety of reasons such as safety and security; however, in other cases different networks could be interconnected to enable exchange of information across a broader range of systems. Sharing data across multiple networks can be safeguarded against adverse influence over safety-critical systems; however, the effectiveness of such approaches is only anecdotally known today.

Growing system complexity and the abundance of design variants, even within one manufacturer over model years and across classes of vehicles, pose general concerns over whether existing processes can ensure their functional safety. Further, anomalies associated with electronic systems—including those related to software programming, intermittent electronics hardware malfunctions, and effects of electromagnetic disturbances—may not leave physical evidence, and hence are difficult to investigate without a record of data from the electronic systems.

While there are challenges, progressively introduced safety technologies, such as Automatic Emergency Braking (AEB), have the potential to significantly reduce the many thousands of fatalities and injuries that occur each year as a result of motor vehicle crashes. Further, continued innovation into more advanced forms of vehicle automation could address other types of crashes where human driver error plays a role.
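The notice describes vehicles with several networks that are sometimes isolated and sometimes interconnected, and says that cross-network data sharing "can be safeguarded against adverse influence over safety-critical systems." The following model of a gateway ECU sitting between an infotainment bus and a powertrain bus shows what such a safeguard looks like in practice. It is an added example, not code from NHTSA or any vehicle manufacturer; the bus names, arbitration IDs, the single allowlist rule and the per-second budget are constructed for the illustration, and a production gateway applies the same default-deny idea in firmware with many more rules:

```python
"""Model of a gateway ECU enforcing segmentation between two vehicle buses.

Added illustration, not NHTSA's or any manufacturer's code. The bus names,
arbitration IDs, the allowlist and the rate budget are constructed for the
example.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class CanFrame:
    """Classic CAN data frame: 11-bit arbitration ID and up to 8 data bytes."""
    arb_id: int
    data: bytes

    def __post_init__(self) -> None:
        if not 0 <= self.arb_id <= 0x7FF:
            raise ValueError("arbitration ID must fit in 11 bits")
        if len(self.data) > 8:
            raise ValueError("classic CAN carries at most 8 data bytes")


@dataclass(frozen=True)
class Rule:
    """Forwarding rule: frames with arb_id seen on bus `src` may be copied to
    bus `dst` if the payload length equals `dlc` and the per-second budget holds."""
    src: str
    dst: str
    arb_id: int
    dlc: int
    max_per_second: int


@dataclass
class Gateway:
    """Default-deny gateway: a frame crosses buses only if a rule allows it.
    Every drop is logged with its reason so the log can feed anomaly detection."""
    rules: Dict[Tuple[str, int], Rule]
    window: Dict[Tuple[str, int], Deque[float]] = field(default_factory=dict)
    dropped: List[Tuple[float, str, int, str]] = field(default_factory=list)

    @classmethod
    def from_rules(cls, rules: List[Rule]) -> "Gateway":
        return cls(rules={(r.src, r.arb_id): r for r in rules})

    def forward(self, src: str, frame: CanFrame, now: float) -> Optional[str]:
        """Return the destination bus if the frame is forwarded, else None."""
        key = (src, frame.arb_id)
        rule = self.rules.get(key)
        if rule is None:
            self.dropped.append((now, src, frame.arb_id, "no rule for source/id"))
            return None
        if len(frame.data) != rule.dlc:
            self.dropped.append((now, src, frame.arb_id, "unexpected payload length"))
            return None
        seen = self.window.setdefault(key, deque())
        while seen and now - seen[0] >= 1.0:      # slide the one-second window
            seen.popleft()
        if len(seen) >= rule.max_per_second:
            self.dropped.append((now, src, frame.arb_id, "rate limit exceeded"))
            return None
        seen.append(now)
        return rule.dst


def run_demo() -> Dict[str, int]:
    """Exercise the gateway with constructed traffic; returns counts per outcome."""
    # Constructed rule: vehicle speed (ID 0x1A0, 2 bytes) may flow from the
    # powertrain bus to the infotainment bus for display, at most 10 frames/s.
    gw = Gateway.from_rules([
        Rule(src="powertrain", dst="infotainment", arb_id=0x1A0, dlc=2, max_per_second=10),
    ])
    forwarded = 0
    # 1. Legitimate speed frame in the allowed direction and shape.
    if gw.forward("powertrain", CanFrame(0x1A0, b"\x00\x32"), now=0.0):
        forwarded += 1
    # 2. Same ID originating on the infotainment side: never crosses.
    gw.forward("infotainment", CanFrame(0x1A0, b"\x00\x32"), now=0.1)
    # 3. An ID with no rule at all from the infotainment side.
    gw.forward("infotainment", CanFrame(0x0C0, b"\xff"), now=0.2)
    # 4. Allowed ID and direction but a payload length the rule does not expect.
    gw.forward("powertrain", CanFrame(0x1A0, bytes(8)), now=0.3)
    # 5. A burst well above the expected rate: only the remaining budget passes.
    for i in range(15):
        if gw.forward("powertrain", CanFrame(0x1A0, b"\x00\x33"), now=0.5 + i * 0.01):
            forwarded += 1
    counts: Dict[str, int] = {"forwarded": forwarded}
    for _, _, _, reason in gw.dropped:
        counts[reason] = counts.get(reason, 0) + 1
    return counts


if __name__ == "__main__":
    print(run_demo())
```

Two design points carry the notice's concern. The rule table is keyed by source bus as well as ID, so the same arbitration ID is not trusted just because it is well-formed; where it came from decides whether it crosses. And the drop log is the detection signal: a steady stream of "no rule" or "rate limit exceeded" entries from one bus is exactly the kind of record the notice says is otherwise missing when an electronic anomaly leaves no physical evidence.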
In May 2013, NHTSA released a preliminary statement of policy[8] concerning automated vehicles in which the agency outlined its planned research into emerging technologies. Given the complexity of these new systems in terms of the additional electronic software and hardware needed, electronic control systems safety will continue to grow in importance as these systems become more commonplace in production vehicles. Along these lines, the Transportation Research Board (TRB) Special Report 308[9] by the National Academies of Sciences (NAS) in 2012 identified five challenges for the safety of future electronic control systems:
• An increased amount of complex software that cannot be exhaustively tested;
• The highly interactive nature of the electronic control system—more interactions exist among system components, and the outcome may be difficult to anticipate;
• The growing importance of human factors consideration in automotive electronic control system design;
• The potentially harmful interaction with the external environment including electromagnetic interference; and
• The novel and rapidly changing technology.

[8] https://www.nhtsa.gov/staticfiles/rulemaking/pdf/Automated_Vehicles_Policy.pdf.
[9] The Safety Promise and Challenge of Automotive Electronics, insights from unintended acceleration, National Research Council of the National Academies, ISBN 978–0–309–22304–1, 2012.

Further, the study offered recommendations to NHTSA on the actions that the agency could take to meet the five challenges it identified. These include:
• becoming more familiar with and engaged in standard-setting and other efforts (involving industry) that are aimed at strengthening the means by which manufacturers ensure the safe performance of their automotive electronics systems;
• convening a standing technical advisory panel;
• undertaking a comprehensive review of the capabilities that the agency will need in monitoring for and investigating safety deficiencies in electronics-intensive vehicles;
• ensuring that Event Data Recorders (EDRs) become commonplace in new vehicles;
• conducting research on human factors issues informing manufacturers’ system design decisions;
• initiating a strategic planning effort that gives explicit consideration to the safety challenges resulting from vehicle electronics and that gives rise to an agenda for meeting them; and
• making the formulation of a strategic plan a top goal in NHTSA’s overall priority plan.

In addition to the challenges regarding electronic components and their ability to function reliably in spite of their complex interactions, NHTSA believes there are also challenges with regard to the ability of these systems to remain free of unauthorized access or malicious attacks. While documented demonstrations[10][11][12] of vehicle hacking to date have required some form of long-term physical access to the vehicle, and our review has not identified any reported field incidents resulting in a safety concern, we recognize that lack of occurrence does not imply impossibility. As further discussed in this document, NHTSA is interested in gathering and evaluating information from the public (as part of its examination pursuant to MAP–21) to determine what additional work is needed in this area.

[10] “Experimental Security Analysis of a Modern Automobile,” K. Koscher et al., IEEE Symposium on Security and Privacy, Oakland, CA, 2010.
[11] “Comprehensive Experimental Analyses of Automotive Attack Surfaces,” S. Checkoway et al., USENIX Security, 2011.
[12] “Adventures in Automotive Networks and Control Units,” C. Miller, C. Valasek, DEF CON 21, Las Vegas, NV, 2013.

c. Industry’s Existing Safety Assurance Processes

Notwithstanding the increased difficulty in the safety assurance of increasingly complex systems, the automotive industry uses a number of safety and quality assurance practices in the design of safety critical systems, which are not unique to but also cover electronic systems. As documented in a number of publications and also summarized in the NAS Report, these approaches include the:
• Establishment of system safety requirements;
• assessment of design hazards and risks at component, function, system, manufacturing and process levels, such as by the use of failure mode and effects analysis[13] (FMEA) and fault tree analysis[14] (FTA);
• quality management systems such as ISO/TS 16949,[15] advanced product quality planning (APQP), and Design for Six Sigma (DFSS);
• design validation and verification testing such as electrical, environmental, lab, test track and limited field trials;
• variants of the production part approval process (PPAP); and
• post deployment field data analysis.

[13] The IEC 60812 standard covers the process for conducting FMEA analysis.
[14] The IEC 61025 standard covers the process for conducting FTA analysis.
[15] ISO/TS 16949:2002 covers particular requirements for the application of ISO 9001:2000 for automotive production and relevant service part organizations.

Further, many automotive original equipment manufacturers (OEMs) were actively engaged in the development and revision of the ISO 26262[16] standard and some have already started to follow its principles. As further discussed in this document, NHTSA is interested in gathering and evaluating information from the public (as part of its examination pursuant to MAP–21) to determine whether there are emerging gaps in the functional safety assurance processes of motor vehicles.

[16] International Organization for Standardization (ISO) standard for Road vehicles—Functional safety.

d. Existing Safety Process Standards Research Overview

Sectors of the automotive industry currently consider electronics safety and cybersecurity as part of their design and quality control processes. Three process standards from the broader transportation industry are frequently mentioned as suitable and preferred methods also used in the design of road vehicles, usually complementing existing safety assurance practices: ISO 26262, MIL–STD–882E, and DO–178C.

ISO 26262 is the first automotive industry specific standard[17] that addresses safety-related systems comprised of electrical, electronic, and software elements providing safety-related functions in the design of road vehicles. It is an adaptation of the International Electrotechnical Commission (IEC) 61508[18] standard to road vehicles. The first publication of ISO 26262 was in November 2011. This standard seeks to address various important challenges facing today’s road vehicle technologies including:
• The safety of new electrical, electronic, and software functionality in vehicles;
• the trend of increasing system complexity, software content, and use of electromechanical components; and
• the risk from both systematic failure and random hardware failure.
[17] Van Eikema Hommes, Q., “Review and Assessment of the ISO 26262 Draft Road Vehicle—Functional Safety,” SAE Technical Paper 2012–01–0025, 2012, doi:10.4271/2012–01–0025.
[18] IEC 61508 is an international standard for functional safety of electrical/electronic/programmable electronic safety-related systems. This standard considers all of the environments that could result in an unsafe situation for the subject product, including shock, vibration, temperature, and electromagnetic fields and their induced voltages and currents.

Typical concerns associated with the ISO 26262 standard may include that the:
• Standard could be laborious to apply;
• hardware portions of the standard’s coverage may be very similar to existing industry practices with limited incremental benefits;
• software portions of the standard may primarily recommend good systems engineering practices for software safety; and
• assessment of the automotive safety integrity levels (ASIL) may vary due to subjectivity in the process.

Due to some of these limitations, existing practices and ISO 26262 are sometimes augmented with more mature system engineering approaches that are outlined in MIL–STD–882E and DO–178C, particularly on the software engineering side.

MIL–STD–882E is the U.S. Department of Defense’s systems engineering approach for eliminating hazards, where possible, and minimizing risks where those hazards cannot be eliminated. By taking a systems approach, this standard considers hazards in the entire lifecycle of systems, products, equipment, and infrastructure including design, development, test, production, use, and disposal stages. The principle of this standard is that system safety should follow the system engineering process, and is the responsibility of all functional disciplines, not just the system safety professionals.
This standard has gone through a number of revisions in order to adapt to changes in technology and lessons learned through experience.

In the aviation industry, DO–178C[19] is an accepted guidance for software development. Conformance to this standard means the software satisfies airworthiness[20] requirements with an acceptable level of confidence. As part of the airworthiness certification process, DO–178C provides guidelines to produce the software lifecycle data needed in order to support the certification process (e.g. plans for software development, verification, configuration management, and quality assurance). It also provides a comprehensive list of considerations in order to avoid errors and mistakes that could be introduced into software. DO–178C considers system software development as a subset of the overall system development process. It assumes that safety-critical requirements for software systems are defined in the higher-level system engineering activities and are given at the beginning of the software development process. Some automotive companies indicated that the principles outlined in this more mature standard complement the software standard described in ISO 26262 Part 6,[21] which is still evolving. As we discuss further in this document, NHTSA continues to investigate functional safety approaches for the automotive industry that may effectively address emerging concerns from the increased use of electronics and software in the design of automobiles.

[19] DO–178C: Software considerations in airborne systems and equipment certification.
[20] Airworthiness of an aircraft refers to meeting established standards for safe flight.
[21] ISO 26262–6:2011, Road vehicles—Functional safety—Part 6: Product development at the software level.

e. Available Data[22] Sources Research Overview

For purposes of determining the capabilities of various datasets to categorize and rank vehicle electronics safety issues, we considered vehicle recall data, vehicle owner’s questionnaire (VOQ) data, early warning reporting (EWR) data, and data from our field crash investigation databases such as the National Automotive Sampling System (NASS), the Fatality Analysis Reporting System (FARS), and the Special Crash Investigation (SCI) database. Further, we considered event data recorder (EDR) capabilities. We briefly describe our findings on these various data sources in this section.

[22] Data for purposes of examining the need for safety standards with regard to automotive electronic systems does not include personally identifiable information about the operators.

While we believe that the sources of information available to NHTSA in this regard are useful in helping the agency begin to identify the highest priority areas with regard to electronic components (and their interactions), we also believe that they have certain limitations in ranking safety issues associated with vehicle electronics. This limitation is mostly driven by the lack of detailed information regarding specific electronic system failure types. Hence, in section V we seek comment from the public as to what other sources of information and data are available.

The vehicle recall database is a publicly available resource that documents safety defects or failures to meet minimum performance standards set by the Federal Motor Vehicle Safety Standards (FMVSS) in a motor vehicle or item of motor vehicle equipment. When manufacturers decide a safety defect or a noncompliance exists in a motor vehicle or item of motor vehicle equipment they manufactured, they are required to notify NHTSA and furnish a report with particular information about the defect or noncompliance, the products involved, and additional information including the manufacturer’s plan to remedy for free the defect or noncompliance (See U.S.C. 30118 and 49 CFR 573.6).
Defect and noncompliance notifications and information reports are reviewed by NHTSA analysts who enter them in the recall database. The database includes summaries of the defect description, consequences, and remedy for each recall. The number of vehicle recalls has increased significantly in the past 20 years, nearly tripling from 1993 (222) to 2013 (654). While the vehicle recall database contains a large amount of useful information, the database and underlying defect reports were not intended for detailed or precise statistical analyses of recalls by typology or root cause related to motor vehicle electronic systems. Any such analysis requires a manual review and classification process. However, this work can be limited by the amount of detail contained in the defect information reports, which normally provide more general descriptions of the defect condition and potential safety consequences.

Vehicle Owner Questionnaires (VOQs) are voluntarily submitted by consumers to NHTSA to report a complaint in a vehicle or related equipment item. Each complaint (which is stored in a database and made available to the public redacted of personal identifiers) identifies the vehicle type, incident specifics, and includes a free form narrative to describe details. Complaint content and trends are helpful for general screening purposes but follow-up is sometimes necessary to verify and clarify complaints and incident specifics. Approximately 50,000 VOQs were filed in 2013.

Another source of data is the EWR system. Several data types are regularly reported to NHTSA by manufacturers. The data include non-dealer field reports (documents), listings of death/injury claims (records), and aggregated counts of certain claim types.
The quarterly reporting interval, high level component coding of aggregate figures, and variability in manufacturer reporting are factors that are considered when analyzing certain EWR data sets to study safety critical embedded control systems. Field reports are the only EWR data sets available for evaluating specific defect conditions, including incidents in which the problem is intermittent or cannot be duplicated.

Separately, regarding our national crash databases, the National Automotive Sampling System (NASS)[23] is composed of two systems—the Crashworthiness Data System (CDS) and the General Estimates System (GES). These are based on cases selected from a sample of police crash reports. CDS data focus on passenger vehicle crashes, and are used to investigate crash circumstances, vehicle crash response and occupant injury and identify potential improvements in vehicle design. The GES database contains crash statistics on police-reported crashes involving all types of vehicles. The information comes from samples of police reports of the estimated six million crashes that occur annually. Each NASS database is weighted to characterize a nationally representative sample. Each crash must involve at least one motor vehicle traveling on a traffic way, which results in property damage, injury, or death, and it must be obtained from a police report.

[23] https://www.nhtsa.gov/NASS.

The Fatality Analysis Reporting System (FARS)[24] is a nationwide census database on crashes involving fatalities containing similar information to NASS–GES.
These two crash databases consist of approximately 120 data elements that describe the crash, which are derived from review of police crash reports by trained data entry personnel; however, similar to the case with VOQs, there may be challenges in using these databases to perform detailed analyses for purposes of ranking emerging electronics concerns because data elements were not established with this specific purpose in mind. In combination with other datasets, analysis of GES and FARS can still provide confirming or augmenting evidence in identifying potential priority areas in electronics reliability.

The Crash Injury Research and Engineering Network (CIREN) database consists of over 1,000 discrete fields of data concerning severe motor vehicle crashes, including crash reconstruction and medical injury profiles extending back to 1996. CIREN cases feature detailed data on occupant injury, vehicle damage and restraint technology and crash environment, as well as technical or human factors that are related to injury causation in motor vehicle crashes. Each CIREN case is reviewed together by both medical and engineering professionals, along with the crash investigator, to determine injury causation and data accuracy.

The Special Crash Investigations (SCI)[25] database contains a range of data collected from basic data contained in routine police and insurance crash reports to comprehensive data from special reports by professional crash investigation teams. Hundreds of data elements relevant to the vehicle, occupants, injury mechanisms, roadway, and safety systems are collected for each of the over 100 crashes designated for study annually. SCI cases are intended to be an anecdotal data set useful for examining special crash circumstances or outcomes from an engineering perspective. The SCI program’s flexibility allows for investigations of new emerging technologies related to automotive safety.
Finally, Event Data Recorders 26 (EDRs) are devices that may be installed in a motor vehicle to record technical vehicle information for a few seconds leading up to a crash. For instance, EDRs may record vehicle speed, engine throttle position, brake use, driver safety belt status, and air bag warning lamp status. NHTSA has been using EDRs to support its crash investigation program for several years, and EDR data are routinely incorporated into NHTSA’s crash databases. This type of data could potentially play a role in finding when safety-critical automotive electronics were not functioning properly.

III. Our Examination of the Areas Identified in MAP–21 to Date

NHTSA has been actively engaged in research (both internally and with outside parties) in automotive electronics reliability, cybersecurity, and emerging technologies in advanced vehicle automation for the past two years. The agency has established, per MAP–21,27 a Council on ‘‘Vehicle Electronics, Vehicle Software, and Emerging Technologies’’ to coordinate and share information on a broad array of topics related to advanced vehicle electronics and emerging technologies. The Council is governed by senior NHTSA management, and the mission of the group is to broaden, leverage, and expand the agency’s expertise in motor vehicle electronics to continue ensuring that technologies enhance vehicle safety, and to review and advise on the research program established over electronics reliability, cybersecurity and automation topics.
With input from the Council, NHTSA has identified and funded initial research into the following areas:
• Hazard analyses of safety-critical electronic vehicle control systems, applying the Hazard and Operability (HazOp) process referenced within the ISO 26262 standard as well as System Theoretic Process Analysis (STPA);
• Examination of process-oriented functional safety and security standards for automotive electronics design and development;
• Automotive cybersecurity concerns, threats, and vulnerabilities, and potential countermeasures;
• Best practices in safeguarding against cybersecurity risks in related but non-automotive industries; and
• Human factors and other emerging concerns associated with highly automated vehicles.
Because the agency was already investigating vehicle electronics as a new and emerging research area for vehicle safety prior to the passage of MAP–21, the agency has already completed some research and analyses that address some of the items listed by Congress in section 31402 of MAP–21.

24 https://www.nhtsa.gov/FARS.
25 https://www.nhtsa.gov/SCI.
26 In 2006, NHTSA published a final rule creating a regulation (49 CFR Part 563, Event Data Recorders (Part 563)) that specifies the minimum data set that should be collected if a manufacturer decides to voluntarily install an EDR in their vehicle, along with requirements for the range and accuracy of EDR data, as well as requirements for storage and retrieval. Part 563 applies to vehicles manufactured on or after September 1, 2012. In December 2012, NHTSA proposed a standard that would mandate EDRs on all vehicles required to have frontal air bags (77 FR 74144). No final rule publication date has been established.
27 Moving Ahead for Progress in the 21st Century Act, Public Law 112–141 (Jul. 6, 2012), § 31401(a).
Research reports are available on the agency’s Web site 28 and we expect to publish more reports as projects are completed over the 2015–16 timeframe. It should be noted that the research described in this notice represents research already underway and future research that the agency anticipates undertaking as resources permit. This section shows our initial progress on the areas that Congress directed the agency to consider in the examination required under section 31402. We further request comments on our research thus far and request specific comments on the issues identified in the following sections.

a. Electronics Components and the Interaction of Electronic Components

To examine the potential safety concerns associated with electronic components and interactions of electronic components, we initiated research in developing potential approaches to analyzing the automotive electronic control system architecture and its interconnections. In conjunction, we reviewed data sources available to NHTSA to assess datasets that would be useful to analyze for purposes of this initiative (as documented in section II.e.). Further, we initiated systematic hazard analyses on select safety-critical automotive control systems to better understand the vehicle-level safety risks. In the following paragraphs, we provide further details on these research topics that enable us to begin examining the first two areas stated in MAP–21 systematically.

NHTSA is also conducting research to develop an electronics-related failure typology.29 As part of this research, we are evaluating the various sources of data described in section II.e. (defect data, crash databases, etc.) to determine if suitable data exist at this time to effectively utilize a detailed failure typology that would describe and categorize the hazards and causes of automotive electronic control system failures. Through such analysis, the agency would like to understand how trends in the underlying data for the chosen dataset change over time as a function of increased use of electronics. We expect to publish our failure typology research in 2015 and continue our research on appropriate datasets into 2016.

Another approach we are taking is to study the automotive electronic system architecture. Functional safety assurance of modern automobiles requires a thorough understanding of electronic control systems’ design under a variety of scenarios. These circumstances include systems’ behavior under nominal conditions and also during failure conditions. Equally important are state-of-the-art capabilities in detecting failures (diagnostic/prognostic) and fault-tolerant and/or fail-safe strategies that can prevent errors from resulting in safety hazards. To this end, NHTSA funded initial research to perform hazard analyses in select safety-critical automotive control system areas, such as Accelerator Control Systems (ACS)/Electronic Throttle Control (ETC), Rechargeable Energy Storage Systems (RESS), and steering and braking control systems within the context of the automatic lane centering function.

28 Office of Vehicle Crash Avoidance & Electronic Control Research technical publications are posted on the NHTSA Web site at https://www.nhtsa.gov/Research/Crash+Avoidance/Office+of+Crash+Avoidance+Research+Technical+Publications.
29 Establishing a failure typology refers to developing categories and data elements that can help the agency (and others) organize the types of failures relating to electronic control systems in vehicles. Establishing the typology is an important step in helping to create a structure to help analyze potential safety problems relating to electronics in vehicles.
These studies apply the Hazard and Operability (HazOp) process referenced within the ISO 26262 standard as well as the System Theoretic Process Analysis (STPA) approach to identify the system-level hazards associated with potential failures in the subject control systems. The purpose of these studies is to better understand the critical automotive system functions, failures, and risks and to identify safety goals and requirements. A further purpose is to compare and contrast results obtained from existing hazard analysis techniques. We are currently prioritizing our hazard analysis research to cover electronic throttle control, steering control, braking control and motive power areas. We expect to publish a series of research reports on hazard analyses starting in 2015.

A typical automotive electronic control system primarily relies on the following to perform its intended purposes:
• Sensors (measurements);
• Interpretation of sensed signals (e.g., conversion, configuration, classification);
• Estimations of parameters (when direct sensing may not be available, e.g., vehicle speed);
• Actuators (to carry out the intended motive);
• Communication networks (that facilitate electronic exchange of information between sensors, controllers and actuators);
• Design and programming of the control algorithm (conditions and respective actions) including:
a. Design and software coding that implement:
i. The intended functions; and
ii. System monitoring and malfunction detection logic; and
b. Supervisory logic that arbitrates between multiple, potentially conflicting, subsystem commands; and
• Availability of motive power.
Interactions between electronic components (and distributed embedded systems) are facilitated primarily by communication networks and shared use of sensors, software logic and actuators.
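The monitoring, malfunction-detection and supervisory-arbitration elements listed above are easiest to see in a concrete controller. The following is an added illustration written for this page; it is not code from NHTSA, from any manufacturer, or from the hazard-analysis reports the notice describes. The two-channel accelerator pedal layout (one full-scale sensor, one half-scale sensor), the voltage windows, the 3 % plausibility tolerance, the three-sample debounce and the 15 % limp-home cap are all assumed values chosen for the example.

```python
"""Illustrative electronic throttle control (ETC) monitoring and arbitration.

Added example for this page, not code from NHTSA or any vehicle manufacturer.
Assumed (hypothetical) layout: two redundant accelerator pedal position sensors,
APP1 reporting full scale and APP2 reporting half scale, so a wiring fault or a
drifting channel shows up as disagreement between them.
"""

# Hypothetical calibration values chosen for the example.
APP1_RANGE = (0.4, 4.6)   # volts; readings outside this window mean open/short circuit
APP2_RANGE = (0.2, 2.3)   # volts; APP2 is nominally APP1 / 2
PLAUSIBILITY_TOL = 0.03   # max disagreement between channels, fraction of full scale
LIMP_HOME_CAP = 0.15      # throttle ceiling once a pedal fault is latched
FAULT_DEBOUNCE = 3        # consecutive faulty samples before latching (rejects single glitches)


def _scale(volts, rng):
    """Map a sensor voltage onto 0.0 (released) .. 1.0 (fully pressed)."""
    lo, hi = rng
    return (volts - lo) / (hi - lo)


def interpret_pedal(app1_v, app2_v):
    """Return (pedal_fraction, fault_code) from the two redundant channels.

    The range check catches electrical failures on either channel; the plausibility
    check catches a channel that is still electrically in range but no longer
    tracking the pedal (drifted, stuck, or disturbed by interference).
    """
    if not APP1_RANGE[0] <= app1_v <= APP1_RANGE[1]:
        return None, "APP1_OUT_OF_RANGE"
    if not APP2_RANGE[0] <= app2_v <= APP2_RANGE[1]:
        return None, "APP2_OUT_OF_RANGE"
    p1, p2 = _scale(app1_v, APP1_RANGE), _scale(app2_v, APP2_RANGE)
    if abs(p1 - p2) > PLAUSIBILITY_TOL:
        return None, "APP_IMPLAUSIBLE"
    # Take the lower reading so a single channel reading high can never add throttle.
    return min(p1, p2), None


class EtcController:
    """One control cycle per call: sense, monitor, arbitrate, command the throttle."""

    def __init__(self):
        self.fault_count = 0
        self.limp_home = False   # latched until serviced; a good sample does not clear it
        self.dtc = None          # diagnostic trouble code recorded for the latched fault

    def step(self, app1_v, app2_v, brake_pressed, cruise_request=0.0):
        pedal, fault = interpret_pedal(app1_v, app2_v)

        # Malfunction detection with debounce: a single corrupted sample is ignored,
        # a persistent one latches limp-home mode and records a trouble code.
        if fault:
            self.fault_count += 1
            if self.fault_count >= FAULT_DEBOUNCE and not self.limp_home:
                self.limp_home, self.dtc = True, fault
        else:
            self.fault_count = 0

        # Supervisory arbitration between conflicting requests: the brake wins over
        # every throttle request, and an untrustworthy pedal signal yields no throttle.
        if brake_pressed or pedal is None:
            throttle = 0.0
        else:
            throttle = max(pedal, cruise_request)

        # Fail-safe response: cap the command so the vehicle can still crawl to safety.
        if self.limp_home:
            throttle = min(throttle, LIMP_HOME_CAP)
        return throttle
```

Two design choices carry the safety argument: the controller always commands the lower of the two channels, so no single failed sensor can add throttle, and the fail-safe state is latched rather than recomputed every cycle, so an intermittent fault that happens to read plausibly for one sample cannot silently restore full authority.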
Prioritization of competing requests from the various control subsystems and the driver for safety-critical functions is a potential area of anticipated future research due to the continued proliferation of safety and convenience functions.

Comments Requested

(1) NHTSA currently has research underway that is evaluating the hazards associated with electronic control systems that could impact a vehicle’s steering, throttle, braking and motive power first, because they can impact the fundamental control functions that a driver performs (such as providing lateral (via steering) and longitudinal (throttle, braking) control for the vehicle). This means we would research safety hazards associated with other automotive electronic control systems (e.g., safety restraint systems control, power door lock control, lighting control) later. We seek comment on this approach from the standpoint of research priorities for potential standards.
(a) Should the agency pursue alternative approaches to categorize and prioritize potential electronic control system hazards and impacts to support new standards?
(b) For hazard analysis research, the agency is currently pursuing HazOp and STPA. What other hazard analysis methods should the agency also consider and why?
(c) What other automotive electronics should we consider in our research that could affect the electronics in the safety-critical systems we identified (steering, throttle, brakes, etc.)?
(2) NHTSA currently has research underway that is evaluating system performance requirements for critical safety systems.
We seek comment on automotive electronic component and system performance requirements for control systems that impact throttle, braking, steering, and motive power management:
(a) What performance-based tests, methods, and processes are now available for safety assurance of these types of automotive electronic control systems?
(b) What series of performance-based tests should the agency consider to ensure safe functionality of these types of automotive electronic control systems under all real-world conditions (e.g., nominal, expected, non-nominal, and failure conditions)?
(c) Performance tests would ideally be applicable regardless of any specific design choices. We surmise that electronic components may have a wider variety of manufacturer-specific tuning and implementation variations. What types of challenges does this create for designing performance tests for electronic components? What methods are available for addressing those challenges?
(3) NHTSA currently has research underway that is evaluating diagnostics and prognostics for critical safety systems. We seek comment on vehicle health monitoring, diagnostics, and prognostics capabilities and fault-tolerant design alternatives for automotive safety applications.
(a) What methods are effective in identifying potential anomalous behavior associated with electronic components, systems, and communications reliably and quickly?
(b) What strategies do current vehicles have for activating a ‘‘fail-safe’’ mode when critical problems are detected? What types of problems are classified as ‘‘critical’’ and how does the vehicle detect these problems?
(c) What state-of-the-art detection and fail-safe response methods should the agency be aware of and further assess?
(4) NHTSA currently has research underway that is evaluating various process standards and their applicability to critical safety systems.
We seek comment on testing, validation, certification, and regulation alternatives for vehicle electronics with respect to these process standards:
(a) What are the pros and cons of utilizing a process-certification method (e.g., ISO 26262) where the manufacturer is asked to identify, categorize, and consider potential remedies for electronics safety problems?
(i) What approaches should be considered for manufacturers to demonstrate conformity with voluntary industry process standards such as ISO 26262?
(ii) How does one evaluate conformity to a process standard that uses an engineer’s best judgment to identify, categorize, and consider potential remedies to electronics safety problems?
(iii) What verification steps may be appropriate to ensure that potential standards are met?

b. Security Needs To Prevent Unauthorized Access to Electronic Components

Cybersecurity, within the context of road vehicles, is the protection of vehicular electronic systems, communication networks, control algorithms, software, users, and underlying data from malicious attacks, damage, unauthorized access, or manipulation. NHTSA has been actively researching existing cybersecurity standards and best practices in automotive and other industries. In reviewing the practices of other industries in dealing with cybersecurity issues, NHTSA has identified two general process-oriented approaches to addressing cybersecurity concerns. The first is design and quality control processes that focus on cybersecurity issues throughout the lifecycle of a product. The second is dealing with cybersecurity issues through establishing robust information sharing forums such as an Information Sharing and Analysis Center (ISAC). This section discusses the agency’s findings regarding each of these strategies.
In regards to security design and quality assurance processes, automotive manufacturers, suppliers, and other stakeholders are collaborating through SAE International to examine the emerging vehicle cybersecurity concerns and are considering actions that could include the development of voluntary standards, guidelines, or best practices documents. While there may be no readily available automotive cybersecurity standards at this time, NHTSA’s research identified general cybersecurity safeguarding approaches that can potentially be examined and adapted for use in the automotive industry. For example, the cybersecurity framework 30 developed and published by the National Institute of Standards and Technology (NIST) treats cybersecurity as a process integrated into the system, component, and device lifecycle. The guidelines referenced in this framework could allow the automotive industry to develop a security program for modern-day automobiles analogous to the information security programs in place for information technology (IT) systems in general. Similarly, system security engineering could potentially be incorporated into the design process in a way similar to system safety engineering as specified in ISO 26262 and ‘‘E-safety vehicle intrusion protected applications (EVITA).’’ 31 In regards to information sharing mechanisms, NHTSA studied 32 the ISAC model for safeguarding against cybersecurity risks and threats in other industries such as financial services, information technology, and communications. Our initial analyses indicate that an automotive sector-specific information sharing forum, such as an ISAC, is beneficial to pursue.

30 ‘‘Framework for Improving Critical Infrastructure Cybersecurity,’’ Version 1.0, NIST, 2014. Accessible at https://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf.
It could advance cybersecurity awareness and countermeasure development effectiveness among public and private stakeholders. ISACs have a unique capability to provide comprehensive inter- and intra-sector coverage to share critical information pertaining to sector analysis, alert and intelligence sharing, and incident management and response. Our research across other industries indicates that complete prevention of cyber-threats would be impractical if not impossible. This fact and the successful use of ISACs in other industry sectors suggest that it might also be effective for the auto industry to have mechanisms in place to expeditiously exchange information related to cyber-threats, vulnerabilities, and countermeasures among industry stakeholders. Such a mechanism would enhance the ability of the automotive sector to prepare for, respond to, and recover from cyber threats, vulnerabilities and incidents. Related to the sector-wide cybersecurity information sharing topic, the Alliance of Automobile Manufacturers (Alliance) and the Association of Global Automakers (Global Automakers) wrote 33 to NHTSA in July 2014 to inform the agency about the new cybersecurity initiative they are undertaking with the goal of establishing a voluntary automobile industry sector information sharing and analysis center or other comparable program.

31 EVITA is a project co-funded by the European Union that aims to design, verify, and prototype an architecture for automotive on-board networks where security-relevant components are protected against tampering and sensitive data are protected against compromise (https://www.evita-project.org/).
32 The study report ‘‘An assessment of the information sharing and analysis center (ISAC) model’’ can be accessed at the ‘‘Automotive Cybersecurity Topics and Publications’’ docket: NHTSA–2014–0071.
In response,34 NHTSA encouraged the Alliance and Global Automakers (as well as automotive original equipment manufacturers) to proceed expeditiously with the outlined process and expressed the agency’s hope that their plan would target a date in 2015 for an automotive industry ISAC to become operational.

Security process standards and information sharing forums fit in a larger, more comprehensive automotive cybersecurity assurance approach. In general terms, there are four major pieces to the agency’s research approach:
1. Preventive methods and techniques: This group of techniques would seek to harden the design of automotive electronic systems and networks such that it would be difficult for malicious attacks to take place in newer generation systems. Deployment and use of structured security process standards could help identify vulnerabilities such that necessary design improvements can be identified and implemented. These vulnerabilities include possible entry points through accessible physical interfaces such as the OBD–II port, USB ports, and CD/DVD players; short-range wireless interfaces, such as Bluetooth, Wi-Fi, or Dedicated Short Range Communications (DSRC); and long-range wireless interfaces such as cellular or satellite-based connectivity to the vehicle. Examples of design improvements include potential use of:
a. Encryption and/or authentication on communication networks;
b. Different communication approaches or protocols, and segmentation/isolation of safety-critical system control networks;
c. Strong authentication controls for remote access to vehicles;
d. Gateway controls between interfaced vehicle networks; etc.
Other approaches in the field of prevention research include methods such as those investigated in the Defense Advanced Research Projects Agency’s (DARPA) High-Assurance Cyber Military Systems (HACMS) 35 program.
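As an added example of design improvement (a) above, authentication on communication networks, written for this page and not drawn from the notice, from any manufacturer or from a published standard: a classic CAN frame carries only 8 data bytes, so the example packs 4 bytes of signal data, the low byte of a per-message freshness counter and a 3-byte truncation of an HMAC-SHA256 tag computed over the CAN ID, the full counter and the data. The receiver rebuilds the full counter from the transmitted low byte, rejects replayed or stale frames, and only then checks the tag. The key, the frame layout and the acceptance window are assumptions of the example.

```python
"""Authenticated CAN frames with a freshness counter (added example, not from the notice).

Assumed frame layout for an 8-byte classic CAN payload (hypothetical):
  bytes 0-3  signal data
  byte  4    low 8 bits of a 32-bit per-message freshness counter
  bytes 5-7  first 3 bytes of HMAC-SHA256(key, CAN ID || full counter || data)
The key below is a placeholder; a real deployment provisions a per-vehicle key.
"""
import hashlib
import hmac
import struct

KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # placeholder, not a real key
DATA_LEN, CTR_LEN, MAC_LEN = 4, 1, 3
FRAME_LEN = DATA_LEN + CTR_LEN + MAC_LEN   # 8 bytes


def _tag(can_id, counter, data):
    """Truncated MAC binding the data to its CAN ID and to the full counter value."""
    authenticated = struct.pack(">HI", can_id, counter) + data
    return hmac.new(KEY, authenticated, hashlib.sha256).digest()[:MAC_LEN]


class Sender:
    def __init__(self, can_id):
        self.can_id = can_id
        self.counter = 0          # must persist across power cycles in a real ECU

    def build(self, data):
        if len(data) != DATA_LEN:
            raise ValueError("payload must be exactly %d bytes" % DATA_LEN)
        self.counter += 1
        return data + bytes([self.counter & 0xFF]) + _tag(self.can_id, self.counter, data)


class Receiver:
    def __init__(self, can_id, window=16):
        self.can_id = can_id
        self.last = 0             # highest counter accepted so far
        self.window = window      # lost frames tolerated before a resync is needed

    def verify(self, frame):
        """Return (data, None) for an authentic, fresh frame, else (None, reason)."""
        if len(frame) != FRAME_LEN:
            return None, "BAD_LENGTH"
        data = frame[:DATA_LEN]
        ctr_lo = frame[DATA_LEN]
        tag = frame[DATA_LEN + CTR_LEN:]

        # Rebuild the full counter from its transmitted low byte: the smallest value
        # above the last accepted counter whose low byte matches.
        candidate = (self.last & ~0xFF) | ctr_lo
        if candidate <= self.last:
            candidate += 0x100
        if candidate - self.last > self.window:
            # A replayed or stale frame, or too many frames lost to resynchronise.
            return None, "COUNTER_OUT_OF_WINDOW"

        # Constant-time comparison so timing does not leak how many tag bytes matched.
        if not hmac.compare_digest(tag, _tag(self.can_id, candidate, data)):
            return None, "BAD_MAC"

        self.last = candidate     # advance only after the MAC checks out
        return data, None
```

The 24-bit tag is a compromise forced by the frame size, not a recommendation: an attacker can try forgeries only at bus speed, but the receiver should still count BAD_MAC events per ID and treat a burst as an incident rather than as noise. Binding the CAN ID into the tag stops a valid frame for one ID being replayed under another, and the counter check runs before the MAC so that a flood of replayed frames costs the receiver no hash computations. Key distribution, CAN FD (which allows longer tags) and gateway enforcement are outside the example.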
The primary intents of this category of activities are (1) to significantly reduce the probability of cyber risks; and (2) to limit the impact of a potential cybersecurity breach (e.g., one vehicle as opposed to an entire fleet). NHTSA initiated applied research into vulnerability assessment and preventive-type measures in 2014 and expects to publish reports starting in 2016.
2. Real-time intrusion detection methods: Total security through preventive measures may not be realistically achievable. Thus, as a complement to the preventive measures, detecting intrusions into the system through communication networks would provide additional protection. A cybersecurity breach would take place on or through a communication network. From an intrusion detection perspective, vehicular network communications are considered fairly predictable and well-suited for real-time monitoring to detect anomalous activity with respect to nominal expected message flows. We are initiating research into these types of technologies in the automotive sector.
3. Real-time response methods: Once a potential intrusion is detected, the strategies to mitigate its potential harmful impacts would also need to be designed in a practical manner. Depending on the potential risks and the level of intrusion detection confidence, the vehicle architecture could be designed to take a variety of actions, such as: temporarily or permanently shutting down the communication network(s) (at the potential cost of disabling various safety functions); informing the driver; or recording and transmitting data from before and after the trigger point for further analysis and countermeasure development.

33 Correspondence related to this initiative can be viewed in the ‘‘Automotive Cybersecurity Topics and Publications’’ docket: NHTSA–2014–0071.
34 Id.
35 https://www.darpa.mil/Our_Work/I2O/Programs/High-Assurance_Cyber_Military_Systems_(HACMS).aspx.
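An added example of the real-time intrusion detection approach in item 2 above (not the agency’s code and not taken from any product): most CAN IDs on a vehicle network are transmitted periodically by a single ECU, so a monitor can learn the nominal inter-arrival interval per ID from a clean trace and then flag frames that arrive far too early (an injected message interleaving with the legitimate sender), far too late (the legitimate sender suppressed), or on an ID never seen in normal operation. The two traces below are constructed for the example, and the 0.5x/3x thresholds are assumptions; the per-ID summary at the end is the kind of persistence count a response policy of the sort described in item 3 would act on, rather than reacting to a single jittery frame.

```python
"""Timing-based anomaly detection for periodic CAN traffic.

Added example for this page, not the agency's code. Traces are constructed for the
example as (timestamp_seconds, can_id, data_hex) tuples; no real vehicle was logged.
"""
from collections import defaultdict
from statistics import median

# Constructed clean baseline: ID 0x0C0 every 10 ms, ID 0x1A0 every 100 ms.
BASELINE = ([(i * 0.010, 0x0C0, "1A2B") for i in range(50)]
            + [(i * 0.100, 0x1A0, "00") for i in range(5)])

# Constructed monitored trace: the same legitimate traffic plus
#   - two injected 0x0C0 frames 0.5 ms after a legitimate one (spoofed signal),
#   - a diagnostic request ID 0x7DF that never appears in normal driving, and
#   - a 0x1A0 sender that goes quiet for 400 ms.
MONITORED = ([(i * 0.010, 0x0C0, "1A2B") for i in range(50)]
             + [(0.2005, 0x0C0, "FFFF"), (0.2105, 0x0C0, "FFFF")]
             + [(0.0, 0x1A0, "00"), (0.1, 0x1A0, "00"), (0.5, 0x1A0, "00")]
             + [(0.300, 0x7DF, "0210")])


def learn_profile(trace):
    """Nominal inter-arrival interval per CAN ID (median, robust to a few outliers)."""
    last, gaps = {}, defaultdict(list)
    for ts, cid, _ in sorted(trace):
        if cid in last:
            gaps[cid].append(ts - last[cid])
        last[cid] = ts
    return {cid: median(g) for cid, g in gaps.items()}


def detect(trace, profile, fast=0.5, slow=3.0):
    """Return (timestamp, can_id, reason) alerts for frames that break the learned timing.

    fast/slow are multipliers on the nominal interval (assumed thresholds); a real
    monitor would also have to tolerate event-triggered IDs and bus-load jitter.
    """
    last, alerts = {}, []
    for ts, cid, _ in sorted(trace):
        if cid not in profile:
            alerts.append((ts, cid, "UNKNOWN_ID"))      # never seen in normal operation
        elif cid in last:
            gap = ts - last[cid]
            nominal = profile[cid]
            if gap < fast * nominal:
                alerts.append((ts, cid, "TOO_FAST"))    # a second sender interleaving frames
            elif gap > slow * nominal:
                alerts.append((ts, cid, "TOO_SLOW"))    # legitimate sender suppressed
        last[cid] = ts
    return alerts


def summarize(alerts):
    """Count alerts per (ID, reason) so a response policy can act on persistence."""
    counts = defaultdict(int)
    for _, cid, reason in alerts:
        counts[(cid, reason)] += 1
    return dict(counts)
```

Timing alone cannot tell which of two interleaved senders is the impostor, which is why the example only raises alerts and leaves the response (driver warning, logging, isolating a segment) to a separate policy; it also cannot see an attacker who first silences the legitimate ECU and then transmits at exactly the nominal rate, so content plausibility checks or the message authentication shown earlier are needed alongside it.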
The purpose of this category of cybersecurity defense is to mitigate the potential harmful consequences of detected anomalous activity on the vehicle experiencing the potential breach. We expect to develop further research into this category of methods in 2016.
4. Treatment methods: While the previous paragraph discussed response methods (which deal with ensuring fail-safe operation of the vehicle where an intrusion is detected), treatment methods deal with distributing information related to the subject risk to other potentially vulnerable entities even before the compromise may be experienced by them. Treatment methods involve timely information extraction from impacted parties, analysis of that information, development of countermeasures and timely dissemination to all relevant stakeholders (such as through an ISAC). This approach allows for the design of stronger preventive methods in future generations of electronics. As outlined earlier, the automotive industry (through the Alliance and Global Automakers) is actively exploring information sharing alternatives related to automotive cybersecurity, and NHTSA is closely monitoring activities related to this initiative.

Comments Requested

(1) We seek comment on any technical areas of automotive cybersecurity that the agency could focus on in its further research.
(a) Specifically, are there particularly vulnerable or strong design architectures that the agency should further examine?
(b) What additional types of techniques (either in real-world occurrences or as a part of research) have persons used to gain unauthorized access to vehicle systems? What types of systems were such persons able to gain access to?
(c) What is the public’s view on the differences in cybersecurity risks associated with an intrusion that requires use of in-cab physical interfaces (e.g., OBD–II port) versus close-proximity wireless interfaces (e.g., Bluetooth) versus long-range wireless means (e.g., cellular/satellite links)?
(2) We seek comment on security process standards.
(a) What security process standard alternatives are available? How do these standards differ, and are there standards that are more suitable for application to the automotive industry than others?
(b) Could security assurance be handled within a modified framework of existing safety process standards (such as FMEAs, FTAs, ISO 26262), or does ‘‘design for security’’ require its own process?
(3) We seek comments on security performance standards. In contrast to process standards (which establish methods for considering cybersecurity risks during product design), we use the term ‘‘performance standard’’ to mean standards that evaluate the cybersecurity performance (or resilience) of a system after production of the final product.
(a) What types of metrics are available to test a vehicle’s ability to withstand a cyber-attack?
(b) Are there any common design characteristics that help ensure a minimum level of security from unauthorized access to a vehicle’s electronic control systems?
(c) What performance-based tests, methods, and processes are available for security assurance of automotive electronic control systems?
(d) Are there hardware, software, watchdog algorithm, etc. requirements or criteria that would help differentiate algorithm designs that are more secure against cyber-attack?

c. Effects of the Surrounding Environment on Electronic Component Performance

In addition to malicious interference that may be artificially introduced (as covered under cybersecurity in section III.b.), the surrounding natural environment could affect electronic components and systems in three primary ways:
1. By creating conditions that could cause electronic components to fail prematurely;
2. By creating conditions that could result in electronic control systems acting in unintended ways; and
3. By creating conditions for electronic sensors or systems to perceive the environment differently than reality.
Effects of the environment potentially causing electronic components to fail prematurely, such as through moisture, heat and corrosion, are typically handled by fail-safe strategies. Monitoring algorithms can detect sensors and components that fail or operate outside of the intended range and inform control algorithms to operate in fail-safe mode. Manufacturers take placement and environmental exposure into account in the design of electromechanical components.

Examples of the environment potentially causing electronic control systems to act in unintended ways are electromagnetic interference (EMI) and potential build-up of low-resistance paths on a circuit board, such as a tin whisker.36 OEMs very commonly perform electromagnetic compatibility (EMC) testing on their platforms in accordance with SAE International 37 and ISO 38 standards. NHTSA has investigated EMI effects on an electronic control system in a recent investigation. In 2010, NHTSA and the National Aeronautics and Space Administration (NASA) conducted EMC testing as part of the inquiry into whether Unintended Acceleration (UA) was related to the electronic throttle control system in Toyota vehicles. In this study, EMC testing at exposure levels well above existing certification standards did not produce an open throttle.39 Among the risks with EMI is for the electronic control unit’s memory settings to be altered unintentionally. This could change the way the system behaves, especially if the EMI’s influence is not detected. Manufacturers utilize various methods to prevent unintended EMI influence, such as retaining safety-critical system parameters in more than one memory location (such that a random alteration could be detected and the system shut down with a warning). Formation of conductive tin whiskers on a circuit board could potentially result in low-resistance paths and unintended system behavior, particularly if they cause a short between circuits resulting in unintended activation of an actuator. Most such issues result in electrical faults and safe shut-down of the corresponding functions. Manufacturers use various techniques to mitigate the concern, including changes to the manufacturing process, addition of elements like copper and nickel, and the use of surface coatings. Further, circuit board design takes into account the possibility of circuit-board shorts in trace placement.

Another possibility is for the environment to impact the advanced sensors (such as radar, lidar, cameras, GPS, etc.) on a contemporary vehicle in a way that could result in unintended engagement or non-operational status of system functions. To mitigate this risk, manufacturers utilize various forms of sensor fusion technologies to reduce reliance on any single sensor signal for safety-critical functions. Related to 5.9 GHz DSRC, NHTSA is initiating research into analyzing potential communication interference impacts of devices that operate on and in neighboring spectrums of the DSRC band.40 NHTSA expects to complete this study in 2015.

Comments Requested

(1) NHTSA has reviewed the state of the art with respect to environmental conditions and vehicle electronics. What other ways can the environment impact electronic system performance other than the ways that we have considered above?
(2) NHTSA has done some testing on interference issues. We seek comment in the area of EMI/EMC.
(a) What could the agency do to further assess the electromagnetic interference (EMI) susceptibility impacts of growing use of electronics on automotive system safety and assess the adequacy of existing voluntary standards?
(b) Are there known EMI susceptibility differences in vehicles designed and sold in the U.S. versus in regions where EMC may be explicitly regulated?
(3) We seek comment in the area of the environment’s potential impact on advanced automotive sensors.
(a) Are any particular sensing technologies more susceptible or less susceptible to such effects (including EMC and other environmental effects such as moisture, corrosion, etc.)?

IV. Additional Comments Requested

In addition to the comments requested in regards to the specific topics discussed above, we are also seeking comment on other general issues relating to electronic component safety and cybersecurity.
(1) One issue on which we seek comment is the potential for voluntary safety process standards to help address challenges introduced by expanding use of electronics in automotive applications. In section II.d. above, we discuss the various design and quality control processes that the industry already uses to assess the safety and cybersecurity of their electronic components (e.g., ISO 26262).
(a) We seek public comment on the degree to which this type of safety process standard can provide an adequate level of protection from electronic component failures or potential cybersecurity breaches.
(i) What voluntary industry standards are best able to address safety assurance of electronics control system design for motor vehicles?

36 A crystalline, hair-like structure of tin that can form on a tin-finished surface (taken from the NAS Report).
37 SAE J551, SAE J1113.
38 ISO 7637, ISO 10605, ISO 11451, ISO 11452.
39 ‘‘Technical Support to the National Highway Traffic Safety Administration (NHTSA) on the Reported Toyota Motor Corporation (TMC) Unintended Acceleration (UA) Investigation’’, 2011, NASA. Section 6.8 of this report discusses the EMC testing, and the full report can be accessed at https://www.nhtsa.gov/staticfiles/nvs/pdf/NASA-UA_report.pdf.
40 DSRC band: 5.850–5.925 GHz.
(ii) Specifically, what elements of the voluntary industry standards are best able to address electronics control systems and cybersecurity issues in motor vehicles?
(iii) What other standards than those described in this document are relevant for the agency to consider?
(b) What types of concerns with regard to electronic component safety and cybersecurity would not be addressed by voluntary safety process standards?
(i) What other standards are available that could address this type of safety concern?
(ii) What software development, validation and safety assurance methods and processes are suitable for safety-critical automotive control systems?
(c) Are existing process standards such as ISO 26262, IEC 60812, IEC 61025, etc., suitable to address electronic control system design challenges for more advanced forms of vehicle automation?
(2) Another issue that we seek comment on is the available information and data sources for identifying and understanding the issues related to electronic component reliability and cybersecurity. We recognize that much of the data available to the agency is retrospective. Thus, the traditional sources of information available to the agency have various limitations in this rapidly developing area of automotive technology. Information that shows historic data on electronic component issues may not necessarily give an accurate prediction of what future electronic component reliability and cybersecurity issues will be. We seek comment on the data sources that are identified for potential consideration in the categorization of priority focus areas for electronics reliability.
(a) We are especially interested in identifying any potential data sources that could assist the agency in identifying potential emerging electronic component failures in vehicles in a timely manner.
(b) Has the agency considered all the relevant data on this subject? What additional sources of information could the agency consider? (3) We seek comment on what other information sources or strategies are available that can enhance the ability to detect potential electronics system related concerns in a timely fashion. What methods are available to improve traceability of potential electronic control system malfunctions? V. Public Participation asabaliauskas on DSK5VPTVN1PROD with NOTICES How do I prepare and submit comments? Your comments must be written and in English. To ensure that your comments are filed correctly in the docket, please include the docket number of this document in your comments. Your comments must not be more than 15 pages long (49 CFR 553.21). NHTSA established this limit to encourage you to write your primary comments in a concise fashion. However, you may attach necessary additional documents to your comments. There is no limit on the length of the attachments. Please submit one copy (two copies if submitting by mail or hand delivery) of your comments, including the attachments, to the docket following the instructions given above under ADDRESSES. Please note, if you are VerDate Sep<11>2014 17:15 Oct 06, 2014 Jkt 235001 submitting comments electronically as a PDF (Adobe) file, we ask that the documents submitted be scanned using an Optical Character Recognition (OCR) process, thus allowing the agency to search and copy certain portions of your submissions. How do I submit confidential business information? If you wish to submit any information under a claim of confidentiality, you should submit three copies of your complete submission, including the information you claim to be confidential business information, to the Office of the Chief Counsel, NHTSA, at the address given above under FOR FURTHER INFORMATION CONTACT. 
In addition, you may submit a copy (two copies if submitting by mail or hand delivery), from which you have deleted the claimed confidential business information, to the docket by one of the methods given above under ADDRESSES. When you send a comment containing information claimed to be confidential business information, you should include a cover letter setting forth the information specified in NHTSA’s confidential business information regulation (49 CFR Part 512). Will the agency consider late comments? NHTSA will consider all comments received before the close of business on the comment closing date indicated above under DATES. To the extent possible, the agency will also consider comments received after that date. How can I read the comments submitted by other people? You may read the comments received at the address given above under Comments. The hours of the docket are indicated above in the same location. You may also see the comments on the Internet, identified by the docket number at the heading of this notice, at https://www.regulations.gov. Please note that, even after the comment closing date, NHTSA will continue to file relevant information in the docket as it becomes available. Further, some people may submit late comments. Accordingly, the agency recommends that you periodically check the docket for new material. Anyone is able to search the electronic form of all comments received into any of our dockets by the name of the individual submitting the comment (or signing the comment, if submitted on behalf of an association, business, labor union, etc.). You may review DOT’s complete Privacy Act Statement in the Federal Register PO 00000 Frm 00140 Fmt 4703 Sfmt 4703 60583 published on April 11, 2000 (65 FR 19477–78) or you may visit https:// www.dot.gov/privacy.html. Authority: Sec. 31402, Pub. L. 112–141. Issued in Washington, DC under authority delegated in 49 CFR part 1.95. Nathaniel Beuse, Associate Administrator for Vehicle Safety Research. 
[FR Doc. 2014-23805 Filed 10-6-14; 8:45 am]
BILLING CODE 4910-59-P

[Federal Register Volume 79, Number 194 (Tuesday, October 7, 2014)]
[Notices]
[Pages 60574-60583]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2014-23805]


-----------------------------------------------------------------------

DEPARTMENT OF TRANSPORTATION

National Highway Traffic Safety Administration

[Docket No. NHTSA-2014-0108]


Request for Comment on Automotive Electronic Control Systems 
Safety and Security

AGENCY: National Highway Traffic Safety Administration (NHTSA), 
Department of Transportation (DOT).

ACTION: Request for comments.

-----------------------------------------------------------------------

SUMMARY: This notice presents the National Highway Traffic Safety 
Administration's research program on vehicle electronics and our 
progress on examining the need for safety standards with regard to 
electronic systems in passenger motor vehicles. The agency undertook 
this examination pursuant to the requirements of the Moving Ahead for 
Progress in the 21st Century Act (MAP-21) Division C, Title I, Subtitle 
D, Section 31402, Subsection (a). In addition, and in accordance with 
MAP-21, we are seeking comment (through this document) on various 
components of our examination of the need for safety

[[Page 60575]]

standards in this area. As MAP-21 also requires this agency to report 
to Congress on our findings pursuant to this examination, we intend to 
submit a report to Congress based in part on our findings from this 
examination and public comments received in response to this document.

DATES: You should submit your comments early enough to ensure that 
Docket Management receives them no later than December 8, 2014.

ADDRESSES: Comments should refer to the docket number above and be 
submitted by one of the following methods:
     • Federal Rulemaking Portal: https://www.regulations.gov. 
Follow the online instructions for submitting comments.
     • Mail: Docket Management Facility, U.S. Department of 
Transportation, 1200 New Jersey Avenue SE., West Building Ground Floor, 
Room W12-140, Washington, DC 20590-0001.
     • Hand Delivery: 1200 New Jersey Avenue SE., West Building 
Ground Floor, Room W12-140, Washington, DC, between 9 a.m. and 5 p.m. 
ET, Monday through Friday, except Federal Holidays.
     • Instructions: For detailed instructions on submitting 
comments and additional information on the rulemaking process, see the 
Public Participation heading of the SUPPLEMENTARY INFORMATION section 
of this document. Note that all comments received will be posted 
without change to https://www.regulations.gov, including any personal 
information provided.
     • Privacy Act: Anyone is able to search the electronic form 
of all comments received into any of our dockets by the name of the 
individual submitting the comment (or signing the comment, if submitted 
on behalf of an association, business, labor union, etc.). You may 
review DOT's complete Privacy Act Statement in the Federal Register 
published on April 11, 2000 (65 FR 19477-78). For access to the docket 
to read background documents or comments received, go to 
https://www.regulations.gov or the street address listed above. Follow 
the online instructions for accessing the dockets.

FOR FURTHER INFORMATION CONTACT: For technical issues: Mr. David V. 
Freeman of NHTSA's Office of Vehicle Crash Avoidance & Electronic 
Controls Research at (202) 366-0168 or by email at 
david.v.freeman@dot.gov. For legal issues: Mr. Jesse Chang of NHTSA's 
Office of Chief Counsel at (202) 366-9874 or by email at 
jesse.chang@dot.gov.

SUPPLEMENTARY INFORMATION: In this document, the agency is presenting 
its progress in conducting an examination of the need for safety 
standards and seeking comments on its findings thus far. The agency is 
directed to conduct this examination and report its findings to 
Congress by the Moving Ahead for Progress in the 21st Century Act (MAP-
21).\1\
---------------------------------------------------------------------------

    \1\ Moving Ahead for Progress in the 21st Century Act, Public 
Law 112-141 (Jul. 6, 2012), Sec.  31402.
---------------------------------------------------------------------------

I. MAP-21 and Examining the Need for Electronic System Safety Standards

    In section 31402 of MAP-21, Congress directs this agency to 
``complete an examination of the need for safety standards with regard 
to electronic systems in passenger motor vehicles.'' \2\ In conducting 
this examination, the Act directed the agency to consider various 
topics:
---------------------------------------------------------------------------

    \2\ Id.
---------------------------------------------------------------------------

    (1) Electronic components;
    (2) the interaction of electronic components;
    (3) the security needs for those electronic components to prevent 
unauthorized access; and
    (4) the effect of surrounding environments on the electronic 
systems.\3\
---------------------------------------------------------------------------

    \3\ Id.
---------------------------------------------------------------------------

    Finally, the Act also directed the agency to allow for public 
comment in conducting this examination.\4\ Upon completing the 
examination, the Act also directs the agency to submit a report to 
Congress on the highest priority areas for safety with regard to the 
electronic systems.\5\
---------------------------------------------------------------------------

    \4\ Id.
    \5\ Id.
---------------------------------------------------------------------------

    This document presents the agency's progress thus far in conducting 
the examination required in section 31402. We illustrate how we are 
examining each of the areas described by Congress in section 31402 and 
are seeking public comment on that examination. We intend to 
incorporate the comments received pursuant to this document in our 
report to Congress identifying the need for safety standards.

II. Background

a. NHTSA's Safety Role

    The National Highway Traffic Safety Administration (NHTSA) is 
responsible for developing, setting, and enforcing regulations for 
motor vehicles and motor vehicle equipment. Many of the agency's 
regulations are Federal Motor Vehicle Safety Standards (FMVSSs) with 
which manufacturers must certify compliance when offering motor 
vehicles and motor vehicle equipment for sale in the United States. 
NHTSA also studies behaviors and attitudes in highway safety, focusing 
on drivers, passengers, pedestrians, and motorcyclists. We identify and 
measure behaviors involved in crashes or associated with injuries, and 
working with States and other partners develop and refine 
countermeasures to deter unsafe behaviors and promote safe 
alternatives. Further, the agency provides consumer information 
relevant to motor vehicle safety. For example, NHTSA's New Car 
Assessment Program (NCAP) provides comparative safety information for 
various vehicle models to aid consumers in their purchasing decisions 
(e.g., the 5-star crash test ratings). The purpose of the agency's 
programs is to reduce motor vehicle crashes and their attendant deaths, 
injuries, and property damage.

b. Growth in Automotive Electronics and Their Safety Challenges

    The use of electronics in the design of modern automobiles is 
progressing rapidly. The first common use of automotive electronics 
\6\ dates back to the 1970s, and by 2009 a typical automobile featured 
over 100 microprocessors, 50 electronic control units, five miles of 
wiring and 100 million lines of code.\7\ Use of electronics is not new. 
It has enabled safer and more fuel-efficient vehicles for decades. 
Electric and hybrid vehicles could not have been developed and produced 
without the extensive use of electronics, and proven safety 
technologies such as electronic stability control could not have been 
implemented. Over time, growth of electronics use has accelerated, and 
this trend is expected to continue as the automotive industry develops 
and deploys even more advanced automated vehicle features. This trend 
results in increased complexity in the design, testing, and validation 
of automotive systems. That complexity also raises general concerns 
about the reliability, security, and safety assurance of increasingly 
networked vehicles that depend on electronics.
---------------------------------------------------------------------------

    \6\ Not including electronics use for radio purposes.
    \7\ ``This car runs on code,'' R.N. Charette, 2009, https://spectrum.ieee.org/transportation/systems/this-car-runs-on-code.
---------------------------------------------------------------------------

    Electronics provide many safety, security, convenience, comfort, 
and efficiency functions for vehicle operators through interconnections 
and communications with other onboard electronics systems. Common 
communications networks and protocols allow for the exchange of 
information between sensors, actuators, and the electronic control 
units that execute software programs to accomplish specific functions. 
A vehicle will typically feature multiple networks.

[[Page 60576]]

Those networks may be isolated from one another for a variety of 
reasons such as safety and security; however, in other cases different 
networks could be interconnected to enable exchange of information 
across a broader range of systems. Sharing data across multiple 
networks can be safeguarded against adverse influence over safety-
critical systems; however, effectiveness of such approaches is only 
anecdotally known today. Growing system complexity and abundance of 
design variants even within one manufacturer over model years and 
across classes of vehicles pose general concerns over whether existing 
processes can ensure their functional safety. Further, anomalies 
associated with electronic systems--including those related to software 
programming, intermittent electronics hardware malfunctions, and 
effects of electromagnetic disturbances--may not leave physical 
evidence, and hence are difficult to investigate without a record of 
data from the electronic systems.
    While there are challenges, progressively introduced safety 
technologies, such as Automatic Emergency Braking (AEB), have the 
potential to significantly reduce the many thousands of fatalities and 
injuries that occur each year as a result of motor vehicle crashes. 
Further, continued innovation into more advanced forms of vehicle 
automation could address other types of crashes where human driver 
error plays a role. In May 2013, NHTSA released a preliminary statement 
of policy \8\ concerning automated vehicles where the agency outlined 
its planned research into emerging technologies. Given the complexity 
of these new systems in terms of the additional electronics software 
and hardware needed, electronic control systems safety will continue to 
grow in importance as these systems become more commonplace in 
production vehicles.
---------------------------------------------------------------------------

    \8\ https://www.nhtsa.gov/staticfiles/rulemaking/pdf/Automated_Vehicles_Policy.pdf.
---------------------------------------------------------------------------

    Along these lines, the Transportation Research Board (TRB) Special 
Report 308 \9\ by the National Academies of Sciences (NAS) in 2012 
identified five challenges for the safety of future electronic control 
systems:
---------------------------------------------------------------------------

    \9\ The Safety Promise and Challenge of Automotive Electronics, 
insights from unintended acceleration, National Research Council of 
the National Academies, ISBN 978-0-309-22304-1, 2012.
---------------------------------------------------------------------------

     • An increased amount of complex software that cannot be 
exhaustively tested;
     • The highly interactive nature of the electronic control 
system--more interactions exist among system components, and the 
outcome may be difficult to anticipate;
     • The growing importance of human factors consideration in 
automotive electronic control system design;
     • The potentially harmful interaction with the external 
environment including electromagnetic interference; and
     • The novel and rapidly changing technology.
    Further, the study offered recommendations to NHTSA on the actions 
that the agency could take to meet the five challenges they identified. 
These include:
     • becoming more familiar with and engaged in standard-
setting and other efforts (involving industry) that are aimed at 
strengthening the means by which manufacturers ensure the safe 
performance of their automotive electronics systems;
     • convening a standing technical advisory panel; undertaking 
a comprehensive review of the capabilities that the agency will need in 
monitoring for and investigating safety deficiencies in electronics-
intensive vehicles;
     • ensuring that Event Data Recorders (EDRs) become 
commonplace in new vehicles;
     • conducting research on human factors issues informing 
manufacturers' system design decisions;
     • initiating a strategic planning effort that gives explicit 
consideration to the safety challenges resulting from vehicle 
electronics that give rise to an agenda for meeting them; and
     • making the formulation of a strategic plan a top goal in 
NHTSA's overall priority plan.
    In addition to the challenges regarding electronic components and 
their ability to function reliably in spite of their complex 
interactions, NHTSA believes there are also challenges with regard to 
the ability of these systems to remain free of unauthorized access or 
malicious attacks. While documented demonstrations \10\ \11\ \12\ 
of vehicle hacking to date have required some form of long-term 
physical access to the vehicle and our review has not identified any 
reported field incidents resulting in a safety concern, we recognize 
that lack of occurrence does not imply impossibility. As further 
discussed in this document, NHTSA is interested in gathering and 
evaluating information from the public (as part of its examination 
pursuant to MAP-21) to determine what additional work is needed in this 
area.
---------------------------------------------------------------------------

    \10\ ``Experimental Security Analysis of a Modern Automobile,'' 
K. Koscher et al., IEEE Symposium on Security and Privacy, Oakland, 
CA, 2010.
    \11\ ``Comprehensive Experimental Analyses of Automotive Attack 
Surfaces,'' S. Checkoway et al., USENIX Security, 2011.
    \12\ ``Adventures in Automotive Networks and Control Units,'' C. 
Miller, C. Valasek, DEF CON 21, Las Vegas, NV, 2013.
---------------------------------------------------------------------------

c. Industry's Existing Safety Assurance Processes

    Notwithstanding the increased difficulty of assuring the safety of 
increasingly complex systems, the automotive industry uses a number of 
safety and quality assurance practices in the design of safety-
critical systems; these practices are not unique to electronic systems 
but cover them as well. As documented in a number of publications and 
also summarized in the NAS Report, these approaches include the:
     • Establishment of system safety requirements;
     • assessment of design hazards and risks at component, 
function, system, manufacturing and process levels such as by the use 
of failure mode and effects analysis \13\ (FMEA) and fault tree 
analysis \14\ (FTA);
---------------------------------------------------------------------------

    \13\ IEC 60812 standard covers the process for conducting FMEA 
analysis.
    \14\ IEC 61025 standard covers the process for conducting FTA 
analysis.
---------------------------------------------------------------------------

     • quality management systems such as ISO/TS 16949,\15\ 
advanced product quality planning (APQP), and Design for Six Sigma 
(DFSS);
---------------------------------------------------------------------------

    \15\ ISO/TS 16949:2002 covers particular requirements for the 
application of ISO 9001:2000 for automotive production and relevant 
service part organizations.
---------------------------------------------------------------------------

     • design validation and verification testing such as 
electrical, environmental, lab, test track and limited field trials;
     • variants of production part approval process (PPAP); and
     • post deployment field data analysis.
    Further, many automotive original equipment manufacturers (OEM) 
were actively engaged in the development and revision of the ISO 26262 
\16\ standard and some have already started to follow its principles. 
As further discussed in this document, NHTSA is interested in gathering 
and evaluating information from the public (as part of its examination 
pursuant to MAP-21) to determine whether there are emerging gaps in the 
functional safety assurance processes of motor vehicles.
---------------------------------------------------------------------------

    \16\ International Organization for Standardization (ISO) 
standard for Road vehicles--Functional safety.
---------------------------------------------------------------------------

d. Existing Safety Process Standards Research Overview

    Sectors of the automotive industry currently consider electronics 
safety and cybersecurity as part of their design and quality control 
processes. Three process

[[Page 60577]]

standards from the broader transportation industry are frequently 
mentioned as suitable and preferred methods also used in the design of 
road vehicles usually complementing existing safety assurance 
practices: ISO 26262, MIL-STD-882E, and DO-178C.
    ISO 26262 is the first automotive industry specific standard \17\ 
that addresses safety-related systems comprised of electrical, 
electronic, and software elements providing safety-related functions in 
the design of road vehicles. It is an adaptation to the International 
Electrotechnical Commission (IEC) 61508 \18\ standard to road vehicles. 
The first publication of ISO 26262 was in November 2011. This standard 
seeks to address various important challenges facing today's road 
vehicle technologies including:
---------------------------------------------------------------------------

    \17\ Van Eikema Hommes, Q., ``Review and Assessment of the ISO 
26262 Draft Road Vehicle--Functional Safety,'' SAE Technical Paper 
2012-01-0025, 2012, doi:10.4271/2012-01-0025.
    \18\ IEC 61508 is an international standard for functional 
safety of electrical/electronic/programmable electronic safety-
related systems. This standard considers all of the environments 
that could result in an unsafe situation for the subject product, 
including shock, vibration, temperature, and electromagnetic fields 
and their induced voltages and currents.
---------------------------------------------------------------------------

     • The safety of new electrical, electronic, and software 
functionality in vehicles;
     • the trend of increasing system complexity, software 
content, and use of electromechanical components; and
     • the risk from both systematic failure and random hardware 
failure.
    Typical concerns associated with the ISO 26262 standard may include 
that the
     • Standard could be laborious to apply;
     • hardware portions of the standard's coverage may be very 
similar to existing industry practices with limited incremental 
benefits;
     • software portions of the standard may primarily recommend 
good systems engineering practices for software safety; and
     • assessment of the automotive safety integrity levels 
(ASIL) may vary due to subjectivity in the process.
    Due to some of these limitations, existing practices and ISO 26262 
are sometimes augmented with more mature systems engineering approaches 
that are outlined in MIL-STD-882E and DO-178C, particularly on the 
software engineering side.
    MIL-STD-882E is the U.S. Department of Defense's systems 
engineering approach for eliminating hazards, where possible, and 
minimizing risks where those hazards cannot be eliminated. By taking a 
systems approach, this standard considers hazards in the entire 
lifecycle of systems, products, equipment, and infrastructure including 
design, development, test, production, use, and disposal stages. The 
principle of this standard is that system safety should follow the 
system engineering process, and is the responsibility of all functional 
disciplines, not just the system safety professionals. This standard 
has gone through a number of revisions in order to adapt to changes in 
technology and lessons learned through experience.
    In the aviation industry, DO-178C \19\ is accepted guidance for 
software development. Conformance to this standard means the software 
satisfies airworthiness \20\ requirements with an acceptable level of 
confidence. As part of the airworthiness certification process, DO-178C 
provides guidelines to produce the software lifecycle data needed in 
order to support the certification process (e.g. plans for software 
development, verification, configuration management, and quality 
assurance). It also provides a comprehensive list of considerations in 
order to avoid errors and mistakes that could be introduced into 
software. DO-178C considers system software development as a subset of 
the overall system development process. It assumes that safety-critical 
requirements for software systems are defined in the higher-level 
system engineering activities and are given at the beginning of the 
software development process. Some automotive companies indicated that 
the principles outlined in this more mature standard complement the 
software standard described in ISO 26262 Part 6,\21\ which is still 
evolving.
---------------------------------------------------------------------------

    \19\ DO-178C: Software considerations in airborne systems and 
equipment certification.
    \20\ Airworthiness of an aircraft refers to meeting established 
standards for safe flight.
    \21\ ISO 26262-6:2011, Road vehicles--Functional safety--Part 6: 
Product development at the software level.
---------------------------------------------------------------------------

    As we discuss further in this document, NHTSA continues to 
investigate functional safety approaches for the automotive industry 
that may effectively address emerging concerns from the increased use 
of electronics and software in the design of automobiles.

e. Available Data \22\ Sources Research Overview
---------------------------------------------------------------------------

    \22\ Data for purposes of examining the need for safety 
standards with regard to automotive electronic systems does not 
include personally identifiable information about the operators.
---------------------------------------------------------------------------

    For purposes of determining the capabilities of various datasets to 
categorize and rank vehicle electronics safety issues, we considered 
vehicle recall data, vehicle owner's questionnaire (VOQ) data, early 
warning reporting (EWR) data, and data from our field crash 
investigation databases such as National Automotive Sampling System 
(NASS), Fatality Analysis Reporting System (FARS), and Special Crash 
Investigation (SCI) database. Further, we considered event data 
recorder (EDR) capabilities. We briefly describe our findings on these 
various data sources in this section. While we believe that the sources 
of information available to NHTSA in this regard are useful in helping 
the agency begin to identify the highest priority areas with regard to 
electronic components (and their interactions), we also believe that 
they have certain limitations in ranking safety issues associated with 
vehicle electronics. This limitation is mostly driven from the lack of 
detailed information regarding specific electronic system failure 
types. Hence, in section V. we seek comment from the public as to what 
other sources of information and data are available.
    The vehicle recall database is a publicly available resource that 
documents safety defects or failures to meet minimum performance 
standards set by the Federal Motor Vehicle Safety Standards (FMVSS) in 
a motor vehicle or item of motor vehicle equipment. When manufacturers 
decide a safety defect or a noncompliance exists in a motor vehicle or 
item of motor vehicle equipment they manufactured, they are required to 
notify NHTSA and furnish a report with particular information about the 
defect or noncompliance, the products involved, and additional 
information including the manufacturer's plan to remedy for free the 
defect or noncompliance (See 49 U.S.C. 30118 and 49 CFR 573.6).
    Defect and noncompliance notifications and information reports are 
reviewed by NHTSA analysts who enter them in the recall database. The 
database includes summaries of the defect description, consequences, 
and remedy for each recall. The number of vehicle recalls has increased 
significantly in the past 20 years, nearly tripling from 1993 (222) to 
2013 (654). While the vehicle recall database contains a large amount 
of useful information, the database and underlying defect reports were 
not intended for detailed or precise statistical analyses of recalls by 
typology or root cause related to motor vehicle electronic systems. Any 
such analysis requires a manual review and classification process. 
However, this work can be limited by the amount of detail contained in 
the defect

[[Page 60578]]

information reports, which normally provide more general descriptions 
of the defect condition and potential safety consequences.
    Vehicle Owner Questionnaires (VOQs) are voluntarily submitted by 
consumers to NHTSA to report a complaint about a vehicle or related 
equipment item. Each complaint (which is stored in a database and made 
available to the public with personal identifiers redacted) identifies 
the vehicle type and incident specifics and includes a free-form 
narrative to describe details. Complaint content and trends are helpful 
for general screening purposes, but follow-up is sometimes necessary to 
verify and clarify complaints and incident specifics. Approximately 
50,000 VOQs were filed in 2013.
    Another source of data is the EWR system. Several data types are 
regularly reported to NHTSA by manufacturers. The data include non-
dealer field reports (documents), listings of death/injury claims 
(records), and aggregated counts of certain claim types. The quarterly 
reporting interval, high level component coding of aggregate figures, 
and variability in manufacturer reporting are factors that are 
considered when analyzing certain EWR data sets to study safety 
critical embedded control systems. Field reports are the only EWR data 
sets available for evaluating specific defect conditions, including 
incidents in which the problem is intermittent or cannot be duplicated.
    Separately, regarding our national crash databases, the National 
Automotive Sampling System (NASS) \23\ is composed of two systems--the 
Crashworthiness Data System (CDS) and the General Estimates System 
(GES). These are based on cases selected from a sample of police crash 
reports. CDS data focus on passenger vehicle crashes, and are used to 
investigate crash circumstances, vehicle crash response and occupant 
injury and identify potential improvements in vehicle design. The GES 
database contains crash statistics on police-reported crashes involving 
all types of vehicles. The information comes from samples of police 
reports of the estimated six million crashes that occur annually. Each 
NASS database is weighted to characterize a nationally representative 
sample. Each crash must involve at least one motor vehicle traveling on 
a traffic way, which results in property damage, injury, or death, and 
it must be obtained from a police report.
---------------------------------------------------------------------------

    \23\ https://www.nhtsa.gov/NASS.
---------------------------------------------------------------------------

    The Fatality Analysis Reporting System (FARS) \24\ is a nationwide 
census database on crashes involving fatalities containing similar 
information to NASS-GES. These two crash databases consist of 
approximately 120 data elements that describe the crash, which are 
derived from review of police crash reports by trained data entry 
personnel; however, similar to the case with VOQs, there may be 
challenges in using these databases to perform detailed analyses for 
purposes of ranking emerging electronics concerns because data elements 
were not established with this specific purpose in mind. In combination 
with other datasets, analysis of GES and FARS can still provide 
confirming or augmenting evidence in identifying potential priority 
areas in electronics reliability.
---------------------------------------------------------------------------

    \24\ https://www.nhtsa.gov/FARS.
---------------------------------------------------------------------------

    The Crash Injury Research and Engineering Network (CIREN) database 
consists of over 1,000 discrete fields of data concerning severe motor 
vehicle crashes, including crash reconstruction and medical injury 
profiles extending back to 1996. CIREN cases feature detailed data on 
occupant injury, vehicle damage and restraint technology and crash 
environment, as well as technical or human factors that are related to 
injury causation in motor vehicle crashes. Each CIREN case is reviewed 
together by both medical and engineering professionals, along with the 
crash investigator, to determine injury causation and data accuracy.
    The Special Crash Investigations (SCI) \25\ database contains a 
range of data collected from basic data contained in routine police and 
insurance crash reports to comprehensive data from special reports by 
professional crash investigation teams. Hundreds of data elements 
relevant to the vehicle, occupants, injury mechanisms, roadway, and 
safety systems are collected for each of the over 100 crashes 
designated for study annually. SCI cases are intended to be an 
anecdotal data set useful for examining special crash circumstances or 
outcomes from an engineering perspective. The SCI program's flexibility 
allows for investigations of new emerging technologies related to 
automotive safety.
---------------------------------------------------------------------------

    \25\ https://www.nhtsa.gov/SCI.
---------------------------------------------------------------------------

    Finally, Event Data Recorders \26\ (EDRs) are devices that may be 
installed in a motor vehicle to record technical vehicle information 
for a few seconds leading up to the crash. For instance, EDRs may 
record vehicle speed, engine throttle position, brake use, driver 
safety belt status, and air bag warning lamp status. NHTSA has been 
using EDRs to support its crash investigation program for several years 
and EDR data is routinely incorporated into NHTSA's crash databases. 
This type of data could potentially play a role in finding when safety 
critical automotive electronics were not functioning properly.
---------------------------------------------------------------------------

    \26\ In 2006, NHTSA published a final rule creating a regulation 
(49 CFR Part 563, Event Data Recorders (Part 563)) that specifies 
the minimum data set that should be collected if a manufacturer 
decides to voluntarily install an EDR in their vehicle, along with 
requirements for the range and accuracy of EDR data, as well as 
requirements for storage and retrieval. Part 563 applies to vehicles 
manufactured on or after September 1, 2012. In December 2012, NHTSA 
proposed a standard that would mandate EDRs on all vehicles required 
to have frontal air bags. (77 FR 74144). No final rule publication 
date has been established.
---------------------------------------------------------------------------

III. Our Examination of the Areas Identified in MAP-21 to Date

    NHTSA has been actively engaged in research (both internally and 
with outside parties) in automotive electronics reliability, 
cybersecurity, and emerging technologies in advanced vehicle automation 
for the past two years. The agency has established, per MAP-21,\27\ a 
Council on ``Vehicle Electronics, Vehicle Software, and Emerging 
Technologies'' to coordinate and share information on a broad array of 
topics related to advanced vehicle electronics and emerging 
technologies. The Council is governed by senior NHTSA management. Its 
mission is to broaden, leverage, and expand the agency's expertise in 
motor vehicle electronics so as to continue ensuring that technologies 
enhance vehicle safety, and to review and advise on the research 
program established on electronics reliability, cybersecurity and 
automation topics.
---------------------------------------------------------------------------

    \27\ Moving Ahead for Progress in the 21st Century Act, Public 
Law 112-141 (Jul. 6, 2012), Sec.  31401(a).
---------------------------------------------------------------------------

    With input from the Council, NHTSA has identified and funded 
initial research into the following areas:
    • Hazard analyses of safety-critical electronic vehicle 
control systems, applying the Hazard and Operability (HazOp) process 
referenced within the ISO 26262 standard as well as System Theoretic 
Process Analysis (STPA);
    • Examination of process-oriented functional safety and 
security standards for automotive electronics design and development;
    • Automotive cybersecurity concerns, threats, and 
vulnerabilities, and potential countermeasures;
    • Best practices in safeguarding against cybersecurity risks 
in related but non-automotive industries; and

[[Page 60579]]

    • Human factors and other emerging concerns associated with 
highly automated vehicles.
    Because the agency was already investigating vehicle electronics as 
a new and emerging research area for vehicle safety prior to the 
passage of MAP-21, the agency has already completed some research and 
analyses that address some of the items listed by Congress in section 
31402 of MAP-21. Research reports are available on the agency's Web 
site \28\ and we expect to publish more reports as projects are 
completed over the 2015-16 timeframe. It should be noted that the 
research described in this notice represents research already underway 
and future research that the agency anticipates undertaking as 
resources permit. This section shows our initial progress on the areas 
that Congress directed the agency to consider in the examination 
required under section 31402. We further request comments on our 
research thus far and request specific comments on the issues 
identified in the following sections.
---------------------------------------------------------------------------

    \28\ Office of Vehicle Crash Avoidance & Electronic Control 
Research technical publications are posted on the NHTSA Web site at 
https://www.nhtsa.gov/Research/Crash+Avoidance/Office+of+Crash+Avoidance+Research+Technical+Publications.
---------------------------------------------------------------------------

a. Electronics Components and the Interaction of Electronic Components

    To examine the potential safety concerns associated with electronic 
components and interactions of electronic components, we initiated 
research in developing potential approaches to analyzing the automotive 
electronic control system architecture and their interconnections. In 
conjunction, we reviewed data sources available to NHTSA to assess 
datasets that would be useful to analyze for purposes of this 
initiative (as documented in section II.e.). Further, we initiated 
systematic hazard analyses on select safety-critical automotive control 
systems to better understand the vehicle level safety risks. In the 
following paragraphs, we provide further details on these research 
topics that enable us to begin examining the first two areas stated in 
MAP-21 systematically.
    NHTSA is also conducting research to develop an electronics-related 
failure-typology.\29\ As part of this research, we are evaluating the 
various sources of data described in section II. e. (defect data, crash 
databases, etc.) to determine if suitable data exists at this time to 
effectively utilize a detailed failure typology that would describe and 
categorize the hazards and causes of automotive electronic control 
system failures. Through such analysis, the agency would like to 
understand how trends in the underlying data for the chosen dataset 
change over time as a function of increased use of electronics. We 
expect to publish our failure-typology research in 2015 and continue 
our research on appropriate datasets into 2016.
---------------------------------------------------------------------------

    \29\ Establishing a failure typology refers to developing 
categories and data elements that can help the agency (and others) 
organize the types of failures relating to electronic control 
systems in vehicles. Establishing the typology is an important step 
in helping to create a structure to help analyze potential safety 
problems relating to electronics in vehicles.
---------------------------------------------------------------------------

    Another approach we are taking is to study the automotive 
electronic system architecture. Functional safety assurance of modern 
automobiles requires a thorough understanding of electronic control 
systems' design under a variety of scenarios. These circumstances 
include systems' behavior under nominal conditions and also during 
failure conditions. Equally important are state-of-the-art capabilities 
in detecting failures (diagnostic/prognostic) and fault-tolerant and/or 
fail-safe strategies that can prevent errors from resulting in safety 
hazards. To this end, NHTSA funded initial research to perform hazard 
analyses in select safety-critical automotive control system areas, 
such as Accelerator Control Systems (ACS)/Electronic Throttle Control 
(ETC), Rechargeable Energy Storage Systems (RESS), and steering and 
braking control systems within the context of automatic lane centering 
function. These studies apply the Hazard and Operability (HazOp) 
process referenced within the ISO 26262 standard as well as System 
Theoretic Process Analysis (STPA) approach to identify the system level 
hazards associated with potential failures in the subject control 
systems. The purpose of these studies is to better understand the 
critical automotive system functions, failures, and risks and identify 
safety goals and requirements. Further, another purpose is to compare 
and contrast results obtained from existing hazard analyses techniques. 
We are currently prioritizing our hazard analysis research to cover 
electronic throttle control, steering control, braking control and 
motive power areas. We expect to publish a series of research reports 
on hazard analyses starting in 2015.
    A typical automotive electronic control system primarily relies on 
the following to perform its intended purposes:
    • Sensors (measurements);
    • Interpretation of sensed signals (e.g. conversion, 
configuration, classification);
    • Estimations of parameters (when direct sensing may not be 
available, e.g., vehicle speed);
    • Actuators (to carry out the intended motive);
    • Communication networks (that facilitate electronic 
exchange of information between sensors, controllers and actuators);
    • Design and programming of the control algorithm 
(conditions and respective actions) including:
    a. Design and software coding that implement:
    i. The intended functions; and
    ii. system monitoring and malfunction detection logic; and
    b. supervisory logic that arbitrates between multiple, potentially 
conflicting, subsystem commands; and
    • Availability of motive power.
    Interactions between electronic components (and distributed 
embedded systems) are facilitated primarily by communication networks 
and shared use of sensors, software logic and actuators. Prioritization 
of competing requests from the various control subsystems and the 
driver for safety-critical functions is a potential area of anticipated 
future research due to continued proliferation of safety and 
convenience functions.
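As an added example (not code from the notice, from NHTSA, or from any manufacturer), the following C sketch shows how the elements listed above fit together in one control cycle of an accelerator control system: two redundant pedal sensor tracks (sensing), averaging of the tracks (interpretation), a range and cross-plausibility check (monitoring and malfunction detection logic), a latched limp-home mode (fail-safe strategy), and supervisory logic that arbitrates between the driver's request, a cruise-control request and the brake pedal. All thresholds, the debounce count and the arbitration policy are constructed assumptions for illustration, not calibrations from any real vehicle.

```c
/* Added example: simplified accelerator control system (ACS/ETC) logic.
 * Not from the NHTSA notice; all thresholds and policy are constructed. */
#include <stdbool.h>
#include <stdio.h>

#define PEDAL_MAX_MISMATCH   5.0   /* % allowed disagreement between tracks */
#define PEDAL_MIN_VALID      0.0   /* % below this a track is out of range */
#define PEDAL_MAX_VALID    100.0   /* % above this a track is out of range */
#define LIMP_HOME_THROTTLE  10.0   /* % throttle when pedal inputs are untrusted */
#define CONFIRM_CYCLES       3     /* fault must persist this many cycles to latch */

typedef struct {
    double pedal_a;        /* pedal sensor track A, % */
    double pedal_b;        /* pedal sensor track B, % */
    bool   brake_pressed;
    bool   cruise_active;
    double cruise_request; /* % throttle requested by cruise control */
} EtcInputs;

typedef enum { MODE_NORMAL, MODE_LIMP_HOME } EtcMode;

typedef struct {
    int     fault_cycles;  /* consecutive cycles with implausible pedal data */
    EtcMode mode;
} EtcState;

EtcState etc_init(void) {
    EtcState st = { 0, MODE_NORMAL };
    return st;
}

EtcInputs make_inputs(double a, double b, bool brake, bool cruise, double cruise_req) {
    EtcInputs in = { a, b, brake, cruise, cruise_req };
    return in;
}

static double absdiff(double a, double b) { return a > b ? a - b : b - a; }

/* Malfunction detection: each track must be in range, and both must agree. */
bool pedal_plausible(double a, double b) {
    if (a < PEDAL_MIN_VALID || a > PEDAL_MAX_VALID) return false;
    if (b < PEDAL_MIN_VALID || b > PEDAL_MAX_VALID) return false;
    return absdiff(a, b) <= PEDAL_MAX_MISMATCH;
}

/* Supervisory logic: arbitrate between driver, cruise control and brake. */
double arbitrate(EtcInputs in, double driver_request) {
    if (in.brake_pressed) return 0.0;              /* brake cancels all throttle */
    if (in.cruise_active && in.cruise_request > driver_request)
        return in.cruise_request;                  /* cruise holds its request ... */
    return driver_request;                         /* ... unless the driver asks for more */
}

/* One control cycle: returns the throttle command in %. Untrusted pedal
 * data is never acted on; a fault that persists CONFIRM_CYCLES latches
 * limp-home mode until the state is reset (service). */
double etc_step(EtcState *st, EtcInputs in) {
    if (!pedal_plausible(in.pedal_a, in.pedal_b)) {
        if (++st->fault_cycles >= CONFIRM_CYCLES) st->mode = MODE_LIMP_HOME;
        return in.brake_pressed ? 0.0 : LIMP_HOME_THROTTLE;
    }
    st->fault_cycles = 0;                          /* transient fault cleared */
    if (st->mode == MODE_LIMP_HOME)
        return in.brake_pressed ? 0.0 : LIMP_HOME_THROTTLE;
    double driver_request = (in.pedal_a + in.pedal_b) / 2.0;   /* interpretation */
    return arbitrate(in, driver_request);
}

int main(void) {
    EtcState st = etc_init();
    printf("normal:    %.1f%%\n", etc_step(&st, make_inputs(40, 42, false, false, 0)));
    printf("cruise:    %.1f%%\n", etc_step(&st, make_inputs(40, 42, false, true, 60)));
    printf("braking:   %.1f%%\n", etc_step(&st, make_inputs(40, 42, true, true, 60)));
    for (int i = 0; i < CONFIRM_CYCLES; i++)
        etc_step(&st, make_inputs(40, 70, false, false, 0));   /* tracks disagree */
    printf("limp-home: %.1f%%\n", etc_step(&st, make_inputs(40, 42, false, false, 0)));
    return 0;
}
```

The debounce is the part worth noticing: a single implausible cycle produces a conservative command without latching, so sensor noise does not strand the vehicle, while a persistent disagreement latches limp-home even after the tracks agree again.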
Comments Requested
    (1) NHTSA currently has research underway that is evaluating the 
hazards associated with electronic control systems that could impact a 
vehicle's steering, throttle, braking and motive power first, because 
they can impact the fundamental control functions that a driver 
performs (such as providing lateral (via steering) and longitudinal 
(throttle, braking) control for the vehicle). This means we would 
research safety hazards associated with other automotive electronic 
control systems (e.g. safety restraint systems control, power door lock 
control, lighting control) later. We seek comment on this approach from 
the standpoint of research priorities for needed standards.
    (a) Should the agency pursue alternative approaches to categorize 
and prioritize potential electronic control system hazards and impacts 
to support new standards?
    (b) For hazard analysis research, the agency is currently pursuing 
HazOp and STPA. What other hazard analysis methods should the agency 
also consider and why?
    (c) What other automotive electronics should we consider in our 
research that could affect the electronics in the safety critical 
systems we identified (steering, throttle, brakes, etc.)?

[[Page 60580]]

    (2) NHTSA currently has research underway that is evaluating system 
performance requirements for critical safety systems. We seek comment 
on automotive electronic component and system performance requirements 
for control systems that impact throttle, braking, steering, and motive 
power management:
    (a) What performance-based tests, methods, and processes are now 
available for safety assurance of these types of automotive electronic 
control systems?
    (b) What series of performance-based tests should the agency 
consider to ensure safe functionality of these types of automotive 
electronic control systems under all real-world conditions (e.g. 
nominal, expected, non-nominal, and failure conditions)?
    (c) Performance tests would ideally be applicable regardless of any 
specific design choices. We surmise that electronic components may have 
a wider variety of manufacturer specific tuning and implementation 
variations. What types of challenges does this create for designing 
performance tests for electronic components? What methods are available 
for addressing those challenges?
    (3) NHTSA currently has research underway that is evaluating 
diagnostics and prognostics for critical safety systems. We seek 
comment on vehicle health monitoring, diagnostics, and prognostics 
capabilities and fault-tolerant design alternatives for automotive 
safety applications.
    (a) What methods are effective in identifying potential anomalous 
behavior associated with electronic components, systems, and 
communications reliably and quickly?
    (b) What strategies do current vehicles have for activating a 
``fail-safe'' mode when critical problems are detected? What types of 
problems are classified as ``critical'' and how does the vehicle detect 
these problems?
    (c) What state-of-the-art detection and fail-safe response methods 
should the agency be aware of and further assess?
    (4) NHTSA currently has research underway that is evaluating 
various process standards and their applicability to critical safety 
systems. We seek comment on testing, validation, certification, and 
regulation alternatives for vehicle electronics to these process 
standards:
    (a) What are the pros and cons of utilizing a process-certification 
method (e.g., ISO 26262) where the manufacturer is asked to identify, 
categorize, and consider potential remedies for electronics safety 
problems?
    (i) What approaches should be considered for manufacturers to 
demonstrate conformity with voluntary industry process standards such 
as ISO 26262?
    (ii) How does one evaluate conformity to a process standard that 
uses an engineer's best judgment to identify, categorize, and consider 
potential remedies to electronics safety problems?
    (iii) What verification steps may be appropriate to ensure that 
potential standards are met?

b. Security Needs To Prevent Unauthorized Access to Electronic 
Components

    Cybersecurity, within the context of road vehicles, is the 
protection of vehicular electronic systems, communication networks, 
control algorithms, software, users, and underlying data from malicious 
attacks, damage, unauthorized access, or manipulation.
    NHTSA has been actively researching existing cybersecurity 
standards and best practices in automotive and other industries. In 
reviewing the practices of other industries in dealing with 
cybersecurity issues, NHTSA has identified two general process-oriented 
approaches to addressing cybersecurity concerns. The first is design 
and quality control processes that focus on cybersecurity issues 
throughout the lifecycle of a product. The second is dealing with 
cybersecurity issues through establishing robust information sharing 
forums such as an Information Sharing and Analysis Center (ISAC). This 
section discusses the agency's findings regarding each of these 
strategies.
    In regards to security design and quality assurance processes, the 
automotive manufacturers, suppliers, and other stakeholders are 
collaborating through SAE International to examine the emerging vehicle 
cybersecurity concerns and considering actions that could include the 
development of voluntary standards, guidelines, or best practices 
documents.
    While there may be no readily-available automotive cybersecurity 
standards at this time, NHTSA's research identified general 
cybersecurity safeguarding approaches that can potentially be examined 
and adapted for use in the automotive industry. For example, the 
cybersecurity framework \30\ developed and published by the National 
Institute of Standards and Technology (NIST) treats cybersecurity as a 
process integrated into the system, component, and device lifecycle. 
The guidelines referenced in this framework could allow the automotive 
industry to develop a security program for modern-day automobiles 
analogous to information security programs in place for information 
technology (IT) systems in general. Similarly, system security 
engineering could potentially be incorporated into the design process 
in a way similar to system safety engineering as specified in ISO 26262 
and ``E-safety vehicle intrusion protected applications (EVITA).'' \31\
---------------------------------------------------------------------------

    \30\ ``Framework for Improving Critical Infrastructure 
Cybersecurity,'' Version 1.0, NIST, 2014. Accessible at https://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf.
    \31\ EVITA is a project co-funded by the European Union that 
aims to design, verify, and prototype architecture for automotive 
on-board networks where security-relevant components are protected 
against tampering and sensitive data are protected against 
compromise (https://www.evita-project.org/).
---------------------------------------------------------------------------

    In regards to information sharing mechanisms, NHTSA studied \32\ 
the ISAC model for safeguarding against cybersecurity risks and threats 
in other industries such as financial services, information technology, 
and communications. Our initial analyses indicate that an automotive 
sector specific information sharing forum, such as an ISAC, is 
beneficial to pursue. It could advance the cybersecurity awareness and 
countermeasure development effectiveness among public and private 
stakeholders. ISACs have a unique capability to provide comprehensive 
inter- and intra-sector coverage to share critical information 
pertaining to sector analysis, alert and intelligence sharing, and 
incident management and response. Our research across other industries 
indicates that prevention of cyber-threats would be impractical if not 
impossible. This fact and the successful use of ISACs in other industry 
sectors suggest that it might also be effective for the auto industry 
to have mechanisms in place to expeditiously exchange information 
related to cyber-threats, vulnerabilities, and countermeasures among 
industry stakeholders. Such a mechanism would enhance the ability of 
the automotive sector to prepare for, respond to, and recover from 
cyber threats, vulnerabilities and incidents. Related to the sector-
wide cybersecurity information sharing topic, the Alliance of 
Automotive Manufacturers (Alliance) and the Association of Global 
Automakers (Global Automakers)

[[Page 60581]]

wrote \33\ to NHTSA in July 2014 to inform the agency about the new 
cybersecurity initiative they are undertaking with the goal of 
establishing a voluntary automobile industry sector information sharing 
and analysis center or other comparable program. In response,\34\ NHTSA 
encouraged the Alliance and Global Automakers (as well as automotive 
original equipment manufacturers) to proceed expeditiously with the 
outlined process and expressed the agency's hope that their plan would 
target a date in 2015 for an automotive industry ISAC to become 
operational.
---------------------------------------------------------------------------

    \32\ The study report ``An assessment of the information sharing 
and analysis center (ISAC) model'' can be accessed at the 
``Automotive Cybersecurity Topics and Publications'' docket: NHTSA-
2014-0071.
    \33\ Correspondence related to this initiative can be viewed in 
the ``Automotive Cybersecurity Topics and Publications'' docket: 
NHTSA-2014-0071.
    \34\ Id.
---------------------------------------------------------------------------

    Security process standards and information sharing forums fit in a 
larger, more comprehensive automotive cybersecurity assurance approach. 
In general terms, there are four major pieces to the agency's research 
approach:
    1. Preventive methods and techniques: This group of techniques 
would seek to harden the design of automotive electronic systems and 
networks such that it would be difficult for malicious attacks to take 
place in newer generation systems. Deployment and use of structured 
security process standards could help identify vulnerabilities such 
that necessary design improvements can be identified and implemented. 
These vulnerabilities include possible entry points through accessible 
physical interfaces such as the OBD-II port, USB ports, CD/DVD players; 
short range wireless interfaces, such as Bluetooth, Wi-Fi, or Dedicated 
Short Range Communications (DSRC); and long-range wireless interfaces 
such as cellular or satellite-based connectivity to the vehicle. 
Examples of design improvements include potential use of:
    a. Encryption and/or authentication on communication networks;
    b. different communication approaches or protocols; segmentation/
isolation of safety-critical system control networks;
    c. strong authentication controls for remote access to vehicles;
    d. gateway controls between interfaced vehicle networks; etc.

Other approaches in the field of prevention research include methods 
such as those investigated in the Defense Advanced Research Projects 
Agency's (DARPA) high-assurance cyber military systems (HACMS) \35\ 
program. The primary intents of this category of activities are (1) to 
significantly reduce the probability of cyber risks; and (2) to limit 
the impact of a potential cybersecurity breach (e.g. one vehicle as 
opposed to an entire fleet). NHTSA initiated applied research into 
vulnerability assessment and preventive type measures in 2014 and 
expects to publish reports starting in 2016.
---------------------------------------------------------------------------

    \35\ https://www.darpa.mil/Our_Work/I2O/Programs/High-Assurance_Cyber_Military_Systems_(HACMS).aspx.
---------------------------------------------------------------------------

    2. Real-time intrusion detection methods: Total security through 
preventive measures may not be realistically achievable. Thus, as a 
complement to the preventive measures, detecting intrusions into the 
system through communication networks would provide additional 
protection. A cybersecurity breach would take place on or through a 
communication network. From an intrusion detection perspective, 
vehicular network communications are considered fairly predictable and 
well-suited for real-time monitoring to detect anomalous activity with 
respect to nominal expected message flows. We are initiating research 
into these types of technologies in the automotive sector.
    3. Real-time response methods: Once a potential intrusion is 
detected, the strategies to mitigate its potential harmful impacts 
would also need to be designed in a practical manner. Depending on the 
potential risks and level of intrusion detection confidence, the 
vehicle architecture could be designed to take a variety of actions 
such as: temporarily or permanently shut down the communication 
network(s) (at the potential cost of disabling various safety 
functions); inform the driver; record and transmit data before-and-
after trigger point for further analysis and counter-measure 
development, etc. The purpose of this category of cybersecurity defense 
is to mitigate the potential harmful consequences of detected anomalous 
activity on the vehicle experiencing the potential breach. We expect to 
develop further research into this category of methods in 2016.
    4. Treatment methods: While the previous paragraph discussed 
response methods (which deal with ensuring fail-safe operation of the 
vehicle where an intrusion is detected), treatment methods deal with 
distributing information related to the subject risk to other 
potentially vulnerable entities even before the compromise may be 
experienced by them. Treatment methods involve timely information 
extraction from impacted parties, its analysis, development of 
countermeasures and timely dissemination to all relevant stakeholders 
(such as through an ISAC). This approach allows for the design of 
stronger preventive methods in future generations of electronics. As 
outlined earlier, the automotive industry (through the Alliance and 
Global Automakers) is actively exploring information sharing 
alternatives related to automotive cybersecurity, and NHTSA is closely 
monitoring activities related to this initiative.
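As an added illustration, not code from the notice, from NHTSA, or from any vehicle program, the following C sketch shows how three of the pieces above could share one design in an ECU: the gateway controls listed under the preventive methods (item 1, d), the timing-based monitoring of nominal message flows described under real-time intrusion detection (item 2), and the graduated actions described under real-time response (item 3). One allow-list of expected messages drives both the gateway forwarding decision and the anomaly check, and a response function escalates with detection confidence because isolating a network segment can itself disable safety functions. All message identifiers, periods, lengths, thresholds and the sample trace are constructed for the example.

```c
/* Added example: allow-list gateway, timing-based intrusion detection and a
 * response policy for an in-vehicle network. Not from the NHTSA notice; all
 * IDs, periods, lengths, thresholds and the trace are constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct {
    uint32_t t_ms;   /* receive timestamp in ms (assumed monotonic) */
    uint16_t id;     /* 11-bit CAN identifier */
    uint8_t  dlc;    /* data length code */
} CanFrame;

/* Expected traffic on the safety-critical bus (constructed values). */
typedef struct {
    uint16_t id;
    uint8_t  dlc;
    uint32_t period_ms;     /* 0 = aperiodic, no timing check */
    bool     via_gateway;   /* may be forwarded in from the external segment */
} MsgSpec;

static const MsgSpec EXPECTED[] = {
    { 0x0C0, 8, 10, false },  /* wheel speeds, internal only */
    { 0x1A0, 4, 20, false },  /* throttle position, internal only */
    { 0x7DF, 8,  0, true  },  /* diagnostic request, allowed from the OBD-II segment */
};
#define N_EXPECTED (sizeof EXPECTED / sizeof EXPECTED[0])

typedef enum { ANOM_NONE, ANOM_UNKNOWN_ID, ANOM_BAD_DLC, ANOM_TOO_FAST } Anomaly;
typedef enum { ACT_NONE, ACT_LOG, ACT_WARN_DRIVER, ACT_ISOLATE_SEGMENT } Action;

typedef struct {
    uint32_t last_t[N_EXPECTED];   /* last accepted timestamp per expected ID */
    bool     seen[N_EXPECTED];
} IdsState;

void ids_init(IdsState *st) {
    for (size_t i = 0; i < N_EXPECTED; i++) { st->last_t[i] = 0; st->seen[i] = false; }
}

static int find_spec(uint16_t id) {
    for (size_t i = 0; i < N_EXPECTED; i++)
        if (EXPECTED[i].id == id) return (int)i;
    return -1;
}

/* Prevention: the gateway between the external segment (OBD-II port,
 * telematics) and the safety-critical bus forwards only allow-listed IDs. */
bool gateway_allows(uint16_t id) {
    int i = find_spec(id);
    return i >= 0 && EXPECTED[i].via_gateway;
}

/* Detection: compare each frame with the nominal flow. A periodic message
 * arriving at less than half its period is treated as a duplicate (injected)
 * frame. The baseline advances only on frames judged normal, so a burst of
 * injected frames cannot shift it. */
Anomaly ids_check(IdsState *st, CanFrame f) {
    int i = find_spec(f.id);
    if (i < 0) return ANOM_UNKNOWN_ID;
    if (f.dlc != EXPECTED[i].dlc) return ANOM_BAD_DLC;
    if (EXPECTED[i].period_ms > 0 && st->seen[i] &&
        f.t_ms - st->last_t[i] < EXPECTED[i].period_ms / 2)
        return ANOM_TOO_FAST;
    st->last_t[i] = f.t_ms;
    st->seen[i] = true;
    return ANOM_NONE;
}

/* Response: escalate with repetition. Isolation is reserved for repeated
 * high-confidence events on a safety-critical periodic message. */
Action respond(Anomaly a, unsigned repeats) {
    switch (a) {
    case ANOM_NONE:       return ACT_NONE;
    case ANOM_UNKNOWN_ID:
    case ANOM_BAD_DLC:    return repeats >= 3 ? ACT_WARN_DRIVER : ACT_LOG;
    case ANOM_TOO_FAST:   return repeats >= 3 ? ACT_ISOLATE_SEGMENT : ACT_WARN_DRIVER;
    }
    return ACT_LOG;
}

/* Run a trace; returns the anomaly count and the most severe action chosen. */
int run_trace(const CanFrame *frames, size_t n, Action *worst) {
    IdsState st; ids_init(&st);
    unsigned repeats[4] = { 0, 0, 0, 0 };
    int anomalies = 0;
    *worst = ACT_NONE;
    for (size_t k = 0; k < n; k++) {
        Anomaly a = ids_check(&st, frames[k]);
        if (a == ANOM_NONE) continue;
        anomalies++;
        Action act = respond(a, ++repeats[a]);
        if (act > *worst) *worst = act;
    }
    return anomalies;
}

/* Constructed trace: nominal 10 ms / 20 ms traffic, one injected duplicate
 * of 0x0C0, one ID that never belongs on this bus, one malformed length. */
static const CanFrame SAMPLE_TRACE[] = {
    {  0, 0x0C0, 8 }, {  0, 0x1A0, 4 },
    { 10, 0x0C0, 8 },
    { 13, 0x0C0, 8 },   /* injected 3 ms after the last accepted frame */
    { 20, 0x0C0, 8 }, { 20, 0x1A0, 4 },
    { 25, 0x3FF, 8 },   /* unknown ID */
    { 30, 0x0C0, 8 },
    { 40, 0x1A0, 3 },   /* wrong length */
};

int sample_anomaly_count(void) {
    Action worst;
    return run_trace(SAMPLE_TRACE, sizeof SAMPLE_TRACE / sizeof SAMPLE_TRACE[0], &worst);
}

int main(void) {
    Action worst;
    int n = run_trace(SAMPLE_TRACE, sizeof SAMPLE_TRACE / sizeof SAMPLE_TRACE[0], &worst);
    printf("anomalies in sample trace: %d, most severe action: %d\n", n, (int)worst);
    printf("gateway forwards 0x7DF: %s, 0x0C0: %s\n",
           gateway_allows(0x7DF) ? "yes" : "no", gateway_allows(0x0C0) ? "yes" : "no");
    return 0;
}
```

The timing rule is deliberately coarse (half the nominal period) so that normal jitter does not trigger it; a production detector would calibrate per-message tolerances and add payload plausibility checks, but the structure, one table feeding both the gateway and the monitor, is the point.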
Comments Requested
    (1) We seek comment on any technical areas of automotive 
cybersecurity that the agency could focus on in its further research.
    (a) Specifically, are there particularly vulnerable or strong 
design architectures that the agency should further examine?
    (b) What additional types of techniques (either in real world 
occurrences or as a part of research) have persons used to gain 
unauthorized access to vehicle systems? What types of systems were such 
persons able to gain access to?
    (c) What is the public's view on the differences in cybersecurity 
risks associated with an intrusion that requires use of in-cab physical 
interfaces (e.g. OBD-II port) versus close-proximity wireless 
interfaces (e.g. Bluetooth) versus long-range wireless means (e.g. 
cellular/satellite links)?
    (2) We seek comment on security process standards.
    (a) What security process standard alternatives are available? How 
do these standards differ and are there standards that are more 
suitable for application to the automotive industry versus others?
    (b) Could security assurance be handled within a modified framework 
of existing safety process standards (such as FMEAs, FTAs, ISO 26262) 
or does ``design for security'' require its own process?
    (3) We seek comments on security performance standards. In contrast 
to the process standards (that establish methods for considering 
cybersecurity risks during product design), we use the term 
``performance standard'' to mean standards that evaluate the 
cybersecurity performance (or resilience) of a system after production 
of the final product.
    (a) What types of metrics are available to test a vehicle's ability 
to withstand a cyber-attack?
    (b) Are there any common design characteristics that help ensure a 
minimum level of security from unauthorized access to a vehicle's 
electronic control systems?
    (c) What performance-based tests, methods, and processes are 
available for security assurance of automotive electronic control 
systems?

[[Page 60582]]

    (d) Are there hardware, software, watchdog algorithm, etc. 
requirements or criteria that would help differentiate algorithm 
designs that are more secure against cyber-attack?

c. Effects of the Surrounding Environment on Electronic Component 
Performance

    In addition to malicious interference that may be artificially 
introduced (as covered under cybersecurity in section III.b.), the 
surrounding natural environment could affect the electronic components 
and systems in three primary ways:
    1. By creating conditions that could cause electronic components to 
fail prematurely;
    2. By creating conditions that could cause electronic control 
systems to act in unintended ways; and
    3. By creating conditions that could cause electronic sensors or 
systems to perceive the environment differently than reality.
    Effects of the environment potentially causing electronic 
components to fail prematurely, such as through moisture, heat and 
corrosion, are typically handled by fail-safe strategies. Monitoring 
algorithms can detect sensors and components that fail and operate 
outside of the intended range and inform control algorithms to operate 
in fail-safe mode. Manufacturers take placement and environmental 
exposure into account in the design of electromechanical components.
    Examples of the environment potentially causing electronic control 
systems to act in unintended ways are electromagnetic interference 
(EMI) and the potential build-up of low-resistance paths on a circuit 
board, such as a tin whisker.\36\ OEMs very commonly perform 
electromagnetic compatibility (EMC) testing on their platforms in 
accordance with SAE International \37\ and ISO \38\ standards. NHTSA 
has examined EMI effects on an electronic control system in a 
recent investigation. In 2010, NHTSA and the National Aeronautics and Space 
Administration (NASA) conducted EMC testing as part of the inquiry into 
whether Unintended Acceleration (UA) was related to the electronic 
throttle control system in Toyota vehicles. In this study, EMC testing 
at exposure levels well above existing certification standards did not 
produce an open throttle.\39\
---------------------------------------------------------------------------

    \36\ A crystalline, hair-like structure of tin that can form on 
a tin-finished surface. (taken from NAS Report).
    \37\ SAE J551, SAE J1113.
    \38\ ISO 7637, ISO 10605, ISO 11451, ISO 11452.
    \39\ ``Technical Support to the National Highway Traffic Safety 
Administration (NHTSA) on the Reported Toyota Motor Corporation 
(TMC) Unintended Acceleration (UA) Investigation'', 2011, NASA. 
Section 6.8 of this report discusses the EMC testing and the full 
report can be accessed at https://www.nhtsa.gov/staticfiles/nvs/pdf/NASA-UA_report.pdf.
---------------------------------------------------------------------------

    Among the risks with EMI is that the electronic control unit's 
memory settings could be altered unintentionally. This could change the 
way the system behaves, especially if the EMI's influence is not 
detected. Manufacturers use various methods to prevent unintended 
EMI influence, such as retaining safety-critical system parameters 
in more than one memory location (so that a random alteration can 
be detected and the system shut down with a warning). Formation of conductive 
tin whiskers on a circuit board could potentially result in low-
resistance paths and unintended system behavior, particularly if they 
cause a short between circuits resulting in unintended activation of an 
actuator. Most such issues result in electrical faults and safe 
shutdown of the corresponding functions. Manufacturers use various techniques 
to mitigate the concern, including changes to the manufacturing process, 
addition of elements like copper and nickel, and the use of surface 
coatings. Further, circuit board design takes into account the 
possibility of circuit-board shorts in trace placement.
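The redundant-storage technique mentioned above (keeping a safety-critical parameter in more than one memory location so that a random alteration is detected and the function shut down with a warning) can be shown concretely. The following C code is an added example for this notice, not code from NHTSA or any manufacturer; the record layout (value, bitwise complement, CRC-16/CCITT over both) and the throttle-limit use case are illustrative assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stddef.h>

/* Added example (not from the NHTSA notice): a safety-critical parameter
 * is kept as two complementary copies plus a CRC-16 over the record, so a
 * random alteration such as an EMI-induced bit flip is detected on every
 * read and the caller can shut the function down with a warning instead of
 * acting on a corrupted value. Layout and polynomial are assumptions. */

typedef struct {
    uint32_t value;      /* primary copy */
    uint32_t value_inv;  /* bitwise complement of value, stored separately */
    uint16_t crc;        /* CRC-16/CCITT-FALSE over value and value_inv */
} safe_param_t;

/* CRC-16/CCITT-FALSE: polynomial 0x1021, initial value 0xFFFF, no
 * reflection, no final XOR. Bitwise implementation for clarity. */
static uint16_t crc16_ccitt(const uint8_t *data, size_t len) {
    uint16_t crc = 0xFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= (uint16_t)((uint16_t)data[i] << 8);
        for (int b = 0; b < 8; b++) {
            crc = (crc & 0x8000u) ? (uint16_t)((crc << 1) ^ 0x1021u)
                                   : (uint16_t)(crc << 1);
        }
    }
    return crc;
}

/* Serialize the two copies explicitly (little-endian) so the CRC does not
 * depend on struct padding or host byte order. */
static uint16_t safe_param_crc(const safe_param_t *p) {
    uint8_t buf[8];
    for (int i = 0; i < 4; i++) {
        buf[i]     = (uint8_t)(p->value     >> (8 * i));
        buf[4 + i] = (uint8_t)(p->value_inv >> (8 * i));
    }
    return crc16_ccitt(buf, sizeof buf);
}

/* Store a new value together with its complement and CRC. */
void safe_param_write(safe_param_t *p, uint32_t v) {
    p->value = v;
    p->value_inv = ~v;
    p->crc = safe_param_crc(p);
}

/* Returns true and stores the value in *out only if both copies agree and
 * the CRC matches; any inconsistency is reported as corruption. */
bool safe_param_read(const safe_param_t *p, uint32_t *out) {
    if ((p->value ^ p->value_inv) != 0xFFFFFFFFu) {
        return false;                       /* copies disagree */
    }
    if (safe_param_crc(p) != p->crc) {
        return false;                       /* record integrity check failed */
    }
    *out = p->value;
    return true;
}

/* Illustrative consumer: a control loop that refuses to run with a
 * corrupted limit and instead requests a safe shutdown with a warning. */
typedef enum { ACTION_RUN = 0, ACTION_SHUTDOWN_WARN = 1 } ctrl_action_t;

ctrl_action_t apply_throttle_limit(const safe_param_t *limit_param,
                                   uint32_t *limit_out) {
    if (!safe_param_read(limit_param, limit_out)) {
        return ACTION_SHUTDOWN_WARN;        /* corruption detected */
    }
    return ACTION_RUN;
}
```

The complement check catches any single-location alteration immediately; the CRC additionally catches the less likely case where both copies are disturbed in a mutually consistent way. In a real ECU the two copies would be placed in physically separate memory regions, which is a placement decision this example does not model.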
    Another possibility is for the environment to impact the advanced 
sensors (such as radar, lidar, cameras, GPS, etc.) on a contemporary 
vehicle in a way that could result in unintended engagement or non-
operational status of system functions. To mitigate this risk, 
manufacturers utilize various forms of sensor fusion technologies to 
reduce reliance on any single sensor signal for safety-critical 
functions.
    Related to 5.9 GHz DSRC, NHTSA is initiating research into 
analyzing potential communication interference impacts of devices that 
operate on and in neighboring spectrums of the DSRC band.\40\ NHTSA 
expects to complete this study in 2015.
---------------------------------------------------------------------------

    \40\ DSRC band: 5.850-5.925 GHz.
---------------------------------------------------------------------------

Comments Requested
    (1) NHTSA has reviewed the state of the art with respect to 
environmental conditions and vehicle electronics. In what ways, other 
than those we have considered above, can the environment affect 
electronic system performance?
    (2) NHTSA has done some testing on interference issues. We seek 
comment in the area of EMI/EMC.
    (a) What could the agency do to further assess the electromagnetic 
interference (EMI) susceptibility impacts of growing use of electronics 
on automotive system safety and assess the adequacy of existing 
voluntary standards?
    (b) Are there known EMI susceptibility differences in vehicles 
designed and sold in the U.S. versus in regions where EMC may be 
explicitly regulated?
    (3) We seek comment in the area of the environment's potential 
impact on advanced automotive sensors.
    (a) Are any particular sensing technologies more susceptible or 
less susceptible to such effects (including EMC and other environmental 
effects such as moisture, corrosion, etc.)?

IV. Additional Comments Requested

    In addition to the comments requested regarding the specific 
topics discussed above, we are also seeking comment on other general 
issues relating to electronic component safety and cybersecurity.
    (1) One issue on which we seek comment is the potential for voluntary 
safety process standards to help address challenges introduced by the 
expanding use of electronics in automotive applications. In section 
II.d. above, we discuss the various design and quality control 
processes that the industry already uses to assess the safety and 
cybersecurity of its electronic components (e.g., ISO 26262).
    (a) We seek public comment on the degree to which this type of 
safety process standard can provide an adequate level of protection 
from electronic component failures or potential cybersecurity breaches.
    (i) What voluntary industry standards are best able to address 
safety assurance of electronics control system design for motor 
vehicles?
    (ii) Specifically, what elements of the voluntary industry 
standards are best able to address electronics control systems and 
cybersecurity issues in motor vehicles?
    (iii) What other standards than those described in this document 
are relevant for the agency to consider?
    (b) What types of concerns with regard to electronic components 
safety and cybersecurity would not be addressed by voluntary safety 
process standards?
    (i) What other standards are available that could address this type 
of safety concern?
    (ii) What software development, validation and safety assurance 
methods and processes are suitable for safety critical automotive 
control systems?
    (c) Are existing process standards such as ISO 26262, IEC 60812, 
IEC 61025, etc., suitable to address electronic

[[Page 60583]]

control system design challenges for more advanced forms of vehicle 
automation?
    (2) Another issue on which we seek comment is the 
available information and data sources for identifying and 
understanding the issues related to electronic component reliability 
and cybersecurity. We recognize that much of the data available to the 
agency is retrospective. Thus, the traditional sources of 
information available to the agency have various limitations in this 
rapidly-developing area of automotive technology. Information that 
shows historic data on electronic component issues may not necessarily 
give an accurate prediction of what future electronic component 
reliability and cybersecurity issues will be. We seek comment on the 
data sources that are identified for potential consideration in the 
categorization of priority focus areas for electronics reliability.
    (a) We are especially interested in identifying any potential data 
sources that could assist the agency in identifying potential emerging 
electronic component failures in vehicles in a timely manner.
    (b) Has the agency considered all the relevant data on this 
subject? What additional sources of information could the agency 
consider?
    (3) We seek comment on what other information sources or strategies 
are available that can enhance the ability to detect potential 
electronics system related concerns in a timely fashion. What methods 
are available to improve traceability of potential electronic control 
system malfunctions?

V. Public Participation

How do I prepare and submit comments?

    Your comments must be written and in English. To ensure that your 
comments are filed correctly in the docket, please include the docket 
number of this document in your comments.
    Your comments must not be more than 15 pages long (49 CFR 553.21). 
NHTSA established this limit to encourage you to write your primary 
comments in a concise fashion. However, you may attach necessary 
additional documents to your comments. There is no limit on the length 
of the attachments.
    Please submit one copy (two copies if submitting by mail or hand 
delivery) of your comments, including the attachments, to the docket 
following the instructions given above under ADDRESSES. Please note, if 
you are submitting comments electronically as a PDF (Adobe) file, we 
ask that the documents submitted be scanned using an Optical Character 
Recognition (OCR) process, thus allowing the agency to search and copy 
certain portions of your submissions.

How do I submit confidential business information?

    If you wish to submit any information under a claim of 
confidentiality, you should submit three copies of your complete 
submission, including the information you claim to be confidential 
business information, to the Office of the Chief Counsel, NHTSA, at the 
address given above under FOR FURTHER INFORMATION CONTACT. In addition, 
you may submit a copy (two copies if submitting by mail or hand 
delivery), from which you have deleted the claimed confidential 
business information, to the docket by one of the methods given above 
under ADDRESSES. When you send a comment containing information claimed 
to be confidential business information, you should include a cover 
letter setting forth the information specified in NHTSA's confidential 
business information regulation (49 CFR Part 512).

Will the agency consider late comments?

    NHTSA will consider all comments received before the close of 
business on the comment closing date indicated above under DATES. To 
the extent possible, the agency will also consider comments received 
after that date.

How can I read the comments submitted by other people?

    You may read the comments received at the address given above under 
Comments. The hours of the docket are indicated above in the same 
location. You may also see the comments on the Internet, identified by 
the docket number at the heading of this notice, at https://www.regulations.gov.
    Please note that, even after the comment closing date, NHTSA will 
continue to file relevant information in the docket as it becomes 
available. Further, some people may submit late comments. Accordingly, 
the agency recommends that you periodically check the docket for new 
material.
    Anyone is able to search the electronic form of all comments 
received into any of our dockets by the name of the individual 
submitting the comment (or signing the comment, if submitted on behalf 
of an association, business, labor union, etc.). You may review DOT's 
complete Privacy Act Statement in the Federal Register published on 
April 11, 2000 (65 FR 19477-78) or you may visit https://www.dot.gov/privacy.html.

    Authority:  Sec. 31402, Pub. L. 112-141.

    Issued in Washington, DC under authority delegated in 49 CFR 
part 1.95.
Nathaniel Beuse,
Associate Administrator for Vehicle Safety Research.
[FR Doc. 2014-23805 Filed 10-6-14; 8:45 am]
BILLING CODE 4910-59-P