U.S. NHTSA: Announcement of guidance for autonomous vehicles

Implementing a five-level system, requesting submission of fifteen safety assessments

2016/11/28

Overview

  In September 2016, the National Highway Traffic Safety Administration (NHTSA) announced the "Federal Automated Vehicle Policy", a set of guidelines for autonomous vehicles. Because autonomous driving technology is evolving on a daily basis, this release is not the final version; feedback from various sources will inform the agency's next update to this Policy, which it plans to issue within one year. Moreover, the NHTSA plans to revise its guidance annually.

  At the current stage, this guidance is not mandatory, but the NHTSA will request that manufacturers and other entities that test vehicles with autonomous driving technology on public roads, or plan to release them to the market, voluntarily provide reports regarding how the guidance and its fifteen safety assessments have been followed.

  The NHTSA is considering making the submission of reports mandatory in the future.

    The guidance consists of the following:
  1. Vehicle Performance Guidance for Automated Vehicles
  2. Model State Policy
  3. NHTSA's Current Regulatory Tools (Federal Motor Vehicle Safety Standards, etc.)
  4. Modern Regulatory Tools

  Additionally, the NHTSA has replaced its conventional four-level system with a new five-level autonomous driving evaluation system.

  This report will cover the new five autonomous driving technology levels and provide an overview of the guidance for the performance of autonomous vehicles (the fifteen safety assessments the NHTSA requests from OEMs).

Three models with level 2 automated systems

Mercedes-Benz E-Class (NAIAS 2016)
Tesla Model X (courtesy of Tesla Motors)
Volvo S90 (NAIAS 2016)


Related reports:
Tesla Motors: Accelerating plans for production of 500,000 vehicles to 2018 (Oct. 2016)
Toyota's ADAS technologies: Autonomous Vehicle and ADAS Japan 2016 (1) (Aug. 2016)
TU-Automotive Detroit 2015: Impact of autonomous vehicle development (Jun. 2015)



The NHTSA views favorably the contributions of autonomous driving technology to safety

  Today, the automobile industry is on the verge of a technological transformation that may lead to an unprecedented advance in safety on U.S. roads and highways. The development of advanced automated vehicle safety technologies, including fully self-driving cars, may prove to be a personal transportation revolution on the level of the popularization of the personal automobile nearly a century ago. Two numbers exemplify the need. First, 35,092 people died on U.S. roadways in 2015 alone. Second, 94 percent of crashes can be tied to a human choice or error. Automated vehicles also hold a learning advantage over humans. While a human driver may repeat the same mistakes as millions before them, an automated vehicle can benefit from the data and experience drawn from thousands of other vehicles on the road.

  The benefits don't stop with safety. Innovations have the potential to transform personal mobility and open doors to people and communities that today have limited or impractical options: people with disabilities, aging populations, communities where car ownership is prohibitively expensive, or those who prefer not to drive or own a car. Recognizing this great potential, this policy sets out an ambitious approach to accelerate the automated vehicle revolution. (The sub-header for this guidance is "Accelerating the Next Revolution in Roadway Safety".)

  Moreover, as important concerns emerge (concerns such as "will the human driver be fully replaced?" "What ethical judgments will autonomous vehicles be called upon to make?" "Will the nature of privacy and security be disrupted?"), there is a necessity to implement autonomous driving technology safely and free from new, major risks.



The NHTSA changes classifications for autonomous driving from four to five levels

  The NHTSA has until now classified autonomous driving with four levels, but from the September 2016 guidance, the levels have been divided into 5 classifications in accordance with those used by SAE International. Levels 3 and 4 have been reorganized into levels 3 to 5. The newly assigned level 4 designates "an automated system that can conduct driving task but is only able to operate in certain environments and under certain conditions (driving region, on designated routes, etc.)," and has been set in anticipation of an increased number of autonomous vehicles that meet this classification.

  The NHTSA has defined levels 1 and 2 as the driver having primary responsibility in monitoring driving conditions, and levels 3 to 5 as the system having primary responsibility, referring to vehicles that fall under levels 3 to 5 as "Highly Automated Vehicles" (HAV). The following chart displays the distribution of responsibility regarding operations such as "handling and acceleration," "monitoring driving conditions," and "minimizing risks during emergencies."

  The NHTSA expects manufacturers to classify their HAV system(s) as described in SAE J3016. If the NHTSA disagrees with OEMs on the classification, it will provide advice. Determining the levels clarifies what OEMs need to address.



