Supporting Statement
Automated Driving Systems 2.0: A Vision for Safety
INTRODUCTION
This is a formal request to the Office of Management and Budget (OMB) to review and approve a modification to the National Highway Traffic Safety Administration (NHTSA) information collection request (ICR) with a revised title “Automated Driving Systems 2.0: A Vision for Safety” (previously titled “Vehicle Performance Guidance”) with OMB Clearance Number 2127-0723.
Part A. Justification
1. CIRCUMSTANCES THAT MAKE COLLECTION OF INFORMATION NECESSARY
The National Highway Traffic Safety Administration (NHTSA), under the U.S. Department of Transportation, was established by the Highway Safety Act of 1970, as the successor to the National Highway Safety Bureau, to carry out safety programs under the National Traffic and Motor Vehicle Safety Act of 1966 and the Highway Safety Act of 1966. The Vehicle Safety Act was subsequently re-codified under Title 49 of the U.S. Code in Chapter 301, Motor Vehicle Safety.
Under the authority of the National Traffic and Motor Vehicle Safety Act of 1966, as amended, NHTSA’s purpose is to reduce traffic accidents and deaths and injuries resulting from traffic accidents. 49 U.S.C. § 30101. In support of that purpose, the Agency is authorized to carry out needed safety research and development. 49 U.S.C. § 30101(2).
The U.S. Department of Transportation (DOT) through the National Highway Traffic Safety Administration (NHTSA) is fully committed to reaching an era of crash-free roadways through deployment of innovative lifesaving technologies. Recent negative trends in automotive crashes underscore the urgency to develop and deploy lifesaving technologies that can dramatically decrease the number of fatalities and injuries on our Nation’s roadways. NHTSA believes that Automated Driving Systems (ADSs), including those contemplating no driver at all, have the potential to significantly improve roadway safety in the United States.
The purpose of Automated Driving Systems 2.0: A Vision for Safety is to support the automotive industry, the States, and other key stakeholders as they consider and design best practices relative to the testing and deployment of automated vehicle technologies.
Section 1 of ADS 2.0, Voluntary Guidance for Automated Driving Systems, contains 12 priority safety design elements. These elements were selected based on research conducted by the Transportation Research Board (TRB), universities, and NHTSA. Each element contains safety goals and approaches that could be used to achieve those safety goals. Entities are encouraged to consider each process for assessment, testing, and validation of the various elements. As automated driving technologies evolve at a rapid pace, no single standard exists by which an entity’s methods of considering a safety design element can be measured. Each entity is free to be creative and innovative when developing the best method for its system to appropriately mitigate the safety risks associated with its approach.
Entities engaged in ADS testing and deployment may demonstrate how they address – via industry best practices, their own best practices, or other appropriate methods – the safety elements contained in the Voluntary Guidance by publishing a Voluntary Safety Self-Assessment (VSSA). The VSSA is intended to demonstrate to the public (particularly States and consumers) that entities are: 1) considering the safety aspects of ADSs; 2) communicating and collaborating with DOT; 3) encouraging the self-establishment of industry safety norms for ADSs; and 4) building public trust, acceptance, and confidence through transparent testing and deployment of ADSs. It also allows companies an opportunity to showcase their approach to safety, without needing to reveal proprietary intellectual property.
2. HOW, BY WHOM, AND FOR WHAT PURPOSE THE INFORMATION IS TO BE USED
This information collection is comprised of two parts, the documentation that has been suggested in the Voluntary Guidance of ADS 2.0 and the public disclosure of information via the Voluntary Safety Self-Assessment.
The Agency expects some burden associated with the increased documentation suggested by the Voluntary Guidance to be incurred by entities. However, much of this documentation is either already called for by industry consensus standards (such as ISO 26262) or represents good systems engineering practices. The agency expects that any increase in documentation or recordkeeping will be to the benefit of those entities that choose to follow the Voluntary Guidance and not to their detriment.
Secondary to the consideration of the safety elements is the Voluntary Safety Self-Assessment that NHTSA suggests entities voluntarily disclose to the public. The VSSA is expected to be a high-level summary of how parties are considering the safety elements discussed in the Voluntary Guidance.
Entities collecting information and disclosing that information via a Voluntary Safety Self-Assessment are given the flexibility to disclose the information as deemed appropriate for that particular entity. Thus, data users will access that information according to the respective means of public disclosure. Various stakeholders will retrieve the safety information in the VSSA for varying reasons. Entities will use the development and disclosure of the information to inform, educate, and communicate with the public and DOT.
