NHTSA Enforcement Guidance Bulletin 2016-02: Safety-Related Defects and Automated Safety Technologies, 65705-65709 [2016-23010]

Download as PDF Federal Register / Vol. 81, No. 185 / Friday, September 23, 2016 / Notices sradovich on DSK3GMQ082PROD with NOTICES complexity and novelty of these innovations, will challenge the Agency’s conventional regulatory processes and capabilities. This challenge requires NHTSA to examine whether the ways in which NHTSA has addressed safety for the last several decades should be expanded to realize the safety potential of HAVs over the decades to come. Therefore, Section IV of the HAV Policy identifies potential new tools, authorities, and regulatory approaches that could aid the safe deployment of new technologies by enabling the Agency to be more nimble and flexible. There will always be an important role for standards and testing protocols based on careful scientific research and developed through the give-and-take of an open public process. However, it is likely that additional regulatory tools along with new expertise and research also will be needed to allow the Agency to more quickly address safety challenges and speed the deployment of lifesaving technology. Public Comment Although most of this policy is effective immediately upon publication, NHTSA is seeking public comment on the entire document. While the Agency sought input from various stakeholders during the development of the document, it recognizes that not all interested persons had a full opportunity to provide such input. Formal comments will allow for that opportunity. Similarly, some of the items in the vehicle performance guidance are subject to the requirements of the Paperwork Reduction Act, which requires that the Agency provide separate notice and comment. The notice for those items will be published shortly at http://www.regulations.gov (search Docket No. NHTSA–2016–0091). Finally, NHTSA expects to hold public meetings and workshops associated with specific items in this Policy. Once the timing of those meetings has been finalized, Federal Register notices for those meetings will also be published. While the Policy is intended as a starting point that provides needed initial guidance to industry, government, and consumers, it will necessarily evolve over time to meet the changing needs and demands of improved safety and technology. Accordingly, NHTSA expects and intends the policy document and its guidance to be iterative, changing based on public comment; the experience of the agency, manufacturers, suppliers, consumers, and others; and further technological innovation. NHTSA intends to revise and refine the VerDate Sep<11>2014 18:22 Sep 22, 2016 Jkt 238001 document regularly to reflect such experience, innovation, and public input. Public Participation How do I prepare and submit comments? Your comments must be written and in English. To ensure that your comments are filed correctly in the docket, please include the docket number of this document in your comments. Your comments must not be more than 15 pages long (49 CFR 553.21). NHTSA established this limit to encourage you to write your primary comments in a concise fashion. However, you may attach necessary additional documents to your comments. There is no limit on the length of the attachments. Please submit one copy (two copies if submitting by mail or hand delivery) of your comments, including the attachments, to the docket following the instructions given above under ADDRESSES. Please note, if you are submitting comments electronically as a PDF (Adobe) file, we ask that the documents submitted be scanned using an Optical Character Recognition (OCR) process, thus allowing the agency to search and copy certain portions of your submissions. How do I submit confidential business information? If you wish to submit any information under a claim of confidentiality, you should submit three copies of your complete submission, including the information you claim to be confidential business information, to the Office of the Chief Counsel, NHTSA, at the address given above under FOR FURTHER INFORMATION CONTACT. In addition, you may submit a copy (two copies if submitting by mail or hand delivery), from which you have deleted the claimed confidential business information, to the docket by one of the methods given above under ADDRESSES. When you send a comment containing information claimed to be confidential business information, you should include a cover letter setting forth the information specified in NHTSA’s confidential business information regulation (49 CFR part 512). Will the agency consider late comments? NHTSA will consider all comments received before the close of business on the comment closing date indicated above under DATES. To the extent possible, the agency will also consider PO 00000 Frm 00084 Fmt 4703 Sfmt 4703 65705 comments received after that date. Given that we intend for the policy document to be a living document and to be developed in an iterative fashion, subsequent opportunities to comment will also be provided periodically. How can I read the comments submitted by other people? You may read the comments received at the address given above under COMMENTS. The hours of the docket are indicated above in the same location. You may also see the comments on the Internet, identified by the docket number at the heading of this notice, at http://www.regulations.gov. Please note that, even after the comment closing date, NHTSA will continue to file relevant information in the docket as it becomes available. Further, some people may submit late comments. Accordingly, the agency recommends that you periodically check the docket for new material. Authority: 49 U.S.C. 30101. Issued in Washington, DC, on September 20, 2016 under authority delegated in 49 CFR part 1.95. Nathaniel Beuse, Associate Administrator for Vehicle Safety Research. [FR Doc. 2016–22993 Filed 9–22–16; 8:45 am] BILLING CODE 4910–59–P DEPARTMENT OF TRANSPORTATION National Highway Traffic Safety Administration [Docket No. NHTSA–2016–0040] NHTSA Enforcement Guidance Bulletin 2016–02: Safety-Related Defects and Automated Safety Technologies National Highway Traffic Safety Administration (NHTSA), Department of Transportation. ACTION: Final notice. AGENCY: Automotive technology is at a moment of rapid change and may evolve farther in the next decade than in the previous 45-plus year history of the Agency. As the automobile industry moves toward fully automated (selfdriving) vehicles and other innovative mobility solutions, NHTSA seeks to facilitate the advance of automated technologies that currently present safety improvements and that, in the future, are likely to improve safety and decrease the number of crashes, traffic fatalities, and serious injuries on U.S. roadways. NHTSA is commanded by Congress to protect the safety of the driving public against unreasonable risks of harm that may occur because of SUMMARY: E:\FR\FM\23SEN1.SGM 23SEN1 65706 Federal Register / Vol. 81, No. 185 / Friday, September 23, 2016 / Notices the design, construction, or performance of a motor vehicle or motor vehicle equipment, and to mitigate risks of harm, including risks that may be emerging or contingent. As NHTSA has always done when evaluating new vehicle technologies, the Agency will be guided by its statutory mission, the laws it is obligated to enforce, and the benefits of the emerging automated safety technologies appearing on U.S. roadways. NHTSA has broad enforcement authority under existing statutes and regulations to address existing and emerging automated safety technologies. This Enforcement Guidance Bulletin sets forth NHTSA’s current views on its enforcement authority—including its view that when vulnerabilities in automated safety technology or equipment pose an unreasonable risk to safety, those vulnerabilities constitute a safety-related defect—and suggests guiding principles and best practices for motor vehicle and equipment manufacturers in this context. FOR FURTHER INFORMATION CONTACT: Justine Casselle or Elizabeth Mykytiuk, Office of the Chief Counsel, National Highway Traffic Safety Administration, at (202) 366–2992. SUPPLEMENTARY INFORMATION: sradovich on DSK3GMQ082PROD with NOTICES I. Executive Summary II. Legal and Policy Background A. NHTSA’s Enforcement Authority Under the Safety Act B. Determining the Existence of a Defect C. Determining an Unreasonable Risk to Safety III. Guidance and Recommended Best Practices: Safety-Related Defects, Unreasonable Risk, and Automated Safety Technologies I. Executive Summary Recent and continuing advances in automotive technology have great potential to generate significant safety benefits. Today’s motor vehicles are increasingly equipped with electronics, sensors, and computing power that enable automated safety technologies, including technologies such as forwardcollision warning, automatic-emergency braking, and lane-keeping assist, which have the potential to dramatically enhance safety. New technologies may not only prevent drivers from crashing, but may even do some or all of the driving for them. The potential safety implications of such technologies are vast. Importantly, as these technologies become more widespread, manufacturers must ensure their safe development and implementation. On April 1, 2016, NHTSA