Summary of Levels of Driving Automation for On-Road Vehicles

| Level | Name | Narrative definition | Execution of steering and acceleration / deceleration | Monitoring of driving environment | Fallback performance of dynamic driving task | System capability (driving modes) | Past NHTSA level |
|---|---|---|---|---|---|---|---|
| | Human driver monitors the driving environment | | | | | | |
| 0 | No Automation | The human driver does everything. | Human driver | Human driver | Human driver | n/a | 0 |
| 1 | Driver Assistance | An automated system on the vehicle can sometimes assist the human driver in conducting some driving tasks. | Human driver and system | Human driver | Human driver | Some driving modes | 1 |
| 2 | Partial Automation | The automated system can actually conduct some driving tasks, while the human driver continues to monitor the driving environment and perform all other driving tasks. | System | Human driver | Human driver | Some driving modes | 2 |
| | Automated driving systems ("systems") monitor the driving environment | | | | | | |
| 3 | Conditional Automation | The automated system can both conduct some driving tasks and monitor the driving environment in some instances, but the human driver must be ready to take back control when called upon. | System | System | Human driver | Some driving modes | 3 |
| 4 | High Automation | The automated system can conduct driving tasks and monitor the driving environment, and the human driver need not take back control. However, the automated system can operate only in certain environments and conditions. | System | System | System | Some driving modes | 3/4 |
| 5 | Full Automation | The automated system can perform all driving tasks, under all conditions where a human driver would normally do so. | System | System | System | All driving modes | |
Source: NHTSA's Federal Automated Vehicle Policy (Sep. 2016), Preliminary Statement of Policy concerning Automated Vehicles (May 2013), SAE International's Levels of Driving Automation (Jan. 2014 "J3016")
Note: The NHTSA previously classified level 3 as follows: Limited Self-Driving Automation: The automated system monitors driving controls and the environment. It does not assume that the driver is watching it at all times. However, in cases such as when unexpected construction is encountered and the system judges automated driving to be problematic, it will return control of the vehicle to the driver with sufficient advance notice.


Vehicle Performance Guidance for Automated Vehicles

  Regarding vehicles sold in the U.S., if a vehicle is compliant with the existing Federal Motor Vehicle Safety Standards (FMVSS) regulatory framework and maintains a conventional vehicle design, there is currently no specific federal legal barrier to an HAV being offered for sale. However, manufacturers and other entities designing new automated vehicle systems are subject to NHTSA's defects, recall, and enforcement authority. The Department of Transportation (DOT) anticipates that manufacturers and other entities planning to test and deploy HAVs will use this Guidance, as well as industry standards and best practices, to ensure that their systems will be reasonably safe under real-world conditions.

  Specifically, the NHTSA requests that automakers looking to test autonomous vehicles on public roads or planning to release vehicles to the public give a report on their compliance with the following fifteen guidance items. This reporting system may become mandatory in the future.

  If changes or revisions that may have an effect on the fifteen safety assessments are made, or there are major revisions to software, OEMs are also expected to provide a report.

  Of the fifteen items, eleven, including "data recording and sharing," "system safety," and "human-machine interface (HMI)," as well as "testing and validation," are applied to all autonomous vehicles. Moreover, "operational design domain (ODD)," "object and event detection and response (OEDR)," and "fall back (minimal risk condition)," are applied to HAVs at level 3 and above.