Members of the public are expected to retrieve the VSSA in order to understand the technology, learn about how the testing and safety elements are incorporated in the design and function of a system or vehicle, and become aware of the testing and deployments in locations around the country.
State stakeholders have expressed they will use the information in the VSSA in assessing the safety of ADSs on their roadways. Those States looking to require application and permission to test and deploy ADSs plan to review the VSSA prior to issuing the permit. The States also expect to use information in the VSSA to communicate with law enforcement and first responders as well as educate the public.
Other consumer-based stakeholders are expected to access the information in the VSSA to gather information for comparison of systems, to identify risk, inform decisions, and educate, among other uses.
NHTSA expects industry and standards organizations to utilize the VSSA to work towards industry norms and best practices. Further technological development is expected through information shared in the VSSA and subsequent activity initiated through industry review.
3. EXTENT OF AUTOMATED INFORMATION COLLECTION
Collection of information by entities and a subsequent Voluntary Safety Self-Assessment are voluntary efforts. There are no stipulations regarding format or publication. NHTSA presumes that the vast majority of the information being collected, the methods of collection, discussion regarding safety elements, and publication of the Voluntary Safety Self-Assessment will be electronic. If an entity chooses to send NHTSA a courtesy copy of the Voluntary Safety Self-Assessment, this would likely be an electronic correspondence as well.
4. EFFORTS TO IDENTIFY DUPLICATION
NHTSA is not aware of any existing means of information collection and dissemination regarding vital safety information on ADSs, aside from that which an entity collects on its own. NHTSA expects much of the work associated with consideration of the safety elements in the Voluntary Guidance section of Automated Driving Systems 2.0: A Vision for Safety to be an extension of good and safe engineering practices already in place. It therefore believes that manufacturers and other entities will have access to all the information needed to craft a Voluntary Safety Self-Assessment. The collation of information into the Self-Assessment is a new effort for industry.
5. EFFORTS TO MINIMIZE THE BURDEN ON SMALL BUSINESSES
The documentation burden that is contained in the Voluntary Guidance is a natural extension of things that are already current industry standard processes, and the burden is therefore minimized for all companies, small business entities included.
The flexibility in publication of the collected information allows small businesses the ability to create a Voluntary Safety Self-Assessment that is appropriate for the resources of that business. Additionally, the Agency only anticipates minimal information to be included in the VSSA, which will help to minimize the effort expended by small business entities that voluntarily choose to consider the Voluntary Guidance.
6. IMPACT OF LESS FREQUENT COLLECTION OF INFORMATION
Automated Driving Systems 2.0: A Vision for Safety is voluntary guidance. There is no requirement for collection of information, nor penalty for lack of collection. Information collection and publication of the Voluntary Safety Self-Assessment should reflect developments for each entity and ADS and frequency of collection should be associated with those developments. NHTSA believes that, to meet its safety objectives, stipulating a frequency of collection of information may allow for gaps in information sharing and understanding of the current state of technology.
7. SPECIAL CIRCUMSTANCES
There are no special circumstances related to this information collection and the procedures specified for this information collection are consistent with the guidelines set forth in 5 CFR 1320.6.
8. COMPLIANCE WITH 5 CFR 1320.8
The FEDERAL REGISTER (81 FR 43450), September 15, 2017 notice soliciting comments on the collection of information is attached. The Agency received 4 comments on this notice. Two of the four comments did not pertain to Automated Driving Systems, vehicles, automation technology, or the estimated burden associated with Automated Driving Systems 2.0. Rather they provided comments regarding various other Congressional Acts previously passed. One of the four comments pertained to the Automated Driving Systems 2.0 document in general with no comments regarding burden. The final of the four comments states the information collection request was inadequate; however, the description was based on the fundamental grounds of reduction of information in the Voluntary Guidance rather than the calculation of burden or respondents.
It is important to note that the Automated Driving Systems 2.0: A Vision for Safety was effective on September 15, 2017, and is intended to be updated frequently. Therefore, the burden hours outlined in the 60-day notice and this subsequent 30-day notice are reflective of that version of the policy. If the agency significantly changes the burden with any future updates, further modifications will be sought.