published a proposed Enforcement Guidance Bulletin setting forth an overview of the VerDate Sep<11>2014 18:22 Sep 22, 2016 Jkt 238001 Agency’s enforcement authority under the Safety Act and its present views on certain enforcement subjects and issues. See Docket No. NHTSA–2016–0040. Recognizing the public interest in this topic and the safety concerns associated with automated safety technologies, the Agency solicited public comment before issuing a final Enforcement Guidance Bulletin. In response to the request for comment, the Agency received thirtyfive (35) public submissions. Although some comments were submitted after the stated closing date of May 2, 2016, all comments submitted to the docket were considered in formulating this final Guidance. In response to various comments suggesting that NHTSA give additional review to issues associated with certain software and cybersecurity, the Agency has decided to focus this Guidance solely on how its enforcement authority relates to automated safety technologies, including fully automated (self-driving) vehicles. Thus, comments related to cybersecurity will be addressed in future interpretations and guidance. However, this does not mean that cybersecurity is outside of NHTSA’s authority. Manufacturers of motor vehicles and motor vehicle equipment must continue to follow the requirements of the Safety Act, including those related to cybersecurity. The Agency received twenty-eight (28) comments that specifically addressed automated safety technologies from a wide variety of stakeholders and members of the public. Many commenters supported the proposed Enforcement Guidance Bulletin, noting that it adequately explained NHTSA’s existing authority and how that authority extends to automated safety technologies. Some commenters opined that guidance should not be viewed as a substitute for traditional rulemaking or the establishment of performance standards. One commenter suggested that manufacturers be required to engage in constant monitoring and reporting, due to the possibility of certain systems showing no outward sign of a defect and the increased possibility of defects resulting from two systems failing to correctly interact. Another suggested replacement of NHTSA’s existing enforcement model with a more flexible approach after implementing new standards. None of the alternative approaches described in this paragraph are foreclosed by this Guidance. NHTSA remains open to consideration of those and other options. Traditionally, only after new technology is developed and proven does the Agency establish new safety PO 00000 Frm 00085 Fmt 4703 Sfmt 4703 standards. This approach has yielded enormous safety benefits, but one limitation of this approach is that it takes time. Strong safety regulations and standards are a vital piece of NHTSA’s safety mission and the Agency will engage in rulemaking related to automated safety technologies in the future. This Guidance serves in part as a reminder that even before such rulemaking occurs, NHTSA currently has enforcement authority to address safety risks as they arise. A number of commenters urged the Agency, when developing guidance and regulations, to not provide immunity to manufacturers for the consequences of failures of automated safety technologies simply because a manufacturer introduces them to the U.S. public. This Guidance is limited to setting forth an overview of NHTSA’s enforcement authority over automated safety technologies and, therefore, is not intended to provide such legal immunity. Other commenters suggested that while automated safety technologies may facilitate increased safety, manufacturers should ensure that over the lifespan of the vehicle such technologies themselves do not create unreasonable risks to safety due to predictable abuse or impractical recalibration requirements. The Agency agrees. Unreasonable risks due to predictable abuse or impractical recalibration requirements may constitute safety-related defects. See United States v. Gen. Motors Corp., 518 F.2d 420, 427 (D.C. Cir. 1975) (‘‘Wheels’’). Manufacturers have a continuing obligation to proactively identify and mitigate such safety risks. This includes safety risks discovered after the vehicle and/or equipment has been in safe operation. Finally, some commenters suggested that the Agency had misinterpreted its authority over certain motor vehicle equipment. Some further questioned whether software and certain devices constitute motor vehicle equipment. NHTSA’s authority over motor vehicle equipment, in its many forms, is expressed unequivocally in the Safety Act. Because some non-traditional motor vehicle equipment manufacturers may not fully recognize their responsibilities under the Safety Act, this Guidance aims to increase awareness of NHTSA’s enforcement authority over motor vehicle equipment in all of its various forms.1 This 1 The Agency anticipates publishing additional guidance at a later date, further clarifying the criteria the Agency considers when determining whether certain devices constitute motor vehicle equipment. E:\FR\FM\23SEN1.SGM 23SEN1 Federal Register / Vol. 81, No. 185 / Friday, September 23, 2016 / Notices Guidance is not an attempt to alter the relationship between motor vehicle and equipment manufacturers and their suppliers, or their respective responsibilities under the Safety Act. However, manufacturers and suppliers at all levels should be aware of their respective Safety Act obligations. NHTSA acknowledges the complexity of this evolving landscape. Nonetheless, NHTSA has been charged by Congress to protect the safety of the driving public against unreasonable risks of harm that may arise because of the design, construction, or performance of a motor vehicle or motor vehicle equipment. To fulfill that responsibility and accomplish its mission, the Agency must take steps to mitigate risks of harm, including risks that may result from automated safety technologies. This Guidance lays out a high-level overview of NHTSA’s enforcement authority to evaluate and address safety risks of motor vehicle technologies. To the extent the Agency may need additional expertise to adequately evaluate such safety risks, NHTSA will take the necessary steps (as it has in the past) to meet those needs. Based on the Agency’s consideration of all comments submitted in this proceeding; to aid in the successful development and deployment of automated safety technologies; to protect the public from potential defects associated with automated safety technologies that pose an unreasonable risk to safety; and as informed by the Agency’s judgment and expertise, NHTSA now publishes this Enforcement Guidance Bulletin setting forth the Agency’s current view of its enforcement authority and principles guiding its exercise of that authority. This includes guiding principles and best practices for use by motor vehicle and equipment manufacturers. NHTSA is not here establishing a binding set of rules, nor is the Agency suggesting that one particular set of practices applies in all situations. The Agency recognizes that best practices may vary depending on circumstances, and manufacturers remain free to choose the solution that best fits their needs while satisfying the demands of automotive safety. sradovich on DSK3GMQ082PROD with NOTICES II. Legal and Policy Background A. NHTSA’s Enforcement Authority Under the Safety Act The National Traffic and Motor Vehicle Safety Act, as amended (‘‘Safety Act’’), 49 U.S.C. 30101 et seq., provides the basis and framework for NHTSA’s enforcement authority over motor vehicle and motor vehicle equipment defects and noncompliances with VerDate Sep<11>2014 18:22 Sep 22, 2016 Jkt 238001 federal motor vehicle safety standards (FMVSS). This authority includes investigations, administrative proceedings, civil penalties, and other civil enforcement actions. While fully automated (self-driving) vehicles and other automated safety technologies may modify motor vehicle and equipment design, NHTSA’s statutory enforcement authority is sufficiently general and flexible to keep pace with such innovation. The Agency has the authority to respond to a safety problem posed by new technologies in the same manner it is able to respond to safety problems posed by more established automotive technology and equipment, such as carburetors, the powertrain, vehicle control systems, and forward collision warning systems—by determining the existence of a defect that poses an unreasonable risk to motor vehicle safety and ordering the manufacturer to conduct a recall. See 49 U.S.C. 30118(b). This enforcement authority applies notwithstanding the presence or absence of an FMVSS for any particular type of advanced equipment or technology. See, e.g., United States v. Chrysler Corp., 158 F.3d 1350, 1351 (D.C. Cir. 1998) (NHTSA ‘‘may seek the recall of a motor vehicle either when a vehicle has ‘a defect related to motor vehicle safety’ or when a vehicle ‘does not comply with an applicable motor vehicle safety standard.’ ’’).2 Under the Safety Act, NHTSA has authority over motor vehicles, equipment included in or on a motor vehicle at the time of delivery to the first purchaser (i.e., original equipment), and motor vehicle replacement equipment. See 49 U.S.C. 30102(a)–(b). Motor vehicle equipment is broadly defined to include ‘‘any system, part, or component of a motor vehicle as originally manufactured’’ and ‘‘any similar part or component manufactured or sold for replacement or improvement of a system, part, or component.’’ 