Vehicle Automation Challenges and Regulatory Barriers

Deborah A.P. Hersman
President & CEO, National Safety Council
March 14, 2018 | Itasca, IL

Get the Full PDF DownloadGet the Full PDF Download

Comment Letter


March 14, 2018

Docket Management Facility
U.S. Department of Transportation
1200 New Jersey Avenue, SE
Room W12-140
Washington, D.C. 20590

Re: Docket Number NHTSA-2018-0009

Dear Docket Officer

We appreciate the leadership of the National Highway Traffic Safety Administration (NHTSA) to chart a course for the future of vehicle automation, and for maintaining the agency's mandated emphasis on safety. Thank you for allowing the National Safety Council (NSC) the opportunity to provide comments on identifying barriers in the existing Federal Motor Vehicle Safety Standards (FMVSS) to the testing, compliance certification and compliance verification of motor vehicles with Automated Driving Systems (ADS) and certain unconventional designs.

The National Safety Council is a 100-year-old nonprofit committed to eliminating preventable deaths in our lifetime by focusing on injuries in workplaces, in homes and communities, and on the road. Our more than 13,500 member companies represent employees at more than 50,000 U.S. worksites. We also educate more than 1 million drivers each year in defensive driving.

Like NHTSA, NSC believes advanced vehicle technology, up to and including fully automated vehicles, can reduce roadway fatalities and injuries, improve mobility for underserved populations and provide additional benefits to society. NSC is also one of the leaders of the Road to Zero coalition. ADAS and Automated Driving Systems are a large part of the Road to Zero vision to eliminate roadway fatalities by 2050. We are particularly supportive of policy efforts that encourage the inclusion and adoption of higher levels of vehicle automation as we believe these technologies will be vital to improving safety on our nation's roads. We appreciate your commitment to looking further down the road as the design of future vehicles may go so far as to lack controls for a human driver.

For the first time U.S. history, unintentional injuries have recently become the third leading cause of death for Americans. Motor vehicle crashes remain the leading cause of unintentional death for people from 1 to 24 years of age and a leading killer in all age groups.2 Driver behavior is the biggest single contributor to motor vehicle crashes and has proven to be the hardest problem to solve. If we are to eliminate preventable deaths in our lifetime, we must realize massive, near-term gains in roadway safety. NSC believes that as more crash prevention safety systems are introduced into the fleet, more lives will be saved.

However, as exciting technology enters the marketplace, we should not rush to remove safety requirements, especially occupant protections, from vehicles. NTHSA has already recognized that FMVSS may need to be adjusted to accommodate newer technology and designs by awarding the "Assessment, Evaluation, and Approaches to Technical Translations of FMVSS that may Impact Compliance of Innovative New Vehicle Designs Associated with Automated Driving Systems" to Virginia Tech. As such, this request for comment seems premature until the results of that recently awarded assessment are complete.

Changes to FMVSS should not degrade crash avoidance, crashworthiness and post­ crash protections and survivability


Even as new level 2 safety features are developed and implemented, the national fleet will be slow to turn over, and it may be decades before the majority of vehicles on the road will have ADS level 2, 3 or 4 on board. During the development and roll-out period for more advanced technologies in cars, tens of millions of vehicles will still lack many of the promised capabilities of automated cars. As the selling of legacy vehicles will likely continue for many years, and without the adoption of new, more advanced occupant protection standards, we do not see any merit in wholesale changes to the existing post-crash protections established in the FMVSS. In the near term, critical life-saving features in crashes will continue to be seat belts, air bags, and energy absorbing design and materials not related to the SAE level at which a vehicle operates. These important safety systems may need to be adjusted, but they should not be removed from vehicles, especially as all experts predict a mixed fleet of vehicles for decades to come.

Rather, NHTSA should examine the impact of FMVSS in saving lives on our roadways, in order to prioritize inclusion of those technologies in advanced vehicles and consider additional requirements in newer vehicles that have the greatest life-saving potential. For example, we know seat belts have saved tens of thousands of lives, but Americans do not buckle up at the same rate in the back seats as they do in front seats. Rear seat belt reminders have been required in cars sold in Europe and EU countries buckle up at a higher rate than the US and their fatality rates are consistently lower than the US. We could reduce fatalities involving unbelted passengers if rear seat belt reminders were installed in all cars sold in the US. NHTSA has a pending rulemaking regarding this technology.