9. PAYMENT OR GIFTS TO RESPONDENTS
NHTSA is not providing payment or gifts for respondents.
10. ASSURANCES OF CONFIDENTIALITY
Confidentiality is not applicable because the Voluntary Safety Self-Assessment is public. Should an entity wish to submit confidential business information to NHTSA, CFR 49 Part 512 is available for instruction.
11. JUSTIFICATION FOR COLLECTION OF SENSITIVE INFORMATION
Automated Driving Systems 2.0: A Vision for Safety does not collect sensitive information.
12. ESTIMATES OF BURDEN HOURS FOR INFORMATION REQUESTED
Estimated Burden for this Collection: We estimate the following collection burden on the public. The numbers below are based on estimates that NHTSA has generated, and the Agency seeks comment on the burden calculations below.
There are currently 45 manufacturers that have registered with the State of California as licensed entities capable of testing automated systems. NHTSA expects this number will continue to increase over the next three years, and for purposes of estimating the burden of this collection, NHTSA believes there will be 60 respondents annually during the three years covered by this information collection request. This increase takes into account the addition of new entrants as well as the fact that many entities have already begun testing of ADSs and are thus already included in this figure.
The adjustments from the previous approved collection are a result of the Voluntary Guidance reducing the number of priority safety design elements for consideration from 15 to 12 (removal of Privacy, Registration and Certification, and Ethical Considerations). It also removes the data sharing aspect of the Voluntary Guidance, and limits the scope of the Voluntary Guidance to SAE system Levels 3-5 instead of also including Level 2. The Voluntary Guidance encourages public disclosure rather than providing information to NHTSA; however, this change is not expected to change burden.
NHTSA expects the industry burden of following the Voluntary Guidance to be comprised of efforts entities would already incur in normal business operation and existing documentation; however, there may be an increased burden for documentation of procedures and some minor analysis or review. In calculating the burden for an entity to consider the safety elements in the Voluntary Guidance, NHTSA has adjusted its estimates in accordance with the new Voluntary Guidance from the original estimated annual burden of 1,630 hours for each reporting entity plus an additional 20 hours for select entities. By limiting the scope and safety elements in the Voluntary Guidance, the estimated annual burden for an entity to consider the safety elements in the Voluntary Guidance is now 835 hours.
In addition to the estimated annual burden associated with existing documentation and business operation to follow the Voluntary Guidance, disclosure of a Voluntary Safety Self-Assessment may involve additional burden for format and content adherence, varying by safety element. NHTSA estimates that each entity will spend an additional 600 hours to use the documentation recommendations contained in the Voluntary Guidance. This estimate of burden is comprised of efforts to transmit information from existing format into a summary format that would be consumable by the public, including data translation, analysis, and discussion of traditionally technical information. This is a reduction from the original estimate of 1,380 burden hours per year.
| Safety Element in Voluntary Guidance | Burden Hours Associated | Voluntary Assessment Development | Voluntary Assessment Summary |
| --- | --- | --- | --- |
| (components below) | 200 | 20 | 10 |
| Industry Standards Followed | 10 | - | - |
| Best Practices, Design, and Guidance Followed | 10 | - | - |
| Hazard Analysis | 40 | - | - |
| Safety Risk Assessment | 40 | - | - |
| Redundancies | 20 | - | - |
| Software Development, Verification, and Validation | 40 | - | - |
| System Testing and Traceability | 40 | - | - |
| B. Operational Design Domain | 20 | 20 | 5 |
| C. Object and Event Detection and Response | 20 | 40 | 5 |
| D. Fall Back | 60 | 80 | 10 |
| E. Validation Methods | 0 | 80 | 10 |
| F. Human Machine Interface | 80 | 20 | 5 |
| G. Vehicle Cybersecurity | 60 | 20 | 5 |
| H. Crashworthiness | 20 | 20 | 5 |
| I. Post-Crash Behavior | 40 | 20 | 5 |
| J. Data Recording (components below) | 200 | 80 | 10 |
| Crash Recorder | 40 | - | - |
| Positive Outcomes | 40 | - | - |
| Event Triggers, Schema | 40 | - | - |
| Data Privacy | 40 | - | - |
| Data Management | 40 | - | - |
| K. Consumer Education and Training (components below) | 115 | 40 | 5 |
| System Intent | 5 | - | - |
| Operational Parameters | 10 | - | - |
| System Capabilities | 10 | - | - |
| Engagement/Disengagement | 20 | - | - |
| HMI | 20 | - | - |
| Fallback | 20 | - | - |
| Driver Responsibilities | 10 | - | - |
| Changes in System Performance in Service | 10 | - | - |
| On-Road Hands on Training | 5 | - | - |
| On-Track Hands on Training | 5 | - | - |
| L. Federal, State, and Local Laws | 20 | 80 | 5 |
| Total Burden Hours Per ADS | 835 | 520 | 80 |

| Estimated Number of Respondents | 60 |
| Estimated Burden for Voluntary Guidance | 835 hours |