49 U.S.C. 30102(a)(7)(A)–(B). The Safety Act also gives NHTSA jurisdiction over after-market improvements, accessories, or additions to motor vehicles. See 49 U.S.C. 30102(a)(7)(B). All devices ‘‘manufactured, sold, delivered, or offered to be sold for use on public streets, roads, and highways with the apparent purpose of safeguarding users of motor vehicles against risk of accident, injury, or death’’ are similarly 2 A manufacturer’s obligation to recall motor vehicles and motor vehicle equipment determined to have a safety-related defect is separate and distinct from its obligation to recall motor vehicles and motor vehicle equipment that fail to comply with an applicable FMVSS. See 49 U.S.C. 30120. PO 00000 Frm 00086 Fmt 4703 Sfmt 4703 65707 subject to NHTSA’s enforcement authority. 49 U.S.C. 30102(a)(7)(C). With respect to current and emerging automated motor vehicle safety technologies, NHTSA considers such technologies (including systems and equipment) to be motor vehicle equipment, whether they are offered to the public as part of a new motor vehicle (as original equipment) or as an after-market replacement(s) of or improvement(s) to original equipment. NHTSA also considers software (including, but not necessarily limited to, the programs, instructions, code, and data used to operate computers and related devices), and after-market software updates, to be motor vehicle equipment within the meaning of the Safety Act. Software that enables devices not located in or on the motor vehicle to connect to the motor vehicle or its systems could, in some circumstances, also be considered motor vehicle equipment. Accordingly, a manufacturer of current and emerging automated safety technologies, whether it is the supplier of the equipment or the manufacturer of a motor vehicle on which the equipment is installed, has an obligation to notify NHTSA of any and all safety-related defects. See 49 CFR part 573. Any manufacturer or supplier that fails to do so may be subject to civil penalties. See 49 U.S.C. 30165(a). NHTSA is charged with reducing deaths, injuries, and economic losses resulting from motor vehicle crashes. See 49 U.S.C. 30101. Part of that mandate includes ensuring that motor vehicles and motor vehicle equipment, including automated safety technologies, perform in ways that ‘‘protect[] the public against unreasonable risk of accidents occurring because of the design, construction, or performance of a motor vehicle, and against unreasonable risk of death or injury in an accident.’’ 49 U.S.C. 30102(a)(8). This responsibility also includes the nonoperational safety of a motor vehicle. Id. In pursuit of these safety objectives, and in the absence of adequate action by the manufacturer, NHTSA is authorized to determine that a motor vehicle or motor vehicle equipment is defective and that the defect poses an unreasonable risk to safety. See 49 U.S.C. 30118(b) and (c)(1). B. Determining the Existence of a Defect Under the Safety Act, a ‘‘defect’’ includes ‘‘any defect in performance, construction, a component, or material of a motor vehicle or motor vehicle equipment.’’ 49 U.S.C. 30102(a)(2). This includes a defect in design. See Wheels, 518 F.2d at 436. A defect in an item of motor vehicle equipment (including E:\FR\FM\23SEN1.SGM 23SEN1 sradovich on DSK3GMQ082PROD with NOTICES 65708 Federal Register / Vol. 81, No. 185 / Friday, September 23, 2016 / Notices hardware, software, and other electronic systems) may be considered a defect of the motor vehicle itself. See 49 U.S.C. 30102(b)(1)(F). Congress intended the Safety Act to represent a ‘‘commonsense’’ approach to safety and courts have followed that approach in determining what constitutes a ‘‘defect.’’ See, e.g., Wheels, 518 F.2d at 436. For this reason, a defect determination does not require an engineering explanation or root cause, but instead ‘‘may be based exclusively on the performance record of the component.’’ Wheels, 518 F.2d at 432 (‘‘[A] determination of a ‘defect’ does not require any predicate of a finding identifying engineering, metallurgical, or manufacturing failures.’’). Thus, a motor vehicle or item of motor vehicle equipment contains a defect ‘‘if it is subject to a significant number of failures in normal operation, including failures either occurring during specified use or resulting from owner abuse (including inadequate maintenance) that is reasonably foreseeable (ordinary abuse).’’ 3 Wheels, 518 F.2d at 427. A ‘‘significant number of failures’’ is merely a ‘‘non-de minimus’’ quantity; it need not be a ‘‘substantial percentage of the total.’’ Wheels, 518 F.2d at 438 n.84. Whether there have been a ‘‘significant number of failures’’ is a fact-specific inquiry that includes considerations such as: the failure rate of the component in question; the failure rates of comparable components; the importance of the component to the safe operation of the vehicle; and the severity of harm to the vehicle and/or occupant caused by the failure. Id. at 427. In addition, where appropriate, the determination of the existence of a defect may depend upon the failure rate in the affected class of vehicles compared to that of other peer vehicles. See United States v. Gen. Motors Corp., 841 F.2d 400, 412 (D.C. Cir. 1988) (‘‘X-Cars’’). The Agency relies on the performance record of a vehicle or component in making a defect determination where the engineering or root cause of a failure is unknown. See Wheels, 518 F.2d at 432. Where, however, the engineering or root cause is known, the Agency need not proceed with analyzing the performance record. See id.; see also United States v. Gen. Motors Corp., 565 3 ‘‘The protection afforded by the [Safety] Act was not limited to careful drivers who fastidiously observed speed limits and conscientiously complied with manufacturer’s instructions on vehicle maintenance and operation. . . . [the statute provides] an added area of safety to an owner who is lackadaisical, who neglects regular maintenance . . .’’ Wheels, 518 F.2d at 434. VerDate Sep<11>2014 18:22 Sep 22, 2016 Jkt 238001 F.2d 754, 758 (D.C. Cir. 1977) (‘‘Carburetors’’) (finding a defect to be safety-related if it ‘‘results in hazards as potentially dangerous as sudden engine fire, and where there is no dispute that at least some such hazards . . . can definitely be expected to occur in the future.’’). For software or other electronic systems, for example, when the engineering or root cause of the hazard is known, a defect exists regardless of whether there have been any actual performance failures. C. Determining an Unreasonable Risk to Safety In order to support a recall, a defect must be related to motor vehicle safety. United States v. General Motors Corp., 561 F.2d 923, 928–29 (D.C. Cir. 1977) (‘‘Pitman Arms’’). In the context of the Safety Act, ‘‘motor vehicle safety’’ refers to an ‘‘unreasonable risk of accidents’’ and an ‘‘unreasonable risk of death or injury in an accident.’’ 49 U.S.C. 30102(a)(8). Thus, while the defect analysis has generally entailed a retrospective look at how many failures have occurred (see, e.g., Wheels and Pitman Arms), the safety-relatedness question is forward-looking, and concerns hazards that may arise in the future. See, e.g., Carburetors, 565 F.2d at 758. In general, for a defect to present an ‘‘unreasonable risk,’’ there must be a likelihood that it will cause or be associated with a ‘‘non-negligible’’ number of crashes, injuries, or deaths in the future. See, e.g., Carburetors, 565 F.2d at 759. This prediction of future hazards is called a ‘‘risk analysis.’’ See, e.g., Pitman Arms, 561 F.2d at 924 (Leventhal, J., dissenting) (‘‘GM presented a ‘risk analysis’ which predicts the likely number of future injuries or deaths to be expected in the remaining service life of the affected models’’). A forward-looking risk analysis is compelled by the purpose of the Safety Act, which ‘‘is not to protect individuals from the risks associated with defective vehicles only after serious injuries have already occurred; it is to prevent serious injuries stemming from established defects before they occur.’’ Carburetors, 565 F.2d at 759 (emphasis added). However, in some circumstances, a crash, injury, or death need not occur for a defect to be considered to pose an unreasonable risk. If the hazard is sufficiently serious, and at least some harm, however small, is expected to occur in the future, the risk may be deemed unreasonable. Carburetors, 565 F.2d at 759 (‘‘In the context of this case . . . even an ‘exceedingly small’ number of injuries from this admittedly PO 00000 Frm 00087 Fmt 4703 Sfmt 4703 defective and clearly dangerous carburetor appears to us ‘unreasonably large.’’’). In other words, where a defect presents a ‘‘clearly’’ or ‘‘potentially dangerous’’ hazard, and where ‘‘at least some such hazards’’—even an ‘‘exceedingly small’’ number—will occur in the future, that defect is necessarily safety-related. See id. at 754. This is so regardless of whether any injuries have already occurred, or whether the projected number of failures/injuries in the future is trending down. See id. at 759. Moreover, a defect may be considered ‘‘per se’’ safetyrelated if it causes the failure of a critical component; causes a vehicle fire; causes a loss of vehicle control; or suddenly moves the driver away from steering, accelerator, and brake controls—regardless of how many injuries or accidents are likely to occur in the future. See Carburetors, 565 F.2d 754 (engine fires); Pitman Arms, 561 F.2d 923 (loss of control); United States v. Ford Motor Co., 453 F. Supp. 1240 (D.D.C. 1978) (‘‘Wipers’’) (loss of visibility); United States v. Ford Motor Co., 421 F. Supp. 1239, 1243–1244 (D.D.C. 1976) (‘‘Seatbacks’’) (loss of control). Similarly, where a defect ‘‘is systematic and is prevalent in a particular class [of motor vehicles or equipment], . . . this is prima facie an unreasonable risk.’’ Pitman Arms, 561 F.2d at 929. III. Guidance and Recommended Best Practices: Safety-Related Defects, Unreasonable Risk, and Automated Safety Technologies Consistent with the foregoing background, NHTSA’s enforcement authority concerning safety-related defects in motor vehicles and motor vehicle equipment extends and applies equally to current and emerging automated safety technologies. This includes fully automated (self-driving) vehicles. Where a fully automated (selfdriving) vehicle or other automated safety technology causes crashes or injuries, or poses other safety risks, the Agency will evaluate such technology through its investigative authority to determine whether the technology presents an unreasonable risk to safety. Similarly, should the Agency determine that a fully automated (self-driving) vehicle or other automated safety technology has manifested a safetyrelated defect, and a manufacturer fails to act, NHTSA will exercise its enforcement authority to the fullest extent. To avoid violating Safety Act requirements and standards, manufacturers of current and emerging automated safety technologies are E:\FR\FM\23SEN1.SGM 23SEN1 sradovich on DSK3GMQ082PROD with NOTICES Federal Register / Vol. 81, No. 185 / Friday, September 23, 2016 / Notices strongly encouraged to take steps to proactively identify and resolve safety concerns before their products are available for use on U.S. roadways, and to discuss such actions with NHTSA. The Agency recognizes that most automated safety technologies heavily involve electronic systems (such as hardware, software, sensors, global positioning systems (GPS) and vehicleto-vehicle (V2V) safety communications systems). The Agency acknowledges that the increased use of electronic systems in motor vehicles and motor vehicle equipment may raise new and different safety concerns. However, the complexities of these systems do not diminish manufacturers’ duties under the Safety Act. Both motor vehicle manufacturers and motor vehicle equipment manufacturers remain responsible for ensuring that their vehicles and equipment are free of safety-related defects and noncompliances, and do not otherwise pose an unreasonable risk to safety. Manufacturers are also reminded that they remain responsible for promptly reporting to NHTSA any safety-related defects or noncompliances, as well as timely notifying owners and dealers of the same. In assessing whether a motor vehicle or item of motor vehicle equipment poses an unreasonable risk to safety, NHTSA considers the vehicle component or system involved, the likelihood of the occurrence of a hazard, the potential frequency of a hazard, the severity of hazard to the vehicle and occupant, known engineering or root cause, and other relevant factors. Where a threatened hazard is substantial (e.g., fire or stalling), low potential frequency may not carry as much weight in NHTSA’s analysis. NHTSA may weigh the above factors, and other relevant factors, differently depending on the circumstances of the particular underlying matter at issue. Software installed in or on a motor vehicle—which is motor vehicle equipment—presents its own unique safety risks. Because software often interacts with a motor vehicle’s critical systems (i.e., systems encompassing critical control functions such as braking, steering, or acceleration), the operation of those systems can be substantially altered by after-market software updates. Software located outside the motor vehicle could also be used to affect and control a motor vehicle’s critical systems.4 Under either 4 NHTSA intends to publish an interpretation clarifying in further detail the Agency’s criteria for determining whether a portable device or portable application is an ‘‘accessory’’ to a motor vehicle at a later date. VerDate Sep<11>2014 18:22 Sep 22, 2016 Jkt 238001 circumstance, if software (whether or not it purports to have a safety-related purpose) creates or introduces an unreasonable safety risk to motor vehicle systems, then that safety risk constitutes a defect compelling a recall. While the Agency acknowledges that manufacturers are not required to design motor vehicles or motor vehicle equipment that ‘‘never fail,’’ manufacturers should consider developing systems such that should an electrical, electronic, mechanical, or software failure occur, the vehicle or equipment can still be operated in a manner to mitigate the risks from such failures. Furthermore, with the increased introduction of current and emerging automated safety technologies, manufacturers should take steps necessary to ensure that any such technology introduced to U.S. roadways accounts for the driver’s ease of use and any foreseeable misuse that may occur, particularly in circumstances that require driver interaction while a vehicle is in operation. A system design or configuration that fails to take into account and safeguard against the consequences of reasonably foreseeable driver distraction or error may present an unreasonable risk to safety. For example, an unconventional electronic gearshift assembly that lacks detents or other tactile cues that provide gear selection feedback makes it more likely that a driver may attempt to exit a vehicle with the mistaken belief that the vehicle is in park. If the vehicle’s design does not guard against this foreseeable driver error by providing an effective warning or (for instance) immobilizing the vehicle when the driver’s door is opened, the design may present an unreasonable risk to safety. Similarly, a semi-autonomous driving system that allows a driver to relinquish control of the vehicle while it is in operation but fails to adequately account for reasonably foreseeable situations where a distracted or inattentive driver-occupant must retake control of the vehicle at any point may also be an unreasonable risk to safety. Additionally, where a software system is expected to last the life of the vehicle, manufacturers should take care to provide secure updates as needed to keep the system functioning. Conversely, if a manufacturer fails to provide secure updates to a software system and that failure results in a safety risk, NHTSA may consider such a safety risk to be a safety-related defect compelling a recall. Motor vehicle and motor vehicle equipment manufacturers have a continuing obligation to proactively identify safety concerns and mitigate the PO 00000 Frm 00088 Fmt 4703 Sfmt 4703 65709 risks of harm. If a manufacturer discovers or is otherwise made aware of any safety-related defects, noncompliances, or other safety risks after the vehicle and/or equipment (including automated safety technology) has been in safe operation, then it should promptly contact the appropriate NHTSA personnel to determine the necessary next steps. Where a manufacturer fails to adequately address a safety concern, NHTSA, when appropriate, will address that failure through its enforcement authority. Applicability/Legal Statement: This Enforcement Guidance Bulletin sets forth NHTSA’s current views on its enforcement authority and the topic of automated safety technology, and suggests guiding principles and best practices to be utilized by motor vehicle and equipment manufacturers in this context. This Bulletin is not a final agency action and is intended as guidance only. This Bulletin does not have the force or effect of law. This Bulletin is not intended, nor can it be relied upon, to create any rights enforceable by any party against NHTSA, the U.S. Department of Transportation, or the United States. These recommended practices do not establish any defense to any violations of the Safety Act, or regulations thereunder, or violation of any statutes or regulations that NHTSA administers. This Bulletin may be revised without notice to reflect changes in the Agency’s views and analysis, or to clarify and update text. Authority: 49 U.S.C. 30101–30103, 30116– 30121, 30166; delegation of authority at 49 CFR 1.95 and 49 CFR 501.8. Issued: September 20, 2016. Paul A. Hemmersbaugh, Chief Counsel. [FR Doc. 2016–23010 Filed 9–22–16; 8:45 am] BILLING CODE 4910–59–P DEPARTMENT OF TRANSPORTATION National Highway Traffic Safety Administration [Docket No. NHTSA–2016–0091] Reports, Forms, and Record Keeping Requirements National Highway Traffic Safety Administration (NHTSA), Department of Transportation (DOT). ACTION: Request for public comment on proposed collection of information. AGENCY: Before a Federal agency may collect certain information from the public, it must receive approval from SUMMARY: E:\FR\FM\23SEN1.SGM 23SEN1

