NHTSA Enforcement Guidance Bulletin 2016-02: Safety-Related Defects and Automated Safety Technologies, 65705-65709 [2016-23010]

Agencies

• National Highway Traffic Safety Administration
• DEPARTMENT OF TRANSPORTATION

[Federal Register Volume 81, Number 185 (Friday, September 23, 2016)]
[Notices]
[Pages 65705-65709]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2016-23010]


-----------------------------------------------------------------------

DEPARTMENT OF TRANSPORTATION

National Highway Traffic Safety Administration

[Docket No. NHTSA-2016-0040]


NHTSA Enforcement Guidance Bulletin 2016-02: Safety-Related 
Defects and Automated Safety Technologies

AGENCY: National Highway Traffic Safety Administration (NHTSA), 
Department of Transportation.

ACTION: Final notice.

-----------------------------------------------------------------------

SUMMARY: Automotive technology is at a moment of rapid change and may 
evolve farther in the next decade than in the previous 45-plus year 
history of the Agency. As the automobile industry moves toward fully 
automated (self-driving) vehicles and other innovative mobility 
solutions, NHTSA seeks to facilitate the advance of automated 
technologies that currently present safety improvements and that, in 
the future, are likely to improve safety and decrease the number of 
crashes, traffic fatalities, and serious injuries on U.S. roadways. 
NHTSA is commanded by Congress to protect the safety of the driving 
public against unreasonable risks of harm that may occur because of

[[Page 65706]]

the design, construction, or performance of a motor vehicle or motor 
vehicle equipment, and to mitigate risks of harm, including risks that 
may be emerging or contingent. As NHTSA has always done when evaluating 
new vehicle technologies, the Agency will be guided by its statutory 
mission, the laws it is obligated to enforce, and the benefits of the 
emerging automated safety technologies appearing on U.S. roadways.
    NHTSA has broad enforcement authority under existing statutes and 
regulations to address existing and emerging automated safety 
technologies. This Enforcement Guidance Bulletin sets forth NHTSA's 
current views on its enforcement authority--including its view that 
when vulnerabilities in automated safety technology or equipment pose 
an unreasonable risk to safety, those vulnerabilities constitute a 
safety-related defect--and suggests guiding principles and best 
practices for motor vehicle and equipment manufacturers in this 
context.

FOR FURTHER INFORMATION CONTACT: Justine Casselle or Elizabeth 
Mykytiuk, Office of the Chief Counsel, National Highway Traffic Safety 
Administration, at (202) 366-2992.

SUPPLEMENTARY INFORMATION:

I. Executive Summary
II. Legal and Policy Background
    A. NHTSA's Enforcement Authority Under the Safety Act
    B. Determining the Existence of a Defect
    C. Determining an Unreasonable Risk to Safety
III. Guidance and Recommended Best Practices: Safety-Related 
Defects, Unreasonable Risk, and Automated Safety Technologies