| Estimated Burden for Voluntary Assessment Development | 520 hours |
| Total Estimated Burden for Summarizing | 80 hours |
| Total Burden Hours | 1,435 hours |
| Frequency of Collection per Year | 1 |
| Total Estimated Burden for Industry Per Year | 86,100 |
Safety Elements in the Voluntary Guidance
System Safety
Entities are encouraged to follow a robust design and validation process based on a systems-engineering approach with the goal of designing ADSs free of unreasonable safety risks. The overall process should adopt and follow industry standards, such as the functional safety process standard for road vehicles, and collectively cover the entire operational design domain (i.e., operating parameters and limitations) of the system. Entities are encouraged to adopt voluntary guidance, best practices, design principles, and standards developed by established and accredited standards-developing organizations (as applicable) such as the International Standards Organization (ISO) and SAE International, as well as standards and processes available from other industries such as aviation, space, and the military and other applicable standards or internal company processes as they are relevant and applicable. See NHTSA’s June 2016 report, Assessment of Safety Standards for Automotive Electronic Control Systems, which provides an evaluation of the strengths and limitations of such standards.
The design and validation process should also consider including a hazard analysis and safety risk assessment for ADSs, for the overall vehicle design into which it is being integrated, and when applicable, for the broader transportation ecosystem. Additionally, the process shall describe design redundancies and safety strategies for handling ADS malfunctions. Ideally, the process should place significant emphasis on software development, verification, and validation. The software development process is one that should be well-planned, well-controlled, and well-documented to detect and correct unexpected results from software updates. Thorough and measurable software testing should complement a structured and documented software development and change management process and should be part of each software version release.
Industry is encouraged to monitor the evolution, implementation, and safety assessment of artificial intelligence and other relevant software technologies and algorithms to improve the effectiveness and safety of ADSs.
Design decisions should be linked to the assessed risks that could impact safety-critical system functionality. Design safety considerations should include design architecture, sensors, actuators, communication failure, potential software errors, reliability, potential inadequate control, undesirable control actions, potential collisions with environmental objects and other road users, potential collisions that could be caused by actions of an ADS, leaving the roadway, loss of traction or stability, and violation of traffic laws and deviations from normal (expected) driving practices.
All design decisions should be tested, validated, and verified as individual subsystems and as part of the entire vehicle architecture. Entities are encouraged to document the entire process; all actions, changes, design choices, analyses, associated testing, and data should be traceable and transparent.
Operational Design Domain
Entities are encouraged to define and document the Operational Design Domain (ODD) for each ADS available on their vehicle(s) as tested or deployed for use on public roadways, as well as document the process and procedure for assessment, testing, and validation of ADS functionality with the prescribed ODD. The ODD should describe the specific conditions under which a given ADS or feature is intended to function. The ODD is the definition of where (such as what roadway types and speeds) and when (under what conditions, such as day/night, weather limits, etc.) an ADS is designed to operate.
The ODD would include the following information at a minimum to define each ADS’s capability limits/boundaries:
Roadway types (interstate, local, etc.) on which the ADS is intended to operate safely;
Geographic area (city, mountain, desert, etc.);
Speed range;
Environmental conditions in which the ADS will operate (weather, daytime/nighttime, etc.); and
Other domain constraints.
An ADS should be able to operate safely within the ODD for which it is designed. In situations where the ADS is outside of its defined ODD or in which conditions dynamically change to fall outside of the ADS’s ODD, the vehicle should transition to a minimal risk condition. For a Level 3 ADS, transitioning to a minimal risk condition could entail transitioning control to a receptive, fallback-ready user. In cases where the ADS does not have indications that the user is receptive and fallback-ready, the system should continue to mitigate manageable risks, which may include slowing the vehicle down or bringing the vehicle to a safe stop. To support the safe introduction of ADSs on public roadways and to speed deployment, the ODD concept provides the flexibility for entities to initially limit the complexity of broader driving challenges in a confined ODD.