Agencies

[Federal Register Volume 81, Number 185 (Friday, September 23, 2016)]
[Notices]
[Pages 65705-65709]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2016-23010]


-----------------------------------------------------------------------

DEPARTMENT OF TRANSPORTATION

National Highway Traffic Safety Administration

[Docket No. NHTSA-2016-0040]


NHTSA Enforcement Guidance Bulletin 2016-02: Safety-Related 
Defects and Automated Safety Technologies

AGENCY: National Highway Traffic Safety Administration (NHTSA), 
Department of Transportation.

ACTION: Final notice.

-----------------------------------------------------------------------

SUMMARY: Automotive technology is at a moment of rapid change and may 
evolve farther in the next decade than in the previous 45-plus year 
history of the Agency. As the automobile industry moves toward fully 
automated (self-driving) vehicles and other innovative mobility 
solutions, NHTSA seeks to facilitate the advance of automated 
technologies that currently present safety improvements and that, in 
the future, are likely to improve safety and decrease the number of 
crashes, traffic fatalities, and serious injuries on U.S. roadways. 
NHTSA is commanded by Congress to protect the safety of the driving 
public against unreasonable risks of harm that may occur because of

[[Page 65706]]

the design, construction, or performance of a motor vehicle or motor 
vehicle equipment, and to mitigate risks of harm, including risks that 
may be emerging or contingent. As NHTSA has always done when evaluating 
new vehicle technologies, the Agency will be guided by its statutory 
mission, the laws it is obligated to enforce, and the benefits of the 
emerging automated safety technologies appearing on U.S. roadways.
    NHTSA has broad enforcement authority under existing statutes and 
regulations to address existing and emerging automated safety 
technologies. This Enforcement Guidance Bulletin sets forth NHTSA's 
current views on its enforcement authority--including its view that 
when vulnerabilities in automated safety technology or equipment pose 
an unreasonable risk to safety, those vulnerabilities constitute a 
safety-related defect--and suggests guiding principles and best 
practices for motor vehicle and equipment manufacturers in this 
context.

FOR FURTHER INFORMATION CONTACT: Justine Casselle or Elizabeth 
Mykytiuk, Office of the Chief Counsel, National Highway Traffic Safety 
Administration, at (202) 366-2992.

SUPPLEMENTARY INFORMATION:

I. Executive Summary
II. Legal and Policy Background
    A. NHTSA's Enforcement Authority Under the Safety Act
    B. Determining the Existence of a Defect
    C. Determining an Unreasonable Risk to Safety
III. Guidance and Recommended Best Practices: Safety-Related 
Defects, Unreasonable Risk, and Automated Safety Technologies

I. Executive Summary

    Recent and continuing advances in automotive technology have great 
potential to generate significant safety benefits. Today's motor 
vehicles are increasingly equipped with electronics, sensors, and 
computing power that enable automated safety technologies, including 
technologies such as forward-collision warning, automatic-emergency 
braking, and lane-keeping assist, which have the potential to 
dramatically enhance safety. New technologies may not only prevent 
drivers from crashing, but may even do some or all of the driving for 
them. The potential safety implications of such technologies are vast. 
Importantly, as these technologies become more widespread, 
manufacturers must ensure their safe development and implementation.
    On April 1, 2016, NHTSA published a proposed Enforcement Guidance 
Bulletin setting forth an overview of the Agency's enforcement 
authority under the Safety Act and its present views on certain 
enforcement subjects and issues. See Docket No. NHTSA-2016-0040. 
Recognizing the public interest in this topic and the safety concerns 
associated with automated safety technologies, the Agency solicited 
public comment before issuing a final Enforcement Guidance Bulletin. In 
response to the request for comment, the Agency received thirty-five 
(35) public submissions. Although some comments were submitted after 
the stated closing date of May 2, 2016, all comments submitted to the 
docket were considered in formulating this final Guidance.
    In response to various comments suggesting that NHTSA give 
additional review to issues associated with certain software and 
cybersecurity, the Agency has decided to focus this Guidance solely on 
how its enforcement authority relates to automated safety technologies, 
including fully automated (self-driving) vehicles. Thus, comments 
related to cybersecurity will be addressed in future interpretations 
and guidance. However, this does not mean that cybersecurity is outside 
of NHTSA's authority. Manufacturers of motor vehicles and motor vehicle 
equipment must continue to follow the requirements of the Safety Act, 
including those related to cybersecurity.
    The Agency received twenty-eight (28) comments that specifically 
addressed automated safety technologies from a wide variety of 
stakeholders and members of the public. Many commenters supported the 
proposed Enforcement Guidance Bulletin, noting that it adequately 
explained NHTSA's existing authority and how that authority extends to 
automated safety technologies. Some commenters opined that guidance 
should not be viewed as a substitute for traditional rulemaking or the 
establishment of performance standards. One commenter suggested that 
manufacturers be required to engage in constant monitoring and 
reporting, due to the possibility of certain systems showing no outward 
sign of a defect and the increased possibility of defects resulting 
from two systems failing to correctly interact. Another suggested 
replacement of NHTSA's existing enforcement model with a more flexible 
approach after implementing new standards. None of the alternative 
approaches described in this paragraph are foreclosed by this Guidance. 
NHTSA remains open to consideration of those and other options.
    Traditionally, only after new technology is developed and proven 
does the Agency establish new safety standards. This approach has 
yielded enormous safety benefits, but one limitation of this approach 
is that it takes time. Strong safety regulations and standards are a 
vital piece of NHTSA's safety mission and the Agency will engage in 
rulemaking related to automated safety technologies in the future. This 
Guidance serves in part as a reminder that even before such rulemaking 
occurs, NHTSA currently has enforcement authority to address safety 
risks as they arise.
    A number of commenters urged the Agency, when developing guidance 
and regulations, to not provide immunity to manufacturers for the 
consequences of failures of automated safety technologies simply 
because a manufacturer introduces them to the U.S. public. This 
Guidance is limited to setting forth an overview of NHTSA's enforcement 
authority over automated safety technologies and, therefore, is not 
intended to provide such legal immunity.
    Other commenters suggested that while automated safety technologies 
may facilitate increased safety, manufacturers should ensure that over 
the lifespan of the vehicle such technologies themselves do not create 
unreasonable risks to safety due to predictable abuse or impractical 
recalibration requirements. The Agency agrees. Unreasonable risks due 
to predictable abuse or impractical recalibration requirements may 
constitute safety-related defects. See United States v. Gen. Motors 
Corp., 518 F.2d 420, 427 (D.C. Cir. 1975) (``Wheels''). Manufacturers 
have a continuing obligation to proactively identify and mitigate such 
safety risks. This includes safety risks discovered after the vehicle 
and/or equipment has been in safe operation.
    Finally, some commenters suggested that the Agency had 
misinterpreted its authority over certain motor vehicle equipment. Some 
further questioned whether software and certain devices constitute 
motor vehicle equipment.
    NHTSA's authority over motor vehicle equipment, in its many forms, 
is expressed unequivocally in the Safety Act. Because some non-
traditional motor vehicle equipment manufacturers may not fully 
recognize their responsibilities under the Safety Act, this Guidance 
aims to increase awareness of NHTSA's enforcement authority over motor 
vehicle equipment in all of its various forms.\1\ This

