
Safety Management Plan 

 

 

 

SAFETY MANAGEMENT PLAN Central Florida’s AV Testbed Pilot Deployment 

CENTRAL FLORIDA AUTOMATED VEHICLE PARTNERSHIP 

     9/22/17 


 

Executive Summary 

The Central Florida Automated Vehicle Partnership (CFAVP) has developed an automated proving ground for its participating facilities. These facilities represent the future expansion of a partnership showcasing and sharing findings on local, regional, and national platforms, with the goal of advancing technologies in support of future mobility and transportation safety. The CFAVP offers a multitude of advantages:

1) A unique multidisciplinary, multimodal partnership providing investment and long-term operation of the proving ground;

2) A three-tiered approach to leverage the resources for testing and deploying at various sites to meet industries’ and US DOT’s long-term needs;

3) An environment that attracts 65 million visitors each year to educate them on the benefits of AV technology and to promote user acceptance.

The three-tiered approach will provide a platform to share data by providing step-by-step directions and highlighting the progression of testing of every mode of transportation, from simulation to open road testing. The University of Central Florida (UCF), FAMU-FSU College of Engineering (FAMU-FSU) and Florida Polytechnic University (Florida Poly) carry an array of research and simulation programs. Tier 1 leverages these programs and provides research, simulation and automated vehicle testing development. UCF and Florida Poly have developed testing practices through the implementation of these systems.

The second tier is the use of controlled facilities within the testbed. One of the future controlled transportation technology test facilities in Central Florida is SunTrax, which is currently under construction. This technologically advanced facility offers a 2.25-mile oval track. The track is equipped with infrastructure for roadside units (RSUs) and tolling devices. The infield is devoted to controlling automated and connected vehicle (CV) testing for urban environments. In addition, the National Aeronautics and Space Administration (NASA) has provided a second controlled testing facility at the Kennedy Space Center (KSC), which offers the ideal controlled environment with a vast roadway network and secure access. KSC can also conduct extreme environment testing for significant weather events and unusual roadway conditions.

The third tier of the testing is the open deployment, which involves Central Florida highways, roadways, and transit routes. The City of Orlando, Central Florida Expressway Authority (CFX), and Florida Department of Transportation (FDOT) share support of limited-access highways, arterials and collectors in Central Florida. Other open deployment means of testing come in the form of bus rapid transit (BRT) (such as LYMMO), commuter rail (SunRail), regional transit (LYNX) and non-vehicular commuting (such as Juice Bike Share) located in the City of Orlando. The following illustrates the tiers and partnerships.

 

                                                                                                             

  

[Figure: the three tiers and partnerships. Panel titles: Simulation and Testing; Closed Environments; Open Environments]


 

 

Table of Contents 

Acknowledgements

Acronyms

1 Introduction

2 Central Florida’s Proving Grounds

3 Central Florida Automated Vehicle Partnership

3.1 Designated Safety Officer

3.2 Commitment to Sharing and Community of Practice

3.3 Data Collection and Data Sharing

4 Summary of Central Florida’s Automated Vehicle Test Bed Tiers

4.1 Tier 1 - Labs

4.2 Tier 2 - Closed Environment

4.3 Tier 3 - Open Environment

5 Levels of Automation

5.1 Defining the Society of Automotive Engineers (SAE) Levels of Automation

5.2 Defining the Driver

5.3 NHTSA Identifies Highly Automated Vehicles (HAV)

5.4 Defining Driver Liability

6 State and Federal Legislation

6.1 Florida Legislation

6.2 Florida Regulations

6.3 Federal Bills

6.4 US DOT AV Policy

7 State of the Practice

7.1 Conceivable Benefits

7.2 Potential Challenges

7.3 Current Status Quo

8 Safety Risk Process and Approach

8.1 Introduction

8.2 The Approach

8.3 Safety Risk Control

8.4 Safety Risk Monitoring

9 Safety Development Process

9.1 Introduction

9.2 System Level

9.3 Application Level

9.4 Identified Safety Scenarios

9.5 Applying to Current Processes

10 Risk Assessment

10.1 Introduction

10.2 Analysis of Probability

10.3 Analysis of Potential Impact

10.4 Analysis of Controllability

10.5 ASIL Determination Matrix

11 Safety Operational Concept

11.1 Functional Safety Requirements

11.2 Safety Management Responsibilities

11.3 Safety Reviews

11.4 Safety Incident Reporting

11.5 Emergency Responder Coordination

12 Safety Analysis and Threat Assessment Plan

12.1 Identification and Classification of Safety Critical Events

12.2 Identified System Safety and Threats

13 Safety Stakeholders

13.1 Identify Safety Response Stakeholders

13.2 Existing Response Plans

14 Project Deliverables

15 Performance Measures

15.1 Background

15.2 Types of Performance Measures

15.2.1 Quantitative Performance Measures

15.2.2 Qualitative Performance Measures

16 Glossary

17 Reference Documents

 

   


 

List of Tables 

Table 10-1 - ASIL Decomposition (Source: ISO 26262)

Table 10-2 - Summary of Safety Risk Assessment

Table 13-1 - Safety Response Stakeholders

Table 17-1 - References

List of Figures

Figure 2-1 - Dedicated Proposed AV Grounds

Figure 4-1 - SunTrax Test Facility

Figure 8-1 - Safety Risk Process

Figure 9-1 - Safety Management Plan Development Process (Source: USDOT Guidance Summary on Safety Management Plan)

Figure 9-2 - Applying to Current Processes (Source: National Instruments)

Figure 10-1 - ASIL Process (Source: National Instruments)

Figure 10-2 - ASIL Ratings (Source: National Instruments)

Figure 12-1 - Security Applications

Appendix A - SMP Checklist(s) for Central Florida’s AV Testbed (Includes Supplemental Checklists)

Appendix B - Safety Review Template

Appendix C - Incident Report Form

Appendix D - Federal Automated Vehicles Policy

Appendix E - AV Testing License (Sample of Nevada’s Department of Motor Vehicles)

 

 

 

 

   


 

Acknowledgements 

Endorsement and Commitment to the Teaming Partners and USDOT for the Central Florida Automated Vehicle. 

Buddy Dyer, City of Orlando, Mayor 

Jim Boxold, former Florida Department of Transportation, Secretary 

Steve Martin, Florida Department of Transportation, District 5 Secretary 

Diane Gutierrez‐Scaccetti, Florida’s Turnpike Enterprise, Executive Director and CEO 

Laura Kelley, Central Florida Expressway Authority, Executive Director 

L.K. Nandam, Florida Department of Transportation, District 1 Secretary 

Dr. Randy K. Avent, Florida Polytechnic University, President  

Dr. John C. Hitt, University of Central Florida, President 

Dean J. Murray Gibson PhD, FAMU‐FSU, College of Engineering 

Edward L. Johnson, LYNX, Executive Officer  

Harold W. Barley, Metroplan Orlando, Executive Director 

James E. Harrison, Orange County, Assistant OC Administrator 

Philip N. Brown, Greater Orlando Aviation Authority, Executive Director 

Don Fisher, Osceola County Manager 

Melony M. Bell, Polk County Commissioner, District 2 

Bob Kamm, Space Coast Transportation Planning Organization, Executive Director 

Thomas O. Engler, NASA, Director, Center Planning and Development 

   


 

Acronyms 

AAM: Active Arterial Management

AASHTO: American Association of State Highway and Transportation

ADS: Automated Driving System

AIS: Abbreviated Injury Scale

ASIL: Automotive Safety Integrity Level

AV: Automated Vehicles

BRT: Bus Rapid Transit

CFAVP: Central Florida Automated Vehicle Partnership

CFX: Central Florida Expressway Authority

D1: District 1

D5: District 5

DATP: Driver Assistive Truck Platooning

DOT: Department of Transportation

DSO: Designated Safety Officer

DVI: Driver-Vehicle Interface

DMV: Department of Motor Vehicle

FACERS: Florida Association of County Engineers and Roadway Superintendent

FAMU: Florida A&M University-Florida State University

FAST: Fixing America’s Surface Transportation

FAV: Florida Automated Vehicle Program

FDHSM: Florida Department of Highway Safety and Motor Vehicle

FDLE: Florida Department of Law Enforcement

FDOT: Florida Department of Transportation

Florida Poly: Florida Polytechnic University

FTE: Florida’s Turnpike Enterprise

FHP: Florida Highway Patrol

FHWA: Federal Highway Administration

FMVSS: Federal Motor Vehicle Safety Standard

GAO: Government Accountability Office

GHG: Greenhouse Gas

HAV: Highly-Automated Vehicle Systems

HMI: Human-Machine Interface

IIHS: Insurance Institute for Highway Safety

IRB: Institutional Review Board

ISO: International Organization for Standardization

IST: Institute for Simulation and Technology

ITE: Institute of Transportation Engineers

ITS: Intelligent Transportation System

ITS America: Intelligent Transportation Society of America

KSC: Kennedy Space Center

LIDAR: Light Detection and Ranging

MUTCD: Manual on Uniform Traffic Control Devices

NASA: National Aeronautics and Space Administration

NCHRP: National Cooperative Highway Research Program

NHTSA: National Highway Traffic Safety Administration

ODD: Operational Design Domain

OEDR: Object and Event Detection and Response

OEM: Original Equipment Manufacturer

RDE: US DOT Research Data Exchange

RSU: Roadside Unit

RTMC: Regional Traffic Management Center

SAE: Society of Automotive Engineers

TRB: Transportation Research Board

USDOT: United States Department of Transportation

UCF: University of Central Florida

 

 


 

1 Introduction  

This safety plan is for the deployment of the Designation of Automated Vehicles Proving Grounds Pilot in Central Florida. Automated Vehicles (AV) offer safety and mobility that are valuable to the driver, passenger, and the overall community at large. For the last 50 years, the U.S. Department of Transportation has been dedicated to saving lives by refining the way Americans move using multi-mode methods of transportation. The National Highway Traffic Safety Administration (NHTSA) has carried out its mission to constantly embrace new technologies that improve the safety of all methods of transportation. Seat belts, air bags, child seats, and anti-lock brakes were developed in the private sector and distributed to the nation’s driving public through NHTSA’s Safety Programs and regulatory authority, ultimately saving hundreds of thousands of lives. Despite these great strides in the safety arena, in 2015, thirty-five thousand people died on U.S. roadways. Ninety-four percent of those crashes were attributed to bad human judgment or human operational error.[1] One of the major goals set forth by AVs is to address and mitigate the overwhelming majority of crashes by removing the human element altogether. AVs, through technology, have the potential to dramatically decrease the number of crashes tied to human choices and behaviors.[2]

The advantages of AVs do not stop with safety. Innovation through AV has the potential to alter and improve personal mobility, and open doors to the disabled, elderly populations, communities where car ownership is costly or those who prefer not to drive. Cities have begun to reconsider how public transit is provided through AV.

Guidance, rather than rulemaking, is being used in order to speed the delivery of an initial regulatory framework and best practices to guide manufacturers and other entities in the safe design, development, testing, and deployment of AVs through policy. In the following pages, the task of facilitating the safe introduction and deployment of AVs as a part of Central Florida Automated Vehicle Partnership (CFAVP) is discussed.

 

 

 

[1] https://www.nhtsa.gov/equipment/safety-technologies

[2] https://www.nhtsa.gov/equipment/safety-technologies


 

2 Central Florida’s Proving Grounds 

The three-tiered approach to testing at the Partnership’s facilities provides a testing region with capabilities to accurately test every aspect of AV technologies. From simulation/emulation at state-of-the-art universities (also known as our Tier 1 approach), to controlled “test track” facilities offering extreme environmental and controlled scenario testing (Tier 2), to multimodal public facilities (Tier 3), the Central Florida AV Proving Ground offers the most comprehensive testing arenas. Utilizing these multi-tiered, diverse testing platforms allows for reduced risk by providing a step-by-step environment where OEMs can work their way up through each tier (as needed). Having these capabilities within one proving ground creates a more systematic solution for best safety practices and validation of automated transportation technology. The following figure outlines the proposed proving grounds in detail, demonstrating the eligibility, capability, commitments, readiness, and overall compliance of the Central Florida AV Proving Ground.[3] Please note that the proving grounds have also been expanded to include Florida Turnpike’s Mainline.

 

Figure 2‐1 ‐ Dedicated Proposed AV Grounds 

 

[3] http://www.cityoforlando.net/news/wp-content/uploads/sites/48/2017/01/Proposal_Desig_AV_Proving_Grounds_2016_12_21_FINAL.pdf


 

3  Central Florida Automated Vehicle Partnership 

The Central Florida Automated Vehicles Proving Grounds Pilot is governed by the Central Florida Automated Vehicle Partnership (CFAVP), whose primary founding members include the City of Orlando, Florida Department of Transportation (Districts 1 & 5 and Florida’s Turnpike Enterprise), Central Florida Expressway Authority (CFX), UCF, Florida Poly, FAMU-FSU, NASA, KSC, and LYNX.

3.1  Designated Safety Officer 

The CFAVP will identify a DSO that will oversee the implementation of this Safety Management Plan.  

3.2  Commitment to Sharing and Community of Practice 

As demonstrated in the Partnership’s members’ previous and ongoing research and testing efforts, the concept of sharing data, results, and best practices is considered a standard practice. A major requirement of the Designated Proving Ground is an open and sharing mindset to advance automated technology, safety practices, and enhance mobility. The Partnership is, and will remain, committed to this Community of Practice.

Partnership members have demonstrated an extensive history and commitment to sharing information and best practices to regional and national organizations such as the US Department of Transportation (DOT) and its research programs/offices, Transportation Research Board (TRB), National Cooperative Highway Research Program (NCHRP), American Association of State Highway and Transportation (AASHTO), Intelligent Transportation Society of America (ITS America), International Bridge, Tunnel, and Turnpike Association (IBTTA), Institute of Transportation Engineers (ITE) and many others. The Partnership will continue and accelerate this commitment with US DOT and its program offices and share non-proprietary data with the US DOT Research Data Exchange (RDE).

3.3  Data Collection and Data Sharing 

The  overall  goal  of  the  CFAVP  is  to  increase  safety  and  transform mobility  for  all  modes  of transportation. The Partnership includes some of the leading institutions and developers of AV technology,  providing  the  opportunity  for  testing  in  multiple  environments  that  simulate conditions for extraordinary events. The implications and understandings that can be gathered from this type of research are invaluable to the development of best practices and planning policy to support  the  innovation and development of AV technology. Using agency and  jurisdictional partners,  the  disseminated  testing  results,  conclusions  and  best  practices  can  be  shared  via agency channels throughout the State of Florida. The results can also be easily shared through our Partnership  members’  affiliations  with  national  transportation  research  institutions  such  as USDOT,  TRB,  NCHRP,  AASHTO,  ITS  America,  IBTTA,  and  others.  This  Partnership  will  remain committed to the common goal of procuring the understanding of the technology as it develops into the future. Leading Central Florida academic institutions have agreed to join the Partnership to  further  expand  the  capabilities  of  the  proving  ground.  Florida  Poly  is  working  with  FDOT, Florida’s Turnpike Enterprise (FTE) and SunTrax to provide comprehensive testing scenarios for software, hardware and physical objective  testing. As a part of  the Partnership’s  research and extensive resources available for carrying out programs to advance AV technology, Florida Poly is proposing a comprehensive scenario testing solution which holds the following properties: 


•  Realistic Input: Using existing video streams, Florida Poly will be able to seed realistic test generation engines using core game engine technology.

•  Pseudo‐Random  Test  Generation:  Using  realistic  seeds,  Florida  Poly  technology  can  build pseudo‐random test scenarios which can not only accelerate the test generation process, but generate tests without the bias typically involved with manual test generation.  

•  Data Mining: Using data mining, Florida Poly can automatically determine the mean “good” behavior based on a statistical population of drivers, thus deriving the criteria for success. This is a technique used in natural language processing systems.

•  Successful Coverage Analysis: Using signature analysis, these test scenarios can be cataloged and  tracked.  This  capability  provides  regulators  with  a  framework  to  start  setting  up certification test suites for vehicles.  

•  Invariant to Test Setup: The unit under test, in this environment, can be a real car (hardware‐in‐loop or simulator), a simulation model of the vehicle, or the sensor systems. This innovative flow combines experience Florida Poly has in fields such as game design, vision processing, hardware verification and coverage analysis.  

The  benefits  and  positive  characteristics  of  this  technology  for  the Community of Practice and USDOT include:  

1. Complementary  to  Physical  Track  and  Simulation  Investments:  Florida Poly’s technology is complementary to Physical Track investments that can be used  for  characterization and diagnostics purposes  for  the generated scenarios.  

2. Regulatory Framework for Certification: For the first time, regulators can have a language for measuring scenario coverage. In addition, automakers will  have  knowledge  of  whether  their  various  generations  of  vehicles actually improve safety. That is: Is the next generation at least as good as the previous version?  

3. Growing Knowledge Base: Finally, crashes will still occur, but this system has the capability to absorb new test cases as seeds and automatically build related situations in an automated fashion.  

 

 

 

 

 

 

 

 

 

 


4 Summary of Central Florida’s Automated Vehicle Test Bed Tiers 

4.1 Tier 1 ‐ Labs 

University of Central Florida  

The University of Central Florida (UCF) provides transportation simulation labs and testing practices that are state of the art. UCF is home to the Institute for Simulation and Technology (IST), an internationally recognized research institute that focuses on advancing human‐centered modeling and simulation technology. The IST plays a critical role in both the connected vehicle environment and automated vehicle advancements from Society of Automotive Engineers (SAE) Level 2 to SAE Level 5 technologies, which are categorized later in this document. UCF is currently creating an AV simulator to provide education to senior citizens across the state. These participants will use the simulator and UCF/FDOT will record the feedback and reactions. UCF’s dedication to increase vehicle safety is their driving force behind aiding in the development of automated vehicle technologies.

Florida Polytechnic University  

Florida Polytechnic University, also known as Florida Poly, is dedicated to the  principle  that  innovation  occurs  when  research  and  creativity  are applied to real‐world challenges.  Their facilities offer highly technical labs and learning spaces and seek opportunities to work side by side with car manufacturers  to  keep  Florida  Poly  on  the  edge  of  innovation.    The University  will  offer  Autonomous  Systems  and  Self‐Driving  Vehicle curriculum for students to develop the skill sets for real‐world exposure.   

By partnering with FDOT and FTE to develop SunTrax, students will be dedicated to research, development and testing concepts such as connected vehicles and automated vehicles. SunTrax is further discussed in Section 4.2. In addition to conceptual operations, Florida Poly is offering students comprehensive scenario testing while addressing the unique challenges for scenario testing in automated vehicles.

FAMU‐FSU (FAMU‐FSU) 

The Florida  A&M  University  –  Florida  State  University  College  of Engineering is  the  joint engineering  school of Florida  State University and Florida A&M University. FAMU‐FSU will provide additional engineering research support and additional resources for the CFAVP. 

 

 

 

   


4.2  Tier 2 ‐ Closed Environment 

Tier 2 offers closed environments for controlled testing at the following facilities: 

SunTrax 

SunTrax is currently under construction and is scheduled to open for testing in the Fall of 2018.  The oval track includes infrastructure such as shelters, buildings, gantry structures (tolling) and a variety of mounting locations for road side units and tolling equipment. The facility was designed specifically  around multiple  scenarios  such as  single  lane, multiple  lanes,  and parallel  toll  and express  lanes. The  facility offers an opportunity  for national  and  international  certification  for automated  vehicle  and  tolling  technologies  for  testing.  Hands‐on  training  in  the  automated vehicle laboratory spaces will provide the next generation of professionals a unique opportunity for knowledge building of these technologies. The areas of research include but are not limited to the following: 

1. Safety standards for environment 

2. Vehicular and pedestrian safety impacts 

3. Data Management 

4. Cyber Security 

5. Equipment Testing  

Figure 4‐1 illustrates the robust track with all its features. 

 

Figure 4‐1 – SunTrax Test Facility 

 

 

 

 


NASA, Kennedy Space Center 

The Kennedy Space Center, under the operations of NASA, can test equipment such as sensors under  extreme  environments  for  the OEM’s  to  analyze.  This  allows  researchers  and OEMs  to understand  how  software  and  hardware  will  react  in  extreme  environments  within  a  closed setting with minimal risk or safety implications.  NASA’s grounds also provide both urban and rural environments for manufacturers to use for scenario testing (i.e. private roads).  These facilities accommodate a variety of environmental hazards such as flooding, smoke/smog, fog and heavy rain to give manufacturers real‐world testing in a controlled environment with little risk. 

4.3 Tier 3 ‐ Open Environment 

Tier 3 offers open environments for live testing on limited access facilities and arterials with the intent of allowing testing with other related traffic, bicycles, pedestrians, etc. 

Interstate and Expressway Corridors (I‐4, Florida’s Turnpike Mainline, SR 528 and SR 540) 

The  public  roadways  dedicated  to  the  Central  Florida’s  Test  Bed  are  I‐4,  Florida’s  Turnpike Mainline,  SR  528  and  SR  540.    These  limited  access,  high‐speed  facilities  are  operated  and maintained by FDOT Districts One and Five, FTE and CFX.  There are 85 center line miles starting at SunTrax/Florida Poly to Port Canaveral along I‐4 and SR 528. Of these 85 miles, 24 miles include the I‐4 Ultimate Project (Scheduled to be completed in 2022).  Approximately 200 more miles of center  line  miles  are  also  available  on  other  facilities.  The  environments  of  these  roadways include:  toll  expressways,  express  lanes  (future),  freeway  sections,  construction  zones  and  a variety of different levels of congestion and travel conditions.  This tier offers automated vehicles exposure to complex limited access roadways with varying ingress and egress merging operations and construction operations.  These public roadways offer the OEMs a great opportunity to test vehicle  platooning,  work  zone  safety  applications,  express  bus  operations,  and  highway maintenance operations. 

City of Orlando Central Business District (LYNX, Bus Rapid Transit)  

The City of Orlando  is  committed to  ensuring  the  safety  and reliability  of  the  transportation network for all users by utilizing AV technology.    Coordinating  with LYNX,  a  third‐tier  open deployment testing site on the Bus Rapid  Transit  (BRT)  routes  within Orlando’s central business district will serve as an automated transit vehicle proving facility.   

The multimodal nature of travel of Downtown Orlando consists of heavy volumes of vehicles monitored by an extensive system of sensors and traffic control systems, connected through a Transportation Management Center.  A high volume of pedestrians and cyclists also utilize the city’s trail infrastructure, which includes the city’s bike‐sharing program. 


This  urban  core  environment  provides  the  ideal  environment  for  open  deployment  testing  to analyze  all modes  of  travel  experience  in  downtown:  vehicle,  transit,  freight,  pedestrian,  and bicycle. 

 

5 Levels of Automation 

5.1 Defining the Society of Automotive Engineers (SAE) Levels of Automation

There are multiple definitions  for various  levels of automation and  for  some time there has been the need for standardization to aid clarity and consistency.  Therefore, SAE adopted the following definitions. 

SAE Level 0: The human driver does everything, no automation; 

SAE Level 1: An automated system on the vehicle can sometimes assist the human driver by conducting some parts of  the driving task such as cruise control;  

SAE Level 2: An automated system on the vehicle can actually conduct some parts of the driving task, while the human continues to monitor the driving environment and performs  the  rest of  the driving  task  such as  control of both the vehicle’s speed and lane position; 

SAE Level 3: An automated system can both actually conduct some parts of the driving task and monitor the driving environment in some instances, but the human driver must be ready to take back control when the automated system requests. This is said to be Conditional Automation. Many of the highest safety risks can occur within Level 3. This is typically due to issues associated with driver engagement;

SAE Level 4: An automated system can conduct the driving task and monitor the driving environment, and the human need not take back control, but the automated  system  can  operate  only  in  certain  environments  and  under certain  conditions.    This  is  said  to  be  Highly  Automated  but  not  Fully Automated; and 

SAE Level 5: The automated system can perform all driving tasks, under all conditions that a human driver could perform them. This is said to be fully automated. All dynamic driving tasks under all roadway conditions, including environmental conditions, are managed by the machine. There is no human interaction.


5.2 Defining the Driver 

For the purpose of this plan, the human operator of an AV ‐ when it is not operating in a fully automated mode (level 5) ‐ is what we call the driver.  The driver of any vehicle is a person who drives or is in actual physical control of a vehicle. 

The  Florida  Vehicle  Code  and  other  laws  governing  driving  allow  for  automated  testing  or deployment;  that  a  determinative  definition  of  “driver”  should  be  set  by  law,  rather  than  be modified by policy; preferably  following national  standards  that evidence an understanding of how Automated Driving Systems (ADS) function. 

During AV testing where an operator is either in the vehicle or remotely controlling the vehicle, there are two drivers: the operator and the ADS.  Unless prescribed by regulation, the ADS serves as the driver when the ADS is engaged and performing the driving for the vehicle.  The operator or human element is the driver when the ADS is disengaged. The following are items required of the automated vehicle tester: 

1. The  automated  vehicle  tester must certify that the operator is able  to  safely  engage,  detect, monitor and disengage the ADS reliably. 

2. Approval  to  test  should  require that  the  operator  be  able  to mediate  situations  where  the ADS  experiences  a  system interruption  or  other  problems, rendering  the  ADS  unable  to safely make the driving task with minimal risk. 


3. The ADS serves as the driver during automated vehicle testing, where there is no operator present in either the vehicle or tasked with remote oversight of the vehicle. 

4. Each automated vehicle tester must ensure that the ADS is able to achieve a minimal risk condition, in the event the ADS experiences a system interruption or other problems. 

5. The automated tester must guarantee that the automated vehicle will provide immediate notification to the tester that it has entered a minimal risk condition. 

6. The automated vehicle tester must use a procedure established by the CFAVP to provide notification to law enforcement. 

5.3 NHTSA Identifies Highly Automated Vehicles (HAV) 

The NHTSA recognizes the automated vehicle when the ADS is engaged as the driver. The Operational Design Domain (ODD) concept, Object and Event Detection and Response (OEDR), and associated tests and validation methods discussed in the guidance (in Appendix D) are primarily focused on HAV systems (those classified as SAE Level 3, Level 4, and Level 5). This is because HAV systems should be designed to perform the complete driving task and monitor the environment within their ODD without any expectation of involvement by a human driver.4  NHTSA has recognized that the ADS in test vehicles are vehicles without steering wheels, pedals, etc. As such, these ADS test vehicles can be considered the “driver” for certain purposes under the Federal Motor Vehicle Safety Standards, 49 U.S.C. § 301. NHTSA also recommends that states deem the AV to be the “driver” under state law when engaged in fully automated vehicle mode. The main goal of the automated vehicle tester is to create an ADS that can navigate the vehicle without human interaction.

5.4 Defining Driver Liability 

When the automated driving system is not engaged, then the human operator who is licensed by law ‐ if seated in the automated vehicle with traditional vehicle controls such as steering wheel, pedal, brake pedal, etc. ‐ is liable. That person will follow the rules of the road. 

When  fully  deployed,  and  falling within  the manufacturer’s warranties,  the  responsibility  and liability for AV faults and crashes may fall on the manufacturers of the vehicle or technology, as a part  of  the  product’s  liability.    However,  the  owner  of  the  vehicle  has  some  level  of  liability.  Manufacturer warranties are provided for only a period of time and it’s the owner’s responsibility to meet or exceed the expectation of upholding the maintenance requirements.  Therefore, both the  owner  and  the manufacturer  have  potential  liability.  Determining  who  is  responsible  for traditional criminal and civil liability in an AV crash situation will be determined on a case by case basis over time. 

4 https://www.fenderbender.com/ext/resources/pdfs/f/e/d/Federal_Automated_Vehicles_Policy(1).pdf


6 State and Federal Legislation 

6.1 Florida Legislation 

House Bill 1207: Vehicle with Autonomous Technology 

On April  13,  2012,  Florida’s Governor  approved and  signed HB 1207.  This bill allows for testing of autonomous vehicles on public roadways.  Currently,  legislation  is  not  needed  to  allow  for  the  FDOT  sponsored pilot projects that are underway. House Bill 1207 defines autonomous technologies and autonomous vehicles as it pertains to testing.  This bill does not prohibit or specifically regulate the testing or operation of AV technologies,  making  it  easy  for  OEMs  to  test  on  Central  Florida’s selected roadways.   This bill  specifies a person who possesses a valid Driver’s License to be a legal operator (driver) of an automated vehicle. 

Prior to the start of testing in Florida, the entity performing the testing must submit to the Department of Highway Safety and Motor Vehicle (FDHSMV)  an  instrument  of  insurance,  surety  bond,  or  proof  of  self‐ insurance acceptance to the Department in the amount of $5 million. 

The law states that the original manufacturer of a vehicle converted by a third party into an autonomous vehicle shall not be liable in, and shall have a defense, if any person is injured due to an alleged vehicle defect caused by the conversion, unless the alleged defect was present in the vehicle as originally manufactured. 

An autonomous vehicle registered in Florida must continue to meet federal standards and regulations for a motor vehicle. The vehicle must have a means to engage and disengage the autonomous technology, which is easily accessible to the operator; have a means, inside the vehicle, to visually indicate when the vehicle is operating in autonomous mode; and have the means to alert the operator of the vehicle if a technology failure affecting the ability of the vehicle to safely operate autonomously is detected while the vehicle is operating in order to indicate to the operator to take control of the vehicle.5  Federal regulations generated by the NHTSA shall always supersede this section when found in conflict.

House Bill 7061: Transportation 

On April  14,  2016,  Florida’s Governor  approved  and  signed HB  7061.    This  bill  supports  truck platooning in Florida, but specifically in Central Florida.  FDOT, CFX and FTE will begin testing the Driver‐Assistive  Truck  Platooning  (DATP)  technology  with  the  assistance  of  FDHSMV.  This technology will be tested within CFAVP’s Tier 3 facilities.  By the end of 2017, Florida’s Turnpike Enterprise is authorized to deploy and test this equipment in conjunction with Central Florida’s AV Pilot Project.  

 

 

 

5 https://www.flsenate.gov/Session/Bill/2012/1207/BillText/er/PDF


6.2 Florida Regulations 

Florida  has  officially moved  towards  the  use  of  AV.  In  2016,  Florida  amended  its  AV  statute, allowing any person with a valid driver's  license  (the “Operator”)  to operate an AV on Florida roads.  Importantly,  the  statute  does  not  require  the Operator  to  physically  be  in  the  vehicle. Rather, the autonomous technology must have a mechanism to either allow the Operator to take control  of  the  vehicle  if  the  autonomous  technology  fails,  or  cause  the  vehicle  to  come  to  a complete stop.   

Notwithstanding any other provision of law to the contrary, when an AV as defined in s.316.003 is operating in autonomous mode, the autonomous technology as defined in s.316.003 shall be deemed to be validly licensed as required by this section.6

As of 2016, Florida Statutes Title XXIII, Chapter 316: State Uniform Traffic Control Section 2 identifies what a vehicle equipped with autonomous technology looks like. The term “autonomous technology” means technology installed on a motor vehicle that has the capability to drive the vehicle on which the technology is installed without the active control or monitoring by a human operator. The term excludes a motor vehicle enabled with active safety systems or driver assistance systems, including, without limitation, a system to provide electronic blind spot assistance, crash avoidance, emergency braking, parking assistance, adaptive cruise control, lane keep assistance, lane departure warning, or traffic jam and queuing assistant, unless any such system alone or in combination with other systems enables the vehicle on which the technology is installed to drive without active control or monitoring by a human operator.7

The 2017 F.S. 316.85 AV; operation. (1) A person who possesses a valid driver license may operate an AV  in autonomous mode on roads  in this state  if  the vehicle  is equipped with autonomous technology. (2) For purposes of this chapter, unless the context otherwise requires, a person shall be deemed to be the operator of an AV operating in autonomous mode when the person causes the vehicle’s autonomous technology to engage, regardless of whether the person is physically present in the vehicle while the vehicle is operating in autonomous mode. 

Under the same statutes, it defines further the DATP technology as vehicle automation and safety technology that integrates sensor array, wireless vehicle‐to‐vehicle communications, active safety systems, and specialized software to link safety systems and synchronize acceleration and braking between two vehicles while leaving each vehicle’s steering control and systems command in the control of the vehicle’s driver. 

6.3 Federal Bills  

HR 3876 (114th): Autonomous Vehicle Privacy Protection Act of 2015   

This bill was introduced to the House to protect the consumer’s privacy during the development and use of AV technology. 

This act was introduced in November of 2015 but was never enacted. 

6 http://www.insurancejournal.com/blogs/academy-journal/2017/05/10/450412.htm
7 http://www.leg.state.fl.us/STATUTES/index.cfm?App_mode=Display_Statute&URL=0300-0399/0316/Sections/0316.003.html

 


HR 22: Fixing America’s Surface Transportation (FAST) 

Introduced: January 6, 2015; 114th Congress, 2015‐2017 

Status: Signed by the President on December 4, 2015. 

This  bill  authorizes  funds  for  Federal‐aid  highways,  highway  safety  programs,  and  transit programs,  and other purposes.  This bill was enacted  to direct  the Government Accountability Office  (GAO)  to  assess  the  autonomous  transportation  technology policy  developed  by  public entities  in  the  U.S.,  an  assessment  of  the  organizational  readiness  of  U.S.  DOT  to  address autonomous  vehicle  technology  challenges  including  consumer  privacy  protections,  and recommended implementation paths for autonomous technology, applications, and policies. The CFAV Pilot deployment will help assist the GAO with any reports or shared information collected during the testing of AV. 

The FAST Act establishes this program to fund eligible entities’ model deployment sites for large‐scale implementation and operation of a diverse set of advanced transportation technologies in various  geographic  regions.  Program  purposes  are  to  reduce  costs  and  improve  return  on investments, deliver environmental benefits through increased mobility, improve transportation system  operations,  improve  safety,  improve  collection  and  dissemination  of  real‐time information,  monitor  transportation  assets,  deliver  economic  benefits,  and  accelerate deployment of connected/autonomous vehicle technologies.8 

6.4 US DOT AV Policy 

Under current law, manufacturers bear the responsibility to self‐certify that all of the vehicles they manufacture for use on public roadways comply with all applicable Federal Motor Vehicle Safety Standards (FMVSS). Therefore, if a vehicle is compliant within the existing FMVSS regulatory framework and maintains a conventional vehicle design, there is currently no specific federal legal barrier to an AV being offered for sale.9  DOT anticipates that manufacturers and other entities planning to test and deploy AVs will use this Guidance, industry standards and best practices to ensure that their systems will be reasonably safe under real‐world conditions. This Guidance highlights important areas that manufacturers and other entities designing AV systems should be considering and addressing as they design, test, and deploy AVs. For guidance in manufacturing, designing, regulations and planning automated systems for testing in the United States, refer to NHTSA’s Vehicle Performance Guidance for Automated Vehicles, found in Appendix D. This Guidance is intended for vehicles that are tested and deployed for use on public roadways. For use on public roadways, automated vehicles must meet all applicable FMVSS. If a manufacturer or other entity wishes to test or operate a vehicle that would not meet applicable safety standards, “[t]he Agency encourages manufacturers to, when appropriate, seek use of NHTSA’s exemption authority to field test fleets that can demonstrate the safety benefits of fully autonomous vehicles.”10

The federal policy for AV is issued as guidance for OEMs and not as rule‐making. This primarily focuses on HAVs and lower level automation. The policies covered are as follows: Vehicle Performance Guidance for AV, Model State Policies, and Current/Modern Regulatory Tools.

8 https://www.fhwa.dot.gov/fastact/summary.cfm
9 https://www.fenderbender.com/ext/resources/pdfs/f/e/d/Federal_Automated_Vehicles_Policy(1).pdf
10 http://www.nhtsa.gov/staticfiles/rulemaking/pdf/Autonomous-Vehicles-Policy-Update-2016.pdf


7 State of the Practice 

7.1  Conceivable Benefits 

AV technologies offer benefits in a variety of ways, from economic to environmental. First and foremost, AVs hold promise in increasing passenger safety. While the potential benefits of fully automated vehicles hold promise, even early technologies have helped reduce crashes, with features such as dynamic braking, forward collision and lane departure warnings, blind spot assists, and adaptive headlights assisting drivers on roads today. The Insurance Institute for Highway Safety (IIHS) estimates that if all vehicles on our roads today adopted these features, nearly a third of vehicle crashes could be prevented.

A  plurality  (40.1%)  of  crashes  occur  as  a  result  of  recognition  errors,  such  as  inadequate surveillance, with decision errors (37.0%) falling not far behind.11  Level 1 and 2 technologies (See Section 2) can help reduce the crashes, and fully automated vehicles have the potential to do far more  to  help  save  tens  of  thousands  of  lives  annually  in  the  U.S.  alone.    Other  forms  of transportation such as bicycles, trains and airplanes have significantly  lowered death rates per mile traveled, but cars are still the most popular method of transportation for most people.   

In  addition  to  increasing  public  safety,  AV  technologies  can  also  increase mobility  for  several disadvantaged populations.  Level 4 technologies (See Section 5) that don’t require a human driver could dramatically enhance mobility for the blind, disabled, children (under legal driving age) and the elderly.   Tech companies working on AV technologies are aware of how their efforts could serve these people, as evidenced by Google’s 2012 YouTube video, depicting its autonomous car transporting Steve Mahan, who is 95% blind.12  Benefits to these disadvantaged groups include increased  personal  independence,  greater  access  to  essential  services,  reduced  isolation,  and feelings of empowerment. 

Furthermore,  AV  technologies  can make  a  positive  social  and environmental  impact.    Road congestion  can be a major  issue, with traffic jams costing drivers many hours of their lives.  According to Inrix data from 2016, drivers in Orlando spent 7 percent of  their driving  time and an average  of  31.7  hours  in  traffic  last year.  This  ranked 28th out of 240 major cities  in  the US.    Orlando’s  ranking  as compared to the entire world becomes 148th out of 1,064 cities13.  

AV technologies can allow automobiles to be routed along the best route possible in order to save time in traffic jams, not to mention time saved through the possibility of drivers engaged in other activities when using Level 4 AV technologies. Congested traffic imposes a range of social costs—including wasted time, excess fuel consumption, increased emission of local air pollutants and greenhouse gases, driver stress, diminished quality of life, and reduced economic efficiency. While many of these costs are hard to quantify, it is clear that the total costs associated with congestion are substantial.14  Furthermore, in an ideal world where Level 4 AVs are the norm, crashes happen at a minimal rate and cars can be built much lighter. Thus, the amount of gas required to operate them would decrease significantly as well. While AV technology is certainly not the only solution to pollution, environmental benefits are an often ignored positive byproduct of investment in AV technologies that may be important to note.

11 https://groups.csail.mit.edu/mac/classes/6.805/student-papers/fall14-papers/Autonomous_Vehicle_Technologies.pdf
12 http://www.youtube.com/watch?v=cdgQpa1pUUE
13 http://www.orlandoweekly.com/Blogs/archives/2017/02/22/new-study-says-orlandos-traffic-is-one-of-the-worlds-worst

Overall, the number of automobile crashes in the United States has been gradually declining, but the astounding number of fatalities and injuries still pose a major public health problem.  One can imagine  an  ideal  world  where  technology  has  improved  to  the  point  where  our  vehicles  are automated and crashes do not occur.  Over time, integration of autonomous vehicle technology into our society will save millions of lives and billions of dollars in property damage and public health  costs.    Some  research  paper  estimates  that  even  “at  10%  market  penetration,  the technology has the potential to save over 1,000 lives per year and offer tens of billions of dollars in  economic  gains.”15    Ultimately,  lives  saved  are  the  biggest  potential  benefit  to  the  AV technology. 

Some of the other benefits of AV technology may include increased safety, reduced congestion, increased lane utilization, real‐time route optimization, less energy consumption which lower fuel consumed,  improved mobility  for at  risk driving, advanced warning of  traffic  incidents or road risks, and a decrease in impaired drivers.  

7.2  Potential Challenges 

As with any new technology or social undertaking, AV brings forth a variety of new challenges. First, satisfactory sensor technology needs to be developed. Light Detection and Ranging (LIDAR), optical sensors, RADAR, etc. are a few of the sensors currently being used by AVs. These technologies are being used to handle tricky conditions, such as when lane markers are obscured. Furthermore, drivers will need to absorb part of the costs of these additional technologies. In addition to tangible costs, concerns have been raised about privacy, ethics, social norms, and security. This plan focuses more on safety and does not address these concerns, but they should be noted as challenges to consider.

Another challenge faced by AVs is public acceptance. A survey conducted by the University of Michigan concluded that, while most Americans have heard of autonomous vehicles (70.9%) and have a positive impression of them (56.3%), they are also at least somewhat concerned (61.6%) with driving or riding in a vehicle with Level 3 self‐driving technology and even more concerned (66.8%) with Level 4 technology.16 It’s important to keep public opinion in mind when determining AV policy and integration plans.

14 http://www.rand.org/content/dam/rand/pubs/research_reports/RR400/RR443‐1/RAND_RR443‐1.pdf
15 Preparing a nation for autonomous vehicles: http://www.enotrans.org/wp‐content/uploads/wpsc/downloadables/AV‐paper.pdf

AVs face the challenge of living up to their own “hype.” Several auto manufacturers have publicly stated that Level 3 autonomous cars will be developed by 2020 or earlier. A big challenge that the Original Equipment Manufacturers (OEMs) face is the gigantic leap between Level 2 and Level 3 technology.

Other challenges to consider are laws and regulations, implementation costs, security and privacy, education, data storage limitations, weather interference to equipment, and diminishing driver skills. 

7.3 Current Status Quo 

AV technology has been advancing over the past decade, but more testing, specifically on a more varied set of roads (Tier 2‐Closed Deployment Testing and Tier 3‐Open Deployment Testing) and with varying weather conditions, is necessary for technology to advance to the next level.  Tech companies  have  been  urging  policymakers  to  create  regulations  and  legislation which will  be discussed later in this plan. 

Most car companies working on autonomous vehicles have established Level 2 technologies. Level 2 features that drivers can buy today, such as lane keeping systems and automated braking, have been built by most OEMs.17 There is, however, a huge gap between driver‐assisted Level 2 and fully automated Level 3 technology, and the public doesn’t yet realize the difference. Generally speaking, “autonomous vehicles” and “self‐driving cars” are terms that evoke images of Level 3, Level 4 and Level 5.

 

8 Safety Risk Process and Approach 

8.1 Introduction 

This section describes the safety risk process for the CFAVP Pilot Deployment and procedures that will be used to manage safety risks. 

8.2 The Approach 

The CFAVP Pilot Deployment will take a structured approach to identifying the safety risks and mitigating those risks to help ensure the safety of the participants. This approach is on‐going as the pilot program proceeds from planning to design and implementation to operations and maintenance, and it is likely that new safety risks will be identified and that the safety risks currently identified will either be mitigated completely or change status. The process developed and utilized by the CFAVP will result in a risk assessment table (see later in this document) that is created by the vendor tester and continuously updated, with mitigation efforts identified and implemented throughout the project as needed.

16 http://deepblue.lib.umich.edu/bitstream/handle/2027.42/108384/103024.pdf?sequence=1&isAllowed=y
17 http://www.ford.com/services/assets/Brochure?make=Ford&model=Explorer&year=2014&postalCode=1111 0


The safety risk approach that has been developed and  implemented  is based on the following core principles: 

Safety risks are identified, assessed and controlled 

Team members are involved in the safety management process 

Technical experts are involved in the process of identification and assessment 

Safety risks and control measures are constantly monitored, and regularly reviewed 

All team members, participants, contractors, and emergency response agencies will be informed of safety procedures 

All  equipment,  software,  process,  and  interfaces  are  compliant  with  applicable regulations and tested before deployment 

An overview of the safety risk process is shown in Figure 8‐1. The safety risk process begins with identifying a potential safety scenario that may occur as part of the CFAVP Pilot Deployment. A risk assessment is then performed for each safety scenario. The risk assessment assigns a level of risk associated with each safety scenario. The safety scenarios developed and the risk assessment performed for the CFAVP Pilot are included within this document. If the safety scenario is rated as low risk, standard safety management practices are required to be followed. If the safety scenario is rated as medium or high risk, measures are taken to eliminate and/or minimize the risk utilizing the steps detailed in Figure 8‐1. The safety management procedures for the identified safety scenarios for the CFAVP Pilot are detailed in this document. If additional safety scenarios are identified during any phase of the CFAVP Pilot deployment, this safety risk process will be completed for each new safety scenario identified.

   


Figure 8‐1 ‐ Safety Risk Process 

 

 

 

 

 

 

 

 

 

 

8.3 Safety Risk Control 

The CFAVP Pilot Deployment partners have performed a preliminary safety risk analysis that is the basis of our initial mitigation strategy. The CFAVP team will manage and control each potential risk by taking all practicable steps to eliminate or minimize their potential impact. Controls may reduce the significance of a potential risk or the likelihood of it causing harm to participants or others. All of the identified safety risks have been added to the project risk assessment to ensure that each safety risk is identified and tracked, the potential impacts are considered, and the necessary steps are taken to implement the response plan at the appropriate time during the schedule. The DSO will provide status updates on their assigned risks in the monthly status team meetings. Upon the completion of the project, during the closing process, the Project Manager and DSO will analyze each risk as well as the safety risk management process. Based on this analysis, the Project Manager, System Development team, and DSO will identify any improvements to the risk management process that can be shared for future projects. These improvements will be captured as part of the “lessons learned” knowledge base.

The CFAVP Partners will need to use the Automotive Safety Integrity Level (ASIL) process to determine the level of safety risk associated with the deployment. ASIL is a risk classification scheme defined by International Organization for Standardization (ISO) 26262. A risk assessment table, including each potential safety scenario, its identified ASIL, and its risk response plan, is included in Table 10‐2.

8.4 Safety Risk Monitoring 

The  effectiveness  of  the  safety  risk  controls  will  be  monitored  to  identify  and  mitigate  any unforeseen shortfalls.  To ensure that safety risk controls are effective and new safety risks are identified, the following items will be done: 

Quarterly checks during operations on the equipment, software, interfaces, and process

Seeking information from participants

Reporting and reviewing all identified incidents

Keeping up to date with best practices and lessons learned

Coordination with other AV deployed sites

Coordination with identified emergency response agencies

Internal reviews

Regular safety communications and updates with the CFAVP team

[Figure 8‐1 flowchart text: Identify Safety Risk; Hazard Assessment; Low Risk: Adhere to Quality Management Standard Process; Medium/High Risk: 1) Eliminate if possible, 2) Develop a risk plan, 3) Notify the CFAVP, 4) Apply safety measures, 5) Monitor the risk]

Safety risk monitoring will be tracked and documented utilizing three primary methods.  The first type  of monitoring  deals  with  the  communication  and  coordination  with  various  parties  and agencies.  This will be documented during the coordination meetings through meeting minutes.  Safety  reviews,  such as periodic  checks and  internal  reviews, will be documented utilizing  the methods detailed within this document and the Safety Review document included in Appendix B.  Incidents involving any AV will use the form in Appendix C and will be reviewed by the DSP and team during these meetings. 

9 Safety Development Process 

9.1 Introduction 

The Development  Process  of  the  Safety Management  Plan  follows  the process  defined  in  the USDOT guidelines: 1) Identify safety scenarios at both system level and application level as defined in the Concept of Operations, 2) Assess the level of risk for each safety scenario, and 3) Develop a safety operational concept for each scenario if it is identified as medium/high risk. Figure 9‐1 illustrates this process.  

Figure 9‐1 ‐ Safety Management Plan Development Process (Source: USDOT Guidance Summary on Safety Management Plan) 

 

9.2 System Level 

Safety scenarios identified at the system level may apply to the entire deployment area or specific tiers. The system level safety scenarios include: power outage, communication failure, external malicious impacts on the system, heavy storms, hurricanes, smog, fog, emergency evacuation, wildfires, and special events.

 

 


9.3 Application Level 

Safety scenarios identified at the application level apply to the specific application selected and deployed.  The application level safety scenarios include: bus rapid transit signal priority, signal progression, incorrect warnings, LYNX warning, improper installation, vehicle crashes, pedestrian detection, driver distraction, and driver misconception. 

9.4 Identified Safety Scenarios 

The intent of the safety scenarios is to  identify and document potential safety risks associated with the CFAVP Deployment through a systematic analysis process that includes system hardware, software,  interfaces, human behavior  factors,  intended applications, operational environment, weather  conditions,  external  factors,  data  security,  user  abilities,  and  infrastructure.    The scenarios take into account the entire life of the project and are categorized as either system level or application level.  The potential safety impacts of each scenario are then documented so that mitigation measures may be developed.   An  initial analysis  identified twenty scenarios  for  the CFAVP Deployment. Please note that this list is not intended to be all‐inclusive (see Table 10‐2) and is to function as an example for future vehicle testers. 

9.5 Applying to Current Processes 

One of the main challenges in implementing a new standard like ISO 26262 is applying it to current processes. Typically, with a new standard, pilot projects are used to show the implementation of the standard and the effects that it has on current processes. The results so far seem promising in that ISO 26262 appears to adapt well to current safety concepts in the industry.  

It is important for companies looking to implement ISO 26262 to understand that the goal is to analyze risk early in the development process, establish the appropriate safety requirements, and fulfill these requirements by testing during development.18 

 

Figure 9‐2 ‐ Applying to Current Processes (Source: National Instruments) 

 

 

18 http://www.ni.com/white‐paper/13647/en/#toc6


10   Risk Assessment  

10.1 Introduction

The intent of the risk assessment is to identify potential safety risks and analyze methods of response to eliminate safety risks from the design, or minimize the risks to the fullest extent possible. This can be achieved by reducing the probability of the safety risk occurring or minimizing the safety impact if exposure does occur.

An Automotive Safety Integrity Level (ASIL) is a risk classification scheme defined by ISO 26262. An ASIL was determined for all the safety scenarios identified. To determine the appropriate ASIL, the Exposure (E) level, the Severity (S) level, and the Controllability (C) level for each safety scenario are assessed using the descriptions below. The evaluation takes into account any increased risk that road users such as drivers, passengers, bicyclists, pedestrians or transit riders may experience as part of the CFAVP Deployment. Figure 10‐1 depicts the ASIL classification procedure.

Figure 10‐1 ‐ ASIL Process (Source: National Instruments) 

It should be noted that the risk assessment is an on‐going effort throughout the life of the CFAVP Deployment.   The CFAVP DSO will be responsible  for ensuring  the deployment  is continuously monitored  to  determine  if  the  safety  risks  identified  in  the  initial  risk  assessment  have  been accurately classified or fully mitigated.  Additionally, if new safety risks are identified, the DSO will ensure  that  they  are  assessed  through  the  safety  risk  process  detailed within  this  document, added to the safety risk assessment in Table 10‐2, and appropriately classified. 

10.2 Analysis of Probability

Exposure is defined as the probability of exposure to the situation associated with the safety scenario. To assign the appropriate exposure level for a scenario, the likelihood of the safety risk occurring is determined. There are four ASIL levels of exposure:

E1: Extremely low probability 

E2: Low probability 

E3: Medium Probability 

E4: High Probability 


For the CFAVP Deployment, the probability of exposure for each scenario was based on the frequency that similar events have occurred for similar equipment, conditions, and/or occurrences within the deployment area. For example, the number of cases per year in which the deployment area typically experiences a heavy storm, hurricane, evacuation, special events, power outages, communication failures, etc. was considered. Also, for similar devices and systems, the frequency of security failures, device errors, or system malfunctions was considered.

10.3 Analysis of Potential Impact 

Severity is defined as the direct harm inflicted upon a person as a result of the safety scenario.  To assign the appropriate severity  level for a scenario, the potential  level of  injury  is determined.  There are four ASIL levels of severity: 

S0: No injuries 

S1: Light and moderate injuries 

S2: Severe and life‐threatening injuries‐survival probable 

S3: Life‐threatening injuries‐survival uncertain 

For the CFAVP deployment, the severity for each scenario was based on the level of injury most likely to be sustained as a result.  This was based on historical trends for the deployment area.  These preliminary ratings will be vetted for reasonableness and completeness with local safety stakeholders and those who are most familiar with the existing and planned operation, once the design and operational details have been determined as part of our on‐going safety management.  It is recommended that during the vetting process, the KABCO scale be used to be consistent with the State Safety Office and FHWA categories of injury:  

K: Fatality 

A: Incapacitating Injury 

B: Non‐Incapacitating Injury 

C: Possible Injury 

O: Property Damage Only 

10.4 Analysis of Controllability

Controllability is defined as the ability to control the safety scenario once the person is exposed to the safety risk. To assign the appropriate controllability level for a scenario, the level of control we hold over the potential situation is determined. There are three ASIL levels of controllability:

C1: Simply controllable 

C2: Normally controllable 

C3: Difficult to control or uncontrollable 

In the CFAVP deployment, the controllability for each scenario was based on the overall level of control over the outcome for each scenario. While weather events, evacuations, congestion, special events, security attacks, malfunctions, device failures, or outages cannot be prevented, mitigation measures and response plans are within the CFAVP’s ability to exert influence and affect the outcome of each safety scenario. The combination of these determines the level of controllability assigned.


These three dimensions were utilized to assign an ASIL to each safety scenario. Table 10‐1 depicts the method used to perform the ASIL decomposition. 

 

Table 10‐1 ‐ ASIL Decomposition (Source ISO 26262) 

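Controllability through the Driver: columns C1 to C3

| Severity Levels | Probability of Exposure | Simply Controllable (C1) | Normally Controllable (C2) | Uncontrollable (C3) |
|---|---|---|---|---|
| No Injuries (S0) | Extremely Low Probability (E1) | QM | QM | QM |
| No Injuries (S0) | Low Probability (E2) | QM | QM | QM |
| No Injuries (S0) | Medium Probability (E3) | QM | QM | QM |
| No Injuries (S0) | High Probability (E4) | QM | QM | QM |
| Light and Moderate Injuries (S1) | Extremely Low Probability (E1) | QM | QM | QM |
| Light and Moderate Injuries (S1) | Low Probability (E2) | QM | QM | QM |
| Light and Moderate Injuries (S1) | Medium Probability (E3) | QM | QM | ASIL A |
| Light and Moderate Injuries (S1) | High Probability (E4) | QM | ASIL A | ASIL B |
| Severe and Life‐Threatening‐Survival Probable (S2) | Extremely Low Probability (E1) | QM | QM | QM |
| Severe and Life‐Threatening‐Survival Probable (S2) | Low Probability (E2) | QM | QM | ASIL A |
| Severe and Life‐Threatening‐Survival Probable (S2) | Medium Probability (E3) | QM | ASIL A | ASIL B |
| Severe and Life‐Threatening‐Survival Probable (S2) | High Probability (E4) | ASIL A | ASIL B | ASIL C |
| Life‐Threatening‐Survival Uncertain (S3) | Extremely Low Probability (E1) | QM | QM | ASIL A |
| Life‐Threatening‐Survival Uncertain (S3) | Low Probability (E2) | QM | ASIL A | ASIL B |
| Life‐Threatening‐Survival Uncertain (S3) | Medium Probability (E3) | ASIL A | ASIL B | ASIL C |
| Life‐Threatening‐Survival Uncertain (S3) | High Probability (E4) | ASIL B | ASIL C | ASIL D |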

 

Where: 

Quality Management (QM) = standard quality/safety management is sufficient 

ASIL x = measures according to ASIL x are to be applied to achieve safety goals 

ASIL D represents likely potential for severely life‐threatening or fatal injury in the event of a malfunction and requires the highest level of assurance that the dependent safety goals are sufficient and have been achieved. ASIL D is noteworthy because of the elevated risk it represents and the exceptional rigor required in development. Any product able to comply with ASIL D requirements would, by default, also comply with any lower level.

The level QM represents no hazards associated with the given application, so the management of safety  requirements  is  not  relevant.    This  is  not  to  say  that  no  controls  are  required  in  the development of the product.  Even if there are no hazards, there may still be business risk and other risks to manage, and there may be other applicable customer and regulatory requirements for QM such as state regulations that are listed within this document. 

10.5 ASIL Determination Matrix 

Table 10‐2 provides a safety and threat analysis for the CFAVP deployment, identifying the risk description, the likely impacts of each scenario, the risk response plan, and the overall ASIL determination for each risk. The likely impact of each scenario is provided on a case‐by‐case basis. Please note that this list is not intended to be all‐inclusive. To help the institutional review board (IRB) understand the risk assessment of each scenario using ISO 26262, the following section provides the rationale for determining the Severity, Exposure, and Controllability ratings. The purpose of the IRB is to assure that appropriate steps are taken to protect the rights and welfare of humans participating as subjects in a research study.

Severity level 0 (S0) means that no injuries will result from the scenario, or that it will result in abbreviated injury scale (AIS) 0 and less than 10% probability of AIS 1‐6. Severity level 1 (S1) indicates light and moderate injuries, or more than 10% probability of AIS 1‐6 and not S2 or S3. Severity level 2 (S2) indicates that severe injuries, possibly life‐threatening with survival probable, may result from a risk scenario, with more than 10% probability of AIS 3‐6 and not S3. Severity level 3 (S3) indicates life‐threatening injuries (survival uncertain) or fatal injuries, with a likelihood of 10% of AIS 5‐6.

Exposure used in Table 10‐2 is defined as the probability of a human’s exposure to a hazard in terms of time and location in particular scenarios during an expectable (mis)use case. Exposure level 0 (E0) means that the scenario will never happen; the probability is 0%. Exposure level 1 (E1) has a very low probability, or may happen less often than once a year. E2 has a very low probability, may happen a few times a year, or may occur less than 1% of average operating time. E3 has a medium occurrence probability, may happen once or more a month, or occurs during 1%‐10% of average operating time. E4 has a high probability, occurring on almost every drive or during greater than 10% of average operating time.

Controllability is defined as the probability of being able to withdraw oneself from the severity impact, thereby avoiding or alleviating the injury, once exposed to a hazard. Controllable in general is defined as level 0 (C0). Controllability level 1 (C1) is a scenario that is simply controllable by 99% or more of all drivers. C2 is normally controllable by 90% or more of all drivers, while C3 is difficult to control or uncontrollable by more than 90% of all drivers.

The number used in the risk register column, which is the associated risk assessment, corresponds to the overall risk register developed as part of the project management plan and maintained by the CFAVP team. 

 

 

 

 


Figure 10‐2 ‐ ASIL Ratings (Source: National Instruments) 

 

 

 

 

There are four ASIL ratings identified: ASIL A, ASIL B, ASIL C, ASIL D. Safety risks that are identified as QM, or “Quality Management,” do not require specific mitigation measures to be developed. These require a standard quality management system. Safety risks that are determined to be ASIL D have the highest safety risk and need the highest level of mitigation measures, while those that receive ratings of ASIL A have the lowest level of testing requirements per ISO 26262. Using the methodology illustrated above, none of the potential safety scenarios were classified as ASIL hazard events; therefore, the generally accepted quality management practices to be performed are detailed within this document and include provisions for equipment procurement, device installation, a fail‐safe system mode, quality training, safety management, safety reviews, and safety incident reporting and tracking.

Examples of the safety risk process have been developed. These examples are detailed in Table 10‐2. This table is not intended to be all‐inclusive, but is meant to demonstrate how the associated safety impacts anticipated, the safety risk response plan developed, the ASIL dimensions assigned, and the resulting ASIL rating can be used.

   


Table 10‐2 ‐ Summary of Safety Risk Assessment 

 

| ID # | Level | Safety Risk Description | Likely Impacts | Safety Risk Plan | ASIL |
|---|---|---|---|---|---|
| 1 | Application Level | Bus Rapid Transit Signal Priority malfunction | Increased route times. Riders may be stranded longer than anticipated with no alternate transportation. | 1) Conduct a review to verify it is in compliance. 2) Document lessons learned. 3) Coordinate with Safety Officer. 4) Repair problems that affected the malfunction. | S0 E2 C1 |
| 2 | Application Level | Signal malfunctioning | Safety of nearby road user: pedestrian, bicyclist, bus transit, other road users. AV might need driver to take over controls. | 1) Conduct a review to verify the signals are in compliance. 2) Document lessons learned. 3) Coordinate with Safety Officer. 4) Repair problems that affected the malfunction. | S1 E2 C1 |
| 3 | System Level | V2V Communication Antenna malfunctions | Impacts to the truck platooning deployment when the driverless truck's antenna malfunctions | 1) Ensure safety failover is activated. 2) Test newer antennas. 3) Document lessons learned. 4) Coordinate with Safety Officer. 5) Repair antenna by replacing if necessary. | S3 E2 C1 |
| 4 | System Level | A heavy storm or hurricane results in damage to V2I equipment | Safety of participant and other road users to include pedestrians | 1) System reports will have to be conducted to determine any system outages. 2) Immediately notify the Safety Officer. 3) Repair any of the devices necessary. | S1 E2 C2 |
| 5 | System Level | Communication failure or power outage cause a system, application, or sensor to go down or not send timely needed information. | The driver of the AV is still in control of the vehicle and will need to assess the situation to determine how to react | 1) Conduct a review. 2) Document lessons learned. 3) Coordinate with Safety Officer. 4) Repair problems that affected the malfunction to mitigate reoccurrence. | S1 E2 C1 |
| 6 | System Level | External Malicious attack impacting security. A device is behaving differently due to someone hacking into the system | This does not pose a potential severity or danger to others. The driver at all times has control of the vehicle when necessary and does not pose any hazards to their surroundings | 1) Develop smart applications to maintain data integrity. Log problems. 2) Document lessons learned. 3) Establish better firewalls that are compliant to industry standards. 4) Review logs to find points of entry and weaknesses. Verify no backdoors are available and periodically do audits to tighten up security measures. | S0 E3 C1 |
| 7 | Application Level | The AV Tester has a misperception of how the system works. Driver expects vehicle to take control and avert a threat | Safety concerns for the testing participant, nearby drivers, and pedestrians | 1) This will need to be identified in the drivers training plan for how to handle hazards or debris scenarios. | S2 E2 C1 |
| 8 | System Level | Loose equipment on vehicle or truck platoon fleet | Safety of test participant and nearby roadway users. Could cause driver distraction causing an accident | 1) Include lessons learned to design for when installing. 2) Always conduct design review installations. | S2 E3 C2 |
| 9 | Application Level | Sensor of Autonomous Vehicle malfunctions | Safety of nearby road user and test participant | 1) Include lessons learned to design for when installing. 2) Always conduct design review installations. 3) Notify Safety Officer. | S3 E3 C3 |
| 10 | System Level | Vehicle does not pass Tier 2 demonstration phase | Safety of the testing participant and nearby road users. | 1) Ensure that before testing on the open deployment the vehicles pass tier 2 before entering tier 3. | S3 E2 C1 |
| 11 | System Level | Level 4 or Level 5 automation progression | Safety of participant and other road users to include pedestrians | 1) Level 4 and Level 5 automation need to be tested in tier 1 and tier 2 before entering tier 3. 2) All lessons learned are to be documented for future testing. | S1 E1 C1 |
| 12 | System Level | An emergency event or hurricane results in evacuation | Safety of the participant and nearby road users. | 1) Safety Officer to coordinate and open communication channel with law enforcement, CFAVP and AV Testers. 2) Ensure they understand emergency evacuation plan. 3) Look to postpone testing. | S1 E1 C1 |
| 13 | System Level | Events in downtown Orlando such as soccer games, events at the arena, bowl games, foot races that result in unusual road closures and different traffic flows | Safety to participant and nearby road users, including pedestrians. Pending which level of testing, drivers may have control of vehicle and will need to assess the situation and react appropriately. | 1) Level 3 and below will have the ability to take control of the vehicle during these times, but test will need to occur for level 4 and 5 for circumstances when roadways change (closures, patterns) at random times. 2) Document lessons learned. | S2 E2 C1 |
| 14 | Application Level | Any device installed inside or outside a vehicle may detach and cause damage or harm during an accident. | Safety of the participant. A minor increase to potential injury due to the size and weight of the device. | 1) During tier 1 testing verify installation before deployment. 2) Include lessons learned and a checklist when verifying vehicle. | S1 E1 C1 |
| 15 | Application Level | The test vehicle and participant are involved in any crash, causing injury. | Safety of the participant and nearby road users including transit riders and pedestrians. Level 3 and below allow for the driver to take control of the vehicle. | 1) Perform a thorough inspection which will include reviews, previous testing and checklists. 2) The driver, pedestrian or road user is to notify the Safety Officer at the time of the incident. 3) Follow incident report protocol. | S1 E2 C2 |
| 16 | Application Level | The detection at the pedestrian crossings malfunction with the applications of AV. | Safety of pedestrian. Failure to issue a warning may result in a pedestrian‐vehicle collision. Level 3 vehicles can be taken control of but higher levels will need to be tested in open deployments. | 1) Lessons learned from closed deployments will need to be followed. 2) Incident Report Forms are to be filled out and given to the Safety Officer for review. | S2 E2 C1 |
| 17 | System Level | Level 4 and 5 vehicles in open deployments | Safety of the testing participant and nearby road users, to include transit riders and pedestrians. | 1) All level 4 and level 5 automation will have to be tested adequately on a closed deployment (tier 2) before graduating to an open deployment (tier 3). 2) When vehicles are ready for open deployment a letter must be sent to the Safety Officer. | S2 E2 C2 |
| 18 | System Level | Construction zones have changed. | Safety of participant and other road users to include construction workers, law enforcement and Engineers | 1) During testing an AV has to pass testing obstacles requiring them to meet construction and MOT changes. Each vehicle is certified to adapt to these new conditions and traffic patterns. | S1 E1 C1 |
| 19 | Application Level | The driver reacts to an AV warning by taking over control in an undesirable swerve or hard brake causing a crash | Safety of the test participant, pedestrian and transit rider. | 1) AV Tester is to adhere to MUTCD and Florida Law. 2) Document lessons learned. 3) The Safety Officer is to be notified immediately. 4) Incident Report is to be filled out for review. 5) Possible new interfaces need installed and/or more testing on a closed deployment system (Tier 2). | S2 E2 C2 |
| 20 | System Level | The driver has to do a complete system shutdown or system take over. | Safety to participant and nearby road users | 1) Lessons learned are to be documented. 2) A review of the system logs to see why the vehicle malfunctioned. 3) An immediate maintained/check‐up needs to be conducted to ensure the safety of the participant and all roadway users. | S1 E1 C1 |


11   Safety Operational Concept 

11.1 Functional Safety Requirements 

This section defines the functional safety requirements for the CFAVP Deployment.   These are requirements to ensure safe operation of the application and the actions to be taken within the deployment to reduce the likelihood and potential impacts defined in the safety scenarios.  Since some of the safety scenarios  identified result  in ASIL QM, specific safety requirements are not necessary for each scenario.  Standard quality management procedures will be followed in these cases.  In general, a demonstration phase will occur  (as applicable)  to  show  that  the system  is functional and an operations phase for actual testing. The Tiers in which these phases will occur will be determined during the application process. 

11.2 Safety Management Responsibilities 

The  DSO  serves  as  the  Safety  Manager  with  the  responsibility  of  the  ongoing  overall  safety management, including safety coordination for the following key areas: 

Leadership and direction in safety procedures; 

Ensuring compliance with applicable regulations and the Safety Management Plan; 

Incorporating safety into design, deployment and operational phases; 

Guidance for equipment procurement and acceptance, if necessary; 

Oversight for testing or any certifications; 

Safety leadership for updates; 

Operational safety and monitoring; 

Safety documentation and training; 

Maintaining and updating safety processes and the Safety Management Plan; and 

Safety coordination with all CFAVP, first responders and other entities. 

11.3 Safety Reviews 

Safety reviews support the focus on safety, ensure compliance with the Safety Management Plan, and identify opportunities to improve safety.  Regular assessments help to identify any new safety risk and develop the appropriate control measures. 

When the CFAVP team conducts safety reviews, the team will ensure that: 

Reviews are conducted by the appropriate technical experts and team members; 

Opportunities for improvement are identified; 

Outcomes are communicated to the team; 

Actions arising from reviews are implemented; and 

On‐going monitoring  is maintained  to  ensure  that  our  operations  comply with  the  Safety Management Plan. 


There are two phases as a part of CFAVP Testbed. The first is the Demonstration Phase. This phase consists of testing the AV technology in a closed environment (Tier 1 and/or Tier 2) in order to establish that the technology is ready for open road testing (Tier 3). It is understood that some AV technology  may  already  have  been  adequately  demonstrated  in  the  past.  Therefore,  this information  may  be  presented  to  the  CFAVP  for  consideration  in  lieu  of  completing  the Demonstration Phase. 

Upon completion of the Demonstration Phase, the Operation Phase may begin. The operation phase consists of open road testing and may be supervised and/or unsupervised at the discretion of the CFAVP. Tier 3 will be used for this type of testing. 

Reviews will be conducted at the following key points: 

Safety  review  for  each  phase  to  determine  if  there  are  any  impacts  to  the  safety  risk assessment and to ensure that any risks that can be mitigated through that deliverable are included; 

Safety review of the design; 

Safety review before each phase, see Appendix A (Demonstration and Operation); 

System security review before each phase (Demonstration and Operation); 

Equipment, software and process check during operation (Demonstration and Operation); 

Regular safety communication and updates (Demonstration and Operation); 

Safety investigation after an incident (Operation); 

Following a critical event or significant change that may impact safety (Demonstration and Operation); 

After a complaint of a safety nature is received from participants, team members, or others (Operation);  

Following a change in the applicable standards and codes of practices (Demonstration and Operation); and 

11.4 Safety Incident Reporting

The intent of a safety incident reporting process is to identify improvements that can be made to prevent a recurrence of that incident. The following safety incident reporting policy will be followed:

Safety  incidents will  be  reported and  recorded by  the participants  and/or  team members using the Incident Report Form in Appendix C. 

Participants will receive guidance on safety reporting during their training. 

Safety incidents will be investigated and the underlying causes identified. 

Serious harm incidents will prompt a review of the SMP. 

A regular review of all safety incidents occurs to identify any trends. 

Incident:  If  an  incident  occurs  involving  a  participant,  the  appropriate  law  enforcement  and emergency services are notified immediately by the Regional Traffic Management Center (RTMC). 


Emergency/Immediate Response:  Immediate  response  is  taken by  the  appropriate  agencies  in accordance with their procedures. 

Incident Report: All safety  incidents are reported to the CFAVP team and documented with an incident form, including any safety complaints from participants or other affected road users. 

Safety  Reviewer:  All  documented  safety  incidents  are  reviewed by  the DSO;  all  relevant  team members are included in the review. 

Action: When the review identifies an unforeseen safety risk that is not adequately controlled, immediate  action must  be  taken.    The  Safety Risk Process  is  used  to  identify  the  appropriate controls  for  any  new  safety  scenarios  identified.    The  resulting  mitigation  measures  are implemented and recorded. 

Communicate: The DSO will ensure relevant details of each  incident are communicated to the team members as soon as practical.  Any changes to procedures will then be incorporated into the Safety Management Plan and communicated to the team members. 

 

11.5 Emergency Responder Coordination 

Agencies within the State of Florida and local cities have their own emergency response plans for various events, such as severe incidents, natural disasters, or planned events.  Table 13‐1 lists the corresponding Safety Response Stakeholder and their jurisdictional boundaries. 

The  pilot  deployment  team  will  coordinate  with  emergency  responders  on  what  actions  are expected  from  both  the  agencies  and  the  deployment  program  (i.e.  DSO)  in  response  to  the emergency situations identified in this safety management plan. 

 

 

 

 

 


12   Safety Analysis and Threat Assessment Plan 

The main goal of the Safety Analysis and Threat Assessment Plan is to guide the deployment team in designing a safety critical system to eliminate hazards or to mitigate the risks if they do occur. The following set of safety scenarios have been identified in relation to the applications and technologies for AV deployments. The safety scenarios included an analysis of likelihood and potential impacts as well as mitigation plans.

12.1 Identification and Classification of Safety Critical Events

The safety scenarios are defined based on system and application levels. The safety scenario identification considers the geographical and weather implications related to the Central Florida region.

12.2 Identified System Safety and Threats 

This section identifies safety threats and risks that impact deployed AV systems. These threats and risks include communication, security, power outages, the impact of other events outside the AV system, and potential safety risks beyond single application concept and driver perception. Today’s drivers, even before the evolution of AV, face these challenges of safety and security threats from hackers. As AV technology progresses, security will increase as well.

Communications 

Communication failure is considered as a generic system‐level scenario that may be applied to each tier. The Open Deployment tier has some sections that may have greater implications on the performance of the AV communication needed. While there are many types of communication failures that could be intentional or accidental, the result is the same: drivers and the Regional Traffic Management Center (RTMC) lose or have delayed messages. To help mitigate communication failures, links are monitored to reduce the length of an outage, while the vehicles maintain a log in order to attempt to resend unreceived relevant messages further down the road traveled.

Figure 12‐1 – Security Applications 

 


Security 

Malicious attacks and hacks within the network can expose the AV technologies (See Figure 12‐1 on the previous page). The following are examples of security failures: 

a. A vehicle that is misbehaving due to someone hacking into the system. 

b. Someone steals the technology of any AV tester and uses it for his or her personal gain. 

c. Someone hacks into the network to collect data for technological gains. 

Lack of car maintenance 

The  team  will  establish  a  time  table  using  mileage  so  Preventative  Maintenance  on  Level  3 through Level 5 is completed before entering a Tier 3 facility.   

Impacts outside the AV system 

Severe weather, major crashes, HAZMAT incidents, and evacuations are identified as factors that may have safety implications during testing.  Understanding emergency response plans will help in the safety and success of the deployment. 

Antenna or sensor malfunctioning 

Potential safety risks increase if an antenna malfunctions. A system fail safe will be available remotely in case an operator is not present.

User perceptions 

There is a misconception among the public about AV technologies. Public outreach will occur with testing results so the community can be educated to accept and grow alongside the program. Once simulation and closed deployment results conclude, it will be beneficial to provide qualitative performance measures to the US DOT, State DOT and NHTSA for publication.

Operational and functional safety 

According to the definition in ISO 26262, a functional safety requirement is a safety requirement implemented by a safety‐related system or technologies in order to achieve or maintain a safe state for the item; taking into account that a determined hazardous event or other unforeseen events may cause the system to become dysfunctional. 

 

 

 

 

 

 

 

 

 

 


13  Safety Stakeholders

This section identifies the parties responsible for responding to the identified safety incidents within the area of Tier 2 (Closed Deployment) and Tier 3 (Open Deployment). The DSO will be responsible for ensuring these safety response stakeholders are informed about the deployment activities, protocols, and timelines. This will occur through the safety risk monitoring activities detailed within this document.

13.1 Identify Safety Response Stakeholders

The following safety response stakeholders have been identified.

Table 13‐1 – Safety Response Stakeholders 

Agency  Jurisdiction  Response Hours 

Florida Highway Patrol (FHP) Troop K  SR 91; SR 570; SR 528  24x7 

Florida Highway Patrol (FHP) Troop C  I‐4  24x7 

Florida Highway Patrol (FHP) Troop D  I‐4  24x7 

Florida Highway Patrol (FHP) CFX Troop  SR 528  24x7 

City of Orlando Police Department  I‐4  24x7 

City of Orlando Fire Department   I‐4  24x7 

Osceola County Fire Department  I‐4  24x7 

Brevard County Fire Department  SR 528  24x7 

Polk County Fire Department  I‐4; SR 570  24x7 

Orange County Fire Department  I‐4; SR 528  24x7 

Winter Park Police Department  I‐4  24x7 

Winter Park Fire Department  I‐4  24x7 

Maitland Police Department  I‐4  24x7 

Maitland Fire Department  I‐4  24x7 

NASA Federal Law Enforcement  NASA Property  24x7 

Florida’s Turnpike TMC  SR 528; SR 570; SR 91  24x7

Department of Transportation RTMC: D5  I‐4; SR 528; SR 91  24x7

Department of Transportation TMC: D1  I‐4; SR 570  24x7 

FDOT Traffic Ops District 1 and 5  All SR and Interstates  M‐F 8am‐5:30pm 

I‐4 Ultimate Service Patrol  I‐4  24x7 

LYNX Road Rangers  I‐4  Sun‐Thurs: 6am‐12am; F‐Saturday: 6am‐3:30am 

     

     


13.2 Existing Response Plans

Collisions

If a participant vehicle or a pedestrian participant is involved in a crash or collision, the parties will be  directed  to  follow  existing  Florida  law.    If  appropriate,  911  will  be  called  for  emergency response.  The Central Florida area has all emergency services available 24x7 for crashes within their  specific  jurisdictional  boundaries.    The  Traffic Management  Centers,  Service  Patrols  and FDOT Roadway Maintenance provide support to assist law enforcement and the FDOT around the clock.  In the event that a crash occurs with an AV, the DSO will be notified immediately so that an inspection of the AV can be performed.  The incident will be tracked and detailed in the Incident Report Form (see Appendix C).  All crashes that occur with any AV being tested will be evaluated during periodic safety assessments, and overall trends will also be analyzed to determine if any new mitigation measures need to be developed.  

Special Event Traffic 

The Central Florida area holds special events regularly that may cause unusually heavy traffic to be rerouted.  These may only occur when congestion is substantially higher than normal in these areas (i.e. Downtown Orlando).  The City of Orlando, along with law enforcement, is responsible for the majority of the event routing.  These groups have existing detour plans that are followed for  each  event.    During  special  events,  the  existing  procedures  will  be  followed  and communication  plans  contained within  this  SMP will  ensure  coordination with  the DSO.    The communication plan will be followed to include all stakeholders and will ensure that the DSO and deployment team (to include AV Testers) are informed of all special events that may affect the testing. 

Construction and MOT Shifts 

Along with special events which impact routes, it is common for lane shifts or closures to occur during scheduled construction.  Much like the special events, the existing procedures for media, FDOT, first responders, and AV Testers will be followed and communicated to ensure the team is fully aware ahead of time of these changes to the roadway.  Three relevant websites to use for retrieving  construction  information  are:  http://i4ultimate.com/;  https://fl511.com/;  and http://cflsmartroads.com/  

Emergency Evacuation 

During emergency evacuations, all of the identified safety stakeholders may be involved to some extent in an Evacuation Plan for Central Florida.  An open communication channel between the DSO, first responders, and CFAVP members will be established to ensure that the safety of the program comes first.  If the emergency is determined to be high risk or life‐threatening, the AV testing will be temporarily suspended for the good of the program and community.  It is likely the emergency  evacuations  may  require  the  CFAVP  members  and  first  responders  to  utilize  the majority of their resources (i.e. Hurricane Evacuation Plan). Therefore, testing operations will be postponed until further notice or upon the Safety Officer’s approval. 

 

 

 


14  Project Deliverables

The impact of the deployment will be monitored through a set of key performance measures and reported on a daily, weekly and monthly basis.

The  intended action of the DSO and AV Testers  in this deployment  is  to ensure accurate performance measures via data collected through an organized process which can be presented in a clear and concise way for future studies.  Deliverables may include: 

1. Safety Review Forms 

2. Incident Report Form 

3. Meeting minutes 

4. Testing or simulations 

5. Certifications of active testing participants 

6. Insurance policy per testing participants 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 


15  Performance Measures 

15.1 Background

Measuring the performance of a transportation system provides the means to quantify the progress made toward attaining established goals. This information can be used to improve an agency’s internal operations or communicated to decision‐makers to provide accountability for public expenditure as well as to the traveling public.

The CFAVP Deployments are expected to demonstrate improved performance in one or more of the following areas: safety, mobility, reduced negative environmental impacts, public agency efficiency, travel time reliability, throughput, speed, reduced crashes, reduced crash rates, and reduced response time. It is the improved performance that would cause widespread adoption of AV applications by transportation agencies. The need to accurately measure the performance of the AV Pilot cannot be overemphasized.

To effectively conduct performance measurement, some fundamental terms and concepts must be well understood.  These terms are briefly discussed below. 

15.2 Types of Performance Measures 

Performance  measures  can  be  categorized  as  either  quantitative  or qualitative, depending on the nature of the performance variable being measured.  Both are briefly described below. 

15.2.1 Quantitative Performance Measures 

Quantitative  performance  measures  provide  numerical  estimates  as evidence of how a transportation system is performing.  These numerical estimates can then be compared with established performance targets to determine  the  amount  of  progress/regress  made  in  achieving  those targets.  These numerical estimates are usually verifiable and yield similar results  with  repeated  trials,  when  everything  else  is  kept  constant.  Quantitative performance measures can either be continuous or discrete. Examples for this project can be incidents versus miles driven or manual human  take  over  versus  miles  driven.    There  are  many  performance measures  that  can  be  established  as  a  team  to  highlight  value  and  to provide shared data. 

15.2.2 Qualitative Performance Measures 

Qualitative performance measures represent the subjective perceptions and satisfaction levels of users or customers. They focus on people’s own experience and help transportation system managers understand how users/customers feel about the service. Although qualitative performance measures are subjective in nature, they provide valuable complementary information to quantitative performance measures to help transportation system managers improve service delivery. Examples of qualitative performance measures include public perception (e.g. safety improves) and user satisfaction (Bus Rapid Transit or mobility).

Quantitative performance measures are numerical and usually verifiable.

Qualitative performance measures are subjective and are based upon perception.


16  Glossary 

Abbreviated Injury Scale (AIS) ‐ An anatomical scoring system first introduced in 1969. Since this time, it has been revised and updated against survival so that it now provides a reasonably accurate way of ranking the severity of injury. The latest version is from 1990.

Automotive Safety Integrity Level (ASIL) ‐ Defined as a risk classification scheme created by ISO 26262. 

Automated Driving System (ADS) ‐ The hardware and software that is collectively capable of performing all aspects of the dynamic driving task for a Highly‐Automated Vehicle (HAV). 

Crash ‐ An unintended event resulting in fatality, injury or damage to a vehicle or property, involving one or more motor vehicles, on a roadway that is publicly maintained and open to the public for vehicular travel. 

Deployment ‐ The use of an HAV by operators or employees or agents of an HAV Tester. 

DMV ‐ A State‐level government agency that administers vehicle registration and driver licensing. 

Driver ‐ The human operator of an HAV when it is not operating in a fully automated mode. 

Driver Assist Features ‐ An active safety system or combination of systems for driver assistance including, but not limited to, electronic blind spot detection, crash avoidance warning, emergency braking, parking assistance, adaptive cruise control, lane keeping assistance, lane departure warning, or congestion and queuing assistance, where one or more of those systems, alone or in combination with any other system, does not enable the vehicle to perform the dynamic driving task without the active control or monitoring by a human operator.

Dynamic  driving  task  ‐  The  operational  (steering,  braking,  accelerating,  monitoring  the  vehicle  and roadway) and tactical (responding to events, determining when to change lanes, turn, use signals, etc.) aspects of driving, but not the strategic (determining destinations) aspects of the driving task. 

Full automation ‐ Full‐time performance by an automated driving system of all aspects of the dynamic driving task under all roadway and environmental conditions that can be managed by a human driver. 

HAV Tester ‐ A person or organization who is contracted to conduct public testing of HAVs. 

High automation ‐ The driving mode‐specific performance by an automated driving system of all aspects of  the  dynamic  driving  task,  and  if  a  human  driver  does  not  respond  appropriately  to  a  request  to intervene, the automated driving system is able to achieve a minimal risk condition upon that failure to intervene. 

Highly Automated Vehicle (HAV) ‐ Vehicles that contain systems referred to as Conditional (SAE‐Level 3), High  (SAE‐Level 4) and  full  (SAE‐Level 5) Automation.   These are systems  that  rely on  the automation system (not on a human) to conduct the driving task.  

HAV Systems ‐ A system is a combination of hardware and software that provides safety, comfort and convenience features to drivers.   Automated driving systems are ones that perform a driving function by controlling and combining braking, throttle and steering functionality.   In this document, an HAV system is one that is SAE Level 3 and higher where the system conducts the driving task. 

Institutional Review Board (IRB) ‐ A committee that has been formally designed to approve, monitor, and review behavioral research involving humans. 


ISO 26262 ‐ A functional safety standard, titled “Road vehicles ‐ Functional safety.” Functional safety features form an integral part of each automotive product development phase, ranging from the specification, to design, implementation, integration, verification, validation, and production release.

LiDAR ‐ A device that is similar in operation to radar but emits pulsed laser light instead of microwaves. 

Minimal Risk Condition ‐ A scenario where an automated driving system brings a vehicle to a safe stop or safe running condition because of an ADS system malfunction, a failed request for operator intervention, or other occurrence that prohibits the automated driving system from fully and completely performing the dynamic driving task. 

Operation ‐ The driving of an HAV on a test road for the purpose of testing an automated driving system. 

Operational Design Domain (ODD) ‐ The HAV Tester’s definition of the conditions in which the ADS, or the differing automated components thereof, is intended to operate with respect to roadway types, geographical location, speed range, lighting conditions for operation (day and/or night), weather conditions and other operational domain constraints, including a description of how the ADS provides for object and event detection and response under normal driving scenarios, expected hazards (e.g., other vehicles, pedestrians), and unspecified events (e.g., emergency vehicles, temporary construction zones) that could occur within the operational domain.

Operator ‐ An individual employed by the HAV Tester who is able to take immediate manual or remote control of the HAV. 

Person ‐ A natural person, firm, co‐partnership, association, or corporation. 

Platooning ‐ Use of any equipment, device, or technology that allows a motor vehicle or series of motor vehicles to operate at some level of automation, while coupled or joined to a lead vehicle via a wireless connection in a caravan or motorcade. 

Request to  intervene ‐ A notification by the automated driving system to a human driver that he/she should promptly begin to resume performance of the dynamic driving task. 

Safety Override Control, ADS ‐ A clearly marked and visible button, switch or manual input device in an HAV that allows the operator, passenger, or authorized law enforcement or first responder personnel to deactivate the ADS, either during testing operations, or as a result of a crash or in an emergency situation. This does not preclude the HAV Tester from providing multiple means, allowing the operator to override the automated driving system. 

Test road ‐ The entire width between property lines or boundary lines of every way or place of which any part is open to the public for purpose of vehicular travel as a matter of right or custom. 

   



 


APPENDIX A  

 

 

 

 

 

 

 

 

 

 

 

 

 


Appendix A: SMP Checklist for Central Florida’s AV Testbed 

If an automated vehicle tester would like to participate in Central Florida’s AV Testbed, there are three tiers that can be used for testing consisting of multiple facilities as defined in the Safety Management Plan (SMP): Tier 1: Lab, Tier 2: Closed Environment, and Tier 3: Open Environment. The Central Florida AV Partnership (CFAVP) will also identify a Designated Safety Officer that will oversee any testing that is desired.

There are two phases as a part of Central Florida’s AV Testbed. The first is the Demonstration Phase. This phase consists of testing the AV technology in a closed environment (Tier 1 and/or Tier 2) in order to establish that the technology is ready for open road testing (Tier 3). It is understood that some AV technology may already have been adequately demonstrated in the past. Therefore, this information may be presented to the CFAVP for consideration in lieu of completing the Demonstration Phase.

Upon completion of the Demonstration Phase, the Operation Phase may begin. The operation phase consists of open road testing and may be supervised and/or unsupervised at the discretion of the CFAVP. Tier 3 will be used for this type of testing.

For those Automated Vehicle Testers that are interested in participating, please provide the requirements and follow the procedures listed below. If an item is not applicable, please note in the application.

Driver Requirements

1. The automated vehicle tester must certify that the operator is able to safely engage, detect, monitor and disengage the Automated Driving System (ADS) reliably. Please provide certification. See Section 2.2 in the SMP.

2. Approval requires that the operator be able to mediate situations where the ADS experiences a system interruption or other problems, rendering the ADS unable to safely perform the driving task with minimal risk. Please demonstrate that the operator is experienced and capable. See Section 2.2 in the SMP.

3. Each automated vehicle tester must ensure that the ADS is able to achieve a minimal risk condition, in the event the ADS experiences a system interruption or other problems. Please provide relevant information. See Section 2.2 in the SMP. 

4. The automated tester must guarantee that the automated vehicle will provide immediate notification to the tester that it has entered a minimal risk condition. Please provide relevant information.  See Section 2.2 in the SMP. 

5. The automated vehicle tester must use a procedure established by the CFAVP to provide notification to law enforcement. The DSO will develop the procedure in conjunction with the automated vehicle tester. Please provide willingness to cooperate. See Section 2.2 in the SMP. 

State and Federal Legislation Requirements

1. Prior to the start of testing in Florida, the entity performing the testing must submit to the Department of Highway Safety and Motor Vehicles an instrument of insurance, surety bond, or proof of self‐insurance acceptable to the Department in the amount of $5 million. Please provide. See Section 3.1 in the SMP.

2. An autonomous vehicle registered in Florida must continue to meet federal standards and regulations for a motor vehicle. Please acknowledge and confirm.  See Section 3.1 in the SMP. 


3. The vehicle shall have a means to engage and disengage the autonomous technology which is easily accessible to the operator, have a means, inside the vehicle, to visually indicate when the vehicle is operating in autonomous mode, and have the means to alert the operator of the vehicle if a technology failure affecting the ability of the vehicle to safely operate autonomously is detected while the vehicle is operating autonomously, in order to indicate to the operator to take control of the vehicle. Please provide information demonstrating compliance with the above. See Section 3.1 in the SMP.

Data Sharing Requirements

1. A major requirement of the Designated Proving Ground is an open and sharing mindset to advance automated technology, safety practices, and enhance mobility. Please confirm willingness to provide information (non‐proprietary). See Section 5.2 in the SMP.

 Safety Requirements 

The  safety  risk  approach  that  has  been  developed  and  implemented  is  based  on  the  following  core principles (See Section 8.2 in the SMP): 

1. Safety risks are identified, assessed and controlled.
2. Team members are involved in the safety management process.
3. Technical experts are involved in the process of identification and assessment.
4. Safety risks and control measures are constantly monitored, and regularly reviewed.
5. All team members, participants, contractors, and emergency response agencies will be informed of safety procedures.
6. All equipment, software, process, and interfaces are compliant with applicable regulations and tested before deployment.

Please demonstrate compliance with the above statements. 

 

Safety Risk Monitoring 

To ensure safety risk controls are effective and new safety risks are identified, the following items will be performed by the Automated Vehicle Tester during testing (See Section 8.4 in the SMP): 

1. Periodic checks during operations on the equipment, software, interfaces, and process.
2. Information will be collected from participants.
3. Reporting and reviewing incidents.
4. Keeping up to date with best practices and lessons learned.
5. Coordinate with other AV deployed sites.
6. Coordination with identified emergency response agencies.
7. Internal reviews.
8. Regular safety communications and updates with the CFAVP team.

Please confirm agreement with the above statements. 

 

 

 


Safety Reviews 

1. Safety reviews support the focus on safety, ensure compliance with the Safety Management Plan, and identify opportunities to improve safety.  Regular assessments help to identify any new safety risk and develop the appropriate control measures.  When the CFAVP team conducts safety reviews they will ensure that a list of requirements is being met. Please confirm willingness to cooperate and provide information during these reviews. See Section 12.3 in the SMP.   

2. The safety incident reporting process is implemented to ensure incidents are being reported and are identified  so  improvements  can  be  made.    The  following  safety  incident  reporting  policy  will  be followed. See Section 12.4 in the SMP: 

Safety incidents will be reported and recorded by the participants and/or team members using the draft incident Report Form in Appendix B. 

Participants will receive guidance on safety reporting during their training. 

Safety incidents will be investigated and the underlying causes identified. 

Serious harm incidents will prompt a review of the SMP. 

A regular review of all safety incidents occurs to identify any trends. 

Please confirm willingness to follow the above procedures. 

 

Mitigate System Threats (See Section 13 in the SMP) 

Please identify how each of the above will be mitigated: 

1. Communication Failure
2. Security
3. Lack of Vehicle maintenance
4. Impacts outside the AV system
5. Handling antenna or sensor malfunction
6. Information Sharing for Public Consumption during Testing
7. Operational and Functional Safety Prevention

Performance Measures 

Measuring the performance of a transportation system provides the means to quantify the progress made toward  attaining  established  goals.    Please  identify  the  performance measures  that will  be  identified during testing and confirm that this information will be provided to the CFAVP. (See Section 15.2 in the SMP) 

1. Identify Quantitative Performance Measures
2. Identify Qualitative Performance Measures

 

Supplemental Checklists 

Supplemental  checklists  are  developed  that  are  specific  to  a  type  of  technology.  If  a  supplemental checklist exists that is relevant, please provide. 


Appendix A: SMP Supplemental Checklist for Truck Platooning Pilot Project 

The  Truck  Platooning pilot  project will  be  comprised of  two  components,  a Demonstration Phase  (As Applicable) and an Operational Phase.  The contact person representing the State of Florida for this pilot project  is  Mr.  Ed  Hutchinson.  Please  send  an  email  to  Ed  Hutchinson,  Project  Manager  at [email protected]

For  those  testers who  are  interested  in  participating  in  the  pilot  project,  please  provide  the minimal requirements and respond to the following application items listed below. 

Administrative Requirements for Pilot Program 

1. A permit will be  issued to each participant for the operational phase of the pilot project.   The Department  will  assist  the  participant  in  obtaining  the  necessary  permit.  Please  confirm willingness to obtain. 

2. Any legal trailer types are allowed. Please confirm legality of trailer.

3. Vehicles will be labeled so that other vehicles and monitoring staff can readily identify the trucks as being capable of Driver Assistive Truck Platooning (DATP). Please provide labeling method (Pictures preferred).

 

Application Questions to Participate in Pilot Program – Please Respond (Identify as Not Applicable if not relevant)

1. What aspects of DATP would you like to evaluate?
2. Would you like to present a demonstration and/or operation phase?
3. What type of freight operations (long haul, short haul) are of interest?
4. What area/highway segment is desired?
5. What dates are preferable to do the testing?
6. What time of day would you prefer to do the testing?
7. What duration/mileage is desired?
8. Would you be willing to operate in varying conditions, including but not limited to, sunny, dry, wet/rainy, foggy and dark conditions?
9. With what range of traffic conditions (light, medium, heavy) and infrastructure configurations (urban highway, rural highway, etc.) would you like to conduct the test? Do you seek a police escort or other methods to “cushion” your operations from regular traffic?
10. How would you suggest handling the question of “signing” of platooning, i.e. a placard on the truck tractor indicating a DATP‐capable vehicle, an indicator for when platooning is active, etc.?
11. What type of trailer configurations would you use?
12. What data would you be willing to provide at the conclusion of each Phase?
13. Are you willing to have selected data from your Phase analysis made part of an FDOT report?


Appendix B ‐ Safety Review Template

Name of the Reviewer: ____________________________ Date Reviewed:_____________________

What type of review? (document, deliverable, deployment, etc.)

Purpose: (General Safety Review, Deployment Review, Manufacturer Information Provided, Audit, Vehicle Check)

Version of the Risk Assessment that was used:

Risk Identification/Classification (ASIL) :

Review Notes:

Any safety issues identified? YES NO

If YES, Describe the issue and course of action?

Were any new safety issues identified that should be added to the safety risk process for the future?    YES NO

If YES, What was the issue(s) identified

Has the Safety Officer been contacted to include and assess the risk? YES NO

Safety Review Sheet

Name (printed) Signature Date


Appendix C ‐ Incident Report Form

DHSMV Crash Report Number: __________________________

Information regarding the person who was involved in the incident

Name: Participant Team Member Public (circle one)

Mode of Travel (Personal Vehicle/Bus/Bicycle, Pedestrian):

Contact Information: Work: Mobile:  Home:

What type of Incident was it?

Near Miss Collision Property Damage

When did the Incident happen?

Date: Time:

What were the weather conditions?

Dry Wet/Rain Windy Fog Sunny

Where did the incident happen?

Location:

What happened in the incident?

Description: (include details)

Was it in a construction zone? YES NO

Witnesses

Name: Contact Number: Email:

Witnesses

Name: Contact Number: Email:

Injuries Involved

Were there any serious injuries?   YES NO

Did an ambulance get called? YES NO

Safety Officer to complete with Incident Information gathered

Were there any contributing factors involved in this incident? Could it have been avoided? YES NO

Was the incident related to an AV technology error? YES NO

Is a review of the Safety Management Plan required? YES NO

Has the Risk Management Process been completed for this safety scenario? (circle one) YES

Recommendation of Action

Any Other Recommendations

DSO to complete form

Safety Officer's Name (printed) Signature Date

APPENDIX D

Federal Automated Vehicles Policy

Accelerating the Next Revolution In Roadway Safety

September 2016


TABLE OF CONTENTS

Introductory Message

Executive Summary

I. Vehicle Performance Guidance for Automated Vehicles

II. Model State Policy

III. NHTSA’s Current Regulatory Tools

IV. Modern Regulatory Tools

Glossary

Appendix I: NHTSA’s Current Regulatory Tools

Appendix II: Regulatory Tools Used by FAA

Appendix III: Next Steps

Notes


INTRODUCTORY MESSAGE

SECRETARY ANTHONY R. FOXX, U.S. DEPARTMENT OF TRANSPORTATION

Technology in transportation is not new. In fact, the airplane, the automobile, the train and the horse-drawn carriage all introduced new opportunities and new complications to the safe movement of people and goods.

As the digital era increasingly reaches deeper into transportation, our task at the U.S. Department of Transportation is not only to keep pace, but to ensure public safety while establishing a strong foundation such that the rules of the road can be known, understood, and responded to by industry and the public. The self-driving car raises more possibilities and more questions than perhaps any other transportation innovation under present discussion. That is as it should be. Possessing the potential to uproot personal mobility as we know it, to make it safer and even more ubiquitous than conventional automobiles and perhaps even more efficient, self-driving cars have become the archetype of our future transportation. Still, important concerns emerge. Will they fully replace the human driver? What ethical judgments will they be called upon to make? What socioeconomic impacts flow from such a dramatic change? Will they disrupt the nature of privacy and security?

Many of these larger questions will require longer and more thorough dialogue with government, industry, academia and, most importantly, the public.

As the Department charged with protecting the traveling public, we recognize three realities that necessitate this guidance. First, the rise of new technology is inevitable. Second, we will achieve more significant safety improvements by establishing an approach that translates our knowledge and aspirations into early guidance. Third, as this area evolves, the “unknowns” of today will become “knowns” tomorrow. We do not intend to write the final word on highly automated vehicles here. Rather, we intend to establish a foundation and a framework upon which future Agency action will occur.

To do so, we have consulted with industry leaders, experts in the field, State government, the traveling public and safety advocates, among others. They have offered their input as we have asked them to share what they know. We thank them and recognize that, as this is a constantly changing area, all of us will continue to evolve.

In addition to formally seeking public comment on this Policy, we also intend to conduct significant public outreach to seek input on our approach. We expect vigorous input and welcome it. Such feedback will inform our next update to this Policy, which we anticipate will be issued within one year and sooner if necessary and appropriate. We very much look forward to the dialogues that will emerge in the coming weeks and months and thank you in advance for helping us.


EXECUTIVE SUMMARY

For the last 50 years, the U.S. Department of Transportation (DOT) has been committed to saving lives and improving safety and efficiency in every way Americans move—by planes, trains, automobiles, bicycles, foot, and more. DOT, through the National Highway Traffic Safety Administration (NHTSA), has carried out that mission on U.S. roadways in part by consistently embracing new technologies that make driving, riding, biking, and walking safer. Twentieth century automobile technologies (such as seat belts, air bags, child seats, and antilock brakes)—developed in the private sector and brought to the nation’s driving public through NHTSA’s safety programs and regulatory authority—are responsible for saving hundreds of thousands of lives.1

Today, the automobile industry is on the cusp of a technological transformation that holds promise to catalyze an unprecedented advance in safety on U.S. roads and highways. The development of advanced automated vehicle safety technologies, including fully self-driving cars, may prove to be the greatest personal transportation revolution since the popularization of the personal automobile nearly a century ago.

For DOT, the excitement around highly automated vehicles (HAVs) starts with safety. Two numbers exemplify the need. First, 35,092 people died on U.S. roadways in 2015 alone. Second, 94 percent of crashes can be tied to a human choice or error.2 An important promise of HAVs is to address and mitigate that overwhelming majority of crashes. Whether through technology that corrects for human mistakes, or through technology that takes over the full driving responsibility, automated driving innovations could dramatically decrease the number of crashes tied to human choices and behavior. HAVs also hold a learning advantage over humans. While a human driver may repeat the same mistakes as millions before them, an HAV can benefit from the data and experience drawn from thousands of other vehicles on the road. DOT is also encouraged about the potential for HAV systems to use other complementary sensor technologies such as vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2I) capabilities to improve system performance. These sensor technologies have their own potential to reduce the number and severity of crashes, and the inclusion of V2V and V2I capabilities could augment the safety and performance of HAV systems.

The benefits don’t stop with safety. Innovations have the potential to transform personal mobility and open doors to people and communities—people with disabilities, aging populations, communities where car ownership is prohibitively expensive, or those who prefer not to drive or own a car—that today have limited or impractical options. Cities will reconsider how space is utilized and how public transit is provided. Infrastructure capacity could be increased without pouring a single new truck load of concrete. HAVs may also have the potential to save energy and reduce air pollution from transportation through efficiency and by supporting vehicle electrification.


Recognizing this great potential, this Policy sets out an ambitious approach to accelerate the HAV revolution. The remarkable speed with which increasingly complex HAVs are evolving challenges DOT to take new approaches that ensure these technologies are safely introduced (i.e., do not introduce significant new safety risks), provide safety benefits today, and achieve their full safety potential in the future. To meet this challenge, we must rapidly build our expertise and knowledge to keep pace with developments, expand our regulatory capability, and increase our speed of execution.

This Policy is an important early step in that effort. We are issuing this Policy as agency guidance rather than in a rulemaking in order to speed the delivery of an initial regulatory framework and best practices to guide manufacturers and other entities in the safe design, development, testing, and deployment of HAVs. In the following pages, we divide the task of facilitating the safe introduction and deployment of HAVs into four sections:

• Vehicle Performance Guidance for Automated Vehicles

• Model State Policy

• NHTSA’s Current Regulatory Tools

• New Tools and Authorities

1. Vehicle Performance Guidance for Automated Vehicles

The Vehicle Performance Guidance for Automated Vehicles (or “Guidance”) section outlines best practices for the safe pre-deployment design, development and testing of HAVs prior to commercial sale or operation on public roads. This Guidance defines “deployment” as the operation of an HAV by members of the public who are not the employees or agents of the designer, developer, or manufacturer of that HAV.

This Guidance is intended to be an initial step to further guide the safe testing and deployment of HAVs. It sets DOT’s expectations of industry by providing reasonable practices and procedures that manufacturers, suppliers, and other entities should follow in the immediate short term to test and deploy HAVs. The data generated from these activities should be shared in a way that allows government, industry, and the public to increase their learning and understanding as technology evolves but protects legitimate privacy and competitive interests.


2. Model State Policy

Today, a motorist can drive across state lines without a worry more complicated than, “did the speed limit change?” The integration of HAVs should not change that ability. Similarly, a manufacturer should be able to focus on developing a single HAV fleet rather than 50 different versions to meet individual state requirements.

State governments play an important role in facilitating HAVs, ensuring they are safely deployed, and promoting their life-saving benefits. The Model State Policy confirms that States retain their traditional responsibilities for vehicle licensing and registration, traffic laws and enforcement, and motor vehicle insurance and liability regimes. Since 2014, DOT has partnered with the American Association of Motor Vehicle Administrators (AAMVA) to explore HAV policies. This collaboration was one of the bases for the Model State Policy framework presented here and identifies where new issues fit within the existing federal/state structure. The shared objective is to ensure the establishment of a consistent national framework rather than a patchwork of incompatible laws.

3. NHTSA’s Current Regulatory Tools

NHTSA will continue to exercise its available regulatory authority over HAVs using its existing regulatory tools: interpretations, exemptions, notice-and-comment rulemaking, and defects and enforcement authority. NHTSA has the authority to identify safety defects, allowing the Agency to recall vehicles or equipment that pose an unreasonable risk to safety even when there is no applicable Federal Motor Vehicle Safety Standard (FMVSS).

To aid regulated entities and the public in understanding the use of these tools (including the introduction of new HAVs), NHTSA has prepared a new information and guidance document. This document provides instructions, practical guidance, and assistance to entities seeking to employ those tools. Furthermore, NHTSA has streamlined its review process and is committing to issuing simple HAV-related interpretations in 60 days, and ruling on simple HAV-related exemption requests in six months.3 NHTSA will publish the section—which has wider application beyond HAVs—in the Federal Register for public review, comment and use.

4. New Tools and Authorities

The more effective use of NHTSA’s existing regulatory tools will help to expedite the safe introduction and regulation of new HAVs. However, because today’s governing statutes and regulations were developed when HAVs were only a remote notion, those tools may not be sufficient to ensure that HAVs are introduced safely, and to realize the full safety promise of new technologies. The speed with which HAVs are advancing, combined with the complexity and novelty of these innovations, threatens to outpace the Agency’s conventional regulatory processes and capabilities.

This challenge requires DOT to examine whether the way DOT has addressed safety for the last 50 years should be expanded to realize the safety potential of automated vehicles over the next 50 years.

Therefore, this section identifies potential new tools, authorities and regulatory structures that could aid the safe and appropriately expeditious deployment of new technologies by enabling the Agency to be more nimble and flexible. There will always be an important role for standards and testing protocols based on careful scientific research and developed through the give-and-take of an open public process. It is likely that additional regulatory tools along with new expertise and research will be needed to allow the Agency to more quickly address safety challenges and speed the responsible deployment of lifesaving technology.

Public Comment

Although most of this Policy is effective immediately upon publication, DOT is also seeking public comment on the entire Policy. While the Agency sought input from various stakeholders during the development of the Policy, it recognizes that not all interested people had a full opportunity to provide such input. Moreover, while this Policy is intended as a starting point that provides needed initial guidance to industry, government, and consumers, it will necessarily evolve over time to meet the changing needs and demands of improved safety and technology. Accordingly, DOT expects and intends this Policy and its guidance to be iterative, changing based on public comment; the experience of the agency, manufacturers, suppliers, consumers, and others; and further technological innovation. DOT intends to revise and refine the Policy periodically to reflect such experience, innovation, and public input. Although it would not be practical to set a specific time for the next iteration, DOT expects to issue the first revised, follow-on Policy sometime within the next year, and at roughly annual intervals thereafter.

A critical input to the continuing development of this HAV Policy is the public notice-and-comment process. Along with this initial Policy, NHTSA is issuing a Request for Comment (RFC) on the Policy, which is available at www.nhtsa.gov/AV, or in the docket for this Policy, NHTSA-2016-0090. That RFC will be open for sixty (60) days. NHTSA will analyze the public comments received during that period and address significant comments in the next revision of this Policy.


Conclusion

The content of this Policy is the product of significant input from stakeholders across the spectrum of voices from the traveling public, traffic safety professionals, researchers, industry, government, the disabled community and others. As technology develops, more data becomes available and new ideas are brought forth, DOT will adapt and supplement this Policy. Within the next year, DOT intends to produce an updated version of this Policy incorporating new data, lessons learned from experience with applying this guidance, and stakeholder input.

New vehicle technologies developed in the 20th century—from seat belts to air bags to child seats—were once controversial. But after having saved hundreds of thousands of American lives, they are now considered indispensable. Advanced technologies developed in the first part of the 21st century—like automatic emergency braking and lane departure warnings—are already making U.S. roads safer. How many more lives might be saved today and in the future with highly automated vehicles? DOT is committed to finding out.

Note on “Levels of Automation”

There are multiple definitions for various levels of automation and for some time there has been need for standardization to aid clarity and consistency. Therefore, this Policy adopts the SAE International (SAE) definitions for levels of automation. The SAE definitions divide vehicles into levels based on “who does what, when.”4 Generally:

• At SAE Level 0, the human driver does everything;

• At SAE Level 1, an automated system on the vehicle can sometimes assist the human driver conduct some parts of the driving task;

• At SAE Level 2, an automated system on the vehicle can actually conduct some parts of the driving task, while the human continues to monitor the driving environment and performs the rest of the driving task;

• At SAE Level 3, an automated system can both actually conduct some parts of the driving task and monitor the driving environment in some instances, but the human driver must be ready to take back control when the automated system requests;

• At SAE Level 4, an automated system can conduct the driving task and monitor the driving environment, and the human need not take back control, but the automated system can operate only in certain environments and under certain conditions; and

• At SAE Level 5, the automated system can perform all driving tasks, under all conditions that a human driver could perform them.


Using the SAE levels, DOT draws a distinction between Levels 0-2 and 3-5 based on whether the human operator or the automated system is primarily responsible for monitoring the driving environment. Throughout this Policy the term “highly automated vehicle” (HAV) represents SAE Levels 3-5 vehicles with automated systems that are responsible for monitoring the driving environment.

An automated vehicle system is a combination of hardware and software (both remote and on-board) that performs a driving function, with or without a human actively monitoring the driving environment. A vehicle has a separate automated vehicle system for each Operational Design Domain such that a SAE Level 2, 3 or 4 vehicle could have one or multiple systems, one for each ODD (e.g., freeway driving, self-parking, geofenced urban driving). SAE Level 5 vehicles have a single automated vehicle system that performs under all conditions. This Policy defines “HAV systems” as automated vehicle systems that are capable of monitoring the driving environment as defined by SAE J3016. HAV systems are SAE Level 3 and higher by definition.5

NHTSA expects manufacturers and entities to classify their HAV system(s) as described in SAE J3016. Examples and the application of classifying HAV systems to the SAE levels of automation can be seen in the paper “Key Considerations in the Development of Driving Automation Systems.”6

Note on Effective Dates of This Policy

As discussed above, most of this Policy is effective on the date of its publication. However, certain elements involving data and information collection will be effective upon the completion of a Paperwork Reduction Act review and process. Those elements are the Safety Assessment for HAV Manufacturers and Other Entities and the Safety Assessment for L2 Systems described in Section I, Vehicle Performance Guidance for Automated Vehicles.


I. VEHICLE PERFORMANCE GUIDANCE FOR AUTOMATED VEHICLES

A. The Guidance

Under current law, manufacturers bear the responsibility to self-certify that all of the vehicles they manufacture for use on public roadways comply with all applicable Federal Motor Vehicle Safety Standards (FMVSS). Therefore, if a vehicle is compliant within the existing FMVSS regulatory framework and maintains a conventional vehicle design, there is currently no specific federal legal barrier to an HAV being offered for sale.7

However, manufacturers and other entities designing new automated vehicle systems are subject to NHTSA’s defects, recall and enforcement authority.8 DOT anticipates that manufacturers and other entities planning to test and deploy HAVs will use this Guidance, industry standards and best practices to ensure that their systems will be reasonably safe under real-world conditions.

The Agency expects to pursue follow-on actions to this Guidance, such as performing additional research in areas such as benefits assessment, human factors, cybersecurity, performance metrics, objective testing, and others as they are identified in the future. As discussed, DOT further intends to hold public workshops and obtain public comment on this Guidance and the other elements of the Policy. This Guidance highlights important areas that manufacturers and other entities designing HAV systems should be considering and addressing as they design, test, and deploy HAVs. This Guidance is not mandatory. NHTSA may consider, in the future, proposing to make some elements of this Guidance mandatory and binding through future regulatory actions. This Guidance is not intended for States to codify as legal requirements for the development, design, manufacture, testing, and operation of automated vehicles. Additional next steps are outlined at the end of this Guidance.

B. Scope

This Guidance should be considered by all individuals and companies manufacturing, designing, testing, and/or planning to sell automated vehicle systems in the United States. These include traditional vehicle manufacturers and other entities involved with manufacturing, designing, supplying, testing, selling, operating, or deploying highly automated vehicles. These entities include, but are not limited to, equipment designers and suppliers, entities that outfit any vehicle with automation capabilities or HAV equipment for testing, for commercial sale, and/or for use on public roadways, transit companies, automated fleet operators, “driverless” taxi companies, and any other individual or entity that offers services utilizing highly automated vehicles.

This Guidance is intended for vehicles that are tested and deployed for use on public roadways. This includes light-, medium-, and heavy-duty vehicles. This Guidance targets vehicles that incorporate HAV systems, such as those for which there is no human driver at all, or for which the human driver can give control to the HAV system and is not expected to perform any driving-related tasks for a period of time.

The Guidance should be applied to both test- and production-level vehicles. If a vehicle is operated by members of the public who are not the employees or agents of the manufacturer or other testing/production entities, the Guidance considers that operation to be deployment (not testing).

For use on public roadways, automated vehicles must meet all applicable FMVSS. If a manufacturer or other entity wishes to test or operate a vehicle that would not meet applicable safety standards, “[t]he Agency encourages manufacturers to, when appropriate, seek use of NHTSA’s exemption authority to field test fleets that can demonstrate the safety benefits of fully autonomous vehicles.”9 This statement also applies to entities that traditionally may not be considered “manufacturers” (e.g., alterers and modifiers) under NHTSA’s regulations.10

In addition to safety, automated vehicles can provide significant, life-altering mobility benefits for persons with disabilities, older persons, and others who may not be considered in conventional design programs. DOT encourages manufacturers and other entities to consider the full array of users and their specific needs during the development process.

C. Overview: DOT’s Vehicle Performance Guidance

Figure I provides the framework for DOT’s Vehicle Performance Guidance. It is the manufacturer or other entity’s responsibility to determine their system’s AV level in conformity with SAE International’s published definitions. (NHTSA will review manufacturers’ automation level designations and advise the manufacturer if the Agency disagrees with the level assigned by the manufacturer.) The figure identifies the key areas to be addressed by manufacturers and other entities prior to testing or deploying the vehicle on public roadways.

The framework applies to both test and production vehicles. It applies to both automated systems’ original equipment, and to replacement equipment or updates (including software updates/upgrades) to automated systems. It includes areas that are cross-cutting (i.e., areas that apply to all automation functions on the vehicle), as well as areas that apply to each specific automation function on the vehicle. Cross-cutting areas include: data recording and sharing, privacy, system safety, cybersecurity, Human-Machine Interface (HMI), crashworthiness, and consumer education and training. Areas that are specific to each vehicle automation function are: description of the Operational Design Domain (ODD), Object and Event Detection and Response (OEDR), and fall back minimum risk condition.

To apply the Guidance framework, a manufacturer or other entity should start by ensuring certification to all applicable FMVSS standards or, if needed, request an interpretation or exemption from NHTSA. Section III of this Policy, NHTSA’s Current Regulatory Tools, provides more information on interpretations and exemptions. The manufacturer or other entity should then follow existing DOT identification/registration requirements (described in 49 CFR Parts 566 and 567).

For all HAV systems, the manufacturer or other entity should address the cross-cutting items as a vehicle or equipment is designed and developed to ensure that the vehicle has data recording and sharing capabilities; that it has applied appropriate functional safety and cybersecurity best practices; that HMI design best practices have been followed; that appropriate crashworthiness/occupant protection has been designed into the vehicle; and that consumer education and training have been addressed.

In addition to the cross-cutting items, for each specific HAV system, the manufacturer or other entity should clearly define the ODD and the corresponding SAE level to which this system maps. The ODD, which may vary for each HAV system, will define the conditions in which that function is intended to operate with respect to roadway types, geographical location, speed range, lighting conditions for operation (day and/or night), weather conditions, and other operational domain constraints. A well-defined ODD is necessary to determine what OEDR capabilities are required for the HAV to safely operate within the intended domain. OEDR requirements are derived from an evaluation of normal driving scenarios, expected hazards (e.g., other vehicles, pedestrians), and unspecified events (e.g., emergency vehicles, temporary construction zones) that could occur within the operational domain.

Figure I: Framework for Vehicle Performance Guidance

[Figure omitted. Panels and their items:

Scope & Process Guidance: Test/Production Vehicle; FMVSS Certification/Exemption; HAV Registration.

Guidance Applicable to All HAV Systems on the Vehicle: Data Recording and Sharing; Privacy; System Safety; Vehicle Cybersecurity; Human-Machine Interface; Crashworthiness; Consumer Education and Training; Post-Crash Vehicle Behavior; Federal, State and Local Laws; Ethical Considerations.

Guidance Specific to Each HAV System: Describe the ODD (Where does it operate?): Geographic Location, Roadway Type, Speed, Day/Night, Weather Conditions, Other Domain Constraints; Object and Event Detection and Response: Normal Driving, Crash Avoidance - Hazards; Fall Back Minimal Risk Condition: Driver, System; Testing and Validation: Simulation, Track, On-Road.]

The fall back minimal risk condition portion of the framework is also specific to each HAV system. Defining, testing, and validating a fall back minimal risk condition ensures that the vehicle can be put in a minimal risk condition in cases of HAV system failure or a failure in a human driver’s response when transitioning from automated to manual control.

Finally, as shown in Figure I, tests should be developed and conducted that can evaluate (through a combination of simulation, test track or roadways) and validate that the HAV system can operate safely with respect to the defined ODD and has the capability to fall back to a minimal risk condition when needed.

D. Safety Assessment Letter to NHTSA

To aid NHTSA in monitoring HAVs, the Agency will request that manufacturers and other entities voluntarily provide reports regarding how the Guidance has been followed. This reporting process may be refined and made mandatory through a future rulemaking. It is expected that this would require entities to submit a Safety Assessment to NHTSA’s Office of the Chief Counsel for each HAV system, outlining how they are meeting this Guidance at the time they intend their product to be ready for use (testing or deployment) on public roads. This Safety Assessment would assist NHTSA, and the public, in evaluating how safety is being addressed by manufacturers and other entities developing and testing HAV systems.

The Safety Assessment would cover the following areas:

• Data Recording and Sharing

• Privacy

• System Safety

• Vehicle Cybersecurity

• Human Machine Interface

• Crashworthiness

• Consumer Education and Training

• Registration and Certification

• Post-Crash Behavior

• Federal, State and Local Laws

• Ethical Considerations

• Operational Design Domain

• Object and Event Detection and Response

• Fall Back (Minimal Risk Condition)

• Validation Methods

The contemplated summary letter would be concise and complete. Manufacturers and other entities could submit more information if they believe that it is necessary to more fully convey their process, plan, approach, or other areas. The Agency might request more detailed information on Guidance areas to better assess safety aspects of the HAV systems. For each area, the Safety Assessment should include an acknowledgement that indicates one of three options:

• Meets this guidance area ______

• Does not meet this guidance area ______

• This guidance area is not applicable ______

Next to the checked line item, the submitter should include the name, title, and signature of an authorized company official and the date. This would be repeated for each area covered in the letter. This is intended to ensure appropriate transparency, awareness, and oversight within the submitting organization.

This provision of the Guidance will not take effect until after NHTSA completes the process required by the Paperwork Reduction Act (PRA). Once that process is complete, any resulting adjustments have been made, and NHTSA has published a notification in the Federal Register, this reporting provision of the Guidance will be effective. For HAV systems already being tested and deployed, NHTSA expects that manufacturers and other entities will provide a Safety Assessment within four months after the completion of the PRA process, understanding that manufacturers and entities may wish to supplement their submissions over time. Similarly, for vehicles introduced, tested, or deployed either while the PRA process is pending or after the PRA process has been completed, NHTSA would expect manufacturers and other entities to provide a Safety Assessment at least four months before active public road testing begins on a new automated feature.11

NHTSA expects a manufacturer or entity to submit a new Safety Assessment letter to the Agency when any significant update(s) to a vehicle or HAV system is made. A significant update is one that would result in a new safety evaluation for any of the 15 safety assessment areas. The purpose of the updated letter would be to describe for the agency the nature of the update, its expected impact on performance and other relevant information consistent with the intent of the safety assessment letter.

Software and Hardware Updates

For HAV systems deployed on public roadways for testing or production purposes, the Agency envisions that manufacturers and other entities will likely update the vehicle’s software through over-the-air updates or other means. For model updates, new vehicle platforms, or other advancements in technology, hardware may change and/or be updated.

If these software or hardware updates materially change the way in which the vehicle complies (or take it out of compliance) with any of the 15 elements of the Guidance (e.g., vehicle’s ODD, OEDR capability, or fall back approach), the agency would deem the update to be one that would necessitate provision of a Safety Assessment to the agency summarizing that particular change.

For example, with respect to the ODD, if a software or hardware update changes the capabilities of the HAV system with respect to speed range, roadway types on which it operates, geographic areas of operation, or environmental conditions of operation (weather, day/nighttime), these would all be significant changes to the operational domain of the HAV system and have safety implications that the agency needs to monitor. Therefore, the manufacturer should submit a new Safety Assessment for those capabilities.

For HAV OEDR capability, if there is a change to the set of normal driving scenarios (behavioral competencies) or pre-crash scenarios that the HAV system has the capability to address as a result of a software or hardware update, then this should also be summarized in a revised Safety Assessment.

Similarly, as discussed in section F, manufacturers should have a fall back approach that transitions a vehicle to a minimal risk condition when a problem is encountered with an HAV system. If the fall back strategy and the resulting implementation for achieving a minimum risk condition is changed by a software or hardware change, this change should be addressed in a new or revised Safety Assessment.

E. Cross-Cutting Areas of Guidance

1. Data Recording and Sharing

Manufacturers and other entities should have a documented process for testing, validation, and collection of event, incident, and crash data, for the purposes of recording the occurrence of malfunctions, degradations, or failures in a way that can be used to establish the cause of any such issues. Data should be collected for both testing and operational (including for event reconstruction) purposes. As discussed below in the privacy section, collection, recording, sharing, storage, auditing, and deconstruction of data recorded by a manufacturer, including but not limited to when crash events occur, must be strictly in accordance with the manufacturer’s consumer privacy and security agreements and notices.

For crash reconstruction purposes (including during testing), this data should be stored, maintained, and readily available for retrieval by the entity itself and by NHTSA. DOT recommends that manufacturers and other entities collect data associated with events involving: (1) fatalities and personal injuries or (2) damage to the extent that any motor vehicle involved cannot be driven under its own power in the customary manner, without further damage or hazard to itself, other traffic elements, or the roadway, and therefore requires towing. Vehicles should record, at a minimum, all information relevant to the event and the performance of the system, so that the circumstances of the event can be reconstructed. This data should also contain information relating to the status of the HAV system and if the HAV system or the human driver was in control of the vehicle at the time. Manufacturers or other entities should have the technical and legal capability to share the relevant recorded information.

To develop new safety metrics, manufacturers and other entities should collect, store and analyze data regarding positive outcomes in addition to the type of reporting conditions listed above (event, incident, and crash data). Positive outcomes are events in which the HAV system correctly detects a safety-relevant situation, and successfully avoids an incident (e.g., “near misses” and edge cases). This data includes safety-related events such as near-crashes between HAVs and other vehicles or road users (e.g., pedestrians and bicyclists). There is value in collecting data (and making it available during full operational use) that captures events in which the automated function correctly detects and identifies an unsafe maneuver initiated by another road user (e.g., another motor vehicle or pedestrian), and executes an appropriate response that successfully avoids an event, incident, or crash.

HAVs have great potential to use data sharing to enhance and extend safety benefits. Thus, each entity should develop a plan for sharing its event reconstruction and other relevant data with other entities. Such shared data would help to accelerate knowledge and understanding of HAV performance, and could be used to enhance the safety of HAV systems and to establish consumer confidence in HAV technologies. Generally, data shared with third parties should be de-identified (i.e., stripped of elements that make the data directly or reasonably linkable to a specific HAV owner or user).12 Manufacturers and other entities should take steps to ensure that data shared is in accordance with privacy and security agreements and notices applicable to the vehicle (which typically permit sharing of de-identified data) or with owner/user consent.

Data sharing is a rapidly evolving area that requires more research and discussion among stakeholders to develop consensus on data standards. For example, many manufacturers and other entities likely will want the ability to retrieve the data from vehicles they manufacture or sell, and store the data for some period of time. The industry as a whole should work together with relevant standards bodies (IEEE, SAE International, etc.) to develop a uniform approach to address data recording and sharing. All manufacturers and other entities should also participate in the Early Warning Reporting13 program and should submit the EWR information quarterly regardless of total production volume. Additionally, the data intended to be shared through a third party should not contain any personally identifiable information.

This provision of the guidance will not take effect until after NHTSA completes the PRA process for its data collection and reporting requirements. Once that process is complete, any resulting adjustments have been made, and NHTSA has published a notification in the Federal Register, this provision of the Guidance will be effective.

2. Privacy

The Department and the Administration strongly believe in protecting individuals’ right to privacy. This is exemplified by the White House Consumer Privacy Bill of Rights14 and the Federal Trade Commission’s privacy guidance. In November 2014, the Alliance of Automobile Manufacturers and the Association of Global Automakers published Privacy Principles for Vehicle Technologies and Services.15 Given these available resources, HAV manufacturers and other entities, either individually or as an industry, should take steps to protect consumer privacy.16 Manufacturers’ privacy policies and practices should ensure:

a. Transparency: provide consumers with accessible, clear, meaningful data privacy and security notices/agreements which should incorporate the baseline protections outlined in the White House Consumer Privacy Bill of Rights and explain how Entities collect, use, share, secure, audit, and destroy data generated by, or retrieved from, their vehicles;

b. Choice: offer vehicle owners choices regarding the collection, use, sharing, retention, and deconstruction of data, including geolocation, biometric, and driver behavior data that could be reasonably linkable to them personally (i.e., personal data);

c. Respect for Context: use data collected from production HAVs only in ways that are consistent with the purposes for which the data originally was collected (as explained in applicable data privacy notice/agreements);

d. Minimization, De-Identification and Retention: collect and retain only for as long as necessary the minimum amount of personal data required to achieve legitimate business purposes, and take steps to de-identify sensitive data where practical, in accordance with applicable data privacy notices/agreements and principles;

e. Data Security: implement measures to protect data that are commensurate with the harm that would result from loss or unauthorized disclosure of the data;

f. Integrity and Access: implement measures to maintain the accuracy of personal data and permit vehicle operators and owners to review and correct such information when it is collected in a way that directly or reasonably links the data to a specific vehicle or person; and

g. Accountability: take reasonable steps, through such activities as evaluation and auditing of privacy and data protections in its approach and practices, to ensure that the entities that collect or receive consumers’ data comply with applicable data privacy and security agreements/notices.

3. System Safety

Manufacturers and other entities should follow a robust design and validation process based on a systems-engineering approach with the goal of designing HAV systems free of unreasonable safety risks. This process should encompass designing the intended functions such that the vehicle will be placed in a safe state even when there are electrical, electronic, or mechanical malfunctions or software errors.

The overall process should adopt and follow industry standards, such as the functional safety process standard for road vehicles,17 and collectively cover the entire design domain of the vehicle. Manufacturers and other entities should follow guidance, best practices, design principles, and standards developed by established standards organizations such as International Standards Organization (ISO) and SAE International, as well as standards and processes available from other industries such as aviation, space, and the military (e.g., the U.S. Department of Defense standard practice on system safety18), as they are relevant and applicable. See NHTSA’s June 2016 report, “Assessment of Safety Standards for Automotive Electronic Control Systems,” for an evaluation of the strengths and limitations of such standards, which the Agency believes could support the future development of a robust functional safety approach for automotive electronic control systems.19

The process should include a hazard analysis and safety risk assessment step for the HAV system, the overall vehicle design into which it is being integrated, and when applicable, the broader transportation system.

The process should describe design redundancies and safety strategies for handling cases of HAV system malfunctions.

The process should place significant emphasis on software development, verification and validation. The software development process should be well-planned, well-controlled, and well-documented to detect and correct unexpected results from software development and changes. Thorough and measurable software testing should complement a structured and documented software development process. The automotive industry should monitor the evolution, implementation, and safety assessment of Artificial Intelligence (AI), machine learning, and other relevant software technologies and algorithms to improve the effectiveness and safety of HAVs.

Design decisions should be linked to the assessed risks that could impact safety-critical system functionality. Design safety considerations should include, but not be limited to, design architecture, sensor, actuator, and communication failure; potential software errors; reliability; potential inadequate control and undesirable control actions; potential collisions with environmental objects and other road users, potential collisions that could be caused by actions of the HAV system; leaving the roadway, loss of traction or stability, and violation of traffic laws and deviations from normal (expected) driving practices.

All design decisions should be tested, validated, and verified as individual subsystems and as part of the entire vehicle architecture.

The entire process should be fully documented and all changes, design choices, analyses, associated testing and data should be fully traceable.20

4. Vehicle Cybersecurity

Manufacturers and other entities21 should follow a robust product development process based on a systems-engineering approach to minimize risks to safety, including those due to cybersecurity threats and vulnerabilities. This process should include systematic and ongoing safety risk assessment for the HAV system, the overall vehicle design into which it is being integrated, and when applicable, the broader transportation ecosystem. The identification, protection, detection, response, and recovery functions should be used to enable risk management decisions, address risks and threats, and enable quick response to and learning from cybersecurity events.

While this is an evolving area and more research is necessary before proposing a regulatory standard, entities are encouraged to design their HAV systems following established best practices for cyber physical vehicle systems. In particular, entities should consider and incorporate guidance, best practices, and design principles published by National Institute for Standards and Technology (NIST), NHTSA, SAE International, the Alliance of Automobile Manufacturers, the Association of Global Automakers, the Automotive Information Sharing and Analysis Center (ISAC)22 and other relevant organizations.

The entire process of incorporating cybersecurity considerations should be fully documented and all actions, changes, design choices, analyses, associated testing and data should be traceable within a robust document version control environment.23

As with safety data, industry sharing on cybersecurity is important. Each industry member should not have to experience the same cyber vulnerabilities in order to learn from them. That is the purpose of the Auto-ISAC, to promote group learning. To that end entities should report any and all discovered vulnerabilities from field incidents, internal testing, or external security research to the Auto-ISAC as soon as possible, regardless of membership. Entities involved with HAVs should consider adopting a vulnerability disclosure policy.

5. Human Machine Interface

Understanding the interaction between the vehicle and the driver (commonly referred to as “human machine interface (HMI)”) has always played an important role in the automotive design process. New complexity is introduced as HAVs take on driving functions, in part because the vehicle must be capable of accurately conveying information to the human driver regarding intentions and vehicle performance. This is particularly true of SAE Level 3 systems in which human drivers are expected to return to the task of monitoring and be available to take over driving responsibilities, but drivers’ ability to do so is limited by humans’ capacity for staying alert when disengaged from the driving task. Manufacturers and other entities should consider whether it is reasonable and appropriate to incorporate driver engagement monitoring to Level 3 HAV systems. Furthermore, manufacturers and other entities should consider how HAVs will signal intentions to the environment around the vehicle, including pedestrians, bicyclists, and other vehicles.

Manufacturers and other entities should have a documented process for the assessment, testing, and validation of the vehicle HMI. Considerations should be made for the human driver, operator, occupant(s), and external actors with whom the HAV may have interactions (other vehicles, pedestrians, etc.).24 HMI design should also consider the need to communicate information to pedestrians, conventional vehicles, and automated vehicles regarding the HAV’s state of operation relevant to the circumstance (e.g., whether the HAV system identified a pedestrian at an intersection and is yielding).

Given the rapidly evolving nature of this area and ongoing research, manufacturers and other entities should consider and apply the guidance, best practices, and design principles published by SAE International, ISO, NHTSA, American National Standards Institute (ANSI), the International Commission on Illumination (CIE) and other relevant organizations.

At a minimum, indicators should be capable of informing the human operator or occupant that the HAV system is:

1. Functioning properly;

2. Currently engaged in automated driving mode;

3. Currently “unavailable” for automated driving;

4. Experiencing a malfunction with the HAV system; and

5. Requesting control transition from the HAV system to the operator.

In fully automated vehicles, manufacturers and other entities should design their HMI to accommodate people with disabilities (e.g., through visual, auditory, and haptic displays).25

In designs where an HAV is intended to operate without a human driver or occupant, the remote dispatcher or central control authority should be able to know the status of the HAV at all times. Examples of these may include automated delivery vehicles, last mile special purpose ground drones, and automated maintenance vehicles.

6. Crashworthiness

a. Occupant Protection

An HAV is expected to meet NHTSA crashworthiness standards, because, regardless of the effectiveness of crash avoidance capabilities of an HAV, manufacturers and other entities still need to consider the possibility of another vehicle crashing into them. Furthermore, entities should develop and incorporate new occupant protection systems that use information from the advanced sensing technologies needed for HAV operation to provide enhanced protection to occupants of all ages and sizes. Regardless of whether the HAV is operating in fully automated mode or is being driven by a human driver, the occupant protection system should maintain its intended performance level in the event of a sensor failure.

In addition to the seating configurations evaluated in current standards, the HAV manufacturer and other entities should exercise and demonstrate due care to provide countermeasures that will fully protect all occupants given any planned seating or interior configurations. The tools to demonstrate such due care need not be limited to physical testing but also could include virtual tests with vehicle and human body models.

b. Compatibility

The expectation of due care also extends to the crash safety performance of non-occupied automated vehicles. These vehicles should provide geometric and energy absorption crash compatibility with existing vehicles on the road.26 HAVs intended for product or service delivery or other non-occupied use scenarios should conform to vehicle crash compatibility expectations appropriate for that vehicle type.

7. Consumer Education and Training

Proper education and training is imperative to ensure safe deployment of automated vehicles. Therefore, manufacturers and other entities should develop, document, and maintain employee, dealer, distributor, and consumer education and training programs to address the anticipated differences in the use and operation of HAVs from those of the conventional vehicles that the public owns and operates today.27 Such programs should be designed to provide the target users the necessary level of understanding to use these technologies properly, efficiently, and in the safest manner possible.

Entities should ensure that their staff, including but not limited to their marketing and sales forces, understand the technology and can educate and train dealers, distributors and end consumers.

Consumer education should cover topics such as an HAV system’s intent, operational parameters, capabilities and limitations, engagement/disengagement methods, HMI, emergency fall back scenarios, operational boundary responsibilities, and potential mechanisms that could change function behavior in service.

As part of their education and training programs, HAV manufacturers, dealers, and distributors should consider including an on-road or on-track hands-on experience demonstrating HAV operations and HMI functions prior to release to the consumer. Other innovative approaches (e.g., virtual reality) should be considered, tested, and employed as well. These programs should be continually evaluated for their effectiveness and updated on a routine basis, incorporating feedback from dealers, customers, and other data sources.

8. Registration and Certification

NHTSA understands that vehicles may change levels of automation over the vehicle’s lifecycle as a result of software updates. As more HAVs are tested and sold commercially to be used on public roadways, older vehicles may be modified to provide similar functionality to new vehicles. As new features and technologies are introduced to the market, manufacturers may choose to modify a vehicle’s current level of automation to more advanced levels, even if the hardware was produced years previously.

NHTSA currently requires manufacturers of motor vehicles and motor vehicle equipment that produce FMVSS relevant products to submit identifying information and a description of the items they produce (See 49 CFR Part 566, Manufacturer Identification). Manufacturers and other entities also should submit to the Agency identifying information and a description of the items they produce for use by or in coordination with HAV systems and features.28

Further, manufacturers should also provide on-vehicle means to readily communicate concise information regarding the key capabilities of their HAV system to human drivers and owners of such vehicles. For example, manufacturers and other entities working with completed vehicles could provide additional semi-permanent labeling to the vehicle, either in sight of where a human driver would be sitting, or if not practical, on the door-latch post next to the front left seating position. Information provided within the vehicle could include the function’s capabilities, the operational design domain(s) and reference to persons or places where the owner can get more detailed information. Also, as software and/or hardware may be updated over the life of the vehicle to provide additional or updated capabilities, information provided on-board the vehicle should also be updated to reflect these changes.

Manufacturers and other entities should fully describe the capabilities and limitations of the HAV systems in each operational design domain, including operational speeds, geographical areas, weather conditions and other pertinent information in the vehicle’s owners and/or operator’s manual, or through an in-vehicle HMI.

9. Post-Crash Behavior

Manufacturers and other entities should have a documented process for the assessment, testing, and validation of how their HAV is reinstated into service after being involved in a crash.29 If sensors or critical safety control systems are damaged, the vehicle should not be allowed to operate in HAV mode. When problems are diagnosed, the HAV should be maintained in a minimal risk condition until properly serviced.

10. Federal, State and Local Laws

Manufacturers and other entities should have documented plans detailing how they intend to comply with all applicable Federal, State, and local laws.30 Based on the ODD, the HAV should obey governing traffic laws and follow the rules of the road for the region of operation.

In certain safety-critical situations (e.g., having to cross double lines on the roadway to travel safely past a broken-down vehicle on the road, other road hazard avoidance, etc.) human drivers currently have the ability to temporarily violate certain State motor vehicle driving laws. It is expected that HAVs have the capability of handling such foreseeable events safely. Also, manufacturers or other entities should have a documented process for independent assessment, testing, and validation of these plausible cases. The manufacturers and other entities may wish to consider recording data that may be necessary to prove that actions taken by the HAV system were safety-promoting.

Traffic laws vary from State to State (and even city to city); the HAV should be able to follow all laws that apply to its ODD. This should include speed limits, traffic control devices, one-way streets, access restrictions (e.g., crosswalks, bike lanes), U-turns, right-on-red situations, metering ramps, and other traffic circumstances and situations. Given that laws and regulations will inevitably change over time, manufacturers and other entities should develop processes to update and adapt HAV systems to address new or changed legal requirements.

11. Ethical Considerations

Various decisions made by an HAV’s computer “driver” will have ethical dimensions or implications. Different outcomes for different road users may flow from the same real-world circumstances depending on the choice made by an HAV computer, which, in turn, is determined by the programmed decision rules or machine learning procedures.31 Even in instances in which no explicit ethical rule or preference is intended, the programming of an HAV may establish an implicit or inherent decision rule with significant ethical consequences. Manufacturers and other entities, working cooperatively with regulators and other stakeholders (e.g., drivers, passengers and vulnerable road users), should address these situations to ensure that such ethical judgments and decisions are made consciously and intentionally.

Three reasonable objectives of most vehicle operators are safety, mobility, and legality. In most instances, those three objectives can be achieved simultaneously and without conflict. In some cases, achievement of those objectives may come into conflict. For example, most States have a law prohibiting motor vehicles from crossing a double-yellow line in the center of a roadway. When another vehicle on a two-lane road is double-parked or otherwise blocking a vehicle’s travel lane, the mobility objective (to move forward toward an intended destination) may come into conflict with safety and legality objectives (e.g., avoiding risk of crash with oncoming car and obeying a law). An HAV confronted with this conflict could resolve it in a few different ways, depending on the decision rules it has been programmed to apply, or even settings applied by a human driver or occupant.

Similarly, a conflict within the safety objective can be created when addressing the safety of one car’s occupants versus the safety of another car’s occupants. In such situations, it may be that the safety of one person may be protected only at the cost of the safety of another person. In such a dilemma situation, the programming of the HAV will have a significant influence over the outcome for each individual involved.

Since these decisions potentially impact not only the automated vehicle and its occupants but also surrounding road users, the resolution to these conflicts should be broadly acceptable. Thus, it is important to consider whether HAVs are required to apply particular decision rules in instances of conflicts between safety, mobility, and legality objectives. Algorithms for resolving these conflict situations should be developed transparently using input from Federal and State regulators, drivers, passengers and vulnerable road users, and taking into account the consequences of an HAV’s actions on others.

F. Automation Function

1. Operational Design Domain

The manufacturer or other entity should define and document the Operational Design Domain (ODD) for each HAV system available on their vehicle as tested or deployed for use on public roadways.32 The ODD should describe the specific operating domain(s) in which the HAV system is designed to properly operate. The defined ODD should include the following information to define HAV systems’ capabilities:

• Roadway types on which the HAV system is intended to operate safely;

• Geographic area;

• Speed range;

• Environmental conditions in which the HAV will operate (weather, daytime/nighttime, etc.); and

• Other domain constraints.

For each HAV system, the manufacturer or other entity should have a documented process and procedure for the assessment, testing, and validation of the system’s capabilities.

Manufacturers and other entities should develop tests and verification methods to assess their HAV systems’ capabilities to ensure a high level of safety. In the future, as DOT develops more experience and expertise with HAV systems, NHTSA may promulgate specific performance tests and standards. Presently, manufacturers and other entities should develop and apply tests and standards to establish the safe ODD for each HAV system.

An HAV should be able to operate safely within the ODD for which it is designed. In situations where the HAV is outside of its defined ODD or in which conditions dynamically change to fall outside of the HAV’s ODD, the vehicle should transition to a minimal risk condition. The vehicle should give a clear indication of the type outlined in the HMI section to the occupants that it is switching to a minimal risk condition and that the HAV system is not available.

To better inform human drivers and vehicle operators, the ODD should also be described in summary form and in plain language in the vehicle owner’s manual, including a clear description of the conditions in which the vehicle’s HAV system(s) is and is not intended to operate. These instructions should aid the human driver or operator of the vehicle to easily understand the capabilities and limitations of each HAV system.

2. Object and Event Detection and Response

Object and Event Detection and Response (OEDR)33 refers to the detection by the driver or HAV system of any circumstance that is relevant to the immediate driving task, as well as the implementation of the appropriate driver or HAV system response to such circumstance. For purposes of this Guidance, the HAV system is responsible for performing the OEDR while in its ODD and automation is engaged.

Entities should have a documented process for assessment, testing, and validation of their OEDR capabilities.34 Within its ODD, an HAV’s OEDR functions are expected to be able to detect and respond to other vehicles (in and out of its travel path), pedestrians, cyclists, animals, and objects that could affect safe operation of the HAV.

Within its ODD, an HAV’s OEDR should be able to deal with a variety of conditions, including emergency vehicles, temporary work zones, and other unusual conditions (e.g., police manually directing traffic, construction worker controlling traffic, emergency response workers) that may impact safe operations of an HAV.

a. Normal Driving

Manufacturers and other entities should have a documented process for assessment, testing, and validation of a variety of behavioral competencies that are applicable for the HAV.35 Behavioral competency refers to the ability of an automated vehicle to operate in the traffic conditions that it will regularly encounter, including keeping the vehicle in the lane, obeying traffic laws, following reasonable etiquette, and responding to other vehicles, road users, or commonly encountered hazards.36

The example set of behavioral competencies below has been adapted from research performed by California PATH:37

• Detect and Respond to Speed Limit Changes and Speed Advisories

• Perform High-Speed Merge (e.g., Freeway)

• Perform Low-Speed Merge

• Move Out of the Travel Lane and Park (e.g., to the Shoulder for Minimal Risk)

• Detect and Respond to Encroaching Oncoming Vehicles

• Detect Passing and No Passing Zones and Perform Passing Maneuvers

• Perform Car Following (Including Stop and Go)

• Detect and Respond to Stopped Vehicles

• Detect and Respond to Lane Changes

• Detect and Respond to Static Obstacles in the Path of the Vehicle

• Detect Traffic Signals and Stop/Yield Signs

• Respond to Traffic Signals and Stop/Yield Signs

• Navigate Intersections and Perform Turns

• Navigate Roundabouts

• Navigate a Parking Lot and Locate Spaces

• Detect and Respond to Access Restrictions (One-Way, No Turn, Ramps, etc.)

• Detect and Respond to Work Zones and People Directing Traffic in Unplanned or Planned Events

• Make Appropriate Right-of-Way Decisions

• Follow Local and State Driving Laws

• Follow Police/First Responder Controlling Traffic (Overriding or Acting as Traffic Control Device)

• Follow Construction Zone Workers Controlling Traffic Patterns (Slow/Stop Sign Holders)

• Respond to Citizens Directing Traffic After a Crash

• Detect and Respond to Temporary Traffic Control Devices

• Detect and Respond to Emergency Vehicles

• Yield for Law Enforcement, EMT, Fire, and Other Emergency Vehicles at Intersections, Junctions, and Other Traffic Controlled Situations

• Yield to Pedestrians and Bicyclists at Intersections and Crosswalks

• Provide Safe Distance From Vehicles, Pedestrians, Bicyclists on Side of the Road

• Detect/Respond to Detours and/or Other Temporary Changes in Traffic Patterns

The full list of behavioral competencies a particular HAV system would be expected to demonstrate and routinely perform will depend on the HAV system, its ODD, and the fall back method. Manufacturers and other entities should consider all known behavioral competencies and document detailed reasoning for those which they consider to be inapplicable. Further, they should fully document methods by which they implement, validate, test and demonstrate applicable behavioral competencies.

b. Crash Avoidance Capability – Hazards

Based on the ODD, the HAV should be able to address pre-crash scenarios38 that relate to control loss, crossing path crashes, lane change/merge, head-on and opposite direction, rear-end, road departure, and low speed situations such as backing and parking maneuvers.39 Depending on the ODD, an HAV is expected to handle many of the pre-crash scenarios that are defined in the U.S. DOT report “Benefits Estimation Framework for Automated Vehicle Operations.”40

Events such as road repair and construction changes in traffic patterns, traffic flow directed by a police officer, disabled vehicles in travel lane, and other events should be addressed if they reasonably could be anticipated for a given ODD. In cases where the HAV cannot operate safely, the HAV should fall back to a minimal risk condition.

Manufacturers and other entities should have a documented process for assessment, testing, and validation of their crash avoidance capabilities and design choices.41

3. Fall Back (Minimal Risk Condition)

Manufacturers and other entities should have a documented process for transitioning to a minimal risk condition when a problem is encountered.42 HAVs operating on the road should be capable of detecting that their HAV systems have malfunctioned, are operating in a degraded state, or are operating outside of their ODD, and of informing the human driver in a way that enables the driver to regain proper control of the vehicle or allows the HAV system to return to a minimal risk condition43 independently.

Fall back strategies should take into account that—despite laws and regulations to the contrary—human drivers may be inattentive, under the influence of alcohol or other substances, drowsy, or physically impaired in some other manner.

Fall back actions should be administered in a manner that will facilitate safe operations of the vehicle and minimize erratic driving behavior. Such fall back actions should also minimize the effects of errors in human driver recognition and decision-making during and after transitions to manual control.

In cases of higher automation where a human driver may not be present, the HAV must be able to fall back into a minimal risk condition that may not include a driver.

A minimal risk condition will vary according to the type and extent of a given failure, including automatically bringing the vehicle safely to a stop, preferably outside of an active lane of traffic (assuming availability). Manufacturers and other entities should have a documented process for assessment, testing, and validation of their fall back approaches.

4. Validation Methods

Given that the scope, technology, and capabilities vary widely for different automation functions, manufacturers and other entities should develop tests and validation methods to ensure a high level of safety in the operation of their HAVs.

Tests should demonstrate the performance of the behavioral competencies that the HAV system would be expected to demonstrate during normal operation; the HAV system’s performance during crash avoidance situations, and performance of fall back strategies relevant to the HAV’s ODD.

To demonstrate the expected performance of an HAV system, test approaches should include a combination of simulation, test track, and on-road testing. Manufacturers and other entities should determine and document the mix of methods that are appropriate for their HAV system(s).44 Testing may be performed by manufacturers and suppliers but could also be performed by an independent third party.

Manufacturers and other entities are encouraged to work with NHTSA45 and other standards organizations (SAE, NIST, etc.) to develop and update tests that use innovative methods as well as criteria for necessary test facility capabilities.

G. Guidance for Lower Levels of Automated Vehicle Systems

As documented in NHTSA’s report to Congress “Electronic Systems Performance in Passenger Motor Vehicles,”46 the increasing use of electronics and software has enabled the development and deployment of many proven safety technologies, such as electronic stability control. Software and electronics continue to power the automotive industry’s efforts to develop and deploy even more advanced HAV systems.

Electronics and software are at the heart of all automated vehicle systems. There is a clear technical distinction between HAV systems (those classified as SAE Level 3, Level 4, and Level 5) and lower levels of automation (SAE Levels 2 and below) based on whether the automated system relies on the human driver when engaged and operating. However, this distinction does not change many of the areas in which the manufacturers and other entities should apply elements of this Guidance during product development, testing, and deployment.

Most of the Guidance elements and considerations specified under the cross-cutting areas of Vehicle Performance Guidance for HAVs, such as “Data Recording and Sharing,” “Privacy,” “System Safety,” “Vehicle Cybersecurity,” “Human Machine Interface,” “Crashworthiness,” and “Consumer Education and Training” should generally apply to the full spectrum of automated vehicle systems.

Additionally, guidance provided in the areas “Registration and Certification,” “Post-Crash Behavior,” and “Ethical Considerations” also applies to those automated vehicle systems that can provide sustained lateral and longitudinal control simultaneously (systems that would be classified as SAE Level 2). Manufacturers of lower levels of automated vehicle systems should also consider guidance under the “Federal, State, and Local Laws” section and develop and deploy systems that make it clear to the driver how the system handles the function and the role of the driver.

Furthermore, manufacturers and other entities should place significant emphasis on assessing the risk of driver complacency and misuse of Level 2 systems, and develop effective countermeasures to assist drivers in properly using the system as the manufacturer expects. Complacency has been defined as, “… [when an operator] over-relies on and excessively trusts the automation, and subsequently fails to exercise his or her vigilance and/or supervisory duties” (Parasuraman, 1997). SAE Level 2 systems differ from HAV systems in that the driver is expected to remain continuously involved in the driving task, primarily to monitor appropriate operation of the system and to take over immediate control when necessary, with or without warning from the system. However, like HAV systems, SAE Level 2 systems perform sustained longitudinal and lateral control simultaneously within their intended design domain. Manufacturers and other entities should assume that the technical distinction between the levels of automation (e.g., between Level 2 and Level 3) may not be clear to all users or to the general public. And, systems’ expectations of drivers and those drivers’ actual understanding of the critical importance of their “supervisory” role may be materially different.

Manufacturers and other entities should develop tests, validation, and verification methods to assess their systems for effective complacency and misuse countermeasures. For example, a Level 2 vehicle might have a system to monitor human driver engagement, and take the vehicle to a safe fall back condition if the monitor determines the driver is not sufficiently engaged. Recognizing the complex human factors issues surrounding SAE Level 2 systems, DOT encourages the automotive industry to work with NHTSA to develop appropriate methods and metrics to understand and quantify effective human factors approaches to address potential risks from complacency and foreseeable misuse of such systems.

The Operational Design Domain (ODD) concept, Object and Event Detection and Response (OEDR), and associated tests and validation methods discussed in this Guidance are primarily focused on HAV systems (those classified as SAE Level 3, Level 4, and Level 5). This is because HAV systems should be designed to perform the complete driving task and monitor the environment within their ODD without any expectation of involvement by a human driver. This Guidance focuses on designing and validating HAV systems that can robustly achieve this goal within their ODD.

In lower levels of automation (SAE Level 0, Level 1, and Level 2), drivers are expected to remain fully engaged in the driving task. Drivers are an integral part of these systems in terms of perception and decision making. While extending the ODD concept outlined for HAVs in the Guidance to Level 2 systems may not always be possible, lower levels of automated vehicle systems often have an intended ODD (IODD). While such systems may not be able to fully confine the system’s use to its IODD due to the drivers’ expected role as part of the system, manufacturers and other entities should use available means to communicate, monitor, and limit uses of the automated vehicle systems when there is a reasonable expectation (or risk) of systems being used outside of their IODD or of drivers not performing the safety assurance role expected of them.

Unlike HAVs, where manufacturers must ensure robustness of the system itself within the ODDs, robustness of L1-L2 automated vehicle systems cannot be ensured within their IODDs without an engaged and vigilant driver in the loop. However, limiting the uses of automated functions in an L2 vehicle to the IODD, to the extent practical, should reduce the likelihood of such systems encountering circumstances they may not be able to handle. Further, limiting the uses of the system when drivers are not performing what is expected of them should lower the likelihood of an automation system failure occurring when the human driver is not sufficiently attentive.

Table 1: Applicability of Guidance Areas to SAE Level 2-5 Automated Vehicle Systems

| Levels of Automation | SAE Levels 3, 4, 5 (HAVs) | SAE Level 2 |
|---|---|---|
| Safety Assessment Letter to NHTSA | Yes | Yes |
| C. Cross-Cutting Areas | Fully | Partially |
| C.1 Data Recording and Sharing | Yes | Yes |
| C.2 Privacy | Yes | Yes |
| C.3 System Safety | Yes | Yes |
| C.4 Vehicle Cybersecurity | Yes | Yes |
| C.5 Human Machine Interface | Yes | Yes |
| C.6 Crashworthiness | Yes | Yes |
| C.7 Consumer Education and Training | Yes | Yes |
| C.8 Registration and Certification | Yes | Yes |
| C.9 Post-Crash System Behavior | Yes | Yes |
| C.10 Federal, State and Local Laws | Yes | Clarify to driver |
| C.11 Ethical Considerations | Yes | Yes |
| F. Automation Function47 | Fully | Partially |
| F.1 Operational Design Domain | Yes | No |
| F.2 Object and Event Detection and Response | Yes | No |
| F.3 Fall Back (Minimal Risk Condition) | Yes | No |
| F.4 Validation Methods | Yes | Yes |
| G. Guidance for Lower Levels of Automated Vehicle Systems | No | Yes |

H. Next Steps: Activities to Improve, Expand and Oversee the Guidance

In the coming months, the Agency anticipates taking the following steps to evolve the Guidance as technology, experience, and knowledge progresses.

1. Obtain Public Input: NHTSA will seek public input through a Request for Comment on this and all other sections of this Policy.

2. Public Workshop(s): The Agency plans to hold a public workshop to provide interactive discussions of the Guidance and gather additional input for future considerations.

3. Expert Review: In parallel with the public workshop effort, the Agency will conduct an external expert peer review of the Guidance.

4. Complete Paperwork Reduction Act Process for Safety Assessment letters: The Agency will conduct the Paperwork Reduction Act process for the Safety Assessment letters identified in the Performance Guidance.

5. Publish Safety Assessment Template: NHTSA will publish a template for manufacturers and other entities to use to submit their Safety Assessments.

6. Pursue Anonymous Data Sharing: The Agency will explore a mechanism to facilitate anonymous data sharing among those parties testing and deploying HAVs. The mechanism will facilitate sharing that complies with antitrust and competition law requirements, perhaps by using a third-party aggregator. While the specific data elements to be shared will need further refinement, the mechanisms for sharing can be established.

7. Work Plan for Priority Safety Areas: To further enhance the Guidance, some elements would benefit from specific actions taken by industry. NHTSA will formally request actions needed from specific industry associations and groups (e.g., SAE) to address priority safety areas. These efforts are expected to yield more detailed findings and direction in areas such as data collection and test procedures that would enable all parties to build on the Guidance.

8. Continual Coordination: NHTSA will coordinate with State partners to ensure that the Guidance and the Model State Policy sections complement each other.

9. Automated Vehicle Classification: NHTSA will publish an objective method that manufacturers and other entities may use to classify their automated vehicle systems.

10. Gather Data: Use special and general order authority48 when necessary and appropriate to gather data.

11. Mandate Safety Assessment: Implement a rule mandating the submission of the Safety Assessment letter identified in this Guidance.

12. HAV Registration: Consider a rulemaking that would require any entity planning to test or operate HAVs on public roadways (i.e., those vehicles with systems that correspond to SAE Levels 3-5) to register with the Agency and to document and report to the Agency items related to NHTSA’s Guidance such as data recording, cybersecurity, test and evaluation process and methods used to ensure on-road operational safety, etc. NHTSA could model this effort on other reporting rulemakings such as Early Warning Reporting (EWR).

13. Consider Updates to FMVSS: Additional standards could be provided by, among other possibilities, a new FMVSS to which manufacturers could certify HAVs that do not have controls to permit operation by a human driver (i.e., no steering wheel, brake pedals, turn signals, etc.). Such a standard would not apply to vehicles with lower levels of automation. A new standard could prescribe performance requirements for multiple types of equipment to ensure the safety of these vehicles on roadways in the United States.

As illustrated by these next steps, this Guidance represents a first step, to be followed promptly by further agency and industry efforts. These include potential DOT/NHTSA regulatory action to design and implement new standards, as research is available—to govern the initial testing and deployment of HAVs. As NHTSA continues its research, as technology evolves and matures, and as greater consensus develops regarding uniform standards, the Agency intends to promulgate new FMVSS and use other regulatory tools and authorities to facilitate the introduction of safety-advancing HAVs and facilitate their safe operation. In a year—or earlier if warranted by developments—DOT intends to produce an updated version of this Policy incorporating new data, lessons learned from NHTSA investigations and activities, and continued input.

II. MODEL STATE POLICY

A. Introduction

Vehicles operating on public roads are subject to both Federal and State jurisdiction. This section defines Federal and State regulatory responsibilities and outlines a Model State Policy that if adopted can create a consistent, unified national framework for regulation of motor vehicles with all levels of automated technology, including highly automated vehicles (HAVs). Some States have already begun to pass laws and develop regulations concerning HAVs, and the national discussion to date has benefited from their efforts to begin addressing the complex issues posed. The Model State Policy issued at this point builds on the collective knowledge gathered thus far, and can help to avoid a patchwork of inconsistent laws and regulations among the 50 States and other U.S. jurisdictions, which could delay the widespread deployment of these potentially lifesaving technologies.

This Model State Policy outlines State roles in regulating HAVs, and lays out model procedures and requirements for State laws governing HAVs. NHTSA, member States of the American Association of Motor Vehicle Administrators (AAMVA) and other safety stakeholders formed a collaborative partnership to provide valuable information, individual advice and input regarding the role of States in the regulation of HAVs.49 Based on that information and input and the Department’s own research and experience, DOT developed this Model State Policy. NHTSA is also issuing today a Request for Comment on this entire Policy—including the Model State Policy—to obtain public input concerning these matters.

DOT strongly encourages States to allow DOT alone to regulate the performance of HAV technology and vehicles. If a State does pursue HAV performance-related regulations, that State should consult with NHTSA and base its efforts on the Vehicle Performance Guidance provided in this Policy.50

NHTSA is prepared to assist with challenges that States face with regard to HAVs both now and in the future. For example, the Agency recognizes the need for driver education and training regarding HAV systems, and is prepared to partner with States to address this need. NHTSA has already begun research to evaluate the ability of drivers to stay engaged while HAVs are performing part (or all) of the driving task. The results and recommendations from this research will be shared with the States and used to refine the Model State Policy and NHTSA’s Vehicle Performance Guidance. NHTSA also hopes to partner with the States to identify and mitigate other human behavior issues such as misuse and inadequate maintenance of HAVs.

Federal Automated Vehicles Policy

B. The Federal and State Roles

The division of regulatory responsibility for motor vehicle operation between Federal and State authorities is clear. NHTSA responsibilities include:

• Setting FMVSS for new motor vehicles and motor vehicle equipment (to which manufacturers must certify compliance before they sell their vehicles);51

• Enforcing compliance with the FMVSS;

• Investigating and managing the recall and remedy of non-compliances and safety-related motor vehicle defects and recalls on a nationwide basis;

• Communicating with and educating the public about motor vehicle safety issues; and

• Issuing guidance for vehicle and equipment manufacturers to follow, such as the Vehicle Performance Guidance for HAVs presented in this Policy.

States’ responsibilities include other aspects of motor vehicle regulations:

• Licensing (human) drivers and registering motor vehicles in their jurisdictions;

• Enacting and enforcing traffic laws and regulations;

• Conducting safety inspections, where States choose to do so; and

• Regulating motor vehicle insurance and liability.

These general areas of responsibility should remain largely unchanged for HAVs. DOT and the Federal Government are responsible for regulating motor vehicles and motor vehicle equipment, and States are responsible for regulating the human driver and most other aspects of motor vehicle operation. As motor vehicle equipment increasingly performs “driving” tasks, DOT’s exercise of its authority and responsibility to regulate the safety of such equipment will increasingly encompass tasks similar to “licensing” of the non-human “driver” (e.g., hardware and software performing part or all of the driving task).

The Vehicle Safety Act expressly preempts States from issuing any standard that regulates performance if that standard is not identical to an existing FMVSS regulating that same aspect of performance.52 If NHTSA issued an FMVSS setting performance requirements for HAVs, then a State could not have its own performance standards on the same aspects of HAV performance unless they were identical to NHTSA’s standards. The Supreme Court has also found that State laws may be preempted if they stand as an obstacle to the accomplishment and execution of a NHTSA safety standard.53

C. Model State Policy

States are charged with reducing traffic crashes and the resulting deaths, injuries, and property damage (Highway Safety Act, 23 U.S.C. § 401 et seq.). States may use their authority to establish and maintain highway safety programs addressing issues including: driver education and testing; licensing; pedestrian safety; law enforcement; vehicle registration and inspection; traffic control; highway design and maintenance; crash prevention, investigation, and record keeping; and emergency services.

States should evaluate their current laws and regulations to address unnecessary impediments to the safe testing, deployment, and operation of HAVs, and update references to a human driver as appropriate. States may still wish to experiment with different policies and approaches to consistent standards, and in that way contribute to the development of the best approaches and policies to achieve consistent regulatory objectives. The goal of State policies in this realm need not be uniformity or identical laws and regulations across all States. Rather, the aim should be sufficient consistency of laws and policies to avoid a patchwork of inconsistent State laws that could impede innovation and the expeditious and widespread distribution of safety enhancing automated vehicle technologies.

States are also encouraged to work together to standardize and maintain road infrastructure including signs, traffic signals and lights, and pavement markings. This will support the safe operation of HAVs and ensure the safety of human drivers, who will continue to operate vehicles on the roads for years to come.

The following sections describe a model regulatory framework for States that wish to regulate procedures and conditions for testing, deployment, and operation of HAVs. For purposes of this section, “testing” refers to analyses and evaluations of HAV systems and vehicles conducted by a researcher, manufacturer, entity, or expert third party at the request of one of those entities. Deployment refers to use of HAV systems and vehicles by members of the public who are not employees or agents of researchers, manufacturers, or other entities. For purposes of State traffic laws that apply to drivers of vehicles (e.g., speed limits, traffic signs), States may wish to deem an HAV system that conducts the driving task and monitors the driving environment (generally SAE Levels 3-5) to be the “driver” of the vehicle. For vehicles and circumstances in which a human is primarily responsible for monitoring the driving environment (generally SAE Levels 1-2), NHTSA recommends the State consider that human to be the driver for purposes of traffic laws and enforcement.

NHTSA believes that eventually there should be a consistent set of laws and regulations governing the testing and operation of HAVs. In such an approach NHTSA generally would regulate motor vehicles and motor vehicle equipment (including computer hardware and software that perform functions formerly performed by a human driver) and the States would continue to regulate human drivers, vehicle registration, traffic laws, regulations and enforcement, insurance, and liability. As discussed above, States also may wish to regulate HAV “drivers” for the limited purpose of enforcement of traffic laws with respect to vehicles with L3-L5 automation. This model framework envisions State regulation of the procedures and requirements for granting permission to vehicle manufacturers and owners to test and operate vehicles within a State.

1. Administrative

a. Each State should identify a lead agency responsible for consideration of any testing of HAVs.

b. Each State should create a jurisdictional automated safety technology committee that is launched by the designated lead agency and which includes representatives from the governor’s office, the motor vehicle administration, the State department of transportation, the State law enforcement agency, the State Highway Safety Office, office of information technology, State insurance regulator, the State office(s) representing the aging and disabled communities, toll authorities, and transit authorities.

c. Other stakeholders should be consulted as appropriate, such as transportation research centers located in the State, the vehicle manufacturing industry, and groups representing pedestrians, bicyclists, consumers and other interested parties.

d. The designated lead agency should keep its state automated safety technology committee informed of the requests from manufacturers to test in their jurisdiction and the status of the designated agency’s response to the manufacturers.

e. The designated lead agency should take necessary steps to use or establish statutory authority to implement a framework and regulations. Each jurisdiction should examine its laws and regulations in the areas of: (1) licensing/registration; (2) driver education/training; (3) insurance and liability; (4) enforcement of traffic laws/regulations; and (5) administration of motor vehicle inspections, in order to address unnecessary barriers to safe testing, deployment, and operation of HAVs.

f. Each State should develop an internal process that includes an application for manufacturers to test in the jurisdiction as described in sections 2 and 3 below.

g. The motor vehicle agency should establish an internal process for issuing test vehicle permits as described in sections 2 and 3 below.

h. The designated lead agency should review State statutes to identify any legal issues that need to be addressed prior to the deployment and operation of automated vehicles.

2. Application for Manufacturers or Other Entities to Test HAVs on Public Roadways

a. A “manufacturer” is an individual or company that manufactures HAVs for testing and deployment on public roadways. Manufacturers include original equipment manufacturers (OEMs), multiple- and final-stage manufacturers, alterers (individuals or companies making changes to a complete vehicle prior to first retail sale or deployment), and modifiers (individuals or companies making changes to existing vehicles after first retail sale or deployment).

b. An “other entity” is any individual or company that is not a manufacturer, and is involved with designing, supplying, testing, selling, operating, deploying, or helping to manufacture HAVs.

c. Each manufacturer or other entity should submit an application to the designated lead agency in each jurisdiction in which they plan to test their HAVs.

d. The application should state that each vehicle used for testing by manufacturers or other entities follows the Performance Guidance set forth by NHTSA and meets applicable Federal Motor Vehicle Safety Standards.

e. The application should include the name of the manufacturer or other entity, the corporate physical and mailing addresses of the manufacturer or other entity, the in-State physical and mailing addresses of manufacturer, if different than corporate address, the name of the program administrator/director and the contact information for the program administrator/director.

f. The application should identify each vehicle that will be used on roadways for testing purposes by VIN, vehicle type, and other unique identifiers such as the year, make, and model.

g. The application should identify each test operator, their driver’s license number, and the jurisdiction or country in which the operator is licensed.

h. The application should include the manufacturer’s or other entity’s safety and compliance plan for testing vehicles, which should include a self-certification of testing and compliance to NHTSA’s Vehicle Performance Guidance for the technology in the test vehicles under controlled conditions that simulate the real-world conditions (various weather, types of roads, times of the day and night, etc.) to which the applicant intends to subject the vehicle on public roadways (e.g., a copy of the summary Safety Assessment submitted to NHTSA per the Vehicle Performance Guidance).

i. The application should include evidence of the manufacturer’s or other entity’s ability to satisfy a judgment or judgments for damages for personal injury, death, or property damage caused by a vehicle in testing in the form of an instrument of insurance, a surety bond, or proof of self-insurance, for no less than 5 million U.S. dollars.54

j. The application should include a summary of the training provided to the employees, contractors, or other persons designated by the manufacturer or other entity as operators of the test vehicles. Approval should be granted by the designated lead agency if evidence of insurance, operator training, and self-certification is demonstrated.

3. Jurisdictional Permission to Test

a. Each jurisdiction’s lead agency should involve the jurisdictional law enforcement agency before responding to the request from the manufacturer or other entity.

b. The lead agency may choose to grant authorization to test in a jurisdiction with restrictions, and/or may prohibit manufacturers or other entities from testing in certain areas or locations, such as school zones, construction zones, or other safety-sensitive areas.

c. The authorization may be suspended if the manufacturer or other entity fails to comply with the State insurance or driver requirements, or fails to comply with its self-certification compliance plan.

d. The lead agency may request additional information or require the manufacturer or other entity to modify its application before granting authorization.

e. The lead agency should issue a letter of authorization to the manufacturer or other entity to allow testing in the State, and the State’s motor vehicle agency should issue a permit to each test vehicle. The authorization and permits may be renewed periodically. The jurisdiction may determine that it is appropriate to charge fees for the application and for each vehicle-specific permit.

f. The vehicle-specific permit must be carried in the test vehicle at all times.

g. Each test vehicle should be properly registered and titled in accordance with the State’s laws.

4. Testing by the Manufacturer or Other Entity

a. Manufacturers or other entities must comply with Federal law and applicable NHTSA regulations before operating vehicles on public roadways, whether or not they are in testing or in “normal” operation.

b. The vehicle used in testing must be operated solely by persons designated by the manufacturer or other entity, who have received training and instruction concerning the capabilities and limitations of the vehicle. The training provided to the persons designated by the manufacturer or other entity must be summarized and submitted to the lead agency.

c. The operators testing the vehicles must hold a valid State driver’s license.55

d. Before being allowed to operate a test vehicle, the persons designated by the manufacturer or other entity as operators of the test vehicles may be subjected to a background check including, but not limited to, a driver history review and a criminal history check.

e. The test operators are responsible for following all traffic rules and will be responsible for all traffic violations.

f. All crashes involving test vehicles must be reported in accordance with the State laws in which the crash occurred.

5. Deployed Vehicles: “Drivers”

a. States regulate human drivers. Licensed drivers are necessary to perform the driving functions for motor vehicles equipped with automated safety technologies that are less than fully automated (SAE Levels 3 and lower). A licensed driver has responsibility to operate the vehicle, monitor the operation, or be immediately available to perform the driving task when requested or the lower level automated system disengages.

b. Fully automated vehicles are driven entirely by the vehicle itself and require no licensed human driver (SAE levels 4 and 5), at least in certain environments or under certain conditions.56 The entire driving operation (under specified conditions) is performed by a motor vehicle automated system from origin to destination.

c. In order to make the transition from human-driven motor vehicles equipped with automated safety technologies to fully automated vehicles, gaps in current regulations should be identified and addressed by the States (with the assistance of NHTSA). Some examples are:

• Law enforcement/emergency response

• Occupant safety

• Motor vehicle insurance

• Crash investigations/crash reporting

• Liability (tort, criminal, etc.)

• Motor vehicle safety inspections

• Education and training

• Vehicle modifications and maintenance

• Environmental impacts

6. Deployed Vehicles: Registration and Titling

a. HAV technologies that allow the vehicle to be operated without a human driver either at all times or under limited circumstances should be identified on title and registration documentation by States, using the code HAV in a new data field.

b. When HAV technologies that allow the vehicle to be operated without a human driver either at all times or under limited circumstances are installed on a vehicle after the initial purchase of the vehicle, the motor vehicle agency should be notified by the installer. The vehicle registration and title should be marked with the code HAV in a new data field.

c. Regulations governing labeling and identification for HAVs should be issued by NHTSA.

7. Law Enforcement Considerations

It is important for first responders and law enforcement to understand how HAVs may affect their duties. In addition, there will be a growing need for the training and education of law enforcement regarding their interaction with drivers/operators in both the testing and deployment of these technologies.

For vehicles that offer less than full automation capabilities, there is potential for increased distracted driving. Dangerous activities that contribute to distracted driving such as using an electronic device, eating, drinking, and conversing with passengers could significantly increase in HAVs. Regulations to limit these activities, especially in vehicles providing less than full self-driving capabilities, should be consistent across jurisdictions. The States should work together to develop a consistent regulatory scheme to limit potential driver distraction. In addition, States should develop methodologies for enforcement to discourage hazardous vehicle operation for the safety of the motoring public. Once HAVs are deployed and operated on roadways, State regulations need to keep pace with the changing technology.

Although HAVs are expected to provide significant safety benefits by reducing human errors, motor vehicles currently equipped with automation technologies are already involved in traffic crashes and will continue to be, especially during the years of initial introduction and integration with existing motor vehicles. Responders to crashes of HAVs may be placed at risk if they are not trained for unique hazards that they may encounter. These hazards may include, for example, silent operation, self-initiated or remote ignition, high voltage, and unexpected movement. In the interest of safety, it is essential that first responders—including those in police, fire, emergency medical services, and tow and recovery services—receive information and training regarding the potential hazards they may face.

8. Liability and Insurance

States are responsible for determining liability rules for HAVs. States should consider how to allocate liability among HAV owners, operators, passengers, manufacturers, and others when a crash occurs. For example, if an HAV is determined to be at fault in a crash then who should be held liable? For insurance, States need to determine who (owner, operator, passenger, manufacturer, etc.) must carry motor vehicle insurance. Determination of who or what is the “driver” of an HAV in a given circumstance does not necessarily determine liability for crashes involving that HAV. For example, States may determine that in some circumstances liability for a crash involving a human driver of an HAV should be assigned to the manufacturer of the HAV.

Rules and laws allocating tort liability could have a significant effect on both consumer acceptance of HAVs and their rate of deployment. Such rules also could have a substantial effect on the level and incidence of automobile liability insurance costs in jurisdictions in which HAVs operate.

In the future, the States may identify additional liability issues and seek to develop consistent solutions. It may be desirable to create a commission to study liability and insurance issues and make recommendations to the States.

D. NHTSA’s Enforcement Authority

Several States have sought clarification of DOT’s enforcement authority with respect to HAVs.

NHTSA has broad enforcement authority to address existing and new automotive technologies and equipment. The Agency is commanded by Congress to protect the safety of the driving public against unreasonable risks of harm that may occur because of the design, construction, or performance of a motor vehicle or motor vehicle equipment, and to mitigate risks of harm, including risks that may be emerging or contingent. This authority and responsibility extends to cover defects and unreasonable risks to safety that may arise in connection with HAVs. As NHTSA always has done when evaluating new vehicle technologies, it will be guided by its statutory mission, the laws it is obligated to enforce, and the benefits of the technology. NHTSA’s enforcement authorities with respect to HAV are discussed in more detail in Section III “NHTSA’s Current Regulatory Tools,” and in separate enforcement guidance.57

E. Next Steps

NHTSA will continue its collaboration with State stakeholders to help inform next steps and future Model State Policy updates. These steps include:

1. Public comment: NHTSA is issuing a Request for Comment on this Model State Policy and the entire Policy, to obtain public comment and input regarding the matters addressed in this Policy.

2. Public Workshop(s): The Agency plans to hold a public workshop to provide interactive discussions of the Model State Policy and gather additional input for future considerations.

3. Stakeholder Engagement: In parallel with the public workshop effort, NHTSA will meet with stakeholders at the State level who would be responsible for implementing the Model State Policy. This will be an opportunity to learn more about what States have learned through their experimentation thus far with HAV regulation.

4. Education: NHTSA recognizes that States may not have the resources to develop a deep understanding of the technologies being deployed. In conjunction with vehicle manufacturers, NHTSA will explore a mechanism to help State officials gain a better understanding of available vehicle technologies and NHTSA’s roles and activities.

5. Work Plan: Some elements of the Model State Policy will benefit from specific stakeholder actions. NHTSA will explore potential activities, for example, to convene relevant stakeholders (e.g., environmental groups, disability advocacy groups) to develop a work plan that facilitates policy refinements. In some instances (e.g., insurance and liability), NHTSA may seek to convene a commission to study a particular issue and make recommendations.

6. North American Cross-Border Coordination: NHTSA will explore the opportunity for cross-border consistency by engaging Canadian and Mexican authorities to leverage this Policy within their own regulatory framework.

7. Continual Coordination: NHTSA will coordinate with State partners and other safety stakeholders to ensure that the Vehicle Performance Guidance and the Model State Policy sections continue to complement each other.

III. NHTSA’S CURRENT REGULATORY TOOLS

A. Introduction

To assist persons interested in introducing new and innovative HAVs into the U.S. market, and to advance and protect public safety, NHTSA intends to publish the following information and guidance on current Agency regulatory tools and processes in the Federal Register, and request public comments.

NHTSA has four primary “tools” that the Agency uses to address the introduction of new technologies and new approaches to existing technologies, which are:

• Letters of interpretation;

• Exemptions from existing standards;

• Rulemakings to amend existing standards or create new standards; and

• Enforcement authority to address defects that pose an unreasonable risk to safety.

It is important to note that the Agency does not prohibit the introduction of new motor vehicles or motor vehicle technologies into the vehicle fleet, provided that those vehicles and technologies meet existing Federal Motor Vehicle Safety Standards (FMVSS).58 The National Traffic and Motor Vehicle Safety Act, NHTSA’s organic statute, creates a self-certification system of compliance, in which vehicle and equipment manufacturers certify that their products meet applicable standards. NHTSA chooses vehicles and equipment from the fleet to test for compliance, and pursues enforcement actions when the Agency finds either a non-compliance or a defect posing an unreasonable risk to safety. NHTSA does not presently have authority to pre-approve new motor vehicles or new motor vehicle technologies.

A vehicle or equipment manufacturer need ask NHTSA about a new technology or vehicle design only when it will not comply with applicable standards, or when there might be a question as to compliance. If a manufacturer anticipates having such a question, then requests for interpretations, exemptions, and rulemakings are the methods that a manufacturer can use to pursue answers from the Agency.

1. Interpretations

Letters of interpretation are both the fastest way to get an answer to a question, and the narrowest tools in terms of scope and effect. Interpretation letters can help the requestor and others understand how the Agency believes existing law applies to the requestor’s motor vehicle or motor vehicle equipment. An interpretation describes the Agency’s view of the meaning and application of an existing statute or regulation. It can better explain the meaning of a regulation, statute, or overall legal framework and provide clarity for regulated entities and the public. For example, an interpretation may clarify a statutory or regulatory term or provide sharper and more detailed lines than the regulation or statute it interprets.

Not all questions can be answered by interpretations. An interpretation may not make a substantive change to the meaning of a statute or regulation or to their clear provisions and requirements. In particular, an interpretation may not adopt a new position that is irreconcilable with or repudiates existing statutory or regulatory provisions. Historically, interpretation letters have taken several months to several years for NHTSA to issue, but the Agency has committed to expediting interpretation requests regarding HAVs. Section B provides information to the public on how to request an interpretation from NHTSA.

2. Exemptions

Exemptions from existing standards are intended to provide some flexibility to the general requirement that manufacturers must comply with applicable FMVSS and bumper standards. Exemptions provide for limited exceptions to the obligation to comply with the FMVSS in certain circumstances specified in the Vehicle Safety Act.59 They are not intended to allow indefinite non-compliance for large numbers of vehicles. General exemptions are also not a device to excuse non-compliance with applicable standards simply because doing so would be inconvenient or inconsistent with the manufacturers’ preferred vehicle design. Additionally, general exemptions are only temporary—two to three years, with the option for renewal for a similar time period. As with interpretations, Agency rulings on exemptions have historically taken several months to several years. The Agency has committed also to expediting exemption requests regarding HAVs. Section III.C provides information to the public on how to request an exemption from NHTSA.

3. Rulemaking

Notice-and-comment rulemaking is the tool the Agency uses to adopt new standards, modify existing standards, or repeal an existing standard. This procedure has the broadest potential scope and application and generally takes the longest time to complete. If a party wishes to avoid compliance with an FMVSS for longer than the allowed time period for exemptions, or for a greater number of vehicles than the allowed number for exemptions, or has a motor vehicle or equipment design substantially different from anything currently on the road that compliance with standards may be very difficult or complicated (or new standards may be needed), a petition for rulemaking may be the best path forward. Parties wishing to petition NHTSA for rulemaking must follow the procedures at 49 CFR Part 552. Additionally, NHTSA may choose of its own accord to commence a rulemaking, and need not wait for a request from an interested party. Reasons that NHTSA might choose on its own accord to commence rulemaking include directives from Congress, priorities within the Executive Branch, the culmination of NHTSA research projects which indicate the need for standards, or the desire to improve international coordination.60 Rulemaking generally takes the longest of the tools described in this section, but it enables the Agency to make the broadest and most thorough changes to governing regulations, and gives the public the greatest opportunity to participate in the Agency’s decision-making process. Section D provides information to the public on how to petition NHTSA for rulemaking and for reconsideration of Agency final rules.

4. Enforcement

NHTSA has broad enforcement authority under existing statutes and regulations to address existing and emerging automotive technologies. NHTSA has issued an Enforcement Guidance Bulletin relating to safety-related defects and emerging automotive technologies. This bulletin sets forth NHTSA’s current views on emerging automotive technologies—including its view that when vulnerabilities of such technology or equipment pose an unreasonable risk to safety, those vulnerabilities constitute a safety-related defect—and suggests guiding principles and best practices for motor vehicle and equipment manufacturers in this context. With regard to NHTSA’s enforcement authority over motor vehicles and equipment, it applies “notwithstanding the presence or absence of an FMVSS for any particular type of advanced technology.” NHTSA has the authority to “respond to a safety problem posed by new technologies in the same manner it has responded to safety problems posed by more established automotive technology and equipment.” This includes the Agency determining the existence of a defect that poses an unreasonable risk to motor vehicle safety and ordering the manufacturer to conduct a recall.61

With regard to new motor vehicle technologies, including HAVs, NHTSA states in its bulletin that its “enforcement authority concerning safety-related defects in motor vehicles and equipment extends and applies equally to new and emerging automotive technologies.” Furthermore, “[w]here an autonomous vehicle or other emerging automotive technology causes crashes or injuries, or has a manifested safety-related failure or defect” that presents a safety concern, NHTSA will evaluate the HAV or technology through its investigative authority and, if necessary, “exercise its enforcement authority to the fullest extent.”62

B. Guidance on Requesting an Interpretation From NHTSA63

This procedural guidance is meant to provide the public with informal information about requests for interpretation and NHTSA’s process of responding to requests for interpretation. It provides general recommendations and suggestions in plain language about the types of information, explanations, and arguments that requestors might consider to facilitate a more rapid response. This document is not meant to be binding on requestors or on the Agency.

1. Background

NHTSA’s Office of the Chief Counsel interprets the statutes that the Agency administers and the regulations that it issues. When members of the public ask the Agency a question about the meaning or application of these statutes and regulations, the Chief Counsel may respond with a letter of interpretation that examines the particular facts and questions presented and explains how the law applies given those facts. These letters of interpretation, signed by the Chief Counsel, represent the opinion of the Agency on the question(s) addressed at the time of signature. Such a letter of interpretation may be helpful in determining how the Agency might answer questions that are similar. Interpretation letters represent the opinion of the Agency based on the specific facts of individual cases at the time the letter was written. A person should not assume that a prior interpretation will necessarily apply to its situation. There are a number of reasons why prior NHTSA interpretation letters might not be applicable to another situation, such as:

• The facts may be sufficiently different from those presented in prior interpretations, that the Agency’s answer to a new question is different from the answer in the existing interpretation letter;

• The situation may be new and not addressed in an existing interpretation letter;

• The Agency’s standards and regulations may have changed since the time when it issued the existing interpretation letter;

• The Agency has withdrawn or overruled the prior interpretation, and that interpretation no longer applies; or

• Some combination of all of the above, or other factors.

2. Purpose of Interpretation Letters

Interpretation letters are intended to help the requestor and others understand how the Agency believes existing law applies to the requestor’s motor vehicle or motor vehicle equipment. Some questions are better suited to interpretations than others. An interpretation describes the Agency’s view of the meaning and application of an existing statute or regulation. It can better explain the meaning of a regulation, statute, or overall legal framework and provide clarity for regulated entities and the public. For example, an interpretation may clarify a statutory or regulatory term or provide sharper and more detailed lines than the regulation or statute it interprets. An interpretation may not, however, make a substantive change to a statute or regulation or to their clear provisions and requirements. In particular, an interpretation may not adopt a new position that is irreconcilable with or repudiates existing statutory or regulatory provisions.

If a person would like the Agency to consider changing an existing regulation or adopting a new regulation, they should petition for a rulemaking by following the procedures at 49 CFR Part 552. If a motor vehicle or motor vehicle equipment is unable to comply with provisions of the FMVSS and a person would like the Agency to consider granting that vehicle or equipment an exemption from those provisions, they may petition for exemption by following the procedures at 49 CFR Part 555.

3. Process for Agency Review and Ruling on Interpretation Requests

a. Agency Consideration of Interpretation Requests

After receiving an interpretation request, the Agency will consider and respond to it. Following finalization of the interpretation response, it is typically mailed to the requestor either that day or the following business day, and posted in the online database at http://isearch.nhtsa.gov. The response, along with the request, also is then posted in the docket at www.regulations.gov.

b. Factors Affecting the Time it Takes the Agency to Respond to an Interpretation Request

Several factors can affect the time it takes the Agency to respond to an interpretation request. Examples of such factors include:

• The complexity of the question or issue;

• The novelty of the question or issue;

• Whether the requestor has provided all necessary information;

• Whether the question asked is ripe for interpretation;

• Whether prior interpretations on the topic at hand, if any, are consistent, both with each other and with the Agency’s best current thinking on the topic; and

• Agency resources and the number and complexity of other interpretation requests.

NHTSA prioritizes requests that promote vehicle safety when allocating its available resources for interpretations.

c. Information That NHTSA Seeks When Responding to an Interpretation Request

NHTSA’s interpretations are based on the information and arguments provided by the requestor and the Agency’s analysis and conclusion(s) regarding how laws apply in the context of particular information and arguments. It is the burden of the requesting person or entity to provide NHTSA with all information, data, explanations, and arguments necessary for NHTSA to decide on an interpretation request. If a request fails to provide any necessary information, NHTSA may deny the request for interpretation. It is important that a request for interpretation is clear, thorough, and well-supported. Following is a non-exhaustive list of information that requestors should include in an interpretation request:

• Requestors should make an express request for a specific interpretation, not merely inform the Agency of the requestor’s plans or view of the law.

• Questions should be stated clearly, and the specific question asked should be the question for which an answer is sought.

• Requestors should state clearly how they would like the Agency to interpret the statute or regulation.

• Requestors should explain clearly what it is about the facts of their situation that makes the application of the statute or regulation unclear, not merely state that their product is safe or will be beneficial for safety in general.

• Requestors should provide a clear, well-supported, and complete legal argument for why the interpretation they seek from NHTSA is legally reasonable and appropriate for an interpretation rather than a rulemaking or other action. Requestors should identify the relevant provisions in the Agency’s statutes and regulations and demonstrate that the requested interpretation is consistent with each of those provisions. If requestors are seeking a change in existing performance criteria or test procedures, or to avoid compliance with existing performance criteria or test procedures, a request for exemption or rulemaking is more likely to be the correct mechanism to address the issue.

• Requestors should provide all supporting data and information necessary for the Agency to make an informed determination of the interpretation request.

• Before submitting a request for interpretation, requestors should search the Agency’s interpretation data base at http://isearch.nhtsa.gov for prior relevant interpretations (both favorable and unfavorable). With respect to favorable interpretations, requestors should explain in their interpretation request why they believe that the current situation is comparable. With respect to unfavorable ones, requestors should explain in their interpretation request why they believe that the current situation is distinguishable.

• Requestors should identify and discuss the possible policy implications (both positive and negative) of the requested interpretation, with particular emphasis on the safety-related implications.

4. Timeline for NHTSA Action on Requests for Interpretation That Advance Safety

In order to promote the safe adoption and deployment of HAVs, NHTSA has streamlined and expedited its process for evaluating and responding to interpretation requests. For a simple HAV-related interpretation request that appears to improve safety and follows the foregoing guidelines, NHTSA will endeavor to issue a response within 60 days. For a more complex request that appears to improve safety and follows the foregoing guidelines, NHTSA will endeavor to issue a response within 90 days.

5. Response to a Denial of Interpretation

If NHTSA denies a request for interpretation, a requestor may send a subsequent request for interpretation with additional information and/or arguments. Requestors should be aware that NHTSA will summarily reject redundant and duplicative petitions. If the Agency has stated that the question in the original request is not well-suited to interpretation, the requestor may petition for rulemaking or exemption.

C. Guidance on Requesting a Temporary Exemption From NHTSA’s Federal Motor Vehicle Safety Standards

This section provides the public with informal information about requests for temporary exemption and NHTSA’s process of responding to requests for temporary exemption. It provides suggestions about the types of information, explanations, and arguments that requestors might provide to facilitate a more rapid response. This document is not meant to be binding on requestors or on the Agency. To the extent that this document summarizes or discusses statutory or regulatory text, the actual text of the statutes or regulations controls.

1. Background

Congress requires vehicle manufacturers to comply with NHTSA’s vehicle safety standards64 and bumper standards65 in order to sell vehicles in the United States. However, recognizing that occasionally certain manufacturers temporarily may have difficulty meeting those standards, Congress allows DOT (by delegation, NHTSA) to exempt motor vehicles from one or more Federal Motor Vehicle Safety Standards (FMVSS), for up to three years in certain circumstances, if the manufacturer can make a sufficient showing to the Agency that the exemption is necessary.66 For vehicle uses other than sale, NHTSA may exempt motor vehicles and items of motor vehicle equipment from compliance with certain standards if the Agency determines that doing so is necessary for research, investigations, demonstrations, training, competitive racing events, show, or display.67 Additionally, Congress recently amended the Vehicle Safety Act to allow certain vehicle manufacturers (those who, prior to enactment of the FAST Act, had manufactured and distributed FMVSS-compliant vehicles and have registered with NHTSA) to introduce non-FMVSS-compliant motor vehicles into interstate commerce “solely for purposes of testing or evaluation” so long as they “agree[] not to sell or offer for sale the motor vehicle at the conclusion of the testing or evaluation….”68 Manufacturers choosing this latter path should advise NHTSA of this action, but need not petition NHTSA for exemption.

Vehicles that have been granted exemptions and are intended for sale must have permanent labels affixed to their windshield or side window that list the standards (by number and title) for which an exemption has been granted, along with the exemption number from NHTSA.69

2. Purpose of General (Temporary) Exemptions

General exemptions are intended to provide some flexibility to the general requirement that manufacturers must comply with applicable FMVSS and bumper standards, but they are not intended to allow indefinite non-compliance for large numbers of vehicles. General exemptions do not excuse non-compliance with applicable standards simply because doing so would be inconvenient or inconsistent with the manufacturers’ preferred vehicle design. Rather, they provide for limited exceptions to the obligation to comply with the FMVSS in certain circumstances specified in the Vehicle Safety Act.

General exemptions are only temporary. The Vehicle Safety Act allows exemptions on the basis of substantial economic hardship to last no longer than three years; exemptions and renewals of exemptions on the bases of development or field evaluation of a new motor vehicle safety feature, a low-emission vehicle, or ‘overall safety level’ are allowed for up to two years. If a party wishes to avoid compliance with an FMVSS for longer than the allowed time period, or for a greater number of vehicles than the allowed number, a petition for rulemaking may be a better path forward. Parties wishing to petition NHTSA for rulemaking must follow the procedures at 49 CFR Part 552.70

3. Eligibility for Temporary Exemptions

Congress specifies the conditions under which temporary general exemptions from the FMVSS may be granted for vehicles intended for sale in the U.S. market, as follows:71

a. “Substantial economic hardship”

A manufacturer whose total motor vehicle production in the most recent year of production is fewer than 10,000 motor vehicles may petition for exemption on the basis of “substantial economic hardship.” A manufacturer seeking to use this basis for exemption must have attempted to comply with the applicable standard in good faith, and must provide extensive documentation to the Agency proving both the economic hardship and its good faith attempt to comply, as discussed in Section III.C.4.c below.

b. “Development or field evaluation of a new motor vehicle safety feature”

Any motor vehicle manufacturer may petition the Agency for exemption in order to facilitate the development or field evaluation of a new motor vehicle safety feature, for up to 2,500 vehicles per year. A manufacturer seeking to use this basis for exemption must provide documentation of the research performed already on the safety feature, how the safety feature is innovative, and how the safety level of the feature at least equals the safety level of the FMVSS for which exemption is sought, as discussed in Section III.C.4.c.

c. “Development or field evaluation of a low-emission motor vehicle”

Any motor vehicle manufacturer may petition the Agency for exemption in order to facilitate the development or field evaluation of a low-emission motor vehicle, for up to 2,500 vehicles per year. A manufacturer seeking to use this basis for exemption must provide documentation of research establishing that the motor vehicle is a low-emission motor vehicle, and how the safety level of the low-emission motor vehicle would not be reduced unreasonably by exemption from the FMVSS for which exemption is sought, as discussed in Section III.C.4.c.

d. “Overall safety level of exempted vehicle at least equal to overall safety level of nonexempt vehicles”

Any motor vehicle manufacturer may petition the Agency for exemption in order to sell a vehicle model that does not comply with one or more applicable standards, but only for up to 2,500 vehicles per year. A manufacturer seeking to use this basis for exemption must provide a detailed analysis showing how the exempted vehicle provides an overall safety level at least equal to the overall safety level of nonexempt vehicles, as discussed in Section III.C.4.c. For exemptions from bumper standards, the “substantial economic hardship” test applies.

4. Process for Agency Review and Ruling on Temporary Exemption Requests

a. Agency Consideration of Temporary General Exemption Requests

Upon receipt of an application for temporary exemption, NHTSA publishes a notice in the Federal Register including the information in the application and allowing opportunity for public comment, unless the application does not contain the required information.72 If the application lacks needed information, NHTSA informs the applicant of the areas of insufficiency and that the Agency will take no further action on the application until the information is submitted.73

Once the comment period has ended, NHTSA considers the available information and determines whether to grant or deny the exemption request. If NHTSA determines that the application does not contain adequate justification, the Agency will deny the request and notify the applicant in writing, and also will publish a Federal Register notice of the denial and the reasons for it.74 Conversely, if NHTSA determines that the application does contain adequate justification, the Agency will grant the request, notify the applicant in writing, and publish a Federal Register notice of the grant and the reasons for it.75

Interested parties may discuss applications for exemption or the Agency’s response to such applications with Agency officials, but no public hearing, argument, or other formal proceeding (other than the public comment period described above) is held on an application prior to the Agency’s decision.76

When NHTSA grants a request for temporary exemption, the exemption is effective upon publication of the grant notice in the Federal Register and exempts vehicles manufactured on and after the effective date, unless the Federal Register notice specifies a later effective date.77

b. Factors affecting the time it takes the Agency to respond to a request for exemption

Some factors that can affect the time it takes the Agency to respond to a request for temporary exemption may include, for example:

• Determining whether the information and justification provided is adequate for the Agency to assess the merits of granting or denying the request;

• Determining whether the Agency is deciding on an exemption request consistently with prior decisions on prior similar requests, if any, and whether such a decision remains consistent with the Agency’s best current thinking on the topic;

• Complexity of the exemption request and issues presented; and

• Agency workload.

NHTSA generally prioritizes requests that promote vehicle safety.

c. Information that NHTSA seeks when evaluating a request for temporary exemption

The Safety Act directs manufacturers applying for exemptions to provide specific information in their applications to NHTSA, which has given further substance to those directions in regulations. The information required for an application under each exemption category is discussed below. All information submitted as part of applications (except that withheld as confidential business information) will be publicly available at http://www.regulations.gov as part of the docket for the exemption request.78

i. “Substantial economic hardship”

If a manufacturer is petitioning for exemption on this basis, the manufacturer must submit a complete financial statement describing the economic hardship and a complete description of the manufacturer’s good faith effort to comply with the relevant standards.79 49 CFR Part 555 further requires that information submitted in support of a “substantial economic hardship” petition include the following:80

• Engineering and financial information demonstrating in detail how compliance or failure to obtain an exemption would cause substantial economic hardship, including—

  ◦ A list or description of each item of motor vehicle equipment that would have to be modified in order to achieve compliance;

  ◦ The itemized estimated cost to modify each such item of motor vehicle equipment if compliance were to be achieved (A) as soon as possible, (B) at the end of a one-year exemption period (if the exemption is for one year or more), (C) at the end of a two-year exemption period (if the petition is for two years or more), and (D) at the end of a three-year exemption period (if the exemption is for three years);

  ◦ The estimated price increase per vehicle to balance the total costs incurred if the equipment were modified to comply, and a statement of the anticipated effect of each such price increase;

  ◦ Corporate balance sheets and income statements for the three fiscal years immediately preceding the filing of the application;

  ◦ Projected balance sheet and income statement for the fiscal year following a denial of the application;

  ◦ A discussion of any other hardships (e.g., loss of market, difficulty of obtaining goods and services for compliance) that the petitioner desires the Agency to consider; and

• A description of the petitioner’s efforts to comply with the standards, including—

  ◦ A chronological analysis of such efforts showing its relationship to the rulemaking history of the standard from which exemption is sought;

  ◦ A discussion of alternate means of compliance considered and the reasons for rejection of each;

  ◦ A discussion of any other factors (e.g., the resources available to the petitioner, inability to procure goods and services necessary for compliance following a timely request) that the petitioner desires the Agency to consider in deciding whether the petitioner tried in good faith to comply with the standard;

  ◦ A description of the steps to be taken, while the exemption is in effect, and the estimated date by which full compliance will be achieved either by design changes or termination of production of nonconforming vehicles; and

  ◦ The total number of motor vehicles produced by or on behalf of the petitioner in the 12-month period prior to filing the petition, and the inclusive dates of the period. (49 U.S.C. 30113(d) limits eligibility for exemption on the basis of economic hardship to manufacturers whose total motor vehicle production in the year preceding the filing of their applications does not exceed 10,000.)

ii. “Development or field evaluation of a new motor vehicle safety feature”

If a manufacturer seeks an exemption on this basis, Congress requires the manufacturer to submit a record of the research, development, and testing establishing the innovative nature of the safety feature and a detailed analysis establishing that the safety level of the feature at least equals the safety level of the standard for which exemption is sought.81 49 CFR Part 555 further requires that supporting information include the following:82

• A description of the safety or impact protection features, and research, development, and testing documentation establishing the innovational nature of such features;

• An analysis establishing that the level of safety or impact protection of the feature is equivalent to or exceeds the level of safety or impact protection established in the standard from which exemption is sought, including—

  ◦ A detailed description of how a vehicle equipped with the safety or impact protection feature differs from one that complies with the standard;

  ◦ If applicant is presently manufacturing a vehicle conforming to the standard, the results of tests conducted to substantiate certification to the standard; and

  ◦ The results of tests conducted on the safety or impact protection features that demonstrate performance which meets or exceeds the requirements of the standard;

• Substantiation that a temporary exemption would facilitate the development or field evaluation of the vehicle;

• A statement whether, at the end of the exemption period, the manufacturer intends to conform to the standard, apply for a further exemption, or petition for rulemaking to amend the standard to incorporate the safety or impact protection features; and

• A statement that not more than 2,500 exempted vehicles will be sold in the U.S. in any 12-month period for which an exemption may be granted, and an application for renewal of such an exemption shall also include the total number of exempted vehicles sold in the United States under the existing exemption.

iii. “Development or field evaluation of a low-emission motor vehicle”

If a manufacturer petitions for exemption on this basis, it must submit a record of the research, development, and testing establishing that the motor vehicle is a low-emission motor vehicle and that the safety level of the vehicle would not be unreasonably reduced by exemption from the standard.83 49 CFR Part 555 requires that that information include the following:84

• Substantiation that the vehicle is a low-emission vehicle as defined by 49 U.S.C. § 30113(a);

• Research, development, and testing documentation establishing that a temporary exemption would not unreasonably degrade the safety or impact protection of the vehicle, including—

  ◦ A detailed description of how the motor vehicle equipped with the low-emission engine would, if exempted, differ from one that complies with the standard;

  ◦ If the applicant is presently manufacturing a vehicle conforming to the standard, the results of tests conducted to substantiate certification to the standard;

  ◦ The results of any tests conducted on the vehicle that demonstrate its failure to meet the standard, expressed as comparative performance levels; and

  ◦ Reasons why the failure to meet the standard does not unreasonably degrade the safety or impact protection of the vehicle;

• Substantiation that an exemption would facilitate the development or field evaluation of the vehicle;

• A statement whether, at the end of the exemption period, the manufacturer intends to conform to the standard; and

• A statement that not more than 2,500 exempted vehicles will be sold in the United States in any 12-month period for which an exemption may be granted. An application for renewal of an exemption must also include the total number of exempted vehicles sold in the United States under the existing exemption.

iv. “Overall safety level of exempted vehicle at least equal to overall safety level of nonexempt vehicles”

A manufacturer petitioning for exemption on this basis must submit a detailed analysis showing how the vehicle provides an overall safety level at least equal to the overall safety level of non-exempt vehicles.85 49 CFR Part 555 further requires that that information include the following:86

• A detailed analysis of how the vehicle provides the overall level of safety or impact protection at least equal to that of non-exempted vehicles, including—

  ◦ A detailed description of how the motor vehicle, if exempted, differs from one that conforms to the standard;

  ◦ A detailed description of any safety or impact protection features that the vehicle offers as standard equipment that are not required by the FMVSS or bumper standards;

  ◦ The results of any tests conducted on the vehicle demonstrating that it fails to meet the standard, expressed as comparative performance levels;

  ◦ The results of any tests conducted on the vehicle demonstrating that its overall level of safety or impact protection exceeds that which is achieved by conformity to the standards;

  ◦ Other arguments that the overall level of safety or impact protection of the vehicle is at least equal to that of non-exempted vehicles;

• Substantiation that compliance would prevent the sale of the vehicle;

• A statement whether, at the end of the exemption period, the manufacturer intends to comply with the standard;

• A statement that not more than 2,500 exempted vehicles will be sold in the United States in any 12-month period for which an exemption may be granted; and an application for renewal shall also include the total number of exempted vehicles sold in the United States under the existing exemption.

5. Termination and Renewal of Temporary Exemptions

As discussed, temporary exemptions are not permanent. If a temporary exemption is granted on the basis of “substantial economic hardship,” it will terminate according to its terms no later than three years after the date of issuance, unless NHTSA terminates it sooner.87 If a temporary exemption is granted on any other basis, it will terminate according to its terms but not later than two years after the date of issuance, unless NHTSA terminates it sooner.88 If a manufacturer with an exemption applies for renewal within 60 days of the termination date for the existing exemption, and the renewal application meets the requirements of 49 CFR § 555.5, the exemption does not terminate until NHTSA grants or denies the renewal application.89

NHTSA may terminate or modify a temporary exemption if the Agency determines that either (1) the temporary exemption is no longer consistent with the public interest and the objectives of the Vehicle Safety Act; or (2) the temporary exemption was granted on the basis of false, fraudulent, or misleading representations or information.90 Any interested person may petition for the termination or modification of an exemption granted under Part 555, and NHTSA will process those petitions according to the procedures in 49 CFR Part 552.91 NHTSA publishes notices in the Federal Register for both applications for termination or modification of an exemption and the Agency’s action in response to it, and also for any termination or modification of an exemption pursuant to the Agency’s own motion.92

6. Timelines for NHTSA Action on Compliant Petitions

NHTSA has streamlined and expedited its process for reviewing and determining exemption petitions that advance safety and that follow these guidelines. For simple exemption petitions that promote improved safety and that follow these guidelines, NHTSA will endeavor to grant or deny the petition(s) within six months. For more complex petitions that promote improved safety and that follow these guidelines, NHTSA will endeavor to grant or deny the petition(s) within 12 months.

7. Response to a Denial of Request for Temporary Exemption

If NHTSA denies a request for temporary exemption, the requestor may submit another request with new/additional information and/or arguments. Duplicative exemption requests will be summarily denied. If the Agency has stated in its denial that the issue presented is not well-suited to temporary exemption, the requestor may petition for rulemaking under 49 CFR Part 552.

D. Guidance on Preparing Well-Supported Petitions for Safety Rulemaking and Reconsideration of Final Safety Rules

This section is intended to aid the process for petitioning the Agency to take either of two types of actions: (1) initiate a rulemaking under the National Traffic and Motor Vehicle Safety Act to amend existing vehicle safety standards or to establish new ones; or (2) reconsider a final rule amending or establishing safety standards. This action is needed because NHTSA must be able to allocate and manage its vehicle safety resources in a way that allows the Agency to focus its efforts on those vehicle technologies having the greatest potential for improving safety at reasonable cost. When the Agency decides to grant a petition for a rulemaking on a technology with substantial safety potential, it is critical that the Agency be able to complete the rulemaking on a sound and complete basis and as expeditiously as possible. This guidance will aid the Agency in doing so by clarifying the existing minimum content requirements for petitions for rulemaking and reconsideration and offering guidance on meeting those requirements.93 The more supporting research and well-reasoned analysis that petitioners include in their petitions, the more quickly the Agency will be able to assess the safety significance of petitions and act on them. This guidance also describes additional information whose inclusion in petitions is not required, but is helpful to the Agency in addressing petitions and deciding how to allocate its resources to achieve its safety goals. The more thoroughly supported an application is, the more quickly and efficiently the Agency can work to respond to it.

1. Introduction

Through this guidance, NHTSA seeks to aid its ability to focus on petitions for rulemaking that offer the greatest safety potential and on meritorious petitions for reconsideration. The Agency also seeks to obtain data and analysis that will enable it to complete rulemakings initiated in response to petitions expeditiously and on a sound and robust scientific and analytical basis.

This guidance is intended to clarify the existing minimum content requirements for rulemaking petitions and offers guidance on meeting those requirements. It also describes additional contents whose inclusion in petitions is not required, but is helpful to the Agency. The description of these additional contents is intended to aid the public in preparing better supported petitions, thereby increasing the likelihood that the Agency will grant and act on them. The submission of more thoroughly explained and better supported petitions will aid the Agency by reducing the resources and time it would otherwise need to expend in order to evaluate the merits of petitions and to develop proposals (and supporting analyses required by various Executive Orders and statutes) to act on those petitions that it grants.

2. Agency Regulations on Petitions

a. Contents of petitions for rulemaking or reconsideration of a rule

NHTSA’s current administrative requirements concerning the contents of petitions for rulemaking and petitions for reconsideration are essentially the same as those that existed when the Motor Vehicle and Schoolbus Safety Amendments of 1974 (“1974 Amendments”) were enacted. The 1974 Amendments amended the National Traffic and Motor Vehicle Safety Act (Vehicle Safety Act) by, inter alia, adding a new section 124, which established requirements concerning petitions for rulemaking under that Act. 94 More specifically, section 124 specified requirements for petitions for rulemaking relating to Federal motor vehicle safety standards, and for petitions requesting the Agency to determine the existence of a noncompliance with an FMVSS or a defect related to motor vehicle safety.

NHTSA responded to the addition of section 124 by establishing a new regulation, part 552—Petitions for Rulemaking, Defect, and Noncompliance Orders.95 40 FR 42013; September 10, 1975. Similar to the APA, section 124 expressly provides that any person may file a petition requesting the Agency to commence a proceeding to establish a vehicle safety standard. However, section 124 also went beyond the APA, specifying that a person’s petition asking the Agency to issue a vehicle safety standard “…must state facts that the person claims establish that a motor vehicle safety standard or order referred to in subsection (a) of this section is necessary and briefly describe the order the Secretary should issue.”

In § 552.4 of Part 552, the Agency paraphrased section 124, specifying that petitions for rulemaking must “(s)et forth facts which it is claimed establish that an order is necessary” and “(s)et forth a brief description of the substance of the order which it is claimed should be issued.”96 The necessity of providing the required information is emphasized in §552.5(b). That paragraph says “(a) document that fails to conform to one or more of the requirements of §552.4(a) through (e) will not be treated as a petition under” Part 552. “Such a document will be treated according to the existing correspondence or other appropriate procedures of the NHTSA, and any suggestions contained in it will be considered at the discretion of the Administrator or his delegate.”

Recognizing the impact that evaluating pending petitions and implementing granted petitions could have on the Agency resources available for priority safety activities, NHTSA also addressed the variety of factors, including resource management, which it might consider in deciding whether to grant or deny a petition. In section 552.8, Notification of Agency action on the petition, it specified: “After considering the technical review conducted under §552.6, and taking into account appropriate factors, which may include, among others, allocation of Agency resources, Agency priorities and the likelihood of success in litigation which might arise from the order, the Administrator will grant or deny the petition. …”

Parties may petition for reconsideration within 45 days after a final rule has been issued to establish a new standard or amend an existing standard, if they disagree with the Agency’s action.97 The regulation on petitions for reconsideration, Section 553.35 reads:

(a) Any interested person may petition the Administrator for reconsideration of any rule issued under this part. …. The petition must contain a brief statement of the complaint and an explanation as to why compliance with the rule is not practicable, is unreasonable, or is not in the public interest. …

(b) If the petitioner requests the consideration of additional facts, he must state the reason they were not presented to the Administrator within the prescribed time.

(c) The Administrator does not consider repetitious petitions.

b. Improperly filed petitions

When the Agency established part 552, it included a section explaining how the Agency would handle incomplete petitions. Paragraph (b) of section 552.5, “Improperly filed petitions,” provides: A document that fails to conform to one or more of the requirements of §552.4(a) through (e) will not be treated as a petition under this part. Such a document will be treated according to the existing correspondence or other appropriate procedures of the NHTSA, and any suggestions contained in it will be considered at the discretion of the Administrator or his delegate.

3. Need for Better Supported Petitions

a. Need to focus Agency resources on vehicle safety priorities

The effort involved in the Agency’s evaluating and acting upon petitions for rulemaking and petitions for reconsideration draws resources away from other important Agency responsibilities, including conducting the rulemakings in the Agency’s vehicle safety rulemaking priority plan, complying with statutory mandates for vehicle safety rulemakings,98 and improving the New Car Assessment Program. Likewise, with respect to enforcement matters, the Agency has a responsibility to focus on those matters that will have the greatest safety benefit to the public.

In recent years, the Agency has devoted a great deal of effort to developing, implementing and updating plans setting forth its vehicle safety rulemaking priorities. In deciding which rulemakings and other actions to include in the plan, the Agency relies primarily on the relative potential of candidate actions to save lives and prevent injuries. In addition, the Agency considers the likelihood of being able to successfully complete the actions and effectively implement them, which involves many factors including the Agency’s ability to develop objective and practical performance requirements and test procedures, and to develop a solution that meets the identified need for safety and is also cost-beneficial, or at least relatively low-cost. The Agency also considers other factors such as the need to protect particularly vulnerable groups of people (e.g., children). It is critical to safety that the Agency focuses the use of its finite resources on implementing its priority plans.

b. Impacts of petitions for rulemaking on Agency resources

In order to ensure that public resources are devoted to implementing the Agency’s priority plan and statutory mandates, the Agency must be particularly careful in deciding whether a submission qualifies as a petition and whether to grant each petition.

The Agency has not always exercised sufficient rigor in screening and evaluating rulemaking petitions. It has sometimes granted petitions for rulemaking whose implementation made it necessary for the Agency to conduct years of research to develop and validate effective performance requirements and test procedures, and then initiate rulemaking. Acceptance of these documents as petitions for rulemaking is not generally appropriate action for the Agency. Neither the APA, nor section 124, nor part 552, provide for the submitting or granting of petitions that are effectively either petitions for research or petitions for establishing Agency research priorities.

The Agency has further contributed to the problem by sometimes accepting petitions that do not meet the requirements of section 552.4, i.e., they do not “(s)et forth facts which it is claimed establish that an order is necessary.” Instead of denying such requests, the Agency has sometimes assumed the submitter’s burden under that section and used Agency resources to meet that responsibility. This is not an efficient use of Agency resources.

The processes of developing and adopting new rules are time-consuming and can be expensive. These processes involve identifying and gathering reliable data; carefully analyzing it to determine the nature and extent of safety problems; identifying and analyzing alternative solutions; choosing a solution; and developing and validating effective performance requirements and test procedures for the chosen solution. Moving forward, NHTSA seeks to focus its resources on its priority activities, rather than on developing data or performing analysis that could and should have been included in the submitter’s document.

c. Impacts of petitions for reconsideration of a rule on Agency resources

The Agency also has concerns regarding the growing practice in rulemaking proceedings of deferring technical issues to petitions for reconsideration of a rule instead of presenting them in comments on the rule at the proposed rulemaking stage. Some petitioners have raised technical issues for the first time at the petition for reconsideration stage, and submitted multiple rounds of petitions for reconsideration. To some extent, the growth in petitions for reconsideration is the result of the greater complexity of the performance requirements and test procedures being established, especially performance requirements based on dynamic test procedures. However, the Agency is concerned that many of the issues presented in petitions for reconsideration of final rules often could have been raised earlier, i.e., in the petitioners’ comments on the Notices of Proposed Rulemaking that preceded those final rules.

Similarly, some issues that could have been raised in the first round of petitions for reconsideration are instead sometimes raised in a subsequent round of petitions for reconsideration. In addition, when petitioning for the reconsideration of a final rule, petitioners sometimes rely on essentially the same arguments and data included in their comments on the Notice of Proposed Rulemaking that preceded the final rule or filed in a previous petition for reconsideration.

For its part, the Agency in the past has not uniformly enforced the provision in its regulations about not considering repetitious petitions for reconsideration. The Agency has also taken too long in some cases to respond to petitions for reconsideration. One factor in such delay, however, has been problems with some petitions for reconsideration received by the Agency, i.e., the absence of: (a) clear statements of how the regulatory text of a final rule should be changed and why; (b) information and analysis validating the reported problem with a final rule; and (c) explanation of the appropriateness and effectiveness of the requested change in the regulatory text. This material is needed by the Agency to identify the best ways of resolving issues raised by a petitioner.

NHTSA is also issuing a Request for Comment on this document, seeking public input on the guidance set out in this section, as well as the other sections of this document.

IV. MODERN REGULATORY TOOLS

This section discusses potential new tools and authorities that could help the Agency to meet the challenges and opportunities involved in facilitating the safe, expeditious development of HAVs. NHTSA is also issuing today a Request for Comment on this entire Policy—including this Modern Regulatory Tools discussion—to obtain public input concerning these matters.

A. Introduction

Fifty years ago, Congress enacted the National Traffic and Motor Vehicle Safety Act (Vehicle Safety Act), giving NHTSA broad jurisdiction over all elements of design in motor vehicles and motor vehicle equipment. It also directed the Agency to issue Federal Motor Vehicle Safety Standards (FMVSS) to reduce motor vehicle crashes and related deaths and injuries.99 The Vehicle Safety Act requires manufacturers of motor vehicles and motor vehicle equipment to certify that their products comply with all applicable FMVSS in effect at the time of their manufacture. It also requires motor vehicle manufacturers to notify consumers about any safety-related defects in their motor vehicles and identify the measures to be taken to repair the defect.100

As novel regulatory challenges have emerged, NHTSA has pursued new regulatory tools (i) by finding new uses of its existing statutory authority; and (ii) by asking Congress to provide new authorities when needed. From the earliest years of the Agency’s history, sometimes in response to the Agency and sometimes on its own initiative, Congress has taken action to address these challenges with legislation refreshing and modernizing the Vehicle Safety Act.

NHTSA is once again facing an array of new regulatory challenges, this time posed by emerging HAVs. To meet those challenges, the Agency is attempting to answer familiar questions: What new uses can it make of its existing authorities, and should new authorities be sought from Congress?

The speed with which HAVs are evolving warrants a review of NHTSA’s regulatory tools and authorities. To keep pace with developments, NHTSA must continuously build its expertise and knowledge, expand its ability to regulate the safety of automated systems and vehicles, and increase its speed of execution. This includes conducting research to develop and validate new performance metrics,101 establishing minimum or maximum thresholds for those metrics,102 developing test procedures and test equipment, and then conducting notice-and-comment rulemakings to incorporate those metrics, procedures, and tests in new FMVSS. To those ends, the Agency has identified an array of potential new tools and authorities and will initiate a public dialogue to determine which ones might be worth pursuing.103

The innovative technologies that are the basis of HAVs are vastly different from the technologies that existed when Congress enacted the Safety Act. Then, vehicles were largely mechanical and controlled by the human driver via mechanical inputs and linkages. At that time, sensing of a vehicle’s performance and the roadway environment, and making driving decisions about that performance were done solely by the human driver.

Today, an increasing number of vehicle functions are electronic and can be activated and controlled automatically. Many do not require direct human involvement. Another significant difference is that the performance capabilities of a vehicle can be quickly and substantially altered after its manufacture and initial certification, via software updates. The trend toward software-driven vehicles began with such features as antilock brakes, electronic stability control, and air bags. This trend has accelerated with automatic emergency braking, forward crash warning, lane departure warnings, and is continuing on toward fully automated vehicles.

To help determine which new regulatory tools might be “right for the job,” NHTSA first defined the job. Initially, the Agency envisioned what a program for long-term regulation and safe facilitation of HAVs might look like. Second, the Agency identified a number of tools and explored their potential usefulness and feasibility. Third, the Agency looked at what tools other Federal regulatory agencies are using for similar regulatory challenges, which is summarized in Appendix II.

B. The Importance of Research to Guide Regulatory Actions

Extensive vehicle automation research will be needed to provide a sufficient scientific basis for sound regulatory decision-making and regulation of HAVs. The research needed during the next several years was outlined by the Agency in the attachment to an April 1, 2015, letter to the California Department of Motor Vehicles.104

Using information gained from the manufacturers and the Agency’s continuing research, DOT will be able to specifically identify effective safety analyses and risk mitigation measures, such as:

• What metrics and data are needed to assess reliability and measure safety performance and effectiveness;

• What test procedures and equipment are needed for that purpose;

• What types of safety problems should a manufacturer consider for each type of automated driving function; and

• What risk mitigation strategies should a manufacturer consider?

Ideally, this work would be done in conjunction with other countries so that similar testing and analyses would enable NHTSA and other regulatory authorities to avoid duplication of research, collect and analyze similar data, compare results obtained and lessons learned, and lay the foundation for compatible regulatory approaches.

NHTSA’s proposed research (whether conducted by the Agency or others) would have an immediate impact. Research enables greater specificity thereby raising the level of safety achieved by manufacturers in designing and implementing new technologies by:

• Increasing total industry knowledge of potential safety problems;

• Offering solutions that the industry can implement;

• Defining codes of conduct and helping set performance expectations; and

• Suggesting models against which industry can analyze safety problems.

C. Potential New Tools and Authorities

This section discusses specific new regulatory tools and authorities that DOT has identified as having potential to facilitate the expeditious and safe introduction of HAVs. A combination of some of the following new regulatory tools (in conjunction with existing tools and authorities) may help to advance the goals of long-term safety regulation and safe deployment of HAVs. DOT does not intend to advocate or oppose any of the tools discussed below. Instead, it intends to describe an array of possible tools and authorities, and to solicit input and analysis regarding those potential options from interested parties. DOT believes that the right tools ultimately will be those judged best at providing sound, predictable, consistent, transparent, and efficient regulatory pathways for manufacturers and other entities that ensure consumer safety while facilitating innovation.

1. Authorities

a. Authority I: Safety Assurance

Among the categories of new regulatory tools and authorities DOT might apply to regulate the safety of HAVs are pre-market safety assurance tools. Such tools could include pre-market testing, data, and analyses reported by a vehicle manufacturer or other entity to DOT. Those tools would be designed to demonstrate that motor vehicle manufacturers’ and other entities’ design, manufacturing, and testing processes apply NHTSA performance guidance, industry best practices, and other performance criteria and standards to assure the safe operation of motor vehicles, before those vehicles are deployed on public roads. Safety assurance tools and rules could require manufacturers to provide the Agency with advance information and reporting about their efforts to ensure safe introduction of complex safety systems and HAVs, through systematic risk analysis, identification, classification, and reduction. One example of a safety assurance tool is the summary Safety Assessment from manufacturers to NHTSA identified in the Vehicle Performance Guidance.105 Several of the other provisions of the Performance Guidance (e.g., data recording and sharing provisions; systems engineering design and validation approach; including cybersecurity measures in vehicle design and development; conducting robust validation and behavioral competency tests and simulations prior to deployment and sale of HAVs) and some of the potential new tools described below (e.g., functional and system safety testing and reporting) are safety assurance tools. NHTSA could implement many safety assurance tools without additional statutory authority.

b. Authority II: Pre-Market Approval Authority

A second type of regulatory authority used by other government agencies, but not presently part of NHTSA’s authority, is pre-market approval authority. Pre-market approval authority is a separate and distinct authority and regulatory approach from safety assurance. Pre-market approval also is a substantially different regulatory approach than the self-certification approach established by Congress and used by NHTSA today. Other agencies have used pre-market approval successfully to regulate the introduction of new products and technologies. For example, the Federal Aviation Administration (FAA) uses pre-market approval processes to regulate the safety of complex, software-driven products like autopilot systems on commercial aircraft, and unmanned aircraft systems. NHTSA has conducted an initial examination of using some form of pre-market approval process to regulate the introduction of HAV technologies. The following preliminary discussion is intended only to identify pre-market approval as a potential new tool that might facilitate the safe deployment of HAVs, and not to endorse that tool as a supplement or replacement for the existing self-certification system.

i. Current Self-Certification System

Today, the Vehicle Safety Act relies on self-certification by manufacturers of the compliance of their vehicles and equipment with the FMVSS.106 There is no provision for pre-manufacture Agency “type-approval” of prototypes specially produced by the manufacturers for that purpose. Instead, the vehicles used for the DOT’s compliance testing are purchased from new vehicle dealerships through a competitive bidding process. This approach ensures that the test specimens are true examples of the same vehicles that are mass produced and sold to consumers.

Because it is not feasible to test every vehicle model under every applicable FMVSS every model year, NHTSA employs a risk-based selection process to strategically select which standards and vehicles to test. This allows the Agency to devote its limited resources to those potential safety problems that pose the highest risk to the public. In determining which standards to test, the Agency’s risk-based strategy identifies several principal factors for assessing risks associated with specific standards. Some factors pertain to the critical nature of the standard (the risk of fatalities and injuries associated with that standard), others to Early Warning Data and recall data associated with the standard, and still others to consumer complaints and past test failures. Using this strategy, DOT prioritizes the safety standards by determining which compliance issues are associated with the greatest likelihood of harm. Similarly, when making vehicle and equipment selections, DOT’s risk-based strategy identifies several principal factors that are used for assessing risk associated with a specific product. Some risk factors pertain to the volume of items, others to market share, and still others to whether the items are new or redesigned or have failed in the past. DOT ranks vehicle functions and equipment and makes testing selections based on which items pose greatest risk.

The combination of self-certification and DOT’s strategic approach to ensuring compliance with the FMVSS historically has worked well. Instances of non-compliance, especially non-compliances having substantial safety implications, are rare.

ii. Possible NHTSA Use of Pre-Market Approval

A pre-market approval approach—used either in conjunction with or as a replacement for DOT’s existing self-certification and compliance testing process—might have potential for expediting the safe introduction and public acceptance of HAVs. Such a regulatory approach could also contribute to public acceptance of and confidence in HAVs, because it would involve affirmative approval by the federal government of the safety of HAVs and new safety technologies.

One version of such an approach would replace the existing self-certification process entirely with a pre-market approval approach for HAVs. Under such an approach, rather than having HAV manufacturers certify that their vehicles meet applicable FMVSS (including any new standards that may be established for HAVs), NHTSA would test vehicle prototypes to determine if the vehicle meets all such standards.

NHTSA adoption of a full pre-market approval approach for HAVs would entail replacing the self-certification process with at least two new statutory provisions. The first provision would prohibit the manufacture, introduction into commerce, offer for sale and sale of HAVs unless, prior to such actions, NHTSA has assessed the safety of the vehicle’s performance and approved the vehicle. The scope of the approval would include not only the aspects of performance covered by FMVSS testing protocols but also aspects not covered by FMVSS testing protocols. NHTSA could also implement a similar, technology-specific process for vehicles that include lower levels of automation, below L3-L5. In determining whether to affirm the safety of new HAVs, NHTSA would consider all reliable data and analysis.

The second provision would establish an Agency process for conducting an analysis of the safety of HAVs that would become the basis for the Agency’s review and approval of the vehicle. With respect to the aspects of performance covered by FMVSS testing protocols, the analysis likely would be based on tests conducted in accordance with established test procedures and measured against established performance metrics and thresholds for those metrics. For the aspects of performance not covered by FMVSS testing protocols, initially the Agency would need to rely upon engineering judgment.107

Substitution of pre-market approval for all standards for which manufacturers currently self-certify would be a wholesale structural change in the way NHTSA regulates motor vehicle safety and would require both fundamental statutory changes and a large increase in Agency resources.

A variety of questions should be explored regarding the task of evaluating the safety of HAVs through an approval process. For example, in the early years very few of the new functions and aspects of HAV safety performance would be addressed directly by an FMVSS or other regulatory standard. The Agency initially would not have objective performance metrics or test conditions and procedures to guide consistent, objective, and reliable evaluations of safety. Prior to the establishment of objective approval standards (likely through rulemaking), the absence of established metrics could make it more difficult for manufacturers to anticipate the Agency’s evaluation and conclusions regarding the safety of their vehicles’ performance.

As discussed above and in Appendix II, the FAA uses pre-market approval and safety assurance processes as methods for managing the safety and health risks associated with the products it regulates. In discussions with NHTSA about usefulness and feasibility of NHTSA’s requiring some type of pre-market approval as a precondition to the manufacturing and selling of HAVs, FAA noted that there were significant differences between the industries and products FAA regulates and those NHTSA regulates in terms of the number of manufacturers, number of models, and number and frequency of new model introductions. For example, the FAA deals with only a few manufacturers and only rarely needs to approve an entirely new model of an airliner. NHTSA further notes that the motor vehicle industry’s long-established practice of introducing and producing motor vehicles on a model-year basis might create challenges for the industry due to potential delays in the beginning of production of vehicle models caused by the length of the approval process.

Potential pre-market approval approaches for expeditious and safe introduction and regulation of HAVs merit further exploration and inquiry. Again, this preliminary discussion is intended only to identify pre-market approval as a potential new regulatory tool that might help to facilitate the safe deployment of HAVs. NHTSA solicits comments on the Agency’s potential use of pre-market approval—including hybrid certification/approval processes—for evaluation of HAVs. In addition to other comments and input, NHTSA is particularly interested in comments regarding whether use of pre-market approval tools would expedite or slow innovation.

iii. Hybrid Certification/Approval Processes

Another version of a pre-market approval process could be a hybrid certification and approval process. For example, HAV manufacturers could certify compliance with FMVSS and NHTSA (or a third-party expert retained and supervised by NHTSA108) could conduct pre-market approval for those HAV features that are not covered by an FMVSS. Over time as NHTSA promulgates new FMVSS (through rulemaking) to govern certain HAV systems and equipment, those features could become subject to manufacturer self-certification, and additional new features not covered by an FMVSS could be subject to pre-market approval under this approach.

DOT’s Pipeline and Hazardous Materials Safety Administration (PHMSA) operates one type of hybrid (certification and approval) regulatory program. Part of PHMSA’s regulatory process is a large self-certification system for classification, containment, and commercial transportation of hazardous materials. In addition to PHMSA’s self-certification process, it also operates a pre-market approval process in which PHMSA (or contract experts from outside the agency) reviews and approves certain types of transportation of hazardous materials.109

PHMSA uses approval authority to address some of the highest transportation risks. In addition, to address innovative ideas and technological advances, PHMSA’s approval program provides authorizations on a case-by-case basis through an application process. For example, for some of the highest risk activities, PHMSA requires an approval by an independent (third party) entity, and in the case of explosives, requires an additional PHMSA-issued approval prior to transportation. For lower risk activities and activities that cannot be fully anticipated by regulation, PHMSA allows an equal-in-safety-and-risk alternative to an existing requirement. These approval allowances are unique to specific regulatory standards as promulgated through public notice and comment. PHMSA approvals:

• only apply to a specific regulation that allows an alternative;

• require a level of safety that is equal to or greater than afforded by present regulations and/or is consistent with public interest;

• require cost and safety justification;

• place burden of proof on the applicant;

• are subject to additional conditions determined by the agency;

• may be limited by an expiration date, subject to renewal; and

• are subject to denial, suspension and termination.

NHTSA might consider hybrid regulatory systems similar to that described above, or an entirely different hybrid system tailored to the specific needs and characteristics of HAV safety regulation. For example, NHTSA could make the most safety-critical HAV systems subject to pre-market approval by the Agency, and make other lower level automation systems and equipment subject to manufacturer certification. Such an approach—involving objective, affirmative government approval of systems vital to safety—could foster consumer confidence and acceptance of HAVs featuring such systems.

Regardless of specific parameters and application of a hybrid pre-market approval approach, any such approach should be designed to facilitate innovation, foster public confidence and acceptance, and be flexible and expeditious enough to keep pace with vehicle product development cycles. NHTSA encourages public commenters to provide their views of whether a hybrid certification/approval process may be appropriate, and if so how it might be structured and operate.

Authority: A pre-market approval process would require statutory change.

c. Authority III: Cease-and-Desist Authority

Cease-and-desist authority would enable NHTSA to require manufacturers to take immediate action to mitigate safety risks that are so serious and immediate as to be “imminent hazards.” If, through testing, inspection, investigation, or research carried out under the Vehicle Safety Act, the Secretary of Transportation decided that an unsafe condition or practice causes an emergency situation involving an imminent hazard of death, personal injury, or significant harm to the public, cease-and-desist authority would empower the Secretary to issue an order immediately prescribing such restrictions and prohibitions as may be necessary to abate the situation. To balance the safety needs underlying this authority with the rights and interests of the manufacturers, manufacturers and suppliers subject to such an order should be given an opportunity for an expedited review prior to the Agency’s exercising of that authority.

Authority: NHTSA would need a statutory amendment to give it this authority.

d. Authority IV: Expanded Exemption Authority for HAVs

One option that could facilitate the safe testing and introduction of HAVs would be to expand the Agency’s existing exemption authority. Current authority permits NHTSA to exempt not more than 2,500 vehicles per year for a two-year period, on the basis of equivalent safety.

The current production volume limit of NHTSA’s existing exemption authority makes it difficult to generate sufficient data for analysis (by manufacturers, government, and other researchers) that could enhance safety. The limited duration of exemptions requires frequent and repeated application renewals, and causes uncertainty as to the availability of the exemption over a longer period, which makes planning difficult. Some manufacturers have indicated that the current statutory volume and time limits create little incentive to use the exemption process because it is difficult to obtain sufficient data with such a limited number of vehicles.

One approach to providing expanded exemption authority would be to amend the existing exemption provision. For example, NHTSA could be authorized to grant an initial exemption to a manufacturer based on innovative safety features or overall level of safety for up to 5,000 vehicles per year for up to five years. Such an exemption would allow a manufacturer to produce up to 25,000 vehicles over a five-year period. These higher numbers would significantly increase the ability to generate real-world data and thus aid in analyzing the on-road safety of the exempted vehicles, while maintaining reasonable scope and duration limits to minimize risks. As the Agency gains experience with HAV technologies, the exemptions statute might relax or dispense with the limits on initial exemptions as well. The Agency’s existing authority to set terms and conditions of exemptions could be used to manage safety risks and evaluate different types of controls that could be considerations for future regulatory proposals. The Agency might also use that same conditioning authority to require data sharing (with regulators or researchers) that could be used to improve and enhance HAVs and the safety they promise to provide.

Alternatively, expanded authority might authorize the Agency to grant incrementally increasing exemptions to the same manufacturer, progressively relaxing the numerical limits on annual production volume and exemption duration over time, or even eliminating those limits altogether (following an incremental one-step-at-a-time approach). Variations of this approach related to the number of stages, vehicles, and years provide a range of possibilities for this tool.

If the Agency were granted such expanded exemption authority, it would be important to guard against overuse of the authority such that exemptions might displace rulemaking as the de facto primary method of regulating motor vehicles and equipment.

Authority: NHTSA’s existing time-and-number-limited exemption authority is set forth at 49 U.S.C. § 30113. Expansion of the Agency’s exemption authority (through changes in the numerical and temporal limits or otherwise) would require a statutory change.

e. Authority V: Post-sale Authority to Regulate Software Changes

Motor vehicles and equipment, including automated vehicle technologies, are increasingly controlled by computer software. At the same time, the capabilities and functions of software and related technologies are evolving very rapidly. To address problems and to improve and expand performance capabilities in the coming years, manufacturers and other entities will likely provide software updates for motor vehicles well after they are manufactured and certified. Some of those changes will substantially alter the functions and technical capabilities of those vehicles.

The statute underlying the FMVSS provides for manufacturer certification of a motor vehicle at the time of its manufacture. Subsequent software updates could affect the basis for that certification. In addition, such updates would themselves constitute new items of motor vehicle equipment, subject to the certification requirement and verification, to the extent there are applicable FMVSS. If a software change results in a defect posing an unreasonable risk to safety, NHTSA’s defects and recall authorities apply.

Additional measures and tools will be needed to ensure that consumers are adequately informed and educated about software updates, that such updates are promptly and properly made, and that the safety of affected vehicles is not compromised. For example, simulation might be used to assess the effects of a software update on vehicle performance.

Authority: NHTSA has authority to regulate the safety of software changes provided by manufacturers after a vehicle’s first sale to a consumer. The Agency may need to develop additional regulatory tools and rules to regulate the certification and compliance verification of such post-sale software updates.

2. Tools

a. Tool I: Variable Test Procedures to Ensure Behavioral Competence and Avoid the Gaming of Tests

For several reasons, variations in test environments are sometimes necessary to accomplish the purposes of the Vehicle Safety Act. This is particularly true in the case of HAVs. The requirement in the Vehicle Safety Act that each vehicle standard be “objective” was interpreted in the 1970s to mean that a standard’s “tests to determine compliance must be capable of producing identical results when test conditions are exactly duplicated.” [110] Yet to ensure that automated vehicles are capable of driving safely in complex, busy environments full of other vehicles, bicycles and pedestrians, the Agency must have the ability to create test environments representative of those real-world environments. Due to their complexity and variability, it would not be feasible for one such test environment to fully and identically duplicate another such test environment.

Further, if NHTSA issued a standard whose test procedure called for an HAV to be driven on a standardized path through a testing track simulating a particular urban or suburban driving environment and to avoid colliding with surrogate vehicles and pedestrians that would always appear in the same sequence at the same locations and at the same time intervals, the manufacturer of an HAV could program the vehicle to “perform to the test.” A vehicle could be programmed to slow down or stop in those locations without having to rely on the vehicle’s sensors being able to detect the surrogate vehicles and pedestrians and without the vehicle’s decision-making software having to decide on the basis of its observations and interpretations how to avoid a collision with those surrogates. To guard against the possibility of such “gaming” (which has occurred in the vehicle emissions program), NHTSA needs the authority to vary its test procedures when necessary to achieve the safety purposes of the Vehicle Safety Act.

Authority: A clarifying amendment to the Vehicle Safety Act could confirm that the current requirement that FMVSS be “objective” does not preclude the Agency from varying those procedures to the extent it deems necessary to ensure public safety. NHTSA believes it already has this authority, but a statutory clarification/confirmation would remove any doubt.

b. Tool II: Functional and System Safety

NHTSA’s Vehicle Performance Guidance outlines the actions manufacturers and other entities should take during the design and production processes to detect, classify, and mitigate the safety risks associated with internal failures. Ensuring that these efforts are made during the design and production processes will be critical because evaluating them in completed vehicles would be difficult.

NHTSA may wish to monitor the extent that manufacturers follow the Vehicle Performance Guidance by requiring reporting. The Agency could use the information reported by the manufacturers to identify best practices, refine its Guidance, and identify potential rulemaking subjects and efforts.

The Agency could also take several additional steps. NHTSA could use its reporting authority [111] to require manufacturers to report serious risks identified during the manufacturer’s Functional Safety analysis. Those risks could be indicative of potential safety-related defects. NHTSA might also require manufacturers to modify their designs as necessary to reduce high-level risks to acceptable levels. Clarifying the Agency’s authority in this regard would facilitate the smooth implementation of functional and system safety measures. It also would bring NHTSA’s practices more into line with those that other agencies (e.g., Federal Aviation Administration, Food and Drug Administration, Federal Railroad Administration) use to ensure the safety of software-driven products and systems. [112]

Authority: The Agency’s authority under 49 U.S.C. §§ 30166(e) and (m)(3)(B) could be used to require the reporting described above to the extent that the reporting could be shown to aid in the identification of possible safety-related defects and in ensuring that manufacturers are satisfying their duties with respect to such defects. The Agency may need additional authority to allow it to ensure that manufacturers take all necessary and appropriate steps to verify, validate and debug software.

c. Tool III: Regular Reviews for Making Agency Testing Protocols Iterative and Forward-Looking

Use of an iterative and forward-looking process for setting and updating of FMVSS and other testing protocols for HAVs is important given that the technologies are new and rapidly evolving. Given the speed and extent of that evolution, even the most performance-oriented and forward-looking testing protocols rapidly could become out-of-date, ineffectual and even obstructive. The greater the amount of detail that is included in testing protocols to maximize safety performance or address risks believed to be associated with current HAVs, the greater the likelihood that detail might limit the use of future technologies.

In proposing and establishing detailed performance metrics, thresholds and test procedures for testing protocols, NHTSA could conduct an analysis of the potential of such provisions to hamper future innovation and publish its analysis for public comment. Among the questions that the Agency might ask are:

• How are the technologies likely to be used to perform the affected vehicle functions or operations expected to change in the foreseeable future?

• Is there a reasonable basis for believing that any particular provisions of a testing protocol would create a risk of unduly impacting innovation adversely?

• How should those provisions be modified to reduce that risk while retaining their safety benefits?

Responsive comments would aid the Agency in fashioning a rule that would minimize the potential for obstructing safety-enhancing innovation.

In addition, NHTSA could provide in its final rules that it would: periodically assess the extent to which the FMVSS affecting HAVs continue to be technology-neutral, notwithstanding changes in technology; publish a draft assessment for public comment; and publish a revised assessment that indicated whether the Agency was inclined to pursue any suggested amendments to the standards. Given that many of the changes would involve software and given the speed with which software evolves, these assessments might need to be conducted fairly frequently.

Alternatively, selected provisions of a final rule could be made subject to a sunset clause. This is another way of building more flexibility and adaptability into testing protocols by making it necessary for the Agency to revisit and reaffirm the provisions based on updated information in a new rulemaking if the Agency wishes to retain them.

At the same time, if sunset clauses were to be used, they should be used judiciously so that the need to ensure regular review and, if necessary, revise rules to allow innovation could be balanced against the need to maintain sufficient stability in regulation. If much of the regulatory structure were put into flux too often, the result could be an undesirable loss of regulatory certainty and predictability.

Authority: NHTSA may conduct innovation impact analyses, provide for regular reassessments, and establish sunset clauses under existing authority.

d. Tool IV: Additional Recordkeeping/Reporting

To aid NHTSA in meeting its safety oversight responsibilities, the Agency should know when manufacturers intend to begin testing HAVs on public roads. Prior to beginning any testing, manufacturers and other entities could be required to submit brief plans and reports with the necessary information.

Requiring manufacturers to keep records and submit reports either periodically or upon request would encourage manufacturers to establish and follow a robust, proactive, and well-documented process for implementing the Vehicle Performance Guidance. Being required to make their practices transparent to the Agency could help to ensure that manufacturers take care in anticipating possible problems and resolving them before putting new vehicle models on public roads. When HAVs experience incidents or crashes, records and reports about those problems and manufacturer response actions would facilitate identification of problem causes. Also, such reporting would support identification of improvements that could be made in the manufacturers’ practices to reduce the likelihood of future problems.

Authority: NHTSA has authority to require recordkeeping and reporting by manufacturers to aid the Agency in determining whether a manufacturer is complying with the Vehicle Safety Act and its regulations. [113] Thus, to the extent that the reporting by manufacturers regarding the actions they have taken pursuant to the Vehicle Performance Guidance would aid in the identification by NHTSA of potential safety-related defects, the Agency could use its existing authority to require manufacturers to submit reports regarding those actions.

e. Tool V: Enhanced Data Collection Tools

Automated vehicles will access and generate large amounts of data about the nearby roadway environment and roadway users (e.g., other motorists, bicyclists, and pedestrians), and use those data to make judgments and execute safety decisions. When crashes or near crashes occur, the best source of information for learning the underlying causes will be the vehicle itself—if the vehicle retains the data and a record of relevant decisions it made.

To that end, NHTSA believes enhanced event data recorders would be useful to allow the Agency to reconstruct the circumstances of crashes and to gain an understanding of how a vehicle involved in a crash or incident sensed and responded to its driving environment immediately before and during the crash or near crash. Such data could provide insight to the answers to such crash-reconstruction-related questions as whether there were other roadway users nearby shortly before the crash or incident and whether the vehicle correctly and timely identified the other users and anticipated their speed and trajectories.

To allow the Agency to identify potential safety-related defects, and to aid it in identifying appropriate new regulatory measures for HAVs, NHTSA could require manufacturers to submit reports directly to the Agency about the circumstances and possible causes and consequences of crashes and incidents involving their test vehicles. NHTSA could also review the reports currently required by the California Department of Motor Vehicles (DMV) as a possible starting point for reports to NHTSA. Under the California testing regulations, manufacturers are required to provide DMV with a Report of Traffic Accident Involving an Autonomous Vehicle (form OL 316) within 10 business days of the incident.

Also, the Agency could require manufacturers to provide documents (e.g., build sheets) describing the safety equipment and safety-system-related software for crash-involved vehicles upon request. To provide a baseline of vehicles with and without certain safety features or capabilities, the Agency might require such information for all vehicles, not just those involved in crashes.

Authority: NHTSA currently has authority to take all of these steps, should it determine they are reasonable and practical and would advance vehicle safety.

3. Agency Resources

a. Resources I: Network of Experts

Vehicle technologies, including their software as well as their hardware, continue to become more diverse and complex. A network of experts would help NHTSA broaden its existing expertise and enhance its knowledge by accessing a variety of scientific and technical viewpoints, especially on emerging technologies.

Members of the network would not provide policy advice or opinions. Instead, network members would share their particular expertise on specific topics to help Agency staff form their own conclusions. 

Collaboration agreements could be used to govern the exchange of ideas between the Agency and selected experts and partner organizations. This would permit a fast and efficient exchange of knowledge with scientific and technical leaders on an as-needed basis. Safeguards could be established to protect privileged and confidential information and to ensure relevant conflicts of interest are disclosed and appropriately addressed.

Authority: NHTSA could establish a network of experts under its existing authority.

b. Resources II: Special Hiring Tools

NHTSA needs to be able to build quickly a cadre of in-house experts in cutting edge areas of science, technology, engineering, and mathematics. Given the newness of HAVs and the private sector demand for persons with the necessary types of scientific expertise to work with those technologies, there is a shortage of suitable candidates to meet the Agency’s critical hiring needs. Particularly if the Agency were to adopt some type of pre-market approval approach, it would need substantial additional numbers of persons qualified to conduct pre-market testing and analysis on a fairly large scale. The Agency could use a number of special hiring tools to enable it to hire qualified applicants with very specialized skills:

1. Direct hiring authority (as DOT currently can use for IT Security Specialists) that allows applicants to be selected directly from the qualified list of candidates without regard to veterans’ preference;

2. Term appointments;

3. Greater flexibility on pay; and

4. Other recruitment, relocation, and retention incentives.

Alternatively, if the Agency were not granted special hiring authority, it might be required to rely on third-party contractors and consultants to perform the additional work necessary to regulate the safety of HAV systems and vehicles.

Authority: A delegation from the Office of Personnel Management would be necessary for the direct hiring authority. A statutory amendment might be necessary to provide greater flexibility on pay.

D. Next Steps: Dialogue About New Tools and Authorities

Given the importance of the choices to be made about new tools and authorities to ensure safety and facilitate innovation, NHTSA plans to solicit input from vehicle manufacturers, technology companies, suppliers, consumer advocacy groups and the public regarding the list of tools and authorities in this section and any other tools and authorities those stakeholders might suggest. NHTSA hopes that comments and other stakeholder input will focus on which new tools and authorities appear to be the most promising ways to advance the purposes of the Vehicle Safety Act in this new age of highly automated vehicles.

GLOSSARY

AAMVA (American Association of Motor Vehicle Administrators)
AAMVA is a non-profit organization that develops model programs in motor vehicle administration, law enforcement, and highway safety. See www.aamva.org/about-aamva/.

ANSI (American National Standards Institute)
ANSI is a non-profit organization that coordinates development of voluntary consensus standards. See www.ansi.org/about_ansi/overview/overview.aspx?menuid=1.

California PATH
California Partners for Advanced Transportation Technology (PATH) is a multi-disciplinary research and development program of the University of California, Berkeley, with staff, faculty, and students from universities worldwide and cooperative projects with private industry, State and local agencies, and nonprofit institutions. See www.path.berkeley.edu.

CIE (International Commission on Illumination)
CIE is a non-profit organization that coordinates development of voluntary consensus standards regarding illumination. See www.cie.co.at.

Crash
An unintended event resulting in fatality, injury or damage to a vehicle or property, involving one or more motor vehicles, on a roadway that is publicly maintained and open to the public for vehicular travel.

DMV (Department of Motor Vehicles)
A State-level government agency that administers vehicle registration and driver licensing, among other things.

Driver
For purposes of this Policy, the human operator of an HAV when it is not operating in a fully automated mode.

DVI (Driver-Vehicle Interface)
The specialized version of HMI for the driving task.

Entities
A collective term used to refer to automated vehicle Manufacturers and Other Entities.

Event [114]
An occurrence that is not readily discernible as an incident. Not all events have an impact on safety. Example: Automation function shuts down and returns to a minimal risk condition for no apparent reason.

FMVSS (Federal Motor Vehicle Safety Standard)
A vehicle safety regulation issued by the National Highway Traffic Safety Administration (NHTSA), codified at 49 CFR Part 571, and applying to motor vehicles and motor vehicle equipment.

HAVs (Highly Automated Vehicles)
Vehicles that contain systems referred to as Conditional (Level 3), High (Level 4), and Full (Level 5) Automation in SAE J3016. These are systems that rely on the automation system (not on a human) to monitor the driving environment.

HAV Systems (Highly Automated Vehicle Systems)
A system is a combination of hardware and software that provides safety, comfort, and convenience features to drivers. Automated driving systems (hardware and software) are ones that perform a driving function (e.g., freeway driving, automated taxi, self-parking) by controlling and combining braking, throttle and steering functionality. The capability of a system is broken down into levels depending on the system’s ability to monitor the driving environment as defined by SAE J3016. In this document, an HAV system is one that is SAE Level 3 and higher where the system monitors the driving environment instead of the driver.

HMI (Human-Machine Interface)
The combination of hardware and software that allows a human to interact with a machine to perform a task.

Incident [115]
An occurrence involving one or more vehicles in which a hazard or a potential hazard is involved but not classified as a crash due to the degree of injury and/or extent of damage. An incident could affect the safety of operations. This definition covers a broad range of events. Example: HAV requires human control to avoid a crash with another object.

ISO (International Organization for Standardization)
An independent, non-governmental organization with a membership of 162 national standards bodies that coordinates development of voluntary consensus standards. See www.iso.org/iso/home/about.htm.

Manufacturer
An individual or company that manufactures automated vehicles or equipment for testing and deployment on public roadways. Manufacturers include original equipment manufacturers (OEMs), multiple and final stage manufacturers, alterers (individuals or companies making changes to a completed vehicle prior to first retail sale or deployment), and modifiers (individuals or companies making changes to existing vehicles after first retail sale or deployment).

Minimal risk condition
A low-risk operating condition that an automated driving system automatically resorts to either when a system fails or when the human driver fails to respond appropriately to a request to take over the dynamic driving task.

NCAP (New Car Assessment Program)
A consumer information program implemented by NHTSA to provide information to consumers on the relative safety of passenger motor vehicles. See 49 U.S.C. Chapter 323; www.safercar.gov.

Occupant
Anyone seated in or on an automated vehicle.

ODD (Operational Design Domain)
A description of the specific operating domain(s) in which an automated function or system is designed to properly operate, including but not limited to roadway types, speed range, environmental conditions (weather, daytime/nighttime, etc.), and other domain constraints.

OEDR (Object and Event Detection and Response)
The perception by the driver or system of any circumstance that is relevant to the immediate driving task, as well as the appropriate driver or system response to such circumstance.

OEM (Original Equipment Manufacturer)
An individual or (more usually) a company that manufactures new motor vehicles or motor vehicle equipment.

Operator
An occupant of an automated vehicle who is not responsible for the driving task, but is still responsible for certain aspects of the journey (i.e., inputting a destination for the vehicle).

Other Entity
Any individual or company, that is not a manufacturer, involved with helping to manufacture, design, supply, test, sell, operate or deploy automated vehicles or equipment.

SAE International
An automotive and aerospace standards setting body that coordinates development of voluntary consensus standards. See www.sae.org/about.

Vehicle Safety Act
The National Traffic and Motor Vehicle Safety Act of 1966, as amended. See 49 U.S.C. § 30101 et seq.

APPENDIX I: NHTSA’S CURRENT REGULATORY TOOLS

I. Guidance on Preparation of Well-Supported Petitions for Rulemaking

A. Scope

This guidance applies to petitions for rulemaking under Subpart A of Part 552 of Title 49 of the Code of Federal Regulations to amend existing vehicle safety standards or to establish new ones.

B. Definition

“Agency” means the National Highway Traffic Safety Administration.

C. Matters to be Addressed in Petitions

Petitions for rulemaking must include facts, descriptions and arguments sufficient to establish the necessity of a rulemaking, as contemplated in Subpart A of Part 552. In order to assist the Agency in its decision to grant or deny a petition in a timely manner, those facts, descriptions and arguments should include the matters specified in paragraph E.4.a or E.4.b, as appropriate, and in paragraph E.4.c of this guidance. Petitions that do not include all of the relevant information and data described in this guidance may be summarily denied.

D. Establishing Vehicle Safety Priorities

The Agency welcomes public comments and recommendations regarding areas in which the Agency should conduct research and ultimately establish vehicle safety standards or adopt other safety measures. The most useful and appropriate way of doing this is in connection with the Agency’s multi-year plan setting forth vehicle safety priorities. The Agency periodically will seek public comments on revisions to that plan.

E. Preserving Vehicle Safety Rulemaking Priorities

1. Necessity for Providing Complete Petitions

The Agency will consider a document to be complete and therefore a petition under Subpart A of Part 552 only with respect to those documents that meet paragraph C of this guidance.

2. Handling of an Incomplete Petition

In accordance with 49 CFR 552.5(b), the Agency will treat an incomplete petition as a suggestion, summarily deny the petition, and send the submitter a response. The Agency will place a copy of an incomplete petition suggesting rulemaking or research and any response letter in a public docket in the U.S. Department of Transportation’s electronic docket.

3. General policy on consideration of petitions for rulemaking

NHTSA generally will closely consider sound, well-supported petitions that will promote safety, to the extent that the Agency resources and other priority vehicle safety actions allow such consideration. The Agency will consider granting a rulemaking petition that would promote safety if, in the Agency’s judgment, the Agency would be able to develop and issue a sound, well-supported proposed rule, including regulatory text with performance requirements and test procedures, without conducting more than minimal additional research (e.g., to establish a sound basis for taking the recommended action or to develop and validate performance requirements, test conditions, or test procedures). In addition, in order to wisely and efficiently use its limited rulemaking resources and focus on priority matters, the Agency will distinguish between matters ready for rulemaking in the short term (based on information presented by the petitioner and/or otherwise readily available that supports and defines the requested course of action) and those longer-term matters for which significant additional research is needed before a rulemaking proposal can be developed and supported.

4. Petitions for vehicle safety standard rulemaking

Petitions must include the matters and information specified in 49 CFR 552.4 and should include the matters in paragraph E.4.a or E.4.b, as appropriate, and in paragraphs E.4.c and E.4.d of this guidance.

a. Petitions seeking adoption of new or more stringent performance requirements, test conditions or test procedures

i. Hazard

The petition should describe the nature, cause, size, and severity of the hazard (e.g., how many deaths and injuries result from this hazard, in what types of crashes does the hazard occur, and what is the severity of the injuries? How do the injuries occur?).

The petition should also identify the nature and size of target population (e.g., who might benefit—which persons, in what seating positions, in what types of vehicles, and in which types of crashes?).

ii. Practical means

The petition should describe technologies and designs that are or will be available to comply with the performance requirements and demonstrate the level of effectiveness of those technologies and designs in addressing the problem or hazard.

iii. Substance of standard

The petition should describe the requested standard (i.e., the performance requirements, test conditions, and test procedures), the supporting research and reasons why those performance requirements, test conditions, and test procedures are appropriate and better than alternative performance requirements, test conditions, and test procedures, and provide proposed regulatory text.

b. Petitions seeking amendment of existing vehicle safety standard to reduce cost or allow the use of a new design or technology

i. Problem and potential impact

In petitions seeking to permit the use of new technology or design or new application of an existing technology, the petition should describe the technologies, designs or applications, identify the regulatory text that restricts their use, explain specifically how the regulatory text restricts their use, and discuss the utility of the proposed technology or design to consumers, especially any safety impacts. The petition should quantify the impacts and explain the underlying calculations and the basis for them; if quantification is impossible, the reasons for that impossibility should be stated and the petitioner’s best attempt should be presented. In petitions seeking to relieve a restriction to facilitate cost reductions, petitions should identify the regulatory provisions or text that prevents the cost reduction, explain specifically how the regulatory provisions or text prevents the cost reduction, quantify the cost reduction, and explain the underlying calculations and their basis.

ii. Likelihood of impact

The petition should indicate the extent to which the described technologies or designs are likely to be used, or cost reductions made, in the near future if the standard is changed in the manner requested.

iii. Substance of standard

The petition should describe the necessary changes in the regulatory text of existing standards (i.e., the changes to the performance requirements, test conditions, and test procedures), along with the research supporting and reasons why those performance requirements, test conditions, and test procedures are appropriate and better than alternative performance requirements, test conditions, and test procedures,

c. Supporting data and analysis

The petition should provide data and arguments to support all of the minimum required contents specified in section 552.4 and, in order to assist the Agency in a timely disposition of the petition, should also provide support for the items in paragraph E.4.a or E.4.b of this guidance, including relevant test results, data, and studies reasonably available to the petitioner. The petition should explain the origin of any recommended numerical values, and provide any underlying calculations. The petition should precisely identify, but need not submit, any data readily available to the public and identify its source.

d. Supplementary supporting justification, data and analysis

To assist the Agency in evaluating and implementing the petition, the Agency encourages petitioners to submit detailed justification and supplementary data and analyses. To the extent that a petition contains the following, it will facilitate Agency action:

i. Regulatory text

The petition should provide the proposed regulatory text, i.e., text of performance requirements, test conditions, test procedures and similar parameters, that the petitioner requests the Agency to establish, add, or delete. In addition, explain how those requirements, conditions and procedures will effectively measure safety performance and objectively differentiate between compliant and noncompliant technologies and designs consistent with the interests of safety. A petition should describe the extent to and manner in which those requirements, conditions and procedures have been validated through research (e.g., testing), and submit the research results.

ii. Benefits and costs

The petition should identify and describe the type and amount of anticipated benefits and costs of adopting the requested regulation amendments, show how the figures were calculated, and submit studies or other materials or data supporting those figures.

II. Guidance on Preparation of Well-Supported Petitions for Reconsideration

A. Scope

This guidance applies to petitions under Part 553 of Title 49 of the Code of Federal Regulations for reconsideration of Agency final rules.

B. Definition

“Agency” means the National Highway Traffic Safety Administration.

C. General guidance

1. The Agency will reconsider a rule based on a party or commenter’s claim that:

a. The rule was based on material error(s) of fact or law;

b. New facts, evidence, or circumstances that could not have been raised previously compel a different result; or

c. Compliance with a new rule or standard is not practical, is not reasonable, or is not in the public interest.

2. The Agency will summarily deny any reconsideration petition based on any claim or argument other than those set forth in paragraph C.1.

3. The Agency will not consider a request for reconsideration that is based on repetition of arguments previously raised before the Agency.

D. Specific guidance on petition contents

Petitions for reconsideration must include the matters specified in paragraph D.1, D.2 or D.3 of this guidance.

1. Required minimum contents of petition based on claim that compliance is impractical, unreasonable, or not in the public interest

a. Statement of the complaint.

The petition must:

i. Explain the petitioner’s difficulty, if any, in complying with the rule as adopted;

ii. Identify the specific regulatory text that the petitioner believes needs to be changed;

iii. Explain how that text creates petitioner’s compliance difficulty or problem;

iv. Explain how the text should be changed; and

v. Explain how that change would resolve the petitioner’s compliance difficulty or problem.

b. Explanation as to why compliance with the rule is not practical, is unreasonable, or is not in the public interest

The petition must provide the factual and analytical basis for its belief that compliance with the rule is:

i. Not economically or technologically practical;

ii. Unreasonable; or

iii. Not in the public interest.

2. Required minimum contents of petition based on new facts, circumstances, or evidence

The petition must set forth and support the claim that the facts, evidence or circumstances submitted in support of the petition are new, could not have been raised before the issuance of the rule whose reconsideration is sought, and compel a different result.

3. Required minimum contents of petition based on claim that rule was based on material error of fact or law

The petition must identify and describe the alleged error and why that error is material to the provision for which the petition seeks reconsideration.

E. Suggested supplementary justification, data and analysis

To assist the Agency in evaluating and potentially implementing the petition, the Agency encourages the submission of detailed supplementary data and analyses. To the extent that petitions contain the following, it will facilitate faster Agency action:

1. Regulatory text

The petition should:

a. Provide the actual regulatory text, e.g., performance requirements, test conditions and test procedures, which the petitioner wishes to have established, added or deleted;

b. Explain how the new requirements, conditions and procedures to be established or added will accurately measure safety performance and differentiate between acceptable and unacceptable technologies and designs;

c. Describe the extent and manner in which the new requirements, conditions and procedures to be established or added have been validated through research, e.g., testing, and submit the research results; and

d. Explain the reasons why the performance requirements, test conditions, and test procedures to be established or added are appropriate and better than alternative performance requirements, test conditions, and test procedures.

2. Benefits and costs

The petition should:

a. Describe the type and amount of anticipated impacts on safety benefits and costs of making the requested changes;

b. Show how the figures were calculated, including key assumptions; and

c. Submit studies or other materials or data supporting those figures and the methodology for calculating them.

F. Disposition of petitions

1. Complete petitions

The Agency will consider a reconsideration petition to be complete and process it under Part 553 if it includes the contents specified in paragraph D of this guidance for all of the requests in the petition.

2. Incomplete petitions

The Agency will deny a petition that is incomplete, i.e., does not include the contents specified in paragraph C of this guidance for all of the requests in the petition.

3. Repetitious petitions

The Agency will deny petitions that are based on repetition of arguments or evidence previously raised before the Agency.

4. Untimely petitions

Complete petitions received by the Agency later than 45 days after the publication of the final rule for which the petitioner seeks reconsideration will be denied.

APPENDIX II: REGULATORY TOOLS USED BY FAA

To aid its efforts to determine what types of new regulatory tools might potentially be most useful, NHTSA examined the experiences of other Federal agencies facing similar technological innovations and challenges and adapting their regulatory frameworks to facilitate the introduction of those technologies, while at the same time taking the actions necessary to assure the safe deployment and performance of those technologies.

The Agency focused on the Federal Aviation Administration (FAA) because its challenges seem closest to those that NHTSA faces in dealing with HAVs. FAA uses an agency pre-market approval process116 to regulate the safety of complex, software-driven products like autopilot systems on commercial aircraft. The FAA also requires regulated parties to analyze and assure the functional and system safety of their products during the product design process.117 To help NHTSA assess the relevance of the FAA’s experience and the potential feasibility and transferability of its regulatory tools and policies to the Agency, NHTSA considered the implications of the similarities and differences between the industry and products FAA regulates and the ones NHTSA regulates, e.g., numbers of manufacturers, numbers of models, numbers and frequency of new model introductions (and thus number of new model approvals needed), and adherence to standardized production cycles such as the model year production cycle used in the motor vehicle industry. That consideration is discussed below.

The FAA uses a pre-market approval (i.e., Agency certification) process for new commercial aircraft. Before introducing a new aircraft into commercial service, a manufacturer must obtain a certification by the FAA that the aircraft meets aviation safety standards. There are five phases for FAA’s “type certification” process for approving aircraft design that move from early project concept and initiation through post certification activities.118 All phases contribute to improving safety and serve to mitigate cost and project risk. The five phases are:

• Conceptual design phase;

• Requirements definition phase;

• Compliance planning phase;

• Implementation phase; and

• Post certification phase.

The duration of the certification processes varies. Typically, they last three to five years. However, the most recent FAA certification process for a new commercial aircraft design, the one for the Boeing 787 Dreamliner, lasted considerably longer.119 It consumed an estimated 200,000 hours of FAA staff time and lasted eight years. The unusually long duration of the process was at least partly the result of the very advanced nature of the aircraft and the production of key components in locations geographically distant from one another (e.g., the wings were produced in Japan and the fuselage in the United States).

One way in which the FAA has been able to keep the duration of most certification processes to three to five years has been by delegating some of the oversight functions to the aircraft manufacturers. This practice is somewhat similar to self-certification. The Federal Aviation Act of 1958 was the original statute allowing FAA to delegate activities, as that Agency thinks necessary, to approved private people (experts) employed by aircraft manufacturers. Although paid by the manufacturers, these experts act as surrogates for FAA in examining aircraft designs, production quality, and airworthiness. The FAA is responsible for overseeing the expert designees’ work and determining whether designs meet FAA requirements for safety.

The FAA places great importance on system safety and safety risk management, an element of which is functional safety.120 The purpose of the system safety effort is not to produce a hazard analysis report, but to influence the design of the system to ensure that it is safe when it enters the production phase of the acquisition life cycle.121 This can be accomplished effectively if the following process tasks are performed:

• Identify the safety critical functions of the system;

• Identify the system and subsystem hazards/risks;

• Determine the effects of the risk occurrence;

• Analyze the risk to determine all contributing factors (i.e., hardware, software, human error, and combinations of each);

• Categorize the risk in terms of severity and likelihood of occurrence;

• Determine requirements for each contributing factor to eliminate, mitigate, and/or control the risk to acceptable levels;

• Determine testing requirements to prove the successful implementation of design requirements where the hazard risk index warrants; and

• Determine and communicate residual safety risk after all other safety efforts are complete to the design team and program management.

While the numbers of manufacturers and of new design introductions are relatively small for commercial aircraft, these numbers are much larger for drones (unmanned aircraft systems). These differences have led the FAA to take some different approaches in dealing with drones.

While FAA’s proposed rule to establish standards for small UAS was pending, the Agency took the interim step of issuing exemptions to permit civil visual-line-of-sight small UAS operations in the National Airspace System. The final rule, which was issued on June 21, 2016, permits those operations and does not require airworthiness certification of small UAS.122

APPENDIX III: NEXT STEPS

A. Vehicle Performance Guidance

1. Public Comment on Guidance

2. Public Workshop(s): The Agency plans to hold a public workshop to provide interactive discussions of the Guidance and gather additional input for future considerations.

3. Expert Review: In parallel with the public workshop effort, the Agency will conduct an external expert review of the Guidance.

4. Complete Paperwork Reduction Act Process for Safety Assessment letters: The Agency will conduct the Paperwork Reduction Act process for the Safety Assessment letters identified in the Performance Guidance.

5. Publish Safety Assessment Template: NHTSA will publish a template for manufacturers and other entities to use to submit their Safety Assessments.

6. Pursue Anonymous Data Sharing: The Agency will explore a mechanism to facilitate anonymous data sharing among those parties testing and deploying HAVs. The mechanism will facilitate sharing that complies with antitrust and competition law requirements, perhaps by using a third-party aggregator. While the specific data elements to be shared will need further refinement, the mechanisms for sharing can be established.

7. Work Plan for Priority Safety Areas: To further enhance the Guidance, some elements would benefit from specific actions taken by industry. NHTSA will formally request actions needed from specific industry associations and voluntary industry groups to address priority safety areas. These efforts are expected to yield more detailed findings and direction in areas such as data collection and test procedures that would enable all parties to build on the Guidance.

8. Continual Coordination: NHTSA will coordinate with State partners to ensure that the Guidance and the Model State Policy sections complement each other.

9. Automated Vehicle Classification: NHTSA will publish an objective method that manufacturers and other entities may use to classify their automated vehicle systems.

10. Gather Data: Use special and general order authority123 when necessary and appropriate to gather data.

11. Mandate Safety Assessment: Implement a rule mandating the submission of the Safety Assessment letter identified in this Guidance.

12. HAV Registration: Consider a rulemaking that would require any entity planning to test or operate HAVs on public roadways (i.e., those vehicles with systems that correspond to SAE Levels 3-5) to register with the Agency and to document and report to the Agency items related to NHTSA’s Guidance such as data recording, cybersecurity, test and evaluation process and methods used to ensure on-road operational safety, etc. NHTSA could model this effort on other reporting rulemakings such as Early Warning Reporting (EWR).

13. Consider Updates to FMVSS: Additional standards could be provided by, among other possibilities, a new FMVSS to which manufacturers could certify HAVs that do not have controls to permit operation by a human driver (i.e., no steering wheel, brake pedals, turn signals, etc.). Such a standard would not apply to vehicles with lower levels of automation. A new standard could prescribe performance requirements for multiple types of equipment to ensure the safety of these vehicles on roadways in the United States.

B. Model State Policy

1. Public Comment on Policy

2. Public Workshop(s): The Agency plans to hold a public workshop to provide interactive discussions of the Model State Policy and gather additional input for future considerations.

3. Stakeholder Engagement: In parallel with the public workshop effort, NHTSA will meet with stakeholders at the State level who would be responsible for implementing the Model State Policy.

4. Education: NHTSA recognizes that States may not have the resources to develop a deep understanding of the technologies being deployed. In conjunction with vehicle manufacturers, NHTSA will explore a mechanism to help State officials gain a better understanding of available vehicle technologies and NHTSA’s roles and activities.

5. Work Plan: Some elements of the Model State Policy will benefit from specific stakeholder actions. NHTSA will explore potential activities, for example, to convene relevant stakeholders to develop a work plan that facilitates policy refinements.

6. North American Cross-Border Coordination: NHTSA will explore the opportunity for cross-border consistency by engaging Canadian and Mexican authorities to leverage this document within their own regulatory framework.

C. Current Regulatory Tools

1. Notice and public comment on new procedures and timelines for exemptions and interpretations.

2. Finalization of new procedures and timelines for exemptions and interpretations.

D. Potential Tools and Authorities

1. Public comment on potential new tools and authorities, including ones not identified in this Policy.

2. Workgroup to assess new tools and authorities: NHTSA will convene a working group of relevant experts and stakeholders to consider new tools and authorities further.

NOTES

1 Kahane, C.J. (2015, January). Lives saved by vehicle safety technologies and associated Federal Motor Vehicle Safety Standards, 1960 to 2012 – Passenger cars and LTVs – With reviews of 26 FMVSS and the effectiveness of their associated safety technologies in reducing fatalities, injuries, and crashes. (Report No. DOT HS 812 069). Washington, D.C. National Highway Traffic Safety Administration.

2 See Singh, S. (2015, February). Critical reasons for crashes investigated in the National Motor Vehicle Crash Causation Survey. (Traffic Safety Facts Crash Stats. Report No. DOT HS 812 115). Washington, DC: National Highway Traffic Safety Administration.

3 Both interpretations and exemption requests have often taken years for NHTSA to decide.

4 See www.sae.org/misc/pdfs/automated_driving.pdf for a relatively plain-language explanation of the SAE taxonomy.

5 If a vehicle can do freeway driving and non-freeway driving, the operational design domain would outline the appropriate scenarios the vehicle must operate in to be safe and would be considered one system.

6 “Key Considerations in the Development of Driving Automation Systems.” Crash Avoidance Metrics Partnership (CAMP) Automated Vehicle Research (AVR) Consortium; Andy Christensen, Nissan - North America Andrew Cunningham, Volkswagen (VW) Group of America Jerry Engelman, Ford Motor Company Charles Green, General Motors Charles Kawashima, Mercedes-Benz Steve Kiger, CAMP Danil Prokhorov, Toyota Motor Engineering & Manufacturing North America, Inc. Levasseur Tellis, Ford Motor Company Barbara Wendling, Volkswagen (VW) Group of America Frank Barickman, National Highway Traffic Safety Administration. Proceedings of the 24th Enhanced Safety of Vehicles Conferences, 2015. http://www-esv.nhtsa.dot.gov/Proceedings/24/files/24ESV-000451.PDF.

7 See Review of Federal Motor Vehicle Safety Standards (FMVSS) for Automated Vehicles: Review of Federal Motor Vehicle Safety Standards (FMVSS) for Automated Vehicles. Preliminary Report - March 2016. Available at http://ntl.bts.gov/lib/57000/57000/57076/Review_FMVSS_AV_Scan.pdf.

8 49 U.S. Code §§ 30102(a)(8), 30116, 30120.

9 “DOT/NHTSA Policy statement concerning Automated Vehicles” 2016 update to “Preliminary statement of policy concerning automated vehicles”. Available at http://www.nhtsa.gov/staticfiles/rulemaking/pdf/Autonomous-Vehicles-Policy-Update-2016.pdf.

10 This would include entities such as a modifier or alterer that adds automated features to a vehicle after its manufacture. It would also include transit companies, fleet owners, and others who may test or operate HAV systems.

11 Pursuant to the Paperwork Reduction Act, NHTSA is seeking public comment on an Information Collection Request that covers the information sought in this section and in other parts of this document. The information collection and reporting requirements identified in this document will not be effective until the ICR process is completed.

12 As defined in Section 4 of the White House Consumer Privacy Bill of Rights, the Agency views as personal data: “data that are under the control of a covered entity, not otherwise generally available to the public through lawful means, and are linked, or as a practicable matter linkable by the covered entity, to a specific individual, or linked to a device that is associated with or routinely used by an individual.” NHTSA intends for the term “reasonably linkable,” as used herein, to have the same meaning as the phrase “as a practical matter linkable” in the definition of “personal data” that appears in Section 4 of the White House Consumer Privacy Bill of Rights. The Federal Trade Commission also uses the term “reasonably linkable” as it relates to personally identifiable information in its recent comment to the Federal Communications Commission at https://www.ftc.gov/system/files/documents/advocacy_documents/comment-staff-bureau-consumer-protection-federal-trade-commission-federal-communications-commission/160527fcccomment.pdf.

13 Under the EWR program (49 CFR Part 579 Reporting of Information and Communications about Potential Defects) NHTSA requires manufacturers to provide information annually relating to possible safety-related defects and noncompliance in their products. These requirements will apply to manufacturers of HAVs once their vehicles are introduced for public sale or commercial use. Specifically, sections 579.21 and 579.27 apply. Under Part 579, manufacturers that produce more than 5,000 total vehicles annually must report on injuries, fatalities, property damage claims, consumer complaints, warranty claims and field reports. Furthermore, these same manufacturers must also identify the vehicle systems (e.g., ESC, forward collision avoidance, lane departure prevention, back-over prevention) that are the cause of the problem/issue. Manufacturers that produce fewer than 5,000 total vehicles annually would have to report on incidences where a fatality occurred and on field reports received along with identification of systems involved. Production volume for a manufacturer includes all vehicles produced not just its HAVs. The Agency recommends that all the above information be submitted to the Agency for HAVs annually, regardless of total production volume.

14 Available at https://www.whitehouse.gov/sites/default/files/omb/legislative/letters/cpbr-act-of-2015-discussion-draft.pdf.

15 Available at http://www.autoalliance.org/index.cfm?objectid=CC629950-6A96-11E4-866D000C296BA163.

16 To the extent that this provision implicates information collection subject to the Paperwork Reduction Act, its requirements will not take effect until after NHTSA completes the PRA process for its data collection and reporting requirements. Once that process is complete and any resulting adjustments have been made, this provision of the Guidance will be effective.

17 Under ISO 26262 (Road Vehicles: Functional Safety), functional safety refers to absence of unreasonable safety risks in cases of Electrical and Electronic failures.

18 MIL-STD-882E. 11 May 2012. Available at http://www.system-safety.org/Documents/MIL-STD-882E.pdf.

19 Van Eikema Hommes, Q. D. (2016, June). Assessment of safety standards for automotive electronic control systems. (Report No. DOT HS 812 285). Washington, DC: National Highway Traffic Safety Administration.

20 To the extent that this provision implicates information collection subject to the Paperwork Reduction Act, its requirements will not take effect until after NHTSA completes the PRA process for its data collection and reporting requirements. Once that process is complete and any resulting adjustments have been made, this provision of the Guidance will be effective.

21 Manufacturers should insist that their suppliers build into their equipment robust cybersecurity features. Manufacturers should also address cybersecurity, but they should not wait to address cybersecurity until after they have received equipment from a supplier.

22 An ISAC (Information Sharing and Analysis Center) is a trusted, sector-specific entity that can provide a 24-hour per day and 7-day per week secure operating capability that establishes the coordination, information sharing, and intelligence requirements for dealing with cybersecurity incidents, threats, and vulnerabilities. See McCarthy, C., Harnett, K., Carter, A., and Hatipoglu, C. (2014, October). Assessment of the information sharing and analysis center model. (Report No. DOT HS 812 076). Washington, DC: National Highway Traffic Safety Administration.

23 To the extent that this provision implicates information collection subject to the Paperwork Reduction Act, its requirements will not take effect until after NHTSA completes the PRA process for its data collection and reporting requirements. Once that process is complete and any resulting adjustments have been made, this provision of the Guidance will be effective.

24 To the extent that this provision implicates information collection subject to the Paperwork Reduction Act, its requirements will not take effect until after NHTSA completes the PRA process for its data collection and reporting requirements. Once that process is complete and any resulting adjustments have been made, this provision of the Guidance will be effective.

25 Entities are encouraged to seek technical and engineering advice from members of the disabled community and otherwise engage with that community to develop designs informed by its needs and experiences.

26 In 2003, as part of a voluntary agreement on crash compatibility, the Alliance of Automobile Manufacturers agreed to a geometric compatibility commitment which would provide for alignment of primary energy absorbing structures among vehicles. The European Union recently introduced a new frontal crash test that also requires geometric load distribution similar to the Alliance voluntary agreement.

27 The training and education programs recommended here are intended to complement and augment driver training and education programs run by States, who retain the primary responsibility for training, testing, and licensing human drivers. Additionally, to the extent that this provision implicates information collection subject to the Paperwork Reduction Act, its requirements will not take effect until after NHTSA completes the PRA process for its data collection and reporting requirements. Once that process is complete and any resulting adjustments have been made, this provision of the Guidance will be effective.

28 To the extent that these reporting obligations extend beyond what is already covered by NHTSA’s PRA clearance for Part 566, this provision of the guidance will not take effect until after NHTSA completes the PRA process for its data collection and reporting requirements. Once that process is complete and any resulting adjustments have been made, this provision of the Guidance will be effective.

29 To the extent that this provision implicates information collection subject to the Paperwork Reduction Act, its requirements will not take effect until after NHTSA completes the PRA process for its data collection and reporting requirements. Once that process is complete and any resulting adjustments have been made, this provision of the Guidance will be effective.

30 To the extent that this provision implicates information collection subject to the Paperwork Reduction Act, its requirements will not take effect until after NHTSA completes the PRA process for its data collection and reporting requirements. Once that process is complete and any resulting adjustments have been made, this provision of the Guidance will be effective.

31 This discussion is intended only to introduce the relevance and importance of ethical considerations to the development and deployment of HAVs. It is not intended to be exhaustive or definitive, or to answer ethical questions, but rather only to raise the general topic of ethics as worthy of discussion and consideration by manufacturers, consumers, government, and other stakeholders.

32 To the extent that this provision implicates information collection subject to the Paperwork Reduction Act, its requirements will not take effect until after NHTSA completes the PRA process for its data collection and reporting requirements. Once that process is complete and any resulting adjustments have been made, this provision of the Guidance will be effective.

33 Automated Vehicle Research for Enhanced Safety: Final Report. Collision Avoidance Metrics Partnership, Automated Vehicle Research Consortium. June 2016. DTNH22-050H-01277.

34 To the extent that this provision implicates information collection subject to the Paperwork Reduction Act, its requirements will not take effect until after NHTSA completes the PRA process for its data collection and reporting requirements. Once that process is complete and any resulting adjustments have been made, this provision of the Guidance will be effective.

35 To the extent that this provision implicates information collection subject to the Paperwork Reduction Act, its requirements will not take effect until after NHTSA completes the PRA process for its data collection and reporting requirements. Once that process is complete and any resulting adjustments have been made, this provision of the Guidance will be effective.

36 See Nowakowski, Christopher, et al., “Development of California Regulations to Govern the Testing and Operation of Automated Driving Systems,” California PATH Program, University of California, Berkeley, Nov. 14, 2014, at 10. Available at http://docs.trb.org/prp/15-2269.pdf .

37 Id., at 10-11. NHTSA notes that California PATH’s work defined only minimum behavioral competencies for automated vehicles, which that organization described as “necessary, but by no means sufficient, capabilities for public operation.”

38 See Rau, Paul, Mikio Yanagawa, and Wassim G. Najm, “Target Crash Population of Automated Vehicles,” available at http://www-esv.nhtsa.dot.gov/Proceedings/24/files/Session%2021%20Written.pdf.

39 See Najm, Wassim G., John D. Smith, and Mikio Yanagawa, “Pre-Crash Scenario Typology for Crash Avoidance Research,” DOT HS 810 767, April 2007. Available at http://www.nhtsa.gov/DOT/NHTSA/NRD/Multimedia/PDFs/Crash%20Avoidance/2007/Pre-Crash_Scenario_Typology-Final_PDF_Version_5-2-07.pdf.

40 Available at http://ntl.bts.gov/lib/55000/55400/55443/AVBenefitFrameworkFinalReport082615_Cover1.pdf .

41 To the extent that this provision implicates information collection subject to the Paperwork Reduction Act, its requirements will not take effect until after NHTSA completes the PRA process for its data collection and reporting requirements. Once that process is complete and any resulting adjustments have been made, this provision of the Guidance will be effective.

42 To the extent that this provision implicates information collection subject to the Paperwork Reduction Act, its requirements will not take effect until after NHTSA completes the PRA process for its data collection and reporting requirements. Once that process is complete and any resulting adjustments have been made, this provision of the Guidance will be effective.

43 SAE J3016.

44 To the extent that this provision implicates information collection subject to the Paperwork Reduction Act, its requirements will not take effect until after NHTSA completes the PRA process for its data collection and reporting requirements. Once that process is complete and any resulting adjustments have been made, this provision of the Guidance will be effective.

45 NHTSA plans to continue Agency research into test and verification methods for highly automated vehicles as resources and availability of systems permit.

46 Available at http://www.nhtsa.gov/staticfiles/laws_regs/pdf/Electronic-Systems-Performance-in-Motor%20Vehicles.pdf .

47 There is no Safety Assessment document requested for SAE Level 0 and 1 systems. However, if multiple SAE Level 0 and 1 systems could be simultaneously engaged by the driver and in combination they could create a system of systems that would function as a SAE Level 2 system, manufacturers are expected to submit a Safety Assessment to NHTSA.

48 See 49 U.S.C. § 30166(g)(1).

49 The purpose of NHTSA’s collaboration with States and other stakeholders was to obtain their individual views and input and to exchange facts and information. NHTSA did not seek consensus recommendations from these stakeholders.

50 DOT reiterates that the Performance Guidance is not intended for codification by States, in part because DOT will revise and update that Guidance with experience and as technology evolves.

51 NHTSA does not expressly regulate motor vehicle (or motor vehicle equipment) performance in-use, after first sale, but because NHTSA’s standards apply to the vehicle or equipment when first manufactured, and because taking a vehicle or piece of equipment out of compliance with an applicable standard can be a violation of the Safety Act, the influence of NHTSA’s FMVSS extends through the life of the vehicle even if NHTSA is not directly regulating it. At the same time, States have the authority to regulate a vehicle’s in-use performance (as through safety inspection laws), but as the text here states, State regulations cannot conflict with applicable FMVSS.

52 “When a motor vehicle safety standard is in effect under this chapter, a State or a political subdivision of a State may prescribe or continue in effect a standard applicable to the same aspect of performance of a motor vehicle or motor vehicle equipment only if the standard is identical to the standard prescribed under this chapter.” 49 U.S.C. § 30102(b)(1).

53 See Geier v. American Honda Motor Co., 529 U.S. 861 (2000).

54 Depending on the circumstances, States may wish to establish a higher minimum insurance requirement.

55 Typically, a driver’s license from one State in the United States is honored by all other States, so a driver’s license from any State would be valid to allow an “operator” to operate a motor vehicle in any other State.

56 Some vehicles may be capable of being entirely “driven” either by the vehicle itself or by a human driver. For such dual-capable vehicles, the States would have jurisdiction to regulate (license, etc.) the human driver.

57 See www.nhtsa.gov/AV.

58 The FMVSS are codified at 49 CFR Part 571. DOT’s Volpe Center recently reviewed the FMVSS to identify potential barriers to introduction of AV technology, and found very few. See Kim, et al., “Review of Federal Motor Vehicle Safety Standards (FMVSS) for Automated Vehicles,” March 2016, available at http://ntl.bts.gov/lib/57000/57000/57076/Review_FMVSS_AV_Scan.pdf.

59 A recent change to NHTSA’s organic statute in the FAST Act allows manufacturers who had manufactured and distributed FMVSS-compliant vehicles as of the date of enactment of the FAST Act to introduce non-compliant vehicles for testing purposes only without petitioning NHTSA for an exemption.

60 With respect to international coordination, DOT recognizes that it is important to avoid regulatory inefficiencies and concurrently maximize safety as we collectively strive to facilitate the introduction of HAVs into the marketplace. DOT is actively working to remove potential regulatory barriers for HAVs, both in the U.S. and abroad. DOT is actively involved at the World Forum for the Harmonization of Vehicle Regulations and directly with individual foreign governments. These activities are intended to reduce barriers to innovation while preserving safety. Where appropriate, DOT will intensify its efforts to develop well-designed and globally-consistent regulations for HAVs.

61 See www.nhtsa.gov/AV.

62 Id.

63 While NHTSA intends for this information to assist members of the public in interacting with the Agency, we emphasize that if there are any discrepancies between the statements in this document and applicable statute or regulation, the statute or regulation controls, and that this document is not intended to be binding on the Agency or outside parties. If an outside party has a question about the contents of this notice and guidance, NHTSA encourages them to contact the Office of the Chief Counsel at 202-366-2992.

64 49 U.S.C. § 30112.

65 49 U.S.C. § 32506. Exemptions from bumper standards are allowed only for “passenger motor vehicles,” which NHTSA defines as “a vehicle with motive power designed to carry not more than 12 individuals, but does not include a truck not designed primarily to carry its operator or passengers, or a motorcycle.” 49 CFR § 555.4.

66 49 U.S.C. § 30113.

67 49 U.S.C. § 30114.

68 FAST Act, Sec. 24404, to be codified at 49 U.S.C. § 30112(b)(10). Because “replica” is defined in that provision as a motor vehicle intended to resemble the body of another motor vehicle that was manufactured not less than 25 years prior, DOT assumes for purposes of this particular document that manufacturers wishing to introduce HAV technologies are not likely planning to install them on “replica” vehicles, and will more likely seek exemption from applicable FMVSS under the § 30113 provisions.

69 49 U.S.C. § 30113(h); 49 CFR § 555.9; FAST Act, Sec. 24405.

70 NHTSA recently issued guidance to assist persons wishing to petition for a rulemaking. See Section III.C.

71 49 U.S.C. § 30113(d).

72 49 CFR § 555.7(a).

73 Id.

74 49 CFR § 555.7(d).

75 49 CFR § 555.7(e).

76 49 CFR § 555.7(b) and (c).

77 49 CFR § 555.7(f).

78 49 U.S.C. § 30113(f); 49 CFR § 555.10.

79 49 U.S.C. § 30113(c)(1).

80 49 CFR § 555.6(a).

81 49 U.S.C. § 30113(c)(2).

82 49 CFR § 555.6(b).

83 49 U.S.C. § 30113(c)(3).

84 49 CFR § 555.6(c).

85 49 U.S.C. § 30113(c)(4).

86 49 CFR § 555.6(d).

87 49 CFR § 555.8(a).

88 49 CFR § 555.8(b).

89 49 CFR § 555.8(e).

90 49 CFR § 555.8(d).

91 49 CFR § 555.8(c).

92 49 CFR § 555.8(f).

93 Appendix I summarizes this guidance in a more concise format (similar to Federal Register regulatory text).

94 Section 124 is codified at 49 U.S.C. 30162.

95 The purpose of Part 552 is set forth in § 552.1, Scope: This part establishes procedures for the submission and disposition of petitions filed by interested persons pursuant to 49 U.S.C. Chapters 301, 305, 321, 323, 325, 327, 329 and 331 to initiate rulemaking or to make a decision that a motor vehicle or item of replacement equipment does not comply with an applicable Federal Motor Vehicle Safety Standard or contains a defect which relates to motor vehicle safety.

96 § 552.4 Requirements for petition. … Each petition filed under this part must: (a) Be written in the English language; (b) Have, preceding its text, a heading that includes the word “Petition”; (c) Set forth facts which it is claimed establish that an order is necessary; (d) Set forth a brief description of the substance of the order which it is claimed should be issued; and (e) Contain the name and address of the petitioner.

97 “Agency’s action” refers to the regulatory text that is added to, changed in, or deleted from the Code of Federal Regulations by the final rule. Disagreement with the Agency’s preamble describing the Agency’s action and its rationale for that action is not grounds for petitioning for reconsideration, because the preamble is not the rule itself.

98 For example, a variety of vehicle safety rulemakings were mandated in the recently enacted “Fixing America’s Surface Transportation Act” (FAST Act), Public Law No: 114-94.

99 H.R. Rep. No. 89-1776, at 10 (1966). The Safety Act, as amended, is now codified at 49 U.S.C. §§ 30101 et seq.

100 In 1974, Congress mandated that manufacturers recall their noncompliant vehicles as well as their defective ones and remedy the problems without charge to consumers.

101 For example, stopping distance is a performance metric for measuring the effectiveness of a braking system.

102 A maximum of some number of feet, say 300, is an example of a maximum performance threshold.

103 For review of NHTSA’s authority to regulate advanced technologies under the Safety Act, see the Potential Regulatory Challenges of Increasingly Autonomous Vehicles, 52 Santa Clara L. Rev. 1423 (Wood et al., 2012) at http://digitalcommons.law.scu.edu/lawreview/vol52/iss4/9/.

104 See http://www.nhtsa.gov/staticfiles/nvs/crash-avoidance/LEtter-to-CA-DMV-04012015.pdf .

105 See I.D, supra; see also Appendix II (describing safety assurance tools used by FAA).

106 Both the U.S. and Canada use self-certification for their vehicle safety standards. Use of the same approach in both countries facilitates U.S.-Canada regulatory cooperation and the operation of the closely integrated U.S.-Canada motor vehicle industry.

107 Such an approval process would be considerably different from the type approval process used by regulatory authorities in the European Union and various other countries. The European Commission type-approves new vehicle models before they can be manufactured and sold. However, in deciding whether to type-approve a model, the Commission does not consider aspects of performance for which it has not yet established any regulations. The scope of its analysis and approval is limited to the aspects of performance for which there are regulations. The performance metrics, thresholds, and test procedures and equipment in those regulations give the Commission a way of scientifically measuring and evaluating performance. In addition to ensuring that evaluation process is objective, this limitation has the advantage of enabling manufacturers to anticipate the bases on which their models will be evaluated and assures that all models of all manufacturers will be judged on a level playing field.

108 See Nowakowski et al. at 12 (a “…third-party certification process has the merit of added credibility because of the independence of the certifying organization, but it also raises new problems involving protection of manufacturers’ intellectual property (including trade secrets), lack of organizations qualified to do the work in the U.S., and the cost associated with an additional team of people having to develop an in-depth understanding of a complex system. Requiring third-party certification would essentially require the development of a new certification industry in the U.S.”).

109 PHMSA’s pre-market approval approach illustrates an alternative to self-certification of compliance with regulatory standards, where the approved type provides an alternative that is equal in safety and in risk to that provided by an existing standard or requirement. Such a hybrid certification-approval approach likely would require fewer structural changes in NHTSA regulations and fewer additional resources than adoption of a full pre-market assurance approach to all vehicle safety standards.

110 Chrysler Corporation v. Department of Transportation, 472 F.2d 659, 676 (6th Cir. 1972).

111 See 49 U.S.C. § 30166(e), which authorizes the Secretary to require a manufacturer of a motor vehicle or motor vehicle equipment to keep records, and a manufacturer, distributor, or dealer to make reports, to enable the Secretary to decide whether the manufacturer, distributor, or dealer has complied or is complying with this chapter or a regulation prescribed or order issued under this chapter. See also 49 U.S.C. § 30166(m)(3)(B) which authorizes the Secretary, as part of the early warning reporting rule, to require manufacturers of motor vehicles or motor vehicle equipment to report, periodically or upon request of the Secretary, such information as the Secretary may request, to the extent that such information may assist in the identification of defects related to motor vehicle safety in motor vehicles and motor vehicle equipment in the United States.

112 See the discussion of the Federal Aviation Administration and Food and Drug Administration tools and authorities at Appendix II.

113 See 49 U.S.C. §§ 30166(e) and (m)(3)(B).

114 Adapted from PTRS Code 1725/3720/5720.

115 Adapted from PTRS Code 1711/3711/5711 or 1712/3712/5712 (http://fsims.faa.gov/WDocs/8900.1/V07%20Investigation/Chapter%2001/07_001_002.htm).

116 NHTSA presently uses a manufacturer self-certification process, combined with periodic risk-based agency compliance testing, to ensure compliance with its standards, the FMVSS. The Agency does not presently engage in pre-market review, testing, or approval of products.

117 Similarly, the Federal Railroad Administration requires that steps be taken to analyze and assure the functional and system safety of train control systems. See 49 CFR Part 236 Appendix C, Safety Assurance Criteria and Processes.

118 See https://www.faa.gov/aircraft/air_cert/design_approvals/media/CPI_guide_II.pdf. Note that there are two other types of certification, i.e., production certification (based on manufacturer having sufficient processes to ensure aircraft produced conforms to the approved design) and airworthiness certification (based on a showing that the finished product does, in fact, conform to the approved design and is in condition for safe operation).

119 See http://www.faa.gov/news/press_releases/news_story.cfm?newsId=13064.

120 System Safety Process, See https://www.faasafety.gov/gslac/alc/libview_normal.aspx?id=6877. For a more detailed treatment of this subject, see http://www.faa.gov/regulations_policies/handbooks_manuals/aviation/risk_management/ss_handbook/.

121 Much of this process and its individual elements could be described as “Safety Assurance.” See IV.C, supra.

122 See 81 Fed. Reg. 42064 (Jun. 28, 2016).

123 See 49 U.S.C. § 30166(g)(1).

APPENDIX E

Autonomous Vehicle Testing License

Nevada Department of Motor Vehicles ATTN: Director’s Office

555 Wright Way Carson City, Nevada 89711

For questions regarding the autonomous vehicle regulations, testing process and/or consumer deployment please contact:

April Sanborn, Manager - Management Services & Programs Division (775) 684-4719

For questions regarding the autonomous application packet please contact:

Natalie Vargas-Murray, Manager - Occupational & Business Licensing (775) 684-4672

OBL326 (8/2016)

Introduction

The State of Nevada is excited to lead autonomous vehicle development by licensing qualified companies to begin testing on our public roads. However, it is crucial that autonomous vehicles permitted to test in the state do not create an elevated risk to the Nevada public. Because the safety of the public is always the Department of Motor Vehicles’ (Department) primary concern, we require that all testing applicants articulate how they have combined competent autonomous technology and safe testing practices.

Application Submittal

Testing Proof

In order to establish whether the autonomous technology to be tested on Nevada roads has reached a reasonable level of maturity, regulations require that applicants provide proof of ten thousand miles of prior autonomous vehicle operation. The application should show a report of the prior autonomous testing for the Department to consider when processing the application. The report should be made with a non-technical audience in mind. The Department is not requesting exhaustive logs of all the miles claimed; however, applicants should have and maintain proof of all the miles claimed. The report should explain how the vehicle handles the following while driving in autonomous mode: traffic control devices, pedestrians/objects of variable size, speed variations and various environmental types. Examples of these include but are not limited to:

• Traffic Control Devices: roundabouts, stop lights, traffic signs, school zones, cross walks, construction zones, unmarked intersections
• Pedestrians/Objects of Variable Size: humans, bicycles, animals, rocks, sandbags, cones
• Speed Variations: recognize speed limit signs, temporary speed restrictions, school zone variable speed limits
• Environmental Types: rain, snow, ice, fog, high wind, blowing dust, night driving
• Emergency Vehicles: fire trucks, ambulance, law enforcement vehicles, etc.

The report should also include descriptions of any past incidents in which a vehicle in autonomous mode was in an accident or issued a traffic citation.

Nevada Testing Geographical Categories and Environmental Types

At the discretion of the Department, the testing license may be limited to specific geographic categories and environmental types. The Department has partitioned all of Nevada’s public roads into four geographic categories. This section describes what the Department has determined to make these locations uniquely challenging for autonomous vehicles.

Geographic Categories:

Interstate Highways

Interstate highways are any highways that are part of the federal interstate highway system and exhibit the following characteristics:

1. speeds of up to 80 MPH
2. ongoing road construction
3. infrequent pedestrian traffic and foreign debris
4. controlled access
5. high speed maneuvers and braking requirements
6. toll booths

State Highways

State highways are any US or SR highway (State Highways inside an urban corridor must have additional authority) and exhibit the following characteristics:

1. Speeds of up to 80 mph
2. Ongoing road construction
3. Possibility of pedestrian, bicycle, and livestock obstacles
4. Traffic control devices (such as stop lights and stop signs)
5. Downtown/mid-city congestion
6. Various non-controlled access points

Urban Environments

Nevada’s Urban Environments exhibit the following characteristics:

1. High levels of pedestrian traffic
2. Traffic control devices (such as stop lights, stop signs, and school zones)
3. Frequent road construction or roadblocks and foreign debris
4. Variable speed controls
5. Metered and parallel parking
6. Speed bumps or physical speed control devices
7. Animals off leash
8. Children at play in the roadway
9. Commercial shopping centers
10. Intersections lacking traffic control devices

Unpaved or Unmarked Roads

Any road outside of a city that is not a State Highway or Interstate is considered a Rural or Unpaved road. Additionally, any roads found inside an urban environment which are unpaved or unmarked are considered part of this environment. Unpaved or Unmarked roads exhibit the following characteristics:

1. Degraded pavement quality or no pavement (dirt roads)
2. Inconsistent or nonexistent road markings
3. Moderate levels of pedestrian traffic and foreign debris
4. Children at play in roadways
5. Animals off leash
6. Unmarked intersections

Environmental Types:

The environmental types you may apply for are:

• Night driving
• Rain
• Fog
• Snow/ice
• High crosswinds (gusts above 30mph)

The above environmental types must be indicated on the “Autonomous Technology Capabilities Checklist” in order to have them added to the testing license. Due to the unpredictability of weather conditions, environmental types may be added to the testing license if the applicant can present documented proof, satisfactory to the Department, that the technology has safely operated in the same conditions in another location. At any point, an applicant can apply to expand their testing license to more geographic categories or environmental types. This does not require a separate ten thousand miles of prior testing experience to be submitted. Instead, the applicant can fill out the OBL326 (Application for Autonomous Vehicle Testing License) to identify the new geographic category or environmental type.

OBL326 (6/2016)

Combining Procedure & Technology

In addition to the minimum of ten thousand miles of autonomous vehicle driving, applicants must have in place processes and procedures to mitigate the risk of any potentially underdeveloped technologies. Additional documentation we would like to see for our evaluation:

• A complete description of your autonomous technology
• The safety plan for testing on public roadways
• Your plan for hiring and training the test vehicle operators

For a full list of required items, please reference the Autonomous Vehicle Testing License Application Requirements at the end of this application.

Safety Practices

Licensees must ensure that at least one person is physically present in the autonomous vehicle while being tested on a highway in this state. The operator must at all times be seated in a position which allows the person to take active control or physical control of the vehicle. Each person must hold a valid driver’s license and be trained in the operation of the autonomous vehicle including the capabilities and limitations of the technology. Within 10 days of any accident or traffic violation occurring while operating an autonomous test vehicle, the licensee must provide the Department with a report of the incident. The report must include a copy of any accident report or any citation.

Application and Technology Evaluation

Upon review of the application, testing proof, and additional documentation, the Department will determine if additional information is needed. If no additional information is needed, a drive demonstration will be scheduled. The drive demonstration is used to determine if the vehicle can safely perform the autonomous functions outlined in the application. The designated route is at the discretion of the licensee. It should encompass several characteristics in the geographic categories and environmental types selected on the application. While navigating this route in autonomous mode, the technology will be evaluated to determine if it can handle the various situations encountered. The Department may ask for additional explanation or documentation describing the methodology used to handle conditions not encountered while on the drive demonstration.

The Nevada Department of Motor Vehicles is a public agency. All books, communications and records are subject to inspection or review upon request, per NRS 239.010. Be sure to omit any proprietary information that should not be made public prior to submission.

Application Approval

Upon approval of the application and drive demonstration, a test license and a certificate detailing the testing parameters and limitations will be provided by the Department. This test license is $101 ($100 for testing license; $1.00 Technology Fee). The certificate must be carried at all times in each vehicle that has been approved for testing in Nevada and presented to a peace officer upon demand. Each vehicle must display the autonomous vehicle testing license plates. A set of plates is $21.00 per vehicle ($12.00 Business Plate Fee; $3.50 per plate Production Fee; $0.50 per plate Prison Industry Fee; $1.00 Technology Fee). Each test vehicle to be tested in Nevada must be listed on the application and proof of vehicle ownership and insurance must be attached. To add or remove test vehicles associated with the autonomous vehicle test license, notify the Department by filling out the OBL326 (Application for Autonomous Vehicle Testing License). A new certificate will be provided by the Department.

Testing License Renewal

Your autonomous vehicle testing license and testing plates will expire one (1) year from the date the testing license was approved. To renew, complete the OBL326 (Application for Autonomous Vehicle Testing License) and submit it to the Department thirty (30) days prior to the expiration date. Some changes may require additional documents, so please contact the Department for assistance. The renewal fee is $101 for the autonomous vehicle testing license, plus $13 per set of testing license plates for each vehicle.

Disabled Operators

Overview: In July 2016, the Department of Motor Vehicles was successful in expanding their existing regulatory requirements for autonomous testing. The new testing requirements are not intended for companies with test drivers possessing a valid driver’s license in the State they reside in. The new requirements are for test operators who would be required to apply for a “restricted” driver’s license with the Department and do not currently hold a valid driver’s license in any state due to their disability. If the operator of the autonomous vehicle has been disqualified from driving due to a disability, then a restricted driver’s license is required for the disabled operator to be able to operate the autonomous vehicle. The following restrictions will apply:

• A detail form is carried by the restricted license holder authorizing that holder to only operate the autonomous test vehicle with the technology engaged.
• The restricted license holder is employed by the company applying for this autonomous vehicle testing license.
• A pilot vehicle, supplied by the autonomous test company, will be operated directly in front of the autonomous vehicle.
• The restricted license holder must be accompanied by a second person that:
  o Is seated in a position which allows the person to safely engage and disengage the autonomous technology and take active or physical control of the vehicle.

If, for any unforeseen reason, the above mentioned pilot vehicle is unable to continue to operate as such:

• The operator of the autonomous vehicle must pull the autonomous vehicle safely to the side of the road, or
• The second person in the autonomous vehicle must disengage the autonomous technology and take active or physical control of the vehicle.

If a restricted license, as mentioned above, is issued then the test license applicant must provide proof to the Department that:

• The holder is an employee of the test license holder.
• The holder has completed no less than 50 hours of training in an autonomous vehicle.
  o May include no more than 10 hours of operation of an autonomous vehicle simulator.
  o Must include no less than 40 hours of operation of an autonomous vehicle on any paved, graded, or similar surface, including a race track or private course.
• Any other information the Department may request.

OBL326 (8/2016)

Occupational and Business Licensing 555 Wright Way

Carson City, Nevada 89711 (775) 684–4690 www.dmvnv.com

APPLICATION FOR AUTONOMOUS VEHICLE TESTING LICENSE

Application Type: New / Renewal / Change (Type of change): Address / Vehicles / Geographic Categories / Environmental Types

License Number (If new applicant, please leave blank):

Business Name:

Mailing Address: Street, City, State, Zip

Physical Address: Street, City, State, Zip

Business Telephone Number:

Business Fax Number:

Email address:

FEIN:

Sole Proprietorship / Partnership / LLP / LLC / Corporation, Incorporated in State of

List name and title of each individual, each partner, whether general or limited, or each principal officer, director or stockholder participating in the direction, control or management of the policy of the project. Use separate page to list additional individuals, if necessary. Changes require notification to the Department.

Name (Last, First, Middle) | Title | Contact Telephone Number

Registered Agent Information: Name | Address | Telephone Number

Licensed Operators: Name | Driver’s License Number | State Issued

Autonomous Test Vehicle Information: (A $21 fee for each set of new Testing License Plates is required)

Year Make Vehicle Identification Number (VIN)

As a Nevada Autonomous Vehicle Testing Company, I affirm to the best of my knowledge and belief, each vehicle to be tested in Nevada is: 1) safe to operate on the highways of this State; 2) has a separate mechanism, in addition to, and separate from any other mechanism required by law, to capture and store, the autonomous technology sensor data for at least 30 seconds before a collision occurs between the autonomous vehicle and another vehicle, object or natural person. The autonomous technology sensor data must be captured and stored in a read-only format by the mechanism so that the data is retained until extracted from the mechanism by an external device capable of downloading and storing the data. Such data must be preserved for 3 years after the date of collision; 3) has a switch or mechanism to engage and disengage the autonomous vehicle that is easily accessible to the operator and is not likely to distract the operator from focusing on the road while engaging or disengaging the autonomous vehicle; 4) has a system to safely alert the operator to take control of the autonomous vehicle if a technology failure is detected; 5) is equipped with autonomous technology which does not adversely affect any other safety features of the vehicle which are subject to federal regulation. Additionally, I agree to operate my testing company in accordance with the requirements set forth in Chapter 482A of the Nevada Revised Statutes and Nevada Administrative Codes. I understand that providing of false information or the omission of the requested information in this application is grounds to deny, suspend, or revoke my testing license and constitutes a gross misdemeanor under Chapter 482A of the Nevada Revised Statutes. 
I declare under penalty of perjury that the information contained in my application, proof of 10,000 miles of prior autonomous vehicle operation, complete description of the autonomous technology, safety plan for testing on public roadways, plan for hiring and training of test vehicle operators, and any and all additional materials supplied to the Department are true and correct.

Applicant’s Signature Date

Applicant’s Printed Name and Title

State of _________________, County of ___________________

Subscribed and sworn before me this _____ day of ________, _____

Notary Public or Authorized Nevada DMV Representative Signature (Notary seal)

OFFICE USE ONLY BOX

Approved Geographic Categories: Interstate Highways, State Highways, Urban Environments, Unpaved/Unmarked Roads

Approved Environmental Types: Night Driving, Rain, Fog, Snow/Ice, Wind

Testing License Plates Approved

Denied

Initials: __________

Employee ID: __________ Date:

LETTER OF AUTHORIZATION

Business Name: ____________________ License Number: _______________

Address: ____________________

City State Zip Code: ____________________

Telephone Number: (_____) ____________________

Please check appropriate authorization boxes: Pick Up Licenses / Pick Up Plates/Decals

Printed Name of Authorized Agent: ____________________ Signature: ____________________

Printed Name of Authorized Agent: ____________________ Signature: ____________________

Printed Name of Authorized Agent: ____________________ Signature: ____________________

Printed Name of Authorized Agent: ____________________ Signature: ____________________

The listed Agent(s) is no longer authorized to represent my business:

Printed Name of Agent: ____________________

Printed Name of Agent: ____________________

Printed Name of Agent: ____________________

Printed Name of Agent: ____________________

Printed Name of Agent: ____________________

Printed Name of Agent: ____________________

I hereby authorize the changes as indicated above for my business with the Nevada Department of Motor Vehicles.

Printed Name of Principal: ____________________

Signature of Principal: ____________________ Date: _______________

To protect your business, notify the Department immediately of any changes to the above information.

CHILD SUPPORT INFORMATION

Nevada Administrative Code 482A requires the Department to request statements regarding child support from applicants for new and renewal of Autonomous Vehicle licenses. Each license applicant applying for a new or renewal of his or her license must complete and sign the Child Support Information below. Regulation prohibits the Department from processing your application without submission of the information below. Please mark the appropriate response and complete the remainder of the form. Failure to mark one of the three and completion of the form will result in denial of the application.

I am not subject to a court order for the support of a child.

I am subject to a court order for the support of one or more children and am in compliance with a plan approved by the district attorney or other public agency enforcing the order for the repayment of the amount owed pursuant to the order; or

I am subject to a court order for the support of one or more children and am not in compliance with the order or plan approved by the district attorney or other public agency enforcing the order for the repayment of the amount owed pursuant to the order.

Applicant’s Social Security No. Applicant’s Name (please print)

Signature of Applicant Date

OBL326 (6/2016)

AUTONOMOUS VEHICLE TEST LICENSE BOND

Bond Number License Type: Testing Company

Certification Facility

KNOW ALL MEN BY THESE PRESENTS: That ,as principal,

(Corporate Name and Doing Business As Name) located in the County of , State of Nevada, obligee, and, (Name of Surety) a corporation organized and existing under and by virtue of the laws of the State of , and authorized to transact a surety business in the State of Nevada, as surety, are held and firmly bound unto the State of Nevada in the penal sum of $5,000,000 for the payment of which well and truly to be made we hereby bind ourselves, our respective heirs, administrators, executors, successors and assigns jointly and severally, firmly by these presents: To be effective on the day of , THE CONDITION OF THIS OBLIGATION IS SUCH THAT: WHEREAS, the above-named principal has been licensed to carry on or conduct in this State the business of testing and/or certifying Autonomous Vehicles; and WHEREAS, the above-named surety herein agrees that any person injured by the action or actions of the principal and/or his employees involved in any fraud or fraudulent representation or in violation of any of the provisions of Chapter 482A of the Nevada Revised Statutes or Nevada Administrative Codes may bring action in said injured person’s own name against the said surety. This bond is continuous in form and the total aggregate liability of the bond is limited to the payment of the total amount of the bond. In the event of a dispute of a claim by the surety company, application may be made to the Director, Department of Motor Vehicles for good cause shown. After notice and hearing, the director may authorize payment of funds from here said surety coverage.

(SEE NEXT)

Bond Number This bond may be canceled by the surety at any time by giving written notice by registered mail of its desire and intention so to do. Said cancellation shall be effective thirty (30) days after the receipt of said notice by the State of Nevada, Department of Motor Vehicles, Occupational and Business Licensing Section. Signed, sealed and dated this day of ,

(Printed Name, Principal)

(Signature, Principal)

(Surety) Telephone Number of Surety: ( ) -

(Mailing Address of Surety Company, Street)

(City, State and Zip Code) By

(Signature, Attorney-In-Fact for Surety) (Printed Name, Attorney-In-Fact) (Surety Seal) Countersigned on behalf of:

(Surety) this day of ,

(Signature, Agent)

(Printed Name, Agent)

(Business Name, Agent)

(Business Address, Agent)

AUTONOMOUS TECHNOLOGY CAPABILITIES CHECKLIST

This checklist is to identify the geographic categories, environmental types and specific capabilities that the autonomous vehicle can perform. Please check the box that indicates the geographic categories and/or environmental types that you intend to test your AV technology in.

Geographic Categories: Interstate Highways, State Highways, Urban Environments, Unpaved/Unmarked Roads

Environmental Types: Night Driving, Rain, Snow/Ice, Fog, High Crosswinds (gusts above 30 mph)

Please check the box next to each capability that indicates how the technology will handle these specific road characteristics. Also, in the space provided, give a brief description as to how the technology will conduct that action.

Autonomous = the vehicle performs the required action in autonomous mode without operator control

Operator Controlled = the vehicle is taken out of autonomous mode to perform the required action

Stop Signs: Autonomous / Operator Controlled ________________________

Speeds up to 80 mph: Autonomous / Operator Controlled ________________________

Pedestrian Traffic: Autonomous / Operator Controlled ________________________

Children at Play: Autonomous / Operator Controlled ________________________

Freeway On/Off Ramps: Autonomous / Operator Controlled ________________________

Crosswalks: Autonomous / Operator Controlled ________________________

Turns: Autonomous / Operator Controlled ________________________

Railroad Crossings: Autonomous / Operator Controlled ________________________

Roundabouts: Autonomous / Operator Controlled ________________________

Road Construction Signs: Autonomous / Operator Controlled ________________________

Speed Limit Signs: Autonomous / Operator Controlled ________________________

High Traffic Congestion: Autonomous / Operator Controlled ________________________

Debris/Obstacles in Roadway: Autonomous / Operator Controlled ________________________

Lane Changes: Autonomous / Operator Controlled ________________________

School Zones: Autonomous / Operator Controlled ________________________

Passing School Buses: Autonomous / Operator Controlled ________________________

Emergency Vehicles: Autonomous / Operator Controlled ________________________

Intersections: Autonomous / Operator Controlled ________________________

Degraded Pavement Quality: Autonomous / Operator Controlled ________________________

Speed Bumps: Autonomous / Operator Controlled ________________________

Parallel Parking: Autonomous / Operator Controlled ________________________

“No Zones” Passing: Autonomous / Operator Controlled ________________________

Right Turn on Red: Autonomous / Operator Controlled ________________________

Passing Bicycles: Autonomous / Operator Controlled ________________________

Metered On Ramp: Autonomous / Operator Controlled ________________________

Highway Markings: Autonomous / Operator Controlled

(Broken/Dashed White/Yellow) ________________________

(Solid/Double Yellow/White Lines) ________________________

Traffic Lights: Autonomous / Operator Controlled

(Flashing red/yellow light) ________________________

(Red/Yellow/Green light) ________________________

If there are any other capabilities that are not listed that your technology can perform in autonomous mode, please list them in the space provided below. If not, please use this

________________________________________________________________________________

________________________________________________________________________________

AUTONOMOUS VEHICLE TESTING LICENSE APPLICATION REQUIREMENTS

□ Application for Autonomous Vehicle Testing License (OBL326).

□ A nonrefundable licensing fee of $101.00, plus $21 for each set of Testing License Plates required for each vehicle.

□ A Letter of Authorization (OBL276).

□ A Child Support Information form (OBL268).

□ A Surety Bond (OBL328), Cash Deposit, or proof of insurance or self-insurance in the amount of $5,000,000.

□ Submit proof sufficient to the Department of Motor Vehicles that one or more of the applicant’s AV’s have been driven for a combined minimum of at least 10,000 miles in Autonomous mode, under varying types of roads, weather conditions and times of day and night.

□ Proof of ownership for each AV listed on the application (i.e. Title, Manufacturer’s Certificate of Origin, Security Agreement, Vehicle Registration or other proof sufficient to the Department).

□ An Insurance Certificate that meets or exceeds Nevada’s minimum liability requirements pursuant to NRS 485.185 for each autonomous testing vehicle listed on the application. May not be an Operator’s Policy as described in NRS 485.186.

□ Submit a complete description of your autonomous technology.

□ Submit documentation detailing your safety plan for testing on public roadways.

□ Submit your plan for hiring and training the test vehicle operators.

□ Autonomous Technology Capabilities Checklist