Object and Event Detection and Response
Object and Event Detection and Response (OEDR) refers to the detection by the driver or ADS of any circumstance that is relevant to the immediate driving task, as well as the implementation of the appropriate driver or system response to such circumstance. For the purposes of this Guidance, an ADS is responsible for performing OEDR while it is engaged and operating in its defined ODD.
Entities are encouraged to have a documented process for assessment, testing, and validation of their ADS’s OEDR capabilities. When operating within its ODD, an ADS’s OEDR functions are expected to be able to detect and respond to other vehicles (in and out of its travel path), pedestrians, bicyclists, animals, and objects that could affect safe operation of the vehicle.
An ADS’s OEDR should also include the ability to address a wide variety of foreseeable encounters, including emergency vehicles, temporary work zones, and other unusual conditions (e.g., police manually directing traffic or other first responders or construction workers controlling traffic) that may impact the safe operation of an ADS.
Normal Driving
Entities are encouraged to have a documented process for the assessment, testing, and validation of a variety of behavioral competencies for their ADSs. Behavioral competency refers to the ability of an ADS to operate in the traffic conditions that it will regularly encounter, including keeping the vehicle in a lane, obeying traffic laws, following reasonable road etiquette, and responding to other vehicles or hazards. While research conducted by California PATH provided a set of minimum behavioral competencies for ADSs, the full complement of behavioral competencies a particular ADS would be expected to demonstrate and routinely perform will depend upon the individual ADS, its ODD, and the designated fallback (minimal risk condition) method. Entities are encouraged to consider all known behavioral competencies in the design, test, and validation of their ADSs.
Crash Avoidance Capability – Hazards
Entities are encouraged to have a documented process for assessment, testing, and validation of their crash avoidance capabilities and design choices. Based on the ODD, an ADS should be able to address applicable pre-crash scenarios that relate to control loss; crossing-path crashes; lane change/merge; head-on and opposite-direction travel; and rear-end, road departure, and low-speed situations such as backing and parking maneuvers. Depending on the ODD, an ADS may be expected to handle many of the pre-crash scenarios that NHTSA has identified previously.
Fallback (Minimal Risk Condition)
Entities are encouraged to have a documented process for transitioning to a minimal risk condition when a problem is encountered or the ADS cannot operate safely. ADSs operating on the road should be capable of detecting that the ADS has malfunctioned, is operating in a degraded state, or is operating outside of the ODD. Furthermore, ADSs should be able to notify the human driver of such events in a way that enables the driver to regain proper control of the vehicle or allows the ADS to return to a minimal risk condition independently.
Fallback strategies should take into account that, despite laws and regulations to the contrary, human drivers may be inattentive, under the influence of alcohol or other substances, drowsy, or otherwise impaired.
Fallback actions are encouraged to be administered in a manner that will facilitate safe operation of the vehicle and minimize erratic driving behavior. Such fallback actions should also consider minimizing the effects of errors in human driver recognition and decision-making during and after transition to manual control.
In cases of higher automation in which a human driver may not be available, the ADS must be able to fall back into a minimal risk condition without the need for driver intervention. A minimal risk condition will vary according to the type and extent of a given failure, but may include automatically bringing the vehicle to a safe stop, preferably outside of an active lane of traffic. Entities are encouraged to have a documented process for assessment, testing, and validation of their fallback approaches.
Validation Methods
Given that the scope, technology, and capabilities vary widely for different automation functions, entities are encouraged to develop validation methods to appropriately mitigate the safety risks associated with their ADS approach. Tests should demonstrate the behavioral competencies an ADS would be expected to perform during normal operation, the ADS’s performance during crash avoidance situations, and the performance of fallback strategies relevant to the ADS’s ODD.
To demonstrate the expected performance of an ADS for deployment on public roads, test approaches may include a combination of simulation, test track, and on-road testing.
Prior to on-road testing, entities are encouraged to consider the extent to which simulation and track testing may be necessary. Testing may be performed by the entities themselves, but could also be performed by an independent third party.
Entities should continue working with NHTSA and industry standards organizations (SAE, International Organization for Standards [ISO], etc.) and others to develop and update tests that use innovative methods as well as to develop performance criteria for test facilities that intend to conduct validation tests.