[[Page 65707]]

Guidance is not an attempt to alter the relationship between motor 
vehicle and equipment manufacturers and their suppliers, or their 
respective responsibilities under the Safety Act. However, 
manufacturers and suppliers at all levels should be aware of their 
respective Safety Act obligations.
---------------------------------------------------------------------------

    \1\ The Agency anticipates publishing additional guidance at a 
later date, further clarifying the criteria the Agency considers 
when determining whether certain devices constitute motor vehicle 
equipment.
---------------------------------------------------------------------------

    NHTSA acknowledges the complexity of this evolving landscape. 
Nonetheless, NHTSA has been charged by Congress to protect the safety 
of the driving public against unreasonable risks of harm that may arise 
because of the design, construction, or performance of a motor vehicle 
or motor vehicle equipment. To fulfill that responsibility and 
accomplish its mission, the Agency must take steps to mitigate risks of 
harm, including risks that may result from automated safety 
technologies. This Guidance lays out a high-level overview of NHTSA's 
enforcement authority to evaluate and address safety risks of motor 
vehicle technologies. To the extent the Agency may need additional 
expertise to adequately evaluate such safety risks, NHTSA will take the 
necessary steps (as it has in the past) to meet those needs.
    Based on the Agency's consideration of all comments submitted in 
this proceeding; to aid in the successful development and deployment of 
automated safety technologies; to protect the public from potential 
defects associated with automated safety technologies that pose an 
unreasonable risk to safety; and as informed by the Agency's judgment 
and expertise, NHTSA now publishes this Enforcement Guidance Bulletin 
setting forth the Agency's current view of its enforcement authority 
and principles guiding its exercise of that authority. This includes 
guiding principles and best practices for use by motor vehicle and 
equipment manufacturers. NHTSA is not here establishing a binding set 
of rules, nor is the Agency suggesting that one particular set of 
practices applies in all situations. The Agency recognizes that best 
practices may vary depending on circumstances, and manufacturers remain 
free to choose the solution that best fits their needs while satisfying 
the demands of automotive safety.

II. Legal and Policy Background

A. NHTSA's Enforcement Authority Under the Safety Act

    The National Traffic and Motor Vehicle Safety Act, as amended 
(``Safety Act''), 49 U.S.C. 30101 et seq., provides the basis and 
framework for NHTSA's enforcement authority over motor vehicle and 
motor vehicle equipment defects and noncompliances with federal motor 
vehicle safety standards (FMVSS). This authority includes 
investigations, administrative proceedings, civil penalties, and other 
civil enforcement actions. While fully automated (self-driving) 
vehicles and other automated safety technologies may modify motor 
vehicle and equipment design, NHTSA's statutory enforcement authority 
is sufficiently general and flexible to keep pace with such innovation. 
The Agency has the authority to respond to a safety problem posed by 
new technologies in the same manner it is able to respond to safety 
problems posed by more established automotive technology and equipment, 
such as carburetors, the powertrain, vehicle control systems, and 
forward collision warning systems--by determining the existence of a 
defect that poses an unreasonable risk to motor vehicle safety and 
ordering the manufacturer to conduct a recall. See 49 U.S.C. 30118(b). 
This enforcement authority applies notwithstanding the presence or 
absence of an FMVSS for any particular type of advanced equipment or 
technology. See, e.g., United States v. Chrysler Corp., 158 F.3d 1350, 
1351 (D.C. Cir. 1998) (NHTSA ``may seek the recall of a motor vehicle 
either when a vehicle has `a defect related to motor vehicle safety' or 
when a vehicle `does not comply with an applicable motor vehicle safety 
standard.' '').\2\
---------------------------------------------------------------------------

    \2\ A manufacturer's obligation to recall motor vehicles and 
motor vehicle equipment determined to have a safety-related defect 
is separate and distinct from its obligation to recall motor 
vehicles and motor vehicle equipment that fail to comply with an 
applicable FMVSS. See 49 U.S.C. 30120.
---------------------------------------------------------------------------

    Under the Safety Act, NHTSA has authority over motor vehicles, 
equipment included in or on a motor vehicle at the time of delivery to 
the first purchaser (i.e., original equipment), and motor vehicle 
replacement equipment. See 49 U.S.C. 30102(a)-(b). Motor vehicle 
equipment is broadly defined to include ``any system, part, or 
component of a motor vehicle as originally manufactured'' and ``any 
similar part or component manufactured or sold for replacement or 
improvement of a system, part, or component.'' 49 U.S.C. 
30102(a)(7)(A)-(B). The Safety Act also gives NHTSA jurisdiction over 
after-market improvements, accessories, or additions to motor vehicles. 
See 49 U.S.C. 30102(a)(7)(B). All devices ``manufactured, sold, 
delivered, or offered to be sold for use on public streets, roads, and 
highways with the apparent purpose of safeguarding users of motor 
vehicles against risk of accident, injury, or death'' are similarly 
subject to NHTSA's enforcement authority. 49 U.S.C. 30102(a)(7)(C).
    With respect to current and emerging automated motor vehicle safety 
technologies, NHTSA considers such technologies (including systems and 
equipment) to be motor vehicle equipment, whether they are offered to 
the public as part of a new motor vehicle (as original equipment) or as 
an after-market replacement(s) of or improvement(s) to original 
equipment. NHTSA also considers software (including, but not 
necessarily limited to, the programs, instructions, code, and data used 
to operate computers and related devices), and after-market software 
updates, to be motor vehicle equipment within the meaning of the Safety 
Act. Software that enables devices not located in or on the motor 
vehicle to connect to the motor vehicle or its systems could, in some 
circumstances, also be considered motor vehicle equipment. Accordingly, 
a manufacturer of current and emerging automated safety technologies, 
whether it is the supplier of the equipment or the manufacturer of a 
motor vehicle on which the equipment is installed, has an obligation to 
notify NHTSA of any and all safety-related defects. See 49 CFR part 
573. Any manufacturer or supplier that fails to do so may be subject to 
civil penalties. See 49 U.S.C. 30165(a).
    NHTSA is charged with reducing deaths, injuries, and economic 
losses resulting from motor vehicle crashes. See 49 U.S.C. 30101. Part 
of that mandate includes ensuring that motor vehicles and motor vehicle 
equipment, including automated safety technologies, perform in ways 
that ``protect[] the public against unreasonable risk of accidents 
occurring because of the design, construction, or performance of a 
motor vehicle, and against unreasonable risk of death or injury in an 
accident.'' 49 U.S.C. 30102(a)(8). This responsibility also includes 
the nonoperational safety of a motor vehicle. Id. In pursuit of these 
safety objectives, and in the absence of adequate action by the 
manufacturer, NHTSA is authorized to determine that a motor vehicle or 
motor vehicle equipment is defective and that the defect poses an 
unreasonable risk to safety. See 49 U.S.C. 30118(b) and (c)(1).