Framework for Vehicle Performance Guidance

Source: NHTSA's Federal Automated Vehicle Policy



Eleven items applicable to all autonomous vehicles

Eleven guidance items applicable to level 2 or above autonomous vehicles

(1) Data Recording and Sharing   Data should be collected for both testing and operational purposes. DOT (Department of Transportation) recommends that manufacturers and other entities collect data associated with events involving: (1) fatalities and personal injuries or (2) damage to the extent that any motor vehicle involved cannot be driven under its own power in the customary manner, without further damage or hazard to itself, other traffic elements, or the roadway, and therefore requiring towing. This data should also contain information relating to the status of the HAV system and if the HAV system or the human driver was in control of the vehicle at the time.
  HAVs have great potential to use data sharing to enhance and extend safety benefits. Thus, each entity should develop a plan for sharing its event reconstruction and other relevant data with other entities. Such shared data would help to accelerate knowledge and understanding of HAV performance, and could be used to enhance the safety of HAV systems and to establish consumer confidence in HAV technologies. Manufacturers and other entities should take steps to ensure that data shared is in accordance with privacy and security agreements and notices applicable to the vehicle (which typically permit sharing of de-identified data) or with owner/user consent.
(2) Privacy   The Department and the Administration strongly believe in protecting individuals' right to privacy. This is exemplified by the White House Consumer Privacy Bill of Rights and the Federal Trade Commission's privacy guidance.
(3) System Safety   The Safety system should encompass designing the intended functions such that the vehicle will be placed in a safe state even when there are electrical, electronic, or mechanical malfunctions or software errors. The software development process should be well-planned, well-controlled, and well-documented to detect and correct unexpected results from software development changes.
  The process should describe design redundancies and safety strategies for handling cases of HAV system malfunctions. The automotive industry should monitor the evolution, implementation, and safety assessment of Artificial Intelligence (AI), machine learning, and other relevant software technologies and algorithms to improve the effectiveness and safety of HAVs.
(4) Vehicle Cybersecurity   Entities should consider and incorporate guidance, best practices, and design principles published by National Institute for Standards and Technology (NIST), SAE International, and other relevant organizations. As with safety data, industry sharing on cybersecurity is important.
(5) Human Machine Interface   New complexity is introduced as HAVs take on driving functions, in part because the vehicle must be capable of accurately conveying information to the human driver regarding intentions and vehicle performance. This is particularly true of SAE Level 3 systems in which human drivers are expected to return to the task of monitoring and be available to take over driving responsibilities, but drivers' ability to do so is limited by humans' capacity for staying alert when disengaged from the driving task. Manufacturers and other entities should consider whether it is reasonable and appropriate to incorporate driver engagement monitoring to Level 3 HAV systems.
  At a minimum, indicators should be capable of informing the human operator or occupant that the HAV system is:
1. Functioning properly;
2. Currently engaged in automated driving mode;
3. Currently "unavailable" for automated driving;
4. Experiencing a malfunction with the HAV system; and
5. Requesting control transition from the HAV system to the operator.
In designs where an HAV is intended to operate without a human driver or occupant, the remote dispatcher or central control authority should be able to know the status of the HAV at all times.
(6) Crashworthiness
a. Occupant Protection
  An HAV is expected to meet NHTSA crashworthiness standards, because, regardless of the effectiveness of crash avoidance capabilities of an HAV, manufacturers and other entities still need to consider the possibility of another vehicle crashing into them. Regardless of whether the HAV is operating in fully automated mode or is being driven by a human driver, the occupant protection system should maintain its intended performance level in the event of a sensor failure.
b. Compatibility
  The expectation of due care also extends to the crash safety performance of non-occupied automated vehicles. These vehicles should provide geometric and energy absorption crash compatibility with existing vehicles on the road.
(7) Consumer Education and Training   Manufacturers and other entities should develop, document, and maintain employee, dealer, distributor, and consumer education and training programs to address the anticipated differences in the use and operation of HAVs from those of the conventional vehicles that the public owns and operates today. Consumer education should cover topics such as an HAV system's intent, operational parameters, capabilities and limitations, engagement/disengagement methods, HMI, emergency fall back scenarios, operational boundary responsibilities, and potential mechanisms that could change function behavior in service.