Human Machine Interface
Understanding the interaction between the vehicle and the driver, commonly referred to as “human machine interface” (HMI), has always played an important role in the automotive design process. New complexity is introduced to this interaction as ADSs take on driving functions, in part because in some cases the vehicle must be capable of accurately conveying information to the human driver regarding intentions and vehicle performance. This is particularly true for ADSs in which human drivers may be requested to perform any part of the driving task. For example, in a Level 3 vehicle, the driver always must be receptive to a request by the system to take back driving responsibilities. However, a driver’s ability to do so is limited by their capacity to stay alert to the driving task and thus capable of quickly taking over control, while at the same time not performing the actual driving task until prompted by the vehicle. Entities are encouraged to consider whether it is reasonable and appropriate to incorporate driver engagement monitoring in cases where drivers could be involved in the driving task so as to assess driver awareness and readiness to perform the full driving task.
Entities are also encouraged to consider and document a process for the assessment, testing, and validation of the vehicle’s HMI design. Considerations should be made for the human driver, operator, occupant(s), and external actors with whom the ADS may have interactions, including other vehicles (both traditional and those with ADSs), motorcyclists, bicyclists, and pedestrians. HMI design should also consider the need to communicate information regarding the ADS’s state of operation relevant to the various interactions it may encounter and how this information should be communicated.
In vehicles that are anticipated not to have driver controls, entities are encouraged to design their HMI to accommodate people with disabilities (e.g., through visual, auditory, and haptic displays). In vehicles where an ADS may be intended to operate without a human driver or even any human occupant, the remote dispatcher or central control authority, if such an entity exists, should be able to know the status of the ADS at all times. Examples of these may include unoccupied SAE Automation Level 4 or 5 vehicles, automated delivery vehicles, last-mile special purpose ground drones, and automated maintenance vehicles.
Given the ongoing research and rapidly evolving nature of this field, entities are encouraged to consider and apply voluntary guidance, best practices, and design principles published by SAE International, ISO, NHTSA, the American National Standards Institute (ANSI), the International Commission on Illumination (CIE), and other relevant organizations, based upon the level of automation and expected level of driver engagement.
Vehicle Cybersecurity
Entities are encouraged to follow a robust product development process based on a systems engineering approach to minimize risks to safety, including those due to cybersecurity threats and vulnerabilities. This process should include a systematic and ongoing safety risk assessment for each ADS, the overall vehicle design into which it is being integrated, and when applicable, the broader transportation ecosystem.
Entities are encouraged to design their ADSs following established best practices for cyber vehicle physical systems. Entities are encouraged to consider and incorporate voluntary guidance, best practices, and design principles published by National Institute of Standards and Technology (NIST), NHTSA, SAE International, the Alliance of Automobile Manufacturers, the Association of Global Automakers, the Automotive Information Sharing and Analysis Center (Auto-ISAC), and other relevant organizations, as appropriate.
NHTSA encourages entities to document how they incorporated vehicle cybersecurity considerations into ADSs, including all actions, changes, design choices, analyses, and associated testing, and ensure that data is traceable within a robust document version control environment.
Industry sharing of information on vehicle cybersecurity facilitates collaborative learning and helps prevent industry members from experiencing the same cyber vulnerabilities. Entities are encouraged to report to the Auto-ISAC all discovered incidents, exploits, threats and vulnerabilities from internal testing, consumer reporting, or external security research as soon as possible, regardless of membership. Entities are further encouraged to establish robust cyber incident response plans and employ a systems engineering approach that considers vehicle cybersecurity in the design process. Entities involved with ADSs should also consider adopting a coordinated vulnerability reporting/disclosure policy.
Crashworthiness
Occupant Protection
Given that a mix of vehicles with ADSs and those without will be operating on public roadways for an extended period of time, entities still need to consider the possible scenario of another vehicle crashing into an ADS-equipped vehicle and how to best protect vehicle occupants in that situation. Regardless of whether the ADS is operating the vehicle or the vehicle is being driven by a human driver, the occupant protection system should maintain its intended performance level in the event of a crash.
Entities should consider incorporating information from the advanced sensing technologies needed for ADS operation into new occupant protection systems that provide enhanced protection to occupants of all ages and sizes. In addition to the seating configurations evaluated in current standards, entities are encouraged to evaluate and consider additional countermeasures that will protect all occupants in any alternative planned seating or interior configurations during use.