I. Executive Summary

    Recent and continuing advances in automotive technology have great 
potential to generate significant safety benefits. Today's motor 
vehicles are increasingly equipped with electronics, sensors, and 
computing power that enable automated safety technologies, including 
technologies such as forward-collision warning, automatic-emergency 
braking, and lane-keeping assist, which have the potential to 
dramatically enhance safety. New technologies may not only prevent 
drivers from crashing, but may even do some or all of the driving for 
them. The potential safety implications of such technologies are vast. 
Importantly, as these technologies become more widespread, 
manufacturers must ensure their safe development and implementation.
    On April 1, 2016, NHTSA published a proposed Enforcement Guidance 
Bulletin setting forth an overview of the Agency's enforcement 
authority under the Safety Act and its present views on certain 
enforcement subjects and issues. See Docket No. NHTSA-2016-0040. 
Recognizing the public interest in this topic and the safety concerns 
associated with automated safety technologies, the Agency solicited 
public comment before issuing a final Enforcement Guidance Bulletin. In 
response to the request for comment, the Agency received thirty-five 
(35) public submissions. Although some comments were submitted after 
the stated closing date of May 2, 2016, all comments submitted to the 
docket were considered in formulating this final Guidance.
    In response to various comments suggesting that NHTSA give 
additional review to issues associated with certain software and 
cybersecurity, the Agency has decided to focus this Guidance solely on 
how its enforcement authority relates to automated safety technologies, 
including fully automated (self-driving) vehicles. Thus, comments 
related to cybersecurity will be addressed in future interpretations 
and guidance. However, this does not mean that cybersecurity is outside 
of NHTSA's authority. Manufacturers of motor vehicles and motor vehicle 
equipment must continue to follow the requirements of the Safety Act, 
including those related to cybersecurity.
    The Agency received twenty-eight (28) comments that specifically 
addressed automated safety technologies from a wide variety of 
stakeholders and members of the public. Many commenters supported the 
proposed Enforcement Guidance Bulletin, noting that it adequately 
explained NHTSA's existing authority and how that authority extends to 
automated safety technologies. Some commenters opined that guidance 
should not be viewed as a substitute for traditional rulemaking or the 
establishment of performance standards. One commenter suggested that 
manufacturers be required to engage in constant monitoring and 
reporting, due to the possibility of certain systems showing no outward 
sign of a defect and the increased possibility of defects resulting 
from two systems failing to correctly interact. Another suggested 
replacement of NHTSA's existing enforcement model with a more flexible 
approach after implementing new standards. None of the alternative 
approaches described in this paragraph are foreclosed by this Guidance. 
NHTSA remains open to consideration of those and other options.
    Traditionally, only after new technology is developed and proven 
does the Agency establish new safety standards. This approach has 
yielded enormous safety benefits, but one limitation of this approach 
is that it takes time. Strong safety regulations and standards are a 
vital piece of NHTSA's safety mission and the Agency will engage in 
rulemaking related to automated safety technologies in the future. This 
Guidance serves in part as a reminder that even before such rulemaking 
occurs, NHTSA currently has enforcement authority to address safety 
risks as they arise.
    A number of commenters urged the Agency, when developing guidance 
and regulations, to not provide immunity to manufacturers for the 
consequences of failures of automated safety technologies simply 
because a manufacturer introduces them to the U.S. public. This 
Guidance is limited to setting forth an overview of NHTSA's enforcement 
authority over automated safety technologies and, therefore, is not 
intended to provide such legal immunity.
    Other commenters suggested that while automated safety technologies 
may facilitate increased safety, manufacturers should ensure that over 
the lifespan of the vehicle such technologies themselves do not create 
unreasonable risks to safety due to predictable abuse or impractical 
recalibration requirements. The Agency agrees. Unreasonable risks due 
to predictable abuse or impractical recalibration requirements may 
constitute safety-related defects. See United States v. Gen. Motors 
Corp., 518 F.2d 420, 427 (D.C. Cir. 1975) (``Wheels''). Manufacturers 
have a continuing obligation to proactively identify and mitigate such 
safety risks. This includes safety risks discovered after the vehicle 
and/or equipment has been in safe operation.
    Finally, some commenters suggested that the Agency had 
misinterpreted its authority over certain motor vehicle equipment. Some 
further questioned whether software and certain devices constitute 
motor vehicle equipment.
    NHTSA's authority over motor vehicle equipment, in its many forms, 
is expressed unequivocally in the Safety Act. Because some non-
traditional motor vehicle equipment manufacturers may not fully 
recognize their responsibilities under the Safety Act, this Guidance 
aims to increase awareness of NHTSA's enforcement authority over motor 
vehicle equipment in all of its various forms.\1\ This

[[Page 65707]]

Guidance is not an attempt to alter the relationship between motor 
vehicle and equipment manufacturers and their suppliers, or their 
respective responsibilities under the Safety Act. However, 
manufacturers and suppliers at all levels should be aware of their 
respective Safety Act obligations.
---------------------------------------------------------------------------

    \1\ The Agency anticipates publishing additional guidance at a 
later date, further clarifying the criteria the Agency considers 
when determining whether certain devices constitute motor vehicle 
equipment.
---------------------------------------------------------------------------