Additionally, making sound decisions about appropriate technologies will require data about actual ADS operation. NHTSA should establish a database of vehicle technologies and provide objective assessment regarding whether those technologies were involved in or prevented crashes to determine their effectiveness. Those systems that are deemed highly effective should be required on all vehicles or at the very least identified and promoted as part of the five star crashworthiness rating system.

The FMVSS provide and ensure minimum levels of protection and safety for drivers and occupants of vehicles as well as other roadway users. As such, NHTSA and the DOT should not degrade the crash avoidance, crashworthiness, survivability and post-crash survivability of motor vehicles in an effort to encourage deployment of ADS. While there are great benefits in higher levels of automation, the gains achieved through new technology could be lost if the basic standards and protections NHTSA has provided to the driving public, states and vehicle developers and manufacturers for the past 50 years are turned back. To ensure safe deployment of ADS, NHTSA should ask vehicle manufacturers to provide the equivalent or greater evidence-based crash protection and survivable space as current requirements, as seating configurations or cabin configurations change.

Infrastructure requirements


There have been various claims from those developing ADS about the need for infrastructure upgrades or modifications to improve machine and sensor recognition, but there is a lack of consensus in defining minimum requirements. Given there will be mixed traffic with all levels of vehicles for the next several decades, NHTSA should coordinate with DOT colleagues on repairing and rebuilding deteriorating infrastructure to at least current standards for the safety of all vehicles on the road.

Additionally, NSC supports ongoing development of V2V and V21 technologies. NHTSA estimates that just two potential V2V applications (intersection movement assist and left turn assist) could prevent up to 50% of crashes, injuries and fatalities- and this is only a glimpse into the life-saving potential of this new technology. 3 The additions of interoperable aftermarket devices and future vehicle-to-infrastructure (V21) devices may greatly enhance the lifesaving potential of this technology as well as achieve greater efficiency in roadway operations by managing traffic around acute events such as crashes, power outages affecting traffic control devices and infrastructure affected by severe weather.

Unlike ADAS sensors on vehicles, such as radar, Lidar and cameras, DSRC has the safety benefit of allowing the vehicle and the driver to discover potential hazards through and around vehicles, buildings and other objects. This capability potentially provides another level of awareness and introduces an important level of redundancy. V2V and eventually V21 enables a "safe system" environment on our roadways which we have not experienced before, and it is a technology that consumers may add as an aftermarket safety device.

We will experience the biggest gains from V2VN2I and similar technologies as more vehicles include them. The absence of a standard in this area has slowed deployment and resulted in fatalities that could have been prevented. Over half of state Departments of Transportation are already incorporating the technology in infrastructure, and it is imperative that the federal government take a leadership role in establishing appropriate standards for vehicle and infrastructure that has national and international implications. 4 NSC believes the rulemaking to require this technology in vehicles should move forward immediately.

Artificial Intelligence (Al)/cyber requirements


NHTSA should consider cyber and data protections for the electronic infrastructure in a vehicle and maintained externally in the cloud. As vehicles become more dependent on artificial intelligence for safety and critical operational elements, including over-the-air updates to operating systems, such protections should be required and enhanced.

  • Al: As vehicle manufacturers and suppliers start deploying artificial intelligence in ADS, critical software assumptions, validation techniques and verification procedures should be made explicit to ensure safety and help the public understand and thus begin to trust Al deployments.
  • Cybersecurity: NHTSA should require that each automaker and software supplier have a coordinated hacking/electronic infrastructure recovery plan in place to mitigate damage to individual, fleet-wide, and system-wide breaches.
  • Recall and update compliance: U.S. compliance with recalls is woefully low; in 2017 there were approximately 53 million open recalls equating to 1 in 4 vehicles on the road. NHTSA should consider how to address vehicles that do not comply with latest patches and/or software and hardware updates. If safety critical updates are not installed, NHTSA should allow a manufacturer to take actions up to and including automatically shutting down the technology or vehicle until the update is complete.
  • Latency minimum requirements: Vehicle sensor fusion tasks and communication with the cloud has to occur with minimum latency to ensure that ADS vehicles have the information they need at the right time to make the right decision(s). Additionally, some systems contemplated may require remote human or Al monitors. The effective control parameters in such a deployment need to be defined. NHTSA should evaluate minimum requirements with significant input from manufacturers and the industry, to enable onboard and remote ADS to make the best decisions at the right time.