Compatibility
Unoccupied vehicles equipped with ADSs should provide geometric and energy absorption crash compatibility with existing vehicles on the road. ADSs intended for product or service delivery or other unoccupied use scenarios should consider appropriate vehicle crash compatibility given the potential for interactions with vulnerable road users and other vehicle types.
Post-Crash ADS Behavior
Entities engaging in testing or deployment should consider methods of returning ADSs to a safe state immediately after being involved in a crash. Depending upon the severity of the crash, actions such as shutting off the fuel pump, removing motive power, moving the vehicle to a safe position off the roadway (or safest place available), disengaging electrical power, and other actions that would assist the ADSs should be considered. If communications with an operations center, collision notification center, or vehicle communications technology exist, relevant data is encouraged to be communicated and shared to help reduce the harm resulting from the crash.
Additionally, entities are encouraged to have documentation available that facilitates the maintenance and repair of ADSs before they can be put back in service. Such documentation would likely identify the equipment and the processes necessary to ensure safe operation of the ADSs after repairs.
Data Recording
Learning from crash data is a central component to the safety potential of ADSs. For example, the analysis of a crash involving a single ADS could lead to safety developments and subsequent prevention of that crash scenario in other ADSs. Paramount to this type of learning is proper crash reconstruction. Currently, no standard data elements exist for law enforcement, researchers, and others to use in determining why an ADS-enabled vehicle crashed. Therefore, entities engaging in testing or deployment are encouraged to establish a documented process for testing, validating, and collecting necessary data related to the occurrence of malfunctions, degradations, or failures in a way that can be used to establish the cause of any crash. Data should be collected for on-road testing and use, and entities are encouraged to adopt voluntary guidance, best practices, design principles, and standards issued by accredited standards developing organizations such as SAE International. Likewise, these organizations are encouraged to be actively engaged in the discussion and regularly update standards as necessary and appropriate.
To promote a continual learning environment, entities engaging in testing or deployment should collect data associated with crashes involving: (1) fatal or nonfatal personal injury or (2) damage that requires towing, including damage that prevents a motor vehicle involved from being driven under its own power in its customary manner or damage that prevents a motor vehicle involved from being driven without resulting in further damage or causing a hazard to itself, other traffic elements, or the roadway.
For crash reconstruction purposes (including during testing), it is recommended that ADS data be stored, maintained, and readily available for retrieval as is current practice, including applicable privacy protections, for crash event data recorders. Vehicles should record, at a minimum, all available information relevant to the crash, so that the circumstances of the crash can be reconstructed. These data should also contain the status of the ADS and whether the ADS or the human driver was in control of the vehicle leading up to, during, and immediately following a crash. Entities should have the technical and legal capability to share with government authorities the relevant recorded information as necessary for crash reconstruction purposes. Meanwhile, for consistency and to build public trust and acceptance, NHTSA will continue working with SAE International to begin the work necessary to establish uniform data elements for ADS crash reconstruction.
Consumer Education and Training
Education and training is imperative for increased safety during the deployment of ADSs. Therefore, entities are encouraged to develop, document, and maintain employee, dealer, distributor, and consumer education and training programs to address the anticipated differences in the use and operation of ADSs from those of the conventional vehicles that the public owns and operates today. Such programs should consider providing target users the necessary level of understanding to utilize these technologies properly, efficiently, and in the safest manner possible.
Entities, particularly those engaging in testing or deployment, should also ensure that their own staff, including their marketing and sales forces, understand the technology and can educate and train their dealers, distributors, and consumers.
Consumer education programs are encouraged to cover topics such as ADSs’ functional intent, operational parameters, system capabilities and limitations, engagement/disengagement methods, HMI, emergency fallback scenarios, operational design domain parameters (i.e., limitations), and mechanisms that could alter ADS behavior while in service. They should also include explicit information on what the ADS is capable and not capable of in an effort to minimize potential risks from user system abuse or misunderstanding.
As part of their education and training programs, ADS dealers and distributors should consider including an on-road or on-track experience demonstrating ADS operations and HMI functions prior to consumer release. Other innovative approaches (e.g., virtual reality or onboard vehicle systems) may also be considered, tested, and employed. These programs should be continually evaluated for their effectiveness and updated on a routine basis, incorporating feedback from dealers, customers, and other sources.