    NHTSA acknowledges the complexity of this evolving landscape. 
Nonetheless, NHTSA has been charged by Congress to protect the safety 
of the driving public against unreasonable risks of harm that may arise 
because of the design, construction, or performance of a motor vehicle 
or motor vehicle equipment. To fulfill that responsibility and 
accomplish its mission, the Agency must take steps to mitigate risks of 
harm, including risks that may result from automated safety 
technologies. This Guidance lays out a high-level overview of NHTSA's 
enforcement authority to evaluate and address safety risks of motor 
vehicle technologies. To the extent the Agency may need additional 
expertise to adequately evaluate such safety risks, NHTSA will take the 
necessary steps (as it has in the past) to meet those needs.
    Based on the Agency's consideration of all comments submitted in 
this proceeding; to aid in the successful development and deployment of 
automated safety technologies; to protect the public from potential 
defects associated with automated safety technologies that pose an 
unreasonable risk to safety; and as informed by the Agency's judgment 
and expertise, NHTSA now publishes this Enforcement Guidance Bulletin 
setting forth the Agency's current view of its enforcement authority 
and principles guiding its exercise of that authority. This includes 
guiding principles and best practices for use by motor vehicle and 
equipment manufacturers. NHTSA is not here establishing a binding set 
of rules, nor is the Agency suggesting that one particular set of 
practices applies in all situations. The Agency recognizes that best 
practices may vary depending on circumstances, and manufacturers remain 
free to choose the solution that best fits their needs while satisfying 
the demands of automotive safety.

II. Legal and Policy Background

A. NHTSA's Enforcement Authority Under the Safety Act

    The National Traffic and Motor Vehicle Safety Act, as amended 
(``Safety Act''), 49 U.S.C. 30101 et seq., provides the basis and 
framework for NHTSA's enforcement authority over motor vehicle and 
motor vehicle equipment defects and noncompliances with federal motor 
vehicle safety standards (FMVSS). This authority includes 
investigations, administrative proceedings, civil penalties, and other 
civil enforcement actions. While fully automated (self-driving) 
vehicles and other automated safety technologies may modify motor 
vehicle and equipment design, NHTSA's statutory enforcement authority 
is sufficiently general and flexible to keep pace with such innovation. 
The Agency has the authority to respond to a safety problem posed by 
new technologies in the same manner it is able to respond to safety 
problems posed by more established automotive technology and equipment, 
such as carburetors, the powertrain, vehicle control systems, and 
forward collision warning systems--by determining the existence of a 
defect that poses an unreasonable risk to motor vehicle safety and 
ordering the manufacturer to conduct a recall. See 49 U.S.C. 30118(b). 
This enforcement authority applies notwithstanding the presence or 
absence of an FMVSS for any particular type of advanced equipment or 
technology. See, e.g., United States v. Chrysler Corp., 158 F.3d 1350, 
1351 (D.C. Cir. 1998) (NHTSA ``may seek the recall of a motor vehicle 
either when a vehicle has `a defect related to motor vehicle safety' or 
when a vehicle `does not comply with an applicable motor vehicle safety 
standard.' '').\2\
---------------------------------------------------------------------------

    \2\ A manufacturer's obligation to recall motor vehicles and 
motor vehicle equipment determined to have a safety-related defect 
is separate and distinct from its obligation to recall motor 
vehicles and motor vehicle equipment that fail to comply with an 
applicable FMVSS. See 49 U.S.C. 30120.
---------------------------------------------------------------------------