Data Recording, Sharing and Privacy


The National Safety Council is very bullish on vehicle automation, and eventually fully automated vehicles, because we know when implemented safely and properly, they will help us realize huge gains in reducing roadway fatalities. If we are to realize the life-saving benefits, at minimum we must ensure that we have reliable event data recorders that produce downloadable data in a standardized format for investigators, law enforcement, state highway safety offices, insurers and other relevant stakeholders. Following a crash, we must be able to answer simple questions like whether the vehicle systems or the human driver had control of the car, if and how the vehicle was communicating with the driver or remote operators, and if all systems were working as designed.

Understanding the circumstances and causes surrounding malfunctions, including at lower levels of automation, will help make this technology safer, and ensure failures are less likely to occur as technology evolves. This will be especially important in assuring consumers of the reliability of ADAS and ADS systems. NSC believes that minimum parameters should be set for data preservation, standardization of formats, ease of access for post-crash evaluation, and privacy protections early in the process. Reliable data-sharing programs require greater maturity and a strong safety culture committed to continuous improvement.

There is a strong public health argument for collecting data from electronic devices in the event of a crash. Acquiring an understanding of what happens when systems perform as intended, fail as expected, or fail in unexpected ways will yield valuable information for manufacturers­ some of whom have common suppliers. Further, in-service data, as well as near miss and post-crash information sharing, can help engineers and planners design better and safer roadways, as well as help safety and health professionals design better interventions to discourage risky driving or affect the behaviors of other roadway users.

De-identified data sharing has been in existence in the aviation industry for many years and proven highly successful. The Aviation Safety Information Analysis and Sharing (ASIAS) system allows for sharing of de-identified data across the aviation industry, making it possible for the industry to identify trends and act on them. Analysis of de-identified data will provide windows into leading indicators in the motor vehicle industry. Leading indicators are "proactive, preventative and predictive measures that monitor and provide current information about the effective performance, activities and processes of a ... system that drive the identification and eliminate or control of risks." The NSC Campbell Institute, a leader in workplace safety, health and sustainability, states that tracking leading indicators allows world-class safety organizations to make further improvements to their safety records.

Auto manufacturers should use event data recorders (EDRs) to gain a better understanding of how human operators engage with advanced technology. And, more sophisticated EDRs connected to the cameras and other technology can better record and allow for greater understanding of how ADS vehicles react in the real world. This knowledge will allow manufacturers to be nimbler and make adjustments in near real-time for technology and systems based on what is actually occurring in the driver's seat, rather than making changes based on assumptions and estimations that must be accommodated in a later model year. Collecting and sharing de-identified data about near misses and other relevant problems could also help by aggregating useful information for the automotive industry, allowing them to take proactive steps based on leading indicators rather than waiting for a crash or a series of crashes to occur. Finally, this data would be useful to researchers and the safety community in analyzing the safety benefits-and potential drawbacks-of these technologies as they continue to mature.

While there are competing priorities regarding protecting personal privacy and proprietary systems or designs, NSC believes that safety should be the ultimate priority, and that other concerns need to be accommodated to prioritize safety. NHTSA should facilitate data sharing as widely as possible and require that manufacturers provide accessible, standardized data to law enforcement, state highway safety offices, investigators, insurers, and/or other relevant stakeholders.