Federal, State, and Local Laws
Entities are also encouraged to document how they intend to account for all applicable Federal, State, and local laws in the design of their vehicles and ADSs. Based on the operational design domain(s), the development of ADSs should account for all governing traffic laws when operating in automated mode for the region of operation. For testing purposes, an entity may rely on an ADS test driver or other mechanism to manage compliance with the applicable laws.
In certain safety-critical situations (such as having to cross double lines on the roadway to travel safely past a broken-down vehicle on the road) human drivers may temporarily violate certain State motor vehicle driving laws. It is expected that ADSs have the capability of handling such foreseeable events safely; entities are encouraged to have a documented process for independent assessment, testing, and validation of such plausible scenarios. Given that laws and regulations will inevitably change over time, entities should consider developing processes to update and adapt ADSs to address new or revised legal requirements.
13. ESTIMATES OF TOTAL ANNUAL COSTS TO RESPONDENTS
NHTSA assumes an average cost to manufacturers or entities of $100 per hour; thus, the total estimated annual burden on all respondents to this collection is $8,610,000.
14. ESTIMATE OF COST TO THE FEDERAL GOVERNMENT
ADS 2.0 suggests entities publicly disclose the VSSA rather than submit any documentation to NHTSA. NHTSA is neither reviewing the VSSA nor approving the assessment, so there is no additional burden for such activity. Staff will monitor activity for awareness and read any VSSAs publicly disclosed. With an estimated 60 responses annually, each VSSA may take an hour to review thoroughly for staff overseeing work on ADSs. This amounts to an average of 60 hours per year at a cost of $50 per hour. The total annual cost to the government is therefore estimated at $3,000 per year.
15. EXPLANATION OF PROGRAM CHANGES OR ADJUSTMENTS
This is an adjustment to an existing request. The initial request received OMB clearance number 2127-0723.
The original modification from the previous estimate, provided in the 60-day Federal Register Notice, incorporated the addition of new entrants for testing and deployment of ADS, as indicated by the number of entities registered to test in the state of California. At the time, on August 30, 2017, 39 entities were registered, a number that NHTSA then estimated would increase with new entrants, resulting in an estimated 50 respondents per year. Further adjustments of burden hours from the January 2017-approved collection are a result of the following changes to the Voluntary Guidance: reducing the number of priority safety design elements for consideration from 15 to 12, removing data sharing from the data element in the Voluntary Guidance, and limiting the scope to SAE system levels 3-5 rather than levels 2-5.
By limiting the scope and safety elements in the Voluntary Guidance, the estimated annual burden for an entity to consider the safety elements in the Voluntary Guidance was reduced from an estimated 1,630 hours per entity (plus an additional 20 hours for select entities) to 835 hours. The change in burden hours for an entity per year with relation to the VSSA has been reduced to 600 hours from 1,380 hours – based largely on the limiting of scope of ADS level. Thus total burden hours are now estimated at 1,435 (835 hours + 600 hours).
From the 60-day Federal Register notice published on September 15, 2017 to the 30-day Federal Register notice, an additional six entities registered to test ADSs in California. Thus, NHTSA has further increased the estimated number of respondents per year to 60.
NHTSA estimates the total burden associated with conforming with the documentation and disclosure recommendations contained in the Voluntary Guidance would be 1,435 hours per manufacturer or entity per year. The estimated cost for following this Voluntary Guidance is $100 per hour. Therefore, the total annual cost is estimated to be $8,610,000 (1,435 hours x 60 respondents x $100/hour).
16. PUBLICATION OF RESULTS OF DATA COLLECTION
The public side of this data collection will be disclosure of a Voluntary Safety Self-Assessment. Automated Driving Systems 2.0: A Vision for Safety does not require the Self-Assessment, nor does it stipulate formatting, specific content, or manner of publication. NHTSA presumes entities may make a Voluntary Safety Self-Assessment publicly available on their own company website.
17. APPROVAL FOR NOT DISPLAYING THE EXPIRATION DATE OF OMB APPROVAL
Approval is not sought to not display the expiration date for OMB approval.
18. EXCEPTIONS TO THE CERTIFICATION STATEMENT
No exceptions to the certification statement are made.
Author | Amanda DiFiore |
File Created | 2021-01-21 |