    Under the Safety Act, NHTSA has authority over motor vehicles, 
equipment included in or on a motor vehicle at the time of delivery to 
the first purchaser (i.e., original equipment), and motor vehicle 
replacement equipment. See 49 U.S.C. 30102(a)-(b). Motor vehicle 
equipment is broadly defined to include ``any system, part, or 
component of a motor vehicle as originally manufactured'' and ``any 
similar part or component manufactured or sold for replacement or 
improvement of a system, part, or component.'' 49 U.S.C. 
30102(a)(7)(A)-(B). The Safety Act also gives NHTSA jurisdiction over 
after-market improvements, accessories, or additions to motor vehicles. 
See 49 U.S.C. 30102(a)(7)(B). All devices ``manufactured, sold, 
delivered, or offered to be sold for use on public streets, roads, and 
highways with the apparent purpose of safeguarding users of motor 
vehicles against risk of accident, injury, or death'' are similarly 
subject to NHTSA's enforcement authority. 49 U.S.C. 30102(a)(7)(C).
    With respect to current and emerging automated motor vehicle safety 
technologies, NHTSA considers such technologies (including systems and 
equipment) to be motor vehicle equipment, whether they are offered to 
the public as part of a new motor vehicle (as original equipment) or as 
an after-market replacement(s) of or improvement(s) to original 
equipment. NHTSA also considers software (including, but not 
necessarily limited to, the programs, instructions, code, and data used 
to operate computers and related devices), and after-market software 
updates, to be motor vehicle equipment within the meaning of the Safety 
Act. Software that enables devices not located in or on the motor 
vehicle to connect to the motor vehicle or its systems could, in some 
circumstances, also be considered motor vehicle equipment. Accordingly, 
a manufacturer of current and emerging automated safety technologies, 
whether it is the supplier of the equipment or the manufacturer of a 
motor vehicle on which the equipment is installed, has an obligation to 
notify NHTSA of any and all safety-related defects. See 49 CFR part 
573. Any manufacturer or supplier that fails to do so may be subject to 
civil penalties. See 49 U.S.C. 30165(a).
    NHTSA is charged with reducing deaths, injuries, and economic 
losses resulting from motor vehicle crashes. See 49 U.S.C. 30101. Part 
of that mandate includes ensuring that motor vehicles and motor vehicle 
equipment, including automated safety technologies, perform in ways 
that ``protect[] the public against unreasonable risk of accidents 
occurring because of the design, construction, or performance of a 
motor vehicle, and against unreasonable risk of death or injury in an 
accident.'' 49 U.S.C. 30102(a)(8). This responsibility also includes 
the nonoperational safety of a motor vehicle. Id. In pursuit of these 
safety objectives, and in the absence of adequate action by the 
manufacturer, NHTSA is authorized to determine that a motor vehicle or 
motor vehicle equipment is defective and that the defect poses an 
unreasonable risk to safety. See 49 U.S.C. 30118(b) and (c)(1).

B. Determining the Existence of a Defect

    Under the Safety Act, a ``defect'' includes ``any defect in 
performance, construction, a component, or material of a motor vehicle 
or motor vehicle equipment.'' 49 U.S.C. 30102(a)(2). This includes a 
defect in design. See Wheels, 518 F.2d at 436. A defect in an item of 
motor vehicle equipment (including

[[Page 65708]]

hardware, software, and other electronic systems) may be considered a 
defect of the motor vehicle itself. See 49 U.S.C. 30102(b)(1)(F).
    Congress intended the Safety Act to represent a ``commonsense'' 
approach to safety and courts have followed that approach in 
determining what constitutes a ``defect.'' See, e.g., Wheels, 518 F.2d 
at 436. For this reason, a defect determination does not require an 
engineering explanation or root cause, but instead ``may be based 
exclusively on the performance record of the component.'' Wheels, 518 
F.2d at 432 (``[A] determination of a `defect' does not require any 
predicate of a finding identifying engineering, metallurgical, or 
manufacturing failures.''). Thus, a motor vehicle or item of motor 
vehicle equipment contains a defect ``if it is subject to a significant 
number of failures in normal operation, including failures either 
occurring during specified use or resulting from owner abuse (including 
inadequate maintenance) that is reasonably foreseeable (ordinary 
abuse).'' \3\ Wheels, 518 F.2d at 427.
---------------------------------------------------------------------------