Education and Training


Initial development and deployment of vehicles with partial automation (levels 1 and 2) through the U.S. fleet provides the driving public, as well as government, OEMs and all interested parties, a real world opportunity to experience first-hand how technology can provide an added margin of safety on the road. However, the manner in which drivers are introduced to these systems affects the rate of acceptance and adoption. Media and other interested parties may portray today's technology in a way that is confusing to the public with regard to the capabilities of particular systems. For the near term, drivers will need to remain in control of their vehicles for more practical reasons.

As ADS levels 3, 4 and 5 come onto the public roadway system, we can look to the national experience introducing the public to level 2 systems. Notably, we find confusion about capabilities, domains and a general lack of knowledge. Particular problems will remain, with level 2 and level 3 will require drivers to take over the system anytime an operational boundary is breached and level 4 systems will not be able to operate in all Operational Design Domains. Communicating the appropriate operation of these systems may prove difficult without consistent education. Marketing is not education. With greater system complexity, we need greater knowledge and understanding of the system. We strongly recommend a robust and widely-accessible consumer education and training effort as we introduce level 2, 3 and 4 vehicles into the fleet.

NSC agrees with DOT that there is a driver understanding gap as new technologies are deployed, and older technologies are updated or retired. It is our belief that education and training are required to speed adoption and proper use of these features. It is also our belief that education will need to continue through the life of the vehicle, as software and hardware updates in turn modify the operational parameters for vehicle systems. As you may know, NSC created the nation's premier research-based vehicle automation education program - MyCarDoesWhat.

The need for education and training arises from a lack of knowledge or confusion because:

  • Many of today's drivers did not learn to drive on vehicles equipped with ADAS features (automation levels 1, 2 or 3), and thus have no background in how to interface with or properly operate them.
  • ADAS safety features have different generic names and brand names that vary among manufacturers. These names may contain phrases that give the impression that systems have more capabilities than they truly do, potentially resulting in driver over­ reliance. NHTSA should consider standardizing generic nomenclature and/or taxonomy. For instance, depending on the manufacturers, Automatic Emergency Braking is also referred to as forward collision mitigation, front crash protection, or autobraking, among others.
  • Warning or icon standardization issues persist resulting in confusion for the driver.
  • Not all systems clearly indicate if safety features have been disabled.
  • Safety features have different operational parameters and limitations across manufacturers, and potentially even within the same manufacturer's varying models or trim levels.
  • Safety features may change over time - as software is updated, for example - and drivers need to be properly educated on how these changes affect the operation of their vehicle.
  • Safety feature operational parameters and limitations may not be intuitive or obvious, particularly if drivers use different vehicles.
  • Operational Design Domain or Object Detection and Response Characteristics are not explicitly and succinctly communicated to the driver, so they can be aware of limitations, shortcomings or differences in systems.

We appreciate the difficult task of ensuring a safe roadway system as we move into the future. For the foreseeable future, tens of millions of vehicles will be sold to the American public that are not levels 3, 4 or 5. How the public experiences the introduction and safe operation of higher levels of automation in vehicles will directly impact the rate of adoption of these technologies and how rapidly the vehicle fleet turns over to more advanced levels of automation. A strong federal presence in preserving safety protections will go a long way to help speed adoption.

Just as the National Safety Council educated the driving public about the benefits of seat belts and airbags 20 years ago, NSC stands ready to work with NHTSA, as well as auto manufacturers, suppliers and technology developers, auto dealers, regulators, state government officials, law enforcement, first responders, driving training educators, and highway safety advocates to develop education and training materials and platforms that will address the requirements of this policy, as well as the potential confusion points noted above.

As stated earlier, NSC believes that fully automated vehicles have the potential to save lives and prevent injuries and ADAS and Automated Driving Systems are an essential component of the Road to Zero vision to eliminate roadway fatalities by 2050.

NSC applauds both NHTSA and the DOT for your continued efforts to promote safe and appropriate use of increasing levels of driving automation, while at the same time, encouraging innovation and continuous improvement among automakers and suppliers. We support research and development to achieve fully automated vehicles and needed investment in the infrastructure needed to support such a mobility option.

Thank you for your leadership role into how to safely integrate these vehicles in our fleet, and I appreciate your ongoing consideration of NSC input.

Sincerely,

Deborah A.P. Hersman
President & CEO