B. Determining the Existence of a Defect

    Under the Safety Act, a ``defect'' includes ``any defect in 
performance, construction, a component, or material of a motor vehicle 
or motor vehicle equipment.'' 49 U.S.C. 30102(a)(2). This includes a 
defect in design. See Wheels, 518 F.2d at 436. A defect in an item of 
motor vehicle equipment (including

[[Page 65708]]

hardware, software, and other electronic systems) may be considered a 
defect of the motor vehicle itself. See 49 U.S.C. 30102(b)(1)(F).
    Congress intended the Safety Act to represent a ``commonsense'' 
approach to safety and courts have followed that approach in 
determining what constitutes a ``defect.'' See, e.g., Wheels, 518 F.2d 
at 436. For this reason, a defect determination does not require an 
engineering explanation or root cause, but instead ``may be based 
exclusively on the performance record of the component.'' Wheels, 518 
F.2d at 432 (``[A] determination of a `defect' does not require any 
predicate of a finding identifying engineering, metallurgical, or 
manufacturing failures.''). Thus, a motor vehicle or item of motor 
vehicle equipment contains a defect ``if it is subject to a significant 
number of failures in normal operation, including failures either 
occurring during specified use or resulting from owner abuse (including 
inadequate maintenance) that is reasonably foreseeable (ordinary 
abuse).'' \3\ Wheels, 518 F.2d at 427.
---------------------------------------------------------------------------

    \3\ ``The protection afforded by the [Safety] Act was not 
limited to careful drivers who fastidiously observed speed limits 
and conscientiously complied with manufacturer's instructions on 
vehicle maintenance and operation. . . . [the statute provides] an 
added area of safety to an owner who is lackadaisical, who neglects 
regular maintenance . . .'' Wheels, 518 F.2d at 434.
---------------------------------------------------------------------------

    A ``significant number of failures'' is merely a ``non-de minimus'' 
quantity; it need not be a ``substantial percentage of the total.'' 
Wheels, 518 F.2d at 438 n.84. Whether there have been a ``significant 
number of failures'' is a fact-specific inquiry that includes 
considerations such as: the failure rate of the component in question; 
the failure rates of comparable components; the importance of the 
component to the safe operation of the vehicle; and the severity of 
harm to the vehicle and/or occupant caused by the failure. Id. at 427. 
In addition, where appropriate, the determination of the existence of a 
defect may depend upon the failure rate in the affected class of 
vehicles compared to that of other peer vehicles. See United States v. 
Gen. Motors Corp., 841 F.2d 400, 412 (D.C. Cir. 1988) (``X-Cars'').
    The Agency relies on the performance record of a vehicle or 
component in making a defect determination where the engineering or 
root cause of a failure is unknown. See Wheels, 518 F.2d at 432. Where, 
however, the engineering or root cause is known, the Agency need not 
proceed with analyzing the performance record. See id.; see also United 
States v. Gen. Motors Corp., 565 F.2d 754, 758 (D.C. Cir. 1977) 
(``Carburetors'') (finding a defect to be safety-related if it 
``results in hazards as potentially dangerous as sudden engine fire, 
and where there is no dispute that at least some such hazards . . . can 
definitely be expected to occur in the future.''). For software or 
other electronic systems, for example, when the engineering or root 
cause of the hazard is known, a defect exists regardless of whether 
there have been any actual performance failures.

C. Determining an Unreasonable Risk to Safety

    In order to support a recall, a defect must be related to motor 
vehicle safety. United States v. General Motors Corp., 561 F.2d 923, 
928-29 (D.C. Cir. 1977) (``Pitman Arms''). In the context of the Safety 
Act, ``motor vehicle safety'' refers to an ``unreasonable risk of 
accidents'' and an ``unreasonable risk of death or injury in an 
accident.'' 49 U.S.C. 30102(a)(8). Thus, while the defect analysis has 
generally entailed a retrospective look at how many failures have 
occurred (see, e.g., Wheels and Pitman Arms), the safety-relatedness 
question is forward-looking, and concerns hazards that may arise in the 
future. See, e.g., Carburetors, 565 F.2d at 758.
    In general, for a defect to present an ``unreasonable risk,'' there 
must be a likelihood that it will cause or be associated with a ``non-
negligible'' number of crashes, injuries, or deaths in the future. See, 
e.g., Carburetors, 565 F.2d at 759. This prediction of future hazards 
is called a ``risk analysis.'' See, e.g., Pitman Arms, 561 F.2d at 924 
(Leventhal, J., dissenting) (``GM presented a `risk analysis' which 
predicts the likely number of future injuries or deaths to be expected 
in the remaining service life of the affected models''). A forward-
looking risk analysis is compelled by the purpose of the Safety Act, 
which ``is not to protect individuals from the risks associated with 
defective vehicles only after serious injuries have already occurred; 
it is to prevent serious injuries stemming from established defects 
before they occur.'' Carburetors, 565 F.2d at 759 (emphasis added).
    However, in some circumstances, a crash, injury, or death need not 
occur for a defect to be considered to pose an unreasonable risk. If 
the hazard is sufficiently serious, and at least some harm, however 
small, is expected to occur in the future, the risk may be deemed 
unreasonable. Carburetors, 565 F.2d at 759 (``In the context of this 
case . . . even an `exceedingly small' number of injuries from this 
admittedly defective and clearly dangerous carburetor appears to us 
`unreasonably large.'''). In other words, where a defect presents a 
``clearly'' or ``potentially dangerous'' hazard, and where ``at least 
some such hazards''--even an ``exceedingly small'' number--will occur 
in the future, that defect is necessarily safety-related. See id. at 
754. This is so regardless of whether any injuries have already 
occurred, or whether the projected number of failures/injuries in the 
future is trending down. See id. at 759. Moreover, a defect may be 
considered ``per se'' safety-related if it causes the failure of a 
critical component; causes a vehicle fire; causes a loss of vehicle 
control; or suddenly moves the driver away from steering, accelerator, 
and brake controls--regardless of how many injuries or accidents are 
likely to occur in the future. See Carburetors, 565 F.2d 754 (engine 
fires); Pitman Arms, 561 F.2d 923 (loss of control); United States v. 
Ford Motor Co., 453 F. Supp. 1240 (D.D.C. 1978) (``Wipers'') (loss of 
visibility); United States v. Ford Motor Co., 421 F. Supp. 1239, 1243-
1244 (D.D.C. 1976) (``Seatbacks'') (loss of control). Similarly, where 
a defect ``is systematic and is prevalent in a particular class [of 
motor vehicles or equipment], . . . this is prima facie an unreasonable 
risk.'' Pitman Arms, 561 F.2d at 929.