    \3\ ``The protection afforded by the [Safety] Act was not 
limited to careful drivers who fastidiously observed speed limits 
and conscientiously complied with manufacturer's instructions on 
vehicle maintenance and operation. . . . [the statute provides] an 
added area of safety to an owner who is lackadaisical, who neglects 
regular maintenance . . .'' Wheels, 518 F.2d at 434.
---------------------------------------------------------------------------

    A ``significant number of failures'' is merely a ``non-de minimus'' 
quantity; it need not be a ``substantial percentage of the total.'' 
Wheels, 518 F.2d at 438 n.84. Whether there have been a ``significant 
number of failures'' is a fact-specific inquiry that includes 
considerations such as: the failure rate of the component in question; 
the failure rates of comparable components; the importance of the 
component to the safe operation of the vehicle; and the severity of 
harm to the vehicle and/or occupant caused by the failure. Id. at 427. 
In addition, where appropriate, the determination of the existence of a 
defect may depend upon the failure rate in the affected class of 
vehicles compared to that of other peer vehicles. See United States v. 
Gen. Motors Corp., 841 F.2d 400, 412 (D.C. Cir. 1988) (``X-Cars'').
    The Agency relies on the performance record of a vehicle or 
component in making a defect determination where the engineering or 
root cause of a failure is unknown. See Wheels, 518 F.2d at 432. Where, 
however, the engineering or root cause is known, the Agency need not 
proceed with analyzing the performance record. See id.; see also United 
States v. Gen. Motors Corp., 565 F.2d 754, 758 (D.C. Cir. 1977) 
(``Carburetors'') (finding a defect to be safety-related if it 
``results in hazards as potentially dangerous as sudden engine fire, 
and where there is no dispute that at least some such hazards . . . can 
definitely be expected to occur in the future.''). For software or 
other electronic systems, for example, when the engineering or root 
cause of the hazard is known, a defect exists regardless of whether 
there have been any actual performance failures.

C. Determining an Unreasonable Risk to Safety

    In order to support a recall, a defect must be related to motor 
vehicle safety. United States v. General Motors Corp., 561 F.2d 923, 
928-29 (D.C. Cir. 1977) (``Pitman Arms''). In the context of the Safety 
Act, ``motor vehicle safety'' refers to an ``unreasonable risk of 
accidents'' and an ``unreasonable risk of death or injury in an 
accident.'' 49 U.S.C. 30102(a)(8). Thus, while the defect analysis has 
generally entailed a retrospective look at how many failures have 
occurred (see, e.g., Wheels and Pitman Arms), the safety-relatedness 
question is forward-looking, and concerns hazards that may arise in the 
future. See, e.g., Carburetors, 565 F.2d at 758.
    In general, for a defect to present an ``unreasonable risk,'' there 
must be a likelihood that it will cause or be associated with a ``non-
negligible'' number of crashes, injuries, or deaths in the future. See, 
e.g., Carburetors, 565 F.2d at 759. This prediction of future hazards 
is called a ``risk analysis.'' See, e.g., Pitman Arms, 561 F.2d at 924 
(Leventhal, J., dissenting) (``GM presented a `risk analysis' which 
predicts the likely number of future injuries or deaths to be expected 
in the remaining service life of the affected models''). A forward-
looking risk analysis is compelled by the purpose of the Safety Act, 
which ``is not to protect individuals from the risks associated with 
defective vehicles only after serious injuries have already occurred; 
it is to prevent serious injuries stemming from established defects 
before they occur.'' Carburetors, 565 F.2d at 759 (emphasis added).
    However, in some circumstances, a crash, injury, or death need not 
occur for a defect to be considered to pose an unreasonable risk. If 
the hazard is sufficiently serious, and at least some harm, however 
small, is expected to occur in the future, the risk may be deemed 
unreasonable. Carburetors, 565 F.2d at 759 (``In the context of this 
case . . . even an `exceedingly small' number of injuries from this 
admittedly defective and clearly dangerous carburetor appears to us 
`unreasonably large.'''). In other words, where a defect presents a 
``clearly'' or ``potentially dangerous'' hazard, and where ``at least 
some such hazards''--even an ``exceedingly small'' number--will occur 
in the future, that defect is necessarily safety-related. See id. at 
754. This is so regardless of whether any injuries have already 
occurred, or whether the projected number of failures/injuries in the 
future is trending down. See id. at 759. Moreover, a defect may be 
considered ``per se'' safety-related if it causes the failure of a 
critical component; causes a vehicle fire; causes a loss of vehicle 
control; or suddenly moves the driver away from steering, accelerator, 
and brake controls--regardless of how many injuries or accidents are 
likely to occur in the future. See Carburetors, 565 F.2d 754 (engine 
fires); Pitman Arms, 561 F.2d 923 (loss of control); United States v. 
Ford Motor Co., 453 F. Supp. 1240 (D.D.C. 1978) (``Wipers'') (loss of 
visibility); United States v. Ford Motor Co., 421 F. Supp. 1239, 1243-
1244 (D.D.C. 1976) (``Seatbacks'') (loss of control). Similarly, where 
a defect ``is systematic and is prevalent in a particular class [of 
motor vehicles or equipment], . . . this is prima facie an unreasonable 
risk.'' Pitman Arms, 561 F.2d at 929.