  As part of their education and training programs, HAV manufacturers, dealers, and distributors should consider including an on-road or on-track hands-on experience demonstrating HAV operations and HMI functions prior to release to the consumer.
(8) Registration and Certification   NHTSA understands that vehicles may change levels of automation over the vehicle's lifecycle as a result of software updates. As more HAVs are tested and sold commercially to be used on public roadways, older vehicles may be modified to provide similar functionality to new vehicles.
  NHTSA currently requires manufacturers of motor vehicles and motor vehicle equipment that produce FMVSS relevant products to submit identifying information and a description of the items they produce. Manufacturers and other entities also should submit to the Agency identifying information and a description of the items they produce for use by or in coordination with HAV systems and features.
  Manufacturers and other entities should fully describe the capabilities and limitations of the HAV systems in each operational design domain, including operational speeds, geographical areas, weather conditions and other pertinent information in the vehicle's owners and/or operator's manual, or through an in-vehicle HMI.
(9) Post-crash Behavior   Manufacturers and other entities should have a documented process for the assessment, testing, and validation of how their HAV is reinstated into service after being involved in a crash. If sensors or critical safety control systems are damaged, the vehicle should not be allowed to operate in HAV mode. When problems are diagnosed, the HAV should be maintained in a minimal risk condition until properly serviced.
(10) Federal, State and Local Laws   Manufacturers and other entities should have documented plans detailing how they intend to comply with all applicable Federal, State, and local laws.
  In certain safety-critical situations (e.g., having to cross double lines on the roadway to travel safely past a broken-down vehicle on the road, other road hazard avoidance, etc.) human drivers currently have the ability to temporarily violate certain State motor vehicle driving laws. It is expected that HAVs have the capability of handling such foreseeable events safely. Maintaining video records is also conceivable.
  Traffic laws vary from State to State (and even city to city); the HAV should be able to follow all laws that apply to its ODD. This should include speed limits, traffic control devices, one-way streets, access restrictions (e.g., crosswalks, bike lanes), U-turns, right-on-red situations, metering ramps, and other traffic circumstances and situations. Given that laws and regulations will inevitably change over time, manufacturers and other entities should develop processes to update and adapt HAV systems to address new or changed legal requirements.
(11) Ethical Consideration   Various decisions made by an HAV's computer "driver" will have ethical dimensions or implications. Different outcomes for different road users may flow from the same real-world circumstances depending on the choice made by an HAV computer, which, in turn, is determined by the programmed decision rules or machine learning procedures. Even in instances in which no explicit ethical rule or preference is intended, the programming of an HAV may establish an implicit or inherent decision rule with significant ethical consequences. Manufacturers and other entities, working cooperatively with regulators and other stakeholders (e.g., drivers, passengers and vulnerable road users), should address these situations to ensure that such ethical judgments and decisions are made consciously and intentionally.
  Three reasonable objectives of most vehicle operators are safety, mobility, and legality. In most instances, those three objectives can be achieved simultaneously and without conflict. In some cases, achievement of those objectives may come into conflict. For example, most States have a law prohibiting motor vehicles from crossing a double-yellow line in the center of a roadway. When another vehicle on a two-lane road is double-parked or otherwise blocking a vehicle's travel lane, the mobility objective (to move forward toward an intended destination) may come into conflict with safety and legality objectives (e.g., avoiding risk of crash with oncoming car and obeying a law).
  Similarly, a conflict within the safety objective can be created when addressing the safety of one car's occupants versus the safety of another car's occupants. In such situations, it may be that the safety of one person may be protected only at the cost of the safety of another person. In such a dilemma situation, the programming of the HAV will have a significant influence over the outcome for each individual involved. Algorithms for resolving these conflict situations should be developed transparently using input from Federal and State regulators, drivers, passengers and vulnerable road users, and taking into account the consequences of an HAV's actions on others.
Source: NHTSA's Federal Automated Vehicle Policy