III. Guidance and Recommended Best Practices: Safety-Related Defects, 
Unreasonable Risk, and Automated Safety Technologies

    Consistent with the foregoing background, NHTSA's enforcement 
authority concerning safety-related defects in motor vehicles and motor 
vehicle equipment extends and applies equally to current and emerging 
automated safety technologies. This includes fully automated (self-
driving) vehicles. Where a fully automated (self-driving) vehicle or 
other automated safety technology causes crashes or injuries, or poses 
other safety risks, the Agency will evaluate such technology through 
its investigative authority to determine whether the technology 
presents an unreasonable risk to safety. Similarly, should the Agency 
determine that a fully automated (self-driving) vehicle or other 
automated safety technology has manifested a safety-related defect, and 
a manufacturer fails to act, NHTSA will exercise its enforcement 
authority to the fullest extent.
    To avoid violating Safety Act requirements and standards, 
manufacturers of current and emerging automated safety technologies are

[[Page 65709]]

strongly encouraged to take steps to proactively identify and resolve 
safety concerns before their products are available for use on U.S. 
roadways, and to discuss such actions with NHTSA. The Agency recognizes 
that most automated safety technologies heavily involve electronic 
systems (such as hardware, software, sensors, global positioning 
systems (GPS) and vehicle-to-vehicle (V2V) safety communications 
systems). The Agency acknowledges that the increased use of electronic 
systems in motor vehicles and motor vehicle equipment may raise new and 
different safety concerns. However, the complexities of these systems 
do not diminish manufacturers' duties under the Safety Act. Both motor 
vehicle manufacturers and motor vehicle equipment manufacturers remain 
responsible for ensuring that their vehicles and equipment are free of 
safety-related defects and noncompliances, and do not otherwise pose an 
unreasonable risk to safety. Manufacturers are also reminded that they 
remain responsible for promptly reporting to NHTSA any safety-related 
defects or noncompliances, as well as timely notifying owners and 
dealers of the same.
    In assessing whether a motor vehicle or item of motor vehicle 
equipment poses an unreasonable risk to safety, NHTSA considers the 
vehicle component or system involved, the likelihood of the occurrence 
of a hazard, the potential frequency of a hazard, the severity of 
hazard to the vehicle and occupant, known engineering or root cause, 
and other relevant factors. Where a threatened hazard is substantial 
(e.g., fire or stalling), low potential frequency may not carry as much 
weight in NHTSA's analysis. NHTSA may weigh the above factors, and 
other relevant factors, differently depending on the circumstances of 
the particular underlying matter at issue.
    Software installed in or on a motor vehicle--which is motor vehicle 
equipment--presents its own unique safety risks. Because software often 
interacts with a motor vehicle's critical systems (i.e., systems 
encompassing critical control functions such as braking, steering, or 
acceleration), the operation of those systems can be substantially 
altered by after-market software updates. Software located outside the 
motor vehicle could also be used to affect and control a motor 
vehicle's critical systems.\4\ Under either circumstance, if software 
(whether or not it purports to have a safety-related purpose) creates 
or introduces an unreasonable safety risk to motor vehicle systems, 
then that safety risk constitutes a defect compelling a recall.
---------------------------------------------------------------------------

    \4\ NHTSA intends to publish an interpretation clarifying in 
further detail the Agency's criteria for determining whether a 
portable device or portable application is an ``accessory'' to a 
motor vehicle at a later date.
---------------------------------------------------------------------------

    While the Agency acknowledges that manufacturers are not required 
to design motor vehicles or motor vehicle equipment that ``never 
fail,'' manufacturers should consider developing systems such that 
should an electrical, electronic, mechanical, or software failure 
occur, the vehicle or equipment can still be operated in a manner to 
mitigate the risks from such failures. Furthermore, with the increased 
introduction of current and emerging automated safety technologies, 
manufacturers should take steps necessary to ensure that any such 
technology introduced to U.S. roadways accounts for the driver's ease 
of use and any foreseeable misuse that may occur, particularly in 
circumstances that require driver interaction while a vehicle is in 
operation. A system design or configuration that fails to take into 
account and safeguard against the consequences of reasonably 
foreseeable driver distraction or error may present an unreasonable 
risk to safety.
    For example, an unconventional electronic gearshift assembly that 
lacks detents or other tactile cues that provide gear selection 
feedback makes it more likely that a driver may attempt to exit a 
vehicle with the mistaken belief that the vehicle is in park. If the 
vehicle's design does not guard against this foreseeable driver error 
by providing an effective warning or (for instance) immobilizing the 
vehicle when the driver's door is opened, the design may present an 
unreasonable risk to safety. Similarly, a semi-autonomous driving 
system that allows a driver to relinquish control of the vehicle while 
it is in operation but fails to adequately account for reasonably 
foreseeable situations where a distracted or inattentive driver-
occupant must retake control of the vehicle at any point may also be an 
unreasonable risk to safety. Additionally, where a software system is 
expected to last the life of the vehicle, manufacturers should take 
care to provide secure updates as needed to keep the system 
functioning. Conversely, if a manufacturer fails to provide secure 
updates to a software system and that failure results in a safety risk, 
NHTSA may consider such a safety risk to be a safety-related defect 
compelling a recall.
    Motor vehicle and motor vehicle equipment manufacturers have a 
continuing obligation to proactively identify safety concerns and 
mitigate the risks of harm. If a manufacturer discovers or is otherwise 
made aware of any safety-related defects, noncompliances, or other 
safety risks after the vehicle and/or equipment (including automated 
safety technology) has been in safe operation, then it should promptly 
contact the appropriate NHTSA personnel to determine the necessary next 
steps. Where a manufacturer fails to adequately address a safety 
concern, NHTSA, when appropriate, will address that failure through its 
enforcement authority.
    Applicability/Legal Statement: This Enforcement Guidance Bulletin 
sets forth NHTSA's current views on its enforcement authority and the 
topic of automated safety technology, and suggests guiding principles 
and best practices to be utilized by motor vehicle and equipment 
manufacturers in this context. This Bulletin is not a final agency 
action and is intended as guidance only. This Bulletin does not have 
the force or effect of law. This Bulletin is not intended, nor can it 
be relied upon, to create any rights enforceable by any party against 
NHTSA, the U.S. Department of Transportation, or the United States. 
These recommended practices do not establish any defense to any 
violations of the Safety Act, or regulations thereunder, or violation 
of any statutes or regulations that NHTSA administers. This Bulletin 
may be revised without notice to reflect changes in the Agency's views 
and analysis, or to clarify and update text.

    Authority: 49 U.S.C. 30101-30103, 30116-30121, 30166; delegation 
of authority at 49 CFR 1.95 and 49 CFR 501.8.

    Issued: September 20, 2016.
Paul A. Hemmersbaugh,
Chief Counsel.
[FR Doc. 2016-23010 Filed 9-22-16; 8:45 am]
BILLING CODE 4910-59-P