III. Guidance and Recommended Best Practices: Safety-Related Defects, 
Unreasonable Risk, and Automated Safety Technologies

    Consistent with the foregoing background, NHTSA's enforcement 
authority concerning safety-related defects in motor vehicles and motor 
vehicle equipment extends and applies equally to current and emerging 
automated safety technologies. This includes fully automated (self-
driving) vehicles. Where a fully automated (self-driving) vehicle or 
other automated safety technology causes crashes or injuries, or poses 
other safety risks, the Agency will evaluate such technology through 
its investigative authority to determine whether the technology 
presents an unreasonable risk to safety. Similarly, should the Agency 
determine that a fully automated (self-driving) vehicle or other 
automated safety technology has manifested a safety-related defect, and 
a manufacturer fails to act, NHTSA will exercise its enforcement 
authority to the fullest extent.
    To avoid violating Safety Act requirements and standards, 
manufacturers of current and emerging automated safety technologies are

[[Page 65709]]

strongly encouraged to take steps to proactively identify and resolve 
safety concerns before their products are available for use on U.S. 
roadways, and to discuss such actions with NHTSA. The Agency recognizes 
that most automated safety technologies heavily involve electronic 
systems (such as hardware, software, sensors, global positioning 
systems (GPS) and vehicle-to-vehicle (V2V) safety communications 
systems). The Agency acknowledges that the increased use of electronic 
systems in motor vehicles and motor vehicle equipment may raise new and 
different safety concerns. However, the complexities of these systems 
do not diminish manufacturers' duties under the Safety Act. Both motor 
vehicle manufacturers and motor vehicle equipment manufacturers remain 
responsible for ensuring that their vehicles and equipment are free of 
safety-related defects and noncompliances, and do not otherwise pose an 
unreasonable risk to safety. Manufacturers are also reminded that they 
remain responsible for promptly reporting to NHTSA any safety-related 
defects or noncompliances, as well as timely notifying owners and 
dealers of the same.
    In assessing whether a motor vehicle or item of motor vehicle 
equipment poses an unreasonable risk to safety, NHTSA considers the 
vehicle component or system involved, the likelihood of the occurrence 
of a hazard, the potential frequency of a hazard, the severity of 
hazard to the vehicle and occupant, known engineering or root cause, 
and other relevant factors. Where a threatened hazard is substantial 
(e.g., fire or stalling), low potential frequency may not carry as much 
weight in NHTSA's analysis. NHTSA may weigh the above factors, and 
other relevant factors, differently depending on the circumstances of 
the particular underlying matter at issue.
    Software installed in or on a motor vehicle--which is motor vehicle 
equipment--presents its own unique safety risks. Because software often 
interacts with a motor vehicle's critical systems (i.e., systems 
encompassing critical control functions such as braking, steering, or 
acceleration), the operation of those systems can be substantially 
altered by after-market software updates. Software located outside the 
motor vehicle could also be used to affect and control a motor 
vehicle's critical systems.\4\ Under either circumstance, if software 
(whether or not it purports to have a safety-related purpose) creates 
or introduces an unreasonable safety risk to motor vehicle systems, 
then that safety risk constitutes a defect compelling a recall.
---------------------------------------------------------------------------