Items applied to level 3 to 5 highly automated vehicles

  Of the following four items, three are applied to HAVs classified at levels 3 to 5, and "Testing and Validation" is applied to all automated vehicles.

  For all HAVs, 12) "Operational Design Domain" (under what conditions (region, road type, vehicle speed, etc.) the vehicle operates as an HAV) will be clarified, and 13) "Object and Event Detection and Response" (what sort of driving conditions can be expected, how the vehicle recognizes them, and what sort of support it will provide; 28 examples are given, such as high-speed freeway merges) will be validated. Additionally, regarding collisions, it is necessary to clarify under what conditions a collision is possible, and how it can be avoided.

  Furthermore, risk must be minimized in the event a system loses control capability by providing 14) "Fall back" measures, such as safely stopping on the side of the road. For level 3 vehicles, drivers are required to assume driving responsibility when called on to do so by the system, and at levels 4 and 5, the system must autonomously transition to a minimal risk condition.



Guidance applied to HAVs (levels 3 to 5)

(12) Operational Design Domain (ODD)   The ODD should describe the specific operating domain(s) in which the HAV system is designed to properly operate. The defined ODD should include the following information to define HAV systems' capabilities:
--Roadway types on which the HAV system is intended to operate safely;
--Geographic area;
--Speed range;
--Environmental conditions in which the HAV will operate (weather, daytime/nighttime, etc.); and
--Other domain constraints.
In situations where the HAV is outside of its defined ODD or in which conditions dynamically change to fall outside of the HAV's ODD, the vehicle should transition to a minimal risk condition.
(13) Object and Event Detection and Response (OEDR)   Object and Event Detection and Response (OEDR) refers to the detection by the driver or HAV system of any circumstance that is relevant to the immediate driving task, as well as the implementation of the appropriate driver or HAV system response to such circumstance. For purposes of this Guidance, the HAV system is responsible for performing the OEDR while in its ODD and automation is engaged. Entities should have a documented process for assessment, testing, and validation of their OEDR capabilities.
  Driving operations are classified into two categories: Normal Driving and Crash Avoidance Capability - Hazards.
a. Normal driving
  28 situations are listed for normal driving, and these include performing high-speed merging on freeways; detecting passing and no-passing zones and performing passing maneuvers; detecting traffic signals and stop/yield signs; as well as navigating roundabouts.
b. Crash Avoidance Capability - Hazards
  Based on the ODD, the HAV should be able to address pre-crash scenarios that relate to control loss, crossing path crashes, lane change/merge, head-on and opposite direction, rear-end, road departure, and low speed situations such as backing and parking maneuvers. Events such as road repair and construction changes in traffic patterns, traffic flow directed by a police officer, disabled vehicles in travel lane, and other events should be addressed if they reasonably could be anticipated for a given ODD. In cases where the HAV cannot operate safely, the HAV should fall back to a minimal risk condition.
(14) Fall Back (Minimal Risk Condition)   Fall back refers to avoiding complete shut down when a failure occurs through continuation of limited operations.
  Manufacturers and other entities should have a documented process for transitioning to a minimal risk condition when a problem is encountered. HAVs operating on the road should be capable of detecting that their HAV systems have malfunctioned, are operating in a degraded state, or are operating outside of their ODD, and of informing the human driver in a way that enables the driver to regain proper control of the vehicle or allows the HAV system to return to a minimal risk condition independently. A minimal risk condition will vary according to the type and extent of a given failure, including automatically bringing the vehicle safely to a stop, preferably outside of an active lane of traffic (assuming availability).
  Fall back strategies should take into account that, despite laws and regulations to the contrary, human drivers may be inattentive, under the influence of alcohol or other substances, drowsy, or physically impaired in some other manner. Fall back actions should be administered in a manner that will facilitate safe operations of the vehicle and minimize erratic driving behavior. Such fall back actions should also minimize the effects of errors in human driver recognition and decision-making during and after transitions to manual control.
(15) Testing and Validation   Given that the scope, technology, and capabilities vary widely for different automation functions, manufacturers and other entities should develop tests and validation methods to ensure a high level of safety in the operation of their HAVs.
  Tests should demonstrate the performance of the behavioral competencies that the HAV system would be expected to demonstrate during normal operation; the HAV system's performance during crash avoidance situations, and performance of fall back strategies relevant to the HAV's ODD. To demonstrate the expected performance of an HAV system, test approaches should include a combination of simulation, test track, and on-road testing. Manufacturers and other entities should determine and document the mix of methods that are appropriate for their HAV system(s). Testing may be performed by manufacturers and suppliers but could also be performed by an independent third party.
Source: NHTSA's Federal Automated Vehicle Policy


Level 2 guidance: Requiring measures to prevent the risk of drivers becoming overconfident in the system

  The eleven items mentioned above and "testing and validation" guidance can be applied to level 2 autonomous vehicles.

  Furthermore, at level 2, the automated system conducts some driving tasks, but the driver must constantly monitor the driving environment. However, it can be assumed that in some situations the driver could become overconfident in the system and stop paying full attention to the surrounding environment, or be unable to take control when needed. The NHTSA emphasizes that semi-autonomous driving systems that fail to adequately account for the possibility that a distracted or inattentive driver might fail to retake control of the vehicle in a safety-critical situation may be defined as an unreasonable risk to safety and subject to recall, and has called for a thorough response.

  Additionally, systems can also monitor the condition of the driver, and minimize risks autonomously, if it is determined that the driver is not ready to handle driving operations.

  Level 2 guidance is believed to have been established in response to a fatal accident that occurred in May 2016 with a Tesla Model S that featured the Autopilot system, which corresponds to a level 2 system.



Applicability of Guidance Area by automation level

  The following chart is a representation of the reorganized safety assessments by level.

Applicability of Guidance Areas to SAE Level 2-5 Automated Vehicle Systems

Source: NHTSA's Federal Automated Vehicle Guidance



<Automotive Industry Portal MarkLines>