    \4\ NHTSA intends to publish an interpretation clarifying in 
further detail the Agency's criteria for determining whether a 
portable device or portable application is an ``accessory'' to a 
motor vehicle at a later date.
---------------------------------------------------------------------------

    While the Agency acknowledges that manufacturers are not required 
to design motor vehicles or motor vehicle equipment that ``never 
fail,'' manufacturers should consider developing systems such that 
should an electrical, electronic, mechanical, or software failure 
occur, the vehicle or equipment can still be operated in a manner to 
mitigate the risks from such failures. Furthermore, with the increased 
introduction of current and emerging automated safety technologies, 
manufacturers should take steps necessary to ensure that any such 
technology introduced to U.S. roadways accounts for the driver's ease 
of use and any foreseeable misuse that may occur, particularly in 
circumstances that require driver interaction while a vehicle is in 
operation. A system design or configuration that fails to take into 
account and safeguard against the consequences of reasonably 
foreseeable driver distraction or error may present an unreasonable 
risk to safety.
    For example, an unconventional electronic gearshift assembly that 
lacks detents or other tactile cues that provide gear selection 
feedback makes it more likely that a driver may attempt to exit a 
vehicle with the mistaken belief that the vehicle is in park. If the 
vehicle's design does not guard against this foreseeable driver error 
by providing an effective warning or (for instance) immobilizing the 
vehicle when the driver's door is opened, the design may present an 
unreasonable risk to safety. Similarly, a semi-autonomous driving 
system that allows a driver to relinquish control of the vehicle while 
it is in operation but fails to adequately account for reasonably 
foreseeable situations where a distracted or inattentive driver-
occupant must retake control of the vehicle at any point may also be an 
unreasonable risk to safety. Additionally, where a software system is 
expected to last the life of the vehicle, manufacturers should take 
care to provide secure updates as needed to keep the system 
functioning. Conversely, if a manufacturer fails to provide secure 
updates to a software system and that failure results in a safety risk, 
NHTSA may consider such a safety risk to be a safety-related defect 
compelling a recall.
    Motor vehicle and motor vehicle equipment manufacturers have a 
continuing obligation to proactively identify safety concerns and 
mitigate the risks of harm. If a manufacturer discovers or is otherwise 
made aware of any safety-related defects, noncompliances, or other 
safety risks after the vehicle and/or equipment (including automated 
safety technology) has been in safe operation, then it should promptly 
contact the appropriate NHTSA personnel to determine the necessary next 
steps. Where a manufacturer fails to adequately address a safety 
concern, NHTSA, when appropriate, will address that failure through its 
enforcement authority.
    Applicability/Legal Statement: This Enforcement Guidance Bulletin 
sets forth NHTSA's current views on its enforcement authority and the 
topic of automated safety technology, and suggests guiding principles 
and best practices to be utilized by motor vehicle and equipment 
manufacturers in this context. This Bulletin is not a final agency 
action and is intended as guidance only. This Bulletin does not have 
the force or effect of law. This Bulletin is not intended, nor can it 
be relied upon, to create any rights enforceable by any party against 
NHTSA, the U.S. Department of Transportation, or the United States. 
These recommended practices do not establish any defense to any 
violations of the Safety Act, or regulations thereunder, or violation 
of any statutes or regulations that NHTSA administers. This Bulletin 
may be revised without notice to reflect changes in the Agency's views 
and analysis, or to clarify and update text.

    Authority: 49 U.S.C. 30101-30103, 30116-30121, 30166; delegation 
of authority at 49 CFR 1.95 and 49 CFR 501.8.

    Issued: September 20, 2016.
Paul A. Hemmersbaugh,
Chief Counsel.
[FR Doc. 2016-23010 Filed 9-22-16; 8:45 am]
BILLING CODE 4910-59-P