3854 Federal Register / Vol. 82, No. 8 / Thursday, January 12, 2017 / Proposed Rules

DEPARTMENT OF TRANSPORTATION

National Highway Traffic Safety Administration

49 CFR Part 571

[Docket No. NHTSA–2016–0126]

RIN 2127–AL55

Federal Motor Vehicle Safety Standards; V2V Communications

AGENCY: National Highway Traffic Safety Administration (NHTSA), Department of Transportation (DOT).

ACTION: Notice of Proposed Rulemaking (NPRM).

SUMMARY: This document proposes to establish a new Federal Motor Vehicle Safety Standard (FMVSS), No. 150, to mandate vehicle-to-vehicle (V2V) communications for new light vehicles and to standardize the message and format of V2V transmissions. This will create an information environment in which vehicle and device manufacturers can create and implement applications to improve safety, mobility, and the environment. Without a mandate to require and standardize V2V communications, the agency believes that manufacturers will not be able to move forward in an efficient way and that a critical mass of equipped vehicles would take many years to develop, if ever. Implementation of the new standard will enable vehicle manufacturers to develop safety applications that employ V2V communications as an input, two of which are estimated to prevent hundreds of thousands of crashes and prevent over one thousand fatalities annually.

DATES: Comments must be received on or before April 12, 2017.

ADDRESSES: You may submit comments to the docket number identified in the heading of this document by any of the following methods:

• Online: Go to http://www.regulations.gov and follow the online instructions for submitting comments.
• Mail: Docket Management Facility, M–30, U.S. Department of Transportation, West Building, Ground Floor, Rm. W12–140, 1200 New Jersey Avenue SE., Washington, DC 20590.
• Hand Delivery or Courier: West Building, Ground Floor, Rm. W12–140, 1200 New Jersey Avenue SE., between 9 a.m. and 5 p.m. Eastern Time, Monday through Friday, except Federal Holidays.
• Fax: (202) 493–2251.

Regardless of how you submit your comments, you should mention the docket number of this document. You may call the Docket Management Facility at 202–366–9826.

Instructions: Direct your comments to Docket No. NHTSA–2016–0126. See the SUPPLEMENTARY INFORMATION section on “Public Participation” for more information about submitting written comments.

Docket: All documents in the dockets are listed in the http://www.regulations.gov index. Although listed in the index, some information is not publicly available, e.g., confidential business information (CBI) or other information whose disclosure is restricted by statute. Publicly available docket materials are available either electronically in regulations.gov or in hard copy at DOT’s Docket Management Facility, 1200 New Jersey Avenue SE., West Building, Ground Floor, Rm. W12–140, Washington, DC 20590. The Docket Management Facility is open between 9 a.m. and 5 p.m. Eastern Time, Monday through Friday, except Federal Holidays.

FOR FURTHER INFORMATION CONTACT: For technical issues, Mr. Gregory Powell, Office of Rulemaking, NHTSA, 1200 New Jersey Avenue SE., Washington, DC 20590. Telephone: (202) 366–5206; : (202) 493–2990; email: [email protected]. For legal issues, Ms. Rebecca Yoon, Office of the Chief Counsel, NHTSA, 1200 New Jersey Avenue SE., Washington, DC 20590. Telephone: (202) 366–2992; email: [email protected].

SUPPLEMENTARY INFORMATION:

Table of Contents

I. Executive Summary
II. Background
A. The Safety Need
1. Overall Crash Population That V2V Could Help Address
2. Pre-Crash Scenarios Potentially Addressed by V2V Communications
B. Ways To Address the Safety Need
1. Radar and Camera Based Systems
2. Communication-Based Systems
3. Fusion of Vehicle-Resident and Communication-Based Systems
4. Automated Systems
C. V2V Research Up Until This Point
1. General Discussion
2. Main Topic Areas in Readiness Report
3. Research Conducted Between the Readiness Report and This Proposal
D. V2V International and Harmonization Efforts
E. V2V ANPRM
1. Summary of the ANPRM
2. Comments to the ANPRM
F. SCMS RFI
III. Proposal To Regulate V2V Communications
A. V2V Communications Proposal Overview
B. Proposed V2V Mandate for New Light Vehicles, and Performance Requirements for Aftermarket for Existing Vehicles
C. V2V Communication Devices That Would Be Subject to FMVSS No. 150
1. Original Equipment (OE) Devices on New Motor Vehicles
2. Aftermarket Devices
D. Potential Future Actions
1. Potential Future Safety Application Mandate
2. Continued Technology Monitoring
E. Performance Criteria for V2V Communication
1. Proposed Transmission Requirements
2. Proposed V2V Basic Safety Message (BSM) Content
3. Message Signing and Authentication
4. Misbehavior Reporting
5. Proposed Malfunction Indication Requirements
6. Software and Security Certificate Updates
7. Cybersecurity
IV. Public Acceptance, Privacy and Security
A. Importance of Public Acceptance To Establishing the V2V System
B. Elements That Can Affect Public Acceptance in the V2V Context
1. False Positives
2. Privacy
3. Hacking (Cybersecurity)
4. Health
5. Research Conducted on Consumer Acceptance Issues
6. User Flexibilities for Participation in System
C. Consumer Privacy
1. NHTSA’s PIA
2. Privacy by Design and Data Privacy Protections
3. Data Access, Data Use and Privacy
4. V2V Privacy Statement
5. Consumer Education
6. Congressional/Other Government Action
D. Summary of PIA
1. What is a PIA?
2. PIA Scope
3. Non-V2V Methods of Tracking
4. V2V Data Flows/Transactions With Privacy Relevance
5. Privacy-Mitigating Controls
6. Potential Privacy Issues by Transaction Type
E. Health Effects
1. Overview
2. Wireless Devices and Health and Safety Concerns
3. Exposure Limits
4. U.S. Department of Energy (DOE) Smart Grid Implementation
5. Federal Agency Oversight & Responsibilities
6. EHS in the U.S. and Abroad
7. Conclusion
V. Device Authorization
A. Approaches to Security Credentialing
B. Federated Security Credential Management (SCMS)
1. Overview
2. Technical Design
3. Independent Evaluation of SCMS Technical Design
4. SCMS RFI Comments and Agency Responses
5. SCMS ANPRM Comments and Agency Response
6. SCMS Industry Governance
C. Vehicle Based Security System (VBSS)
D. Multiple Root Authority Credential Management
VI. What is the agency’s legal authority to regulate V2V devices, and how is this proposal consistent with that authority?
A. What can NHTSA regulate under the Vehicle Safety Act?
B. What does the Vehicle Safety Act allow and require of NHTSA in issuing a new FMVSS, and how is the proposal consistent with those requirements?
1. “Performance-Oriented”
2. Standards “Meeting the Need for Motor Vehicle Safety”
3. “Objective” Standards
4. “Practicable” Standards
C. How are the regulatory alternatives consistent with our Safety Act authority?
D. What else needs to happen in order for a V2V system to be successful?
1. SCMS
2. Liability
VII. Estimated Costs and Benefits
A. General Approach to Costs and Benefits Estimates
B. Quantified Costs
1. Component Costs
2. Communication Costs
3. Fuel Economy Impact
4. Overall Annual Costs
5. Overall Model Year (MY) Costs
C. Non-Quantified Costs
1. Health Insurance Costs Relating to EHS
2. Perceived Privacy Loss
3. Opportunity Costs of Spectrum for Other Uses
4. Increased Litigation Costs
D. Estimated Benefits
1. Assumptions and Overview
2. Injury and Property Damage Benefits
3. Monetized Benefits
4. Non-Quantified Benefits
E. Breakeven Analysis
F. Cost Effectiveness and Positive Net Benefits Analysis
1. Cost Effectiveness
2. Lifetime Net Benefits for a Specified Model Year
3. Summary
G. Uncertainty Analysis
H. Estimated Costs and Benefits of V2V Alternatives
VIII. Proposed Implementation Timing
A. New Vehicles
1. Lead Time
2. Phase-In Period
B. Aftermarket
IX. Public Participation
A. How do I prepare and submit comments?
B. Tips for Preparing Your Comments
C. How can I be sure that my comments were received?
D. How do I submit confidential business information?
E. Will NHTSA consider late comments?
F. How can I read the comments submitted by other people?
X. Regulatory Notices and Analyses
A. Executive Order 12866, Executive Order 13563, and DOT Regulatory Policies and Procedures
B. Regulatory Flexibility Act
C. Executive Order 13132 (Federalism)
D. Executive Order 12988 (Civil Justice Reform)
E. Protection of Children From Environmental Health and Safety Risks
F. Paperwork Reduction Act
G. National Technology Transfer and Advancement Act
H. Unfunded Mandates Reform Act
I. National Environmental Policy Act
J. Plain Language
K. Regulatory Identifier Number (RIN)
L. Privacy Act
Proposed Regulatory Text

I. Executive Summary

The National Highway Traffic Safety Administration (NHTSA) is proposing to issue a new Federal Motor Vehicle Safety Standard (FMVSS) No. 150, to require all new light vehicles to be capable of Vehicle-to-Vehicle (“V2V”) communications, such that they will send and receive Basic Safety Messages to and from other vehicles. The proposal contains V2V communication performance requirements predicated on the use of on-board dedicated short-range radio communication (DSRC) devices to transmit Basic Safety Messages (BSM) about a vehicle’s speed, heading, brake status, and other vehicle information to surrounding vehicles, and receive the same information from them. When received in a timely manner, this information would help vehicle systems identify potential crash situations with other vehicles and warn their drivers. The proposal also provides a path for vehicles to comply by deploying other technologies that meet certain performance and interoperability requirements, including interoperability with DSRC.

The agency believes that V2V has the potential to revolutionize motor vehicle safety. By providing drivers with timely warnings of impending crash situations, V2V-based safety applications could potentially reduce the number and severity of motor vehicle crashes, thereby reducing the losses and costs to society that would have resulted from these crashes.

More specifically, the agency believes that V2V will be able to address crashes that cannot be prevented by current in-vehicle camera and sensor-based technologies (“vehicle-resident” technologies). This is because V2V would employ omnidirectional radio signals that provide 360 degree coverage along with offering the ability to “see” around corners and “see” through other vehicles. V2V is not restricted by the same line-of-sight limitations as crash avoidance technologies that rely on vehicle-resident sensors. Additionally, V2V communications (BSMs) contain additional information, such as path predictions and driver actions (braking, steering) not available from traditional sensors. This information can be used by receiving vehicles to more reliably predict potential collision events as well as reduce false warnings. This ability to communicate certain information that cannot be acquired by vehicle-resident onboard sensors makes V2V particularly good at preventing impending intersection crashes, such as when a vehicle is attempting to make a left turn from one road to another. V2V also offers an operational range of 300 meters or farther between vehicles, nearly double the detection distance afforded by some current and near-term vehicle-resident systems. These unique characteristics allow V2V-equipped vehicles to perceive and warn drivers of some threats sooner than vehicle-resident sensors can. Furthermore, while the operational status or accuracy of vehicle-resident sensors may be affected by weather, sunlight, shadows, or cleanliness, V2V technology does not share these same system limitations.

As another source of information about the driving environment, moreover, the agency also believes that V2V can be fused with existing radar- and camera-based systems to provide even greater crash avoidance capability than either approach alone. For vehicles equipped with current on-board sensors, the fundamentally different, but complementary, information stream provided by V2V has the potential to significantly enhance the reliability and accuracy of the sensor-based information available. Instead of relying on each vehicle to sense its surroundings on its own, V2V enables surrounding vehicles to help each other by conveying safety information about themselves to other vehicles. V2V communication can thus detect threat vehicles that are not in the sensors’ field of view, and can use V2V information to validate a return signal from a vehicle-based sensor. Further, V2V can provide information on the operational status (e.g., brake pedal status, transmission state, stability control status, vehicle at rest versus moving, etc.) of other V2V-equipped vehicles. Similarly, vehicle-resident systems can augment V2V systems by providing the information necessary to address other crash scenarios not covered by V2V communications, such as lane and road departure. These added capabilities can potentially lead to more timely warnings and a reduction in the number of false warnings, thereby adding confidence to the overall safety system, and increasing consumer satisfaction
and acceptance. Although some have contended that vehicle-resident systems could evolve to the point where they have similar ranges to V2V transmissions during the time it will take V2V to penetrate the fleet, the agency believes that these technologies will remain complementary rather than competing even as vehicle-resident systems continue to improve.

In the longer-term, the agency believes that this fusion of V2V and vehicle-resident technologies will advance the further development of vehicle automation systems, including the potential for truly self-driving vehicles. Although most existing automated systems currently rely on data obtained from vehicle-resident technologies, we believe that data acquired from GPS and like V2V could significantly augment such systems. Communication-based technology that connects vehicles with each other could not only improve the performance of automated onboard crash warning systems, but also be a developmental stage toward achieving widespread deployment of safe and reliable automated vehicles.1

1 Equipping vehicles with V2V could also lead to deployment of connectivity hardware that could potentially be used for other applications, such as connectivity with roadway infrastructure (V2I) and with pedestrians (V2P). These technologies (collectively referred to as “V2X”) could increase the vehicle’s awareness of its surroundings and enable additional applications. We do not consider these other potential applications here.

Despite these potential benefits, V2V offers challenges that are not present in vehicle-resident systems. Without government action, these challenges could prevent this promising safety technology from achieving sufficiently widespread use throughout the vehicle fleet to achieve these benefits. Most prominently, vehicles need to communicate a standard set of information to each other, using interoperable communications that all vehicles can understand. The ability of vehicles to both transmit and receive V2V communications from all other vehicles equipped with a V2V communications technology is referred to in this document as “interoperability,” and it is vital to V2V’s success. Without interoperability, manufacturers attempting to implement V2V will find that their vehicles are not necessarily able to communicate with other manufacturers’ vehicles and equipment, defeating the objective of the mandate and stifling the potential for innovation that the new information environment can create. In addition, there is the issue of achieving critical mass: That V2V can only begin to provide significant safety benefits when a significant fraction of vehicles comprising the fleet can transmit and receive the same information in an interoperable fashion.

The improvement in safety that results from enabling vehicles to communicate with one another depends directly on the fraction of the vehicle fleet that is equipped with the necessary technology, and on its ability to perform reliably. In turn, the effectiveness of any V2V communications technology depends on its ability to reliably transmit and receive recognizable and verifiable standardized information. Because the value to potential buyers of purchasing a vehicle that is equipped with V2V communications technology depends upon how many other vehicle owners have also purchased comparably-equipped models, V2V communications has many of the same characteristics as more familiar network communications technologies.

Viewed another way, an important consequence of any improvement in fleet-wide vehicle safety that results from an individual buyer’s decision to purchase a V2V-capable model is the resulting increase in the safety of occupants of other V2V-equipped vehicles. Thus the society-wide benefits of individual vehicle buyers’ decisions to purchase V2V-capable models extend well beyond the direct increase in their own safety; in economic parlance, their decisions can confer external benefits on other travelers. Thus a significant “network externality” arises from a new vehicle buyer’s decision to purchase a vehicle equipped to connect to the existing V2V communications network.

Conversely, however, the benefits that any individual consumer would receive from voluntary adoption of V2V depend directly on the voluntary adoption of this technology by other consumers. Unless individual buyers believe that a significant number of other buyers will obtain V2V systems, they may conclude that the potential benefits they would receive from this system are unlikely to materialize. As a consequence, they are less likely to invest in V2V communications capabilities that would be justified by the resulting improvement in fleet-wide safety. The proposed requirement that all new vehicles be V2V-capable is thus likely to improve transportation safety more rapidly, effectively, and ultimately more extensively than would result from relying on the private decisions of individual vehicle buyers.

Another important consideration in achieving safety benefits from V2V is the long product lifespan of motor vehicles and the resulting slow fleet turnover. This places inherent constraints on the rate at which diffusion of new technologies throughout the entire vehicle fleet can occur. Thus in order to reach the critical mass of participants, a significant portion of the existing vehicle fleet will need replacement and a sustained, coordinated commitment on the part of manufacturers. Due to the inherent characteristics of the automobile market, manufacturers will inevitably face changing economic conditions and perhaps imperfect signals from vehicle buyers and owners, and these signals may not be based on complete information about the effectiveness of V2V technology, or incorporate the necessary foresight to value the potential life-saving benefits of V2V technology during the crucial phase of its diffusion. Without government intervention, the resulting uncertainty could undermine manufacturer plans or weaken manufacturers’ incentive to develop V2V technology to its full potential.

We are, therefore, confident that creating the information environment through this mandate would lead to considerable advances in safety, and that those advances might not reach fruition if V2V communications were left to develop on their own.2

2 This analysis for this proposal focuses on the benefits resulting from the implementation of safety applications that are projected to reduce vehicle crashes. The agency did not incorporate any potential benefits from the anticipated expanded use of DSRC for mobility and environment benefits. A list of potential mobility and environment applications can be found at http://www.its.dot.gov/pilots/cv_pilot_apps.htm (last accessed: Dec 7, 2016).

Overview of the Proposed Rule

The agency believes the market will not achieve sufficient coverage absent a mandate for V2V capability for all new light vehicles. A V2V system as currently envisioned would be a combination of many elements. This includes a radio technology for the transmission and reception of messages, the structure and contents of “basic safety messages” (BSMs), the authentication of incoming messages by receivers, and, depending on a vehicle’s behavior, the triggering of one or more safety warnings to drivers.

The agency is also proposing to require that vehicles be capable of receiving over-the-air (OTA) security and software updates (and to seek consumer consent for such updates where appropriate). In addition, NHTSA is also proposing that vehicles contain “firewalls” between V2V modules and other vehicle modules connected to the data bus to help isolate V2V modules
being used as a potential conduit into other vehicle systems.

The NPRM presents a comprehensive proposal for mandating DSRC-based V2V communications. That proposal includes a pathway for vehicles to comply using non-DSRC technologies that meet certain performance and interoperability standards. A key component of interoperability is a “common language” regardless of the communication technology used. Therefore, the agency’s proposal includes a common specification for basic safety message (BSM) content regardless of the potential communication technology. The proposal also provides potential performance-based approaches for two security functions in an effort to obtain reaction and comment from industry and the public. Following is a more comprehensive discussion of the proposal and potential alternatives for different aspects of V2V security:

Communication Technology

• Proposal: NHTSA proposes to mandate DSRC technology—A DSRC unit in a vehicle sends out and receives “basic safety messages” (BSMs). DSRC communications within the 5.850 to 5.925 MHz band are governed by FCC 47 CFR parts 0, 1, 2 and 95 for onboard equipment and part 90 for road side units. In reference to the OSI model, the physical and data link layers (layers 1 and 2) are addressed primarily by IEEE 802.11p as well as P1609.4; network, transport, and session layers (3, 4 and 5) are addressed primarily by P1609.3; security communications are addressed by P1609.2; and additional session and prioritization related protocols are addressed by P1609.12. This mandate could also be satisfied using non-DSRC technologies that meet certain performance and interoperability standards.

Message Format and Information

• NHTSA proposes to standardize the content, initialization time, and transmission characteristics of the Basic Safety Message (BSM) regardless of the V2V communication technology potentially used. The agency’s proposed content requirements for BSMs are largely consistent with voluntary consensus standards SAE 2735 and SAE 2945, which contain data elements such as speed, heading, trajectory, and other information, although NHTSA purposely does not require some elements to alleviate potential privacy concerns. Standardizing the message will facilitate V2V devices “speaking the same language,” to ensure interoperability. Vehicles will not be able to “understand” the basic safety message content, hindering the ability to inform drivers of potential crashes.

Message Authentication

• Public Key Infrastructure Proposal: NHTSA proposes V2V devices sign and verify their basic safety messages using a Public Key Infrastructure (PKI) digital signature algorithm in accordance with performance requirements and test procedures for BSM transmission and the signing of BSMs. The agency believes this will establish a level of confidence in the messages exchanged between vehicles and ensure that basic safety message information is being received from devices that have been certified to operate properly, are enrolled in the security network, and are in good working condition. It is also important that safety applications be able to distinguish these from messages originated by “bad actors,” or defective devices, as well as from messages that have been modified or changed while in transit.

• Alternative Approach—Performance-based Only: This first alternative for message authentication is less prescriptive and defines a performance-based approach but not a specific architecture or technical requirement for message authentication. This performance-only approach simply states that a receiver of a BSM message must be able to validate the contents of a message such that it can reasonably confirm that the message originated from a single valid V2V device, and the message was not altered during transmission. The agency seeks comment on this potential alternative.

• Alternative Approach—No Message Authentication: This second alternative stays silent on a specific message authentication requirement. BSM messages would still be validated with a checksum, or other integrity check, and be passed through a misbehavior detection system to attempt to filter malicious or misconfigured messages. Implementers would be free to include message authentication as an optional function. The agency seeks comment on this potential alternative.

Misbehavior Detection and Reporting

• Primary Misbehavior Detection and Reporting Proposal: NHTSA proposes to mandate requirements that would establish procedures for communicating with a Security Credential Management System to report misbehavior; and learn of misbehavior by other participants. This includes detection methods for a device hardware and software to ensure that the device has not been altered or tampered with from intended behavior. This approach enhances the ability of V2V devices to identify and block messages from other misbehaving or malfunctioning V2V devices.

• Misbehavior Detection Alternative Approach: An alternative for misbehavior detection imposes no requirement to report misbehavior or implement device blocking based to an authority. However, implementers would need to identify methods that check a device’s functionality, including hardware and software, to ensure that the device has not been altered or tampered with from intended behavior. Implementers would be free to include misbehavior detection and reporting and as optional functions. The agency seeks comment on this alternative.

Hardware Security

NHTSA proposes that V2V equipment be “hardened” against intrusion (FIPS–140 Level 3) by entities attempting to steal its security credentials.

Effective Date

The agency is proposing that the effective date for manufacturers to begin implementing these new requirements would be two model years after the final rule is adopted, with a three-year phase-in period to accommodate vehicle manufacturers’ product cycles. Assuming a final rule is issued in 2019, this would mean that the phase-in period would begin in 2021, and all vehicles subject to that final rule would be required to comply in 2023.

Safety Applications

The agency is not proposing to require specific V2V safety applications at this time. We believe the V2V communications we are proposing will create the standardized information environment that will, in turn, allow innovation and market competition to develop improved safety and other applications. Additionally, at this time, the agency believes that more research is likely needed in order to create regulations for safety applications. In support of this, we are seeking comment on information that could inform a future decision to mandate any specific safety applications.

Authority

Under the Vehicle Safety Act, 49 U.S.C. 30101 et seq., the agency has the legal authority to require new vehicles to be equipped with V2V technology and to use it, as discussed in Section VI below. NHTSA has broad statutory authority to regulate motor vehicles and items of motor vehicle equipment, and to establish FMVSSs to address vehicle safety needs.
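
The following Go program is an added example, not text or code from the NPRM: it contrasts the checksum-only alternative with the digital-signature proposal described under Message Authentication above, by presenting the same altered messages to both receiver-side checks. The BSM field layout, the choice of ECDSA P-256 with SHA-256, and the bare public key standing in for a certificate issued by the Security Credential Management System are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"hash/crc32"
)

// BSM is a constructed, simplified stand-in for a basic safety message; the
// fields and fixed-width layout are assumptions, not the SAE encoding.
type BSM struct {
	MsgCount uint8
	SpeedCMS uint16 // speed in cm/s
	BrakeOn  bool
}

func (b BSM) Encode() []byte {
	buf := make([]byte, 4)
	buf[0] = b.MsgCount
	binary.BigEndian.PutUint16(buf[1:], b.SpeedCMS)
	if b.BrakeOn {
		buf[3] = 1
	}
	return buf
}

// ChecksumFrame models the checksum-only alternative: payload plus a CRC-32
// that any sender can compute without holding a credential.
func ChecksumFrame(payload []byte) []byte {
	out := make([]byte, len(payload)+4)
	copy(out, payload)
	binary.BigEndian.PutUint32(out[len(payload):], crc32.ChecksumIEEE(payload))
	return out
}

func VerifyChecksum(frame []byte) bool {
	if len(frame) < 4 {
		return false
	}
	n := len(frame) - 4
	return crc32.ChecksumIEEE(frame[:n]) == binary.BigEndian.Uint32(frame[n:])
}

// SignedBSM models the signature proposal. ECDSA P-256 over SHA-256 is an
// assumed algorithm choice; Sig is the ASN.1 DER signature.
type SignedBSM struct {
	Payload, Sig []byte
}

func Sign(priv *ecdsa.PrivateKey, payload []byte) (SignedBSM, error) {
	h := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, h[:])
	return SignedBSM{Payload: payload, Sig: sig}, err
}

// Verify checks m against an enrolled device's public key (a bare key stands
// in for a certificate issued by the credential management system).
func Verify(pub *ecdsa.PublicKey, m SignedBSM) bool {
	h := sha256.Sum256(m.Payload)
	return ecdsa.VerifyASN1(pub, h[:], m.Sig)
}

// Result records which messages each receiver-side check accepts.
type Result struct {
	CRCOriginal, CRCBitFlip, CRCRewritten       bool
	SigOriginal, SigRewritten, SigUnenrolledKey bool
}

func RunScenario() (r Result, err error) {
	enrolled, err1 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	other, err2 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // not enrolled
	if err1 != nil || err2 != nil {
		return r, fmt.Errorf("key generation: %v, %v", err1, err2)
	}
	sent := BSM{MsgCount: 7, SpeedCMS: 1340}
	altered := BSM{MsgCount: 7, SpeedCMS: 0, BrakeOn: true} // changed in transit
	frame := ChecksumFrame(sent.Encode())
	r.CRCOriginal = VerifyChecksum(frame)
	frame[1] ^= 0x01 // accidental single-bit corruption
	r.CRCBitFlip = VerifyChecksum(frame)
	r.CRCRewritten = VerifyChecksum(ChecksumFrame(altered.Encode())) // CRC recomputed
	signed, err1 := Sign(enrolled, sent.Encode())
	resigned, err2 := Sign(other, altered.Encode())
	if err1 != nil || err2 != nil {
		return r, fmt.Errorf("signing: %v, %v", err1, err2)
	}
	r.SigOriginal = Verify(&enrolled.PublicKey, signed)
	r.SigRewritten = Verify(&enrolled.PublicKey, SignedBSM{Payload: altered.Encode(), Sig: signed.Sig})
	r.SigUnenrolledKey = Verify(&enrolled.PublicKey, resigned)
	return r, nil
}

func main() {
	fmt.Println(RunScenario())
}
```

The checksum catches the accidental bit flip but accepts the rewritten message, which is why that alternative relies on misbehavior detection to filter such messages; the signature check rejects both the rewritten payload and the message signed with a key the receiver does not trust.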

Privacy and Security

V2V systems would be required to be designed from the outset to minimize risks to consumer privacy. The NPRM proposes to exclude from V2V transmitting information that directly identifies a specific vehicle or individual regularly associated with a vehicle, such as owner’s or driver’s name, address, or vehicle identification numbers, as well as data “reasonably linkable” 3 to an individual. Additionally, the proposal contains specific privacy and security requirements with which manufacturers would be required to comply.

The Draft Privacy Impact Assessment that accompanies this proposal contains detailed information on the potential privacy risks posed by the V2V communications system, as well as the controls designed into that system to minimize risks to consumer privacy.

Estimated Costs and Benefits

In this NPRM, the agency proposes that all light vehicles be equipped with technology that allows for V2V communications, but has decided not to propose to mandate any specific safety applications at this time, instead allowing them to be developed and adopted as determined by the market. This market-based approach to application development and deployment makes estimating the potential costs and benefits of V2V quite difficult, because the V2V communication technology being mandated by the agency would improve safety only indirectly, by facilitating the deployment of previously developed OEM safety application. However, the agency is confident that these technologies will be developed and deployed once V2V communications are mandated and interoperable. Considerable research has already been done on various different potential applications, and the agency believes that functioning systems are likely to become available within a few years if their manufacturers can be confident that V2V will be mandated and interoperable.

In order to provide estimates of the rule’s costs and benefits, the agency has considered a scenario where two V2V-enabled safety applications, IMA and LTA, are voluntarily adopted on hypothetical schedules similar to those observed in the actual deployment of other advanced communications technologies. The agency believes that IMA and LTA will reduce the frequency of crashes that cannot be avoided by vehicle-resident systems, and will thus generate significant safety benefits that would not be realized in the absence of universal V2V communications capabilities. In addition, the marginal costs of including the IMA and LTA applications are extremely low once the V2V system is in place, which the agency believes will speed their adoption.

The agency has not quantified any benefits attributable to the wide range of other potential uses of V2V, although we believe that such uses are likely to be numerous. Recognizing its experience with other technologies, the agency believes that focusing on two of the many potential uses of V2V technology that are inexpensive to implement provides a reasonable approach to estimating potential benefits of the proposed rule, and is likely to understate the breadth of potential benefits of V2V.

We estimate that the total annual costs to comply with this proposed mandate in the 30th year after it takes effect would range from $2.2 billion to $5.0 billion, corresponding to a cost per new vehicle of roughly $135–$300. This estimate includes costs for equipment installed on vehicles as well as the annualized equivalent value of initial investments necessary to establish the overarching security manager and the communications system, among other things, but, due to uncertainty, does not include opportunity costs associated with spectrum, which will be included in the final cost benefit analysis. The primary source of the wide range between the lower and upper cost estimates is based on our assumption that manufacturers could comply with the rule using either one or two DSRC radios.

As discussed above, our benefit calculation examines a case where manufacturers would voluntarily include the IMA and LTA applications on a schedule that reflects adoption rates the agency has observed for other advanced, vehicle-resident safety technologies. Together, these applications could potentially prevent 424,901–594,569 crashes, and save 955–1,321 lives when fully deployed throughout the light-duty vehicle fleet. Converting these and the accompanying reductions in injuries and property damage to monetary values, we estimate that in 2051 the proposed rule could reduce the costs resulting from motor vehicle crashes by $53 to $71 billion (expressed in today’s dollars).

The agency conducted two accompanying analyses to identify meaningful milestones in the future growth of benefits resulting from this proposed rule. These analyses highlight the effect that the passage of time has on the accumulated benefits from this proposed rule. Benefits in the first several calendar years after it takes effect will be quite low, because only a limited number of vehicles on the road will be equipped with V2V, but growth in these benefits will accelerate as time goes on.

First, NHTSA used a “breakeven” analysis to identify the calendar year during which the cumulative economic value of safety benefits from the use of V2V communications first exceeds the cumulative costs to vehicle manufacturers and buyers for providing V2V capability. The breakeven analysis indicated that this important threshold would be reached between 2029 and 2032, depending primarily on the effectiveness of the application technologies.

Next, NHTSA projected future growth in the proposed rule’s benefits and costs over successive model years after it would take effect. This analysis identified the first model year for which the safety benefits from requiring vehicles to be equipped with V2V communications over their lifetime in the fleet would outweigh the higher initial costs for manufacturing them. It showed that this would occur in model year 2024 to 2026 if the proposed rule first took effect in model year 2021. This occurs sooner than the breakeven year, because focusing only on costs and benefits over the lifetimes of individual model years avoids including the burden of costs for installing V2V communications on vehicles produced during earlier model years.

3 NHTSA intends for the term ‘‘reasonably linkable,’’ as used in this NPRM, to have the same meaning as the term ‘‘as a practical matter linkable’’ as used in the definition of ‘‘personal data’’ in Section 4 of the White House Consumer Privacy Bill of Rights: ‘‘data that are under the control of a covered entity, not otherwise generally available to the public through lawful means, and are linked, or as a practical matter linkable by the covered entity, to a specific individual, or linked to a device that is associated with or routinely used by an individual.’’ https://www.whitehouse.gov/sites/default/files/omb/legislative/letters/cpbr-act-of-2015-discussion-draft.pdf (last accessed Dec 7, 2016). The Federal Trade Commission also uses the concept of ‘‘linked or reasonably linkable’’ as a suggested definition of personally identifiable information in its recent comment to the Federal Communications Commission at https://www.ftc.gov/system/files/documents/advocacy_documents/comment-staff-bureau-consumer-protection-federal-trade-commission-federal-communications-commission/160527fcccomment.pdf (last accessed Dec 7, 2016).


TABLE I–1—COSTS * AND BENEFITS IN YEAR 30 OF DEPLOYMENT [2051]

Total annual costs | Per vehicle costs | Crashes prevented and lives saved | Monetary benefits (billions)
$2.2 billion–$5.0 billion | $135–$301 | Crashes: 424,901–594,569; Lives: 955–1,321 | $53–$71

* Note: Does not include spectrum opportunity costs, which will be included in the analysis of the final rule.

In order to account for the inherent uncertainty in the assumptions underlying this cost-benefit analysis, the agency also conducted extensive uncertainty analysis to illustrate the variation in the rule’s benefits and costs associated with different assumptions about the future number of accidents that could be prevented, the assumed adoption rates and estimated effectiveness of the two safety applications, and our assumptions about the costs of providing V2V communications capability. Aside from opportunity costs, this analysis showed that the proposed rule would reach its breakeven year between 2030 and 2032 with 90 percent certainty, with even the most conservative scenario showing that the breakeven year would be five to six years later than the previously estimated years (2029–2032). Considering these same sources of uncertainty in the cost-effectiveness and net benefits analyses showed that the proposed rule would become cost-effective and would accrue positive net benefits between MY 2024 and MY 2027 with 90 percent certainty. This indicates that it is very likely to become cost-effective at most one MY later than estimated in the primary analysis, and that even under the most conservative scenario, this would occur two to three model years later than the initial estimate of 2024–2026.

Regulatory Alternatives

The agency considered two regulatory alternatives to today’s proposal. First, the agency considered an ‘‘if-equipped’’ standard, which would entail simply setting a conditional standard stating that ‘‘if a new vehicle is equipped with devices capable of V2V communications, then it is required to meet the following requirements.’’ However, the agency did not adopt this alternative as the proposal because, as explained above, the agency believes that anything short of a mandate for universal V2V capability on all new vehicles would not lead a sufficient fraction of the vehicle fleet to be equipped with V2V to enable full realization of the technology’s potential safety benefits. However, we seek further comment on adopting an ‘‘if-equipped’’ standard as the primary approach to V2V communications technology. We request commenters provide any relevant research and data that supports their position and rationale for this approach to regulation.

Second, we considered a regulatory alternative of requiring that V2V-capable vehicles also be equipped with the two safety applications analyzed in this proposed rule—Intersection Movement Assist (IMA) and Left Turn Assist (LTA)—in addition to V2V capability. This alternative would speed the introduction and increase the certainty of safety benefits. However, because performance requirements and test procedures for these safety applications are still nascent, we are not proposing this alternative at this time. However, the agency requests comment on whether sufficient information exists that could assist it in developing FMVSS-quality test procedures and performance standards for these applications.

We seek comment on all aspects of this proposed rule, as well as the Preliminary Regulatory Impact Assessment (PRIA) and Draft Privacy Impact Assessment (PIA) that accompany it. Although a number of specific questions and requests for comment appear in various locations throughout the text, we encourage comments broadly, particularly those that are supported by relevant documentation, information, or analysis. Instructions for submitting comments are located below in the ‘‘Public Participation,’’ Section IX.

II. Background

A. The Safety Need

Safety technology has developed rapidly since NHTSA began regulating the auto industry 4—over the last several decades, vehicles have evolved to protect occupants much better in the event of a crash due to advanced structural techniques propagated by more stringent crashworthiness standards, and some crash avoidance technologies (e.g., electronic stability control) are now required standard equipment. In fact, a recent study of data from our Fatality Analysis Reporting System (FARS) estimates those safety technologies have saved 613,501 lives since 1960.5 As a result of existing NHTSA standards for crashworthiness and crash avoidance technologies, along with market-driven improvements in safety, motor vehicles are safer now than they have ever been, as evidenced by a significant reduction in highway fatalities and injuries—from 52,627 fatalities in 1970,6 to 32,675 fatalities in 2015—a 38 percent reduction.7

4 NHTSA was established by the Highway Safety Act of 1970, as the successor to the National Highway Safety Bureau, to carry out safety programs under the National Traffic and Motor Vehicle Safety Act of 1966 and the Highway Safety Act of 1966. NHTSA also carries out consumer programs established by the Motor Vehicle Information and Cost Savings Act of 1972.

5 Kahane, C. J. (2015, January). Lives saved by vehicle safety technologies and associated Federal Motor Vehicle Safety Standards, 1960 to 2012—Passenger cars and LTVs—With reviews of 26 FMVSS and the effectiveness of their associated safety technologies in reducing fatalities, injuries, and crashes. (Report No. DOT HS 812 069). Washington, DC: National Highway Traffic Safety Administration.

6 National Highway Traffic Safety Administration, Traffic Safety Facts 2012. Available at http://www-nrd.nhtsa.dot.gov/Pubs/812032.pdf (last accessed Dec. 7, 2016).

7 National Highway Traffic Safety Administration, Fatality Analysis Report System (FARS) final 2014 data. For more information, see http://www-fars.nhtsa.dot.gov/Main/index.aspx (last accessed Dec 7, 2016).


NHTSA believes the greatest gains in highway safety in coming years will result from broad-scale application of crash avoidance technologies along with continued improvements in vehicle crashworthiness that can reduce fatalities and injuries.8 To encourage adoption of such technologies, in February 2015 the agency announced that it would add two types of automatic emergency braking systems—crash imminent braking and dynamic brake support—to the list of recommended advanced safety features in our New Car Assessment Program, known to most Americans as NHTSA’s Five Star Safety Ratings. In March, 2016 the agency announced an agreement with vehicle manufacturers to voluntarily make automatic emergency braking (AEB) a standard safety on future vehicles.9 These technologies, along with technologies required as standard equipment like electronic stability control (ESC), help vehicles react to crash-imminent situations, but do not help drivers react ahead of time to avoid crashes.

This proposed rule would require vehicles to transmit messages about their speed, heading, brake status, and other vehicle information to surrounding vehicles, and to be able to receive the same information from them. V2V range and ‘‘field-of-view’’ capabilities exceed current and near-term radar- and camera-based systems—in some cases, providing nearly twice the range. That longer range and 360 degree field of ‘‘view’’, currently supported by DSRC, provides a platform enabling vehicles to perceive some threats that sensors, cameras, or radar cannot.

By providing drivers with timely warnings of impending crash situations, V2V-based safety applications could potentially reduce the number and severity of motor vehicle crashes, minimizing the losses and costs to society that would have resulted from these crashes. V2V message data can also be fused with existing radar- and camera-based systems to provide even greater crash-risk detection capability (and thus, driver confidence levels) than either approach alone.

1. Overall Crash Population That V2V Could Help Address

The first step in understanding how V2V could help drivers avoid crashes is determining how many crashes could potentially be addressed by V2V-based technologies. We estimate crash harm based on fatalities, injuries (described by MAIS),10 and what we call ‘‘property-damage-only,’’ meaning that no people were hurt, but vehicles sustained damage that will have to be fixed and paid for. Based on 2010–2013 11 General Estimates System (GES) and FARS, the agency estimated that there were 5.5 million police-reported crashes annually in the U.S. during those years. About 33,020 fatalities and 2.7 million MAIS 12 1–5 injuries were associated with these crashes annually. In addition, about 6.3 million vehicles were damaged in property damage only crashes. These property damage only vehicles were noted as PDOVs.

Overall, these crashes directly cost $195 billion to society in terms of lost productivity, medical costs, legal and court costs, emergency service costs (EMS), insurance administration costs, congestion costs, property damage, and workplace losses. When you add the cost for less-tangible consequences like physical pain or lost quality-of-life, we estimate the total costs for those crashes to be $721 billion.13

Because V2V is a communications-based technology, it is relevant to crashes where more than one vehicle is involved: if a single vehicle crashes by itself, like by losing control and leaving the roadway and hitting a tree, V2V would not have been able to help the driver avoid losing control because there would have been no other vehicle to communicate with. Of the 5.5 million crashes described above, 3.8 million (69 percent of all crashes) were multi-vehicle crashes that V2V-based warning technologies could help address, which would translate to approximately 13,329 fatalities, 2.1 million MAIS 1–5 injuries, and 5.2 million PDOVs.

However, some multi-vehicle crashes involve vehicles that would not be covered by this rule, and therefore could not yet be assumed to have V2V capability. As this proposal is currently limited only to light vehicles,14 the crash population encompasses approximately 3.4 million (62 percent of all crashes) light-vehicle to light-vehicle (LV2LV) crashes, which would translate to 7,325 fatalities, 1.8 million MAIS 1–5 injuries, and 4.7 million PDOVs. The economic and comprehensive costs for these crashes amount to approximately $109 billion and $319 billion, respectively. Figure II–1 helps to illustrate the process for deriving the target population of 3.4 million LV2LV crashes that could be addressed by this proposal. All percentages are percentages of ‘‘all police-reported crashes,’’ rather than percentages of the prior line.

8 For more information, see the agency policy statement on automated vehicles at http://www.nhtsa.gov/staticfiles/rulemaking/pdf/Automated_Vehicles_Policy.pdf (last accessed Dec 7, 2016).

9 See https://www.nhtsa.gov/About-NHTSA/Press-Releases/nhtsa_iihs_commitment_on_aeb_03172016 (last accessed Dec 7, 2016).

10 MAIS (Maximum Abbreviated Injury Scale) approach, which represents the maximum injury severity of an occupant at an Abbreviated Injury Scale (AIS) level. AIS is an anatomically based, consensus-derived global severity scoring system that classifies each injury by body region according to its relative importance to fatality on a 6-point ordinal scale (1=minor, 2=moderate, 3=serious, 4=severe, 5=critical, and 6=maximum (untreatable)). The AIS was developed by the Association for the Advancement of Automotive Medicine (AAAM). See https://www.aaam.org/abbreviated-injury-scale-ais/ (last accessed Dec 7, 2016) for more information.

11 2014 GES and FARS data was not available at the time of NPRM development.

12 GES and FARS only record the police-reported crash severity scale known as KABCO: K=fatal injury, A=incapacitating injury, B=non-incapacitating injury, C=possible injury, O=no injury. These KABCO injuries then were converted to MAIS scale through a KABCO–MAIS translator. The KABCO–MAIS translator was established using 1982–1986 NASS (old NASS) and 2000–2007 Crashworthiness Data System (CDS). Old NASS and CDS recorded both KABCO and MAIS scales thus enable us to create the KABCO-translator.

13 Costs are in 2014 dollars and, for clarity, include the economic costs. See Blincoe, L.J., Miller, T.R., Zaloshnja, E., & Lawrence, B.A. (2014, May), The economic and societal impact of motor vehicle crashes, 2010, (Report No. DOT HS 812 013), Washington, DC: National Highway Traffic Safety Administration (Revised, May, 2015), available at: http://www-nrd.nhtsa.dot.gov/pubs/812013.pdf (last accessed Dec 7, 2016).

14 Light vehicles include passenger cars, vans, minivans, sport utility vehicles, crossover utility vehicles and light pickup trucks with a gross vehicle weight rating (GVWR) less than or equal to 10,000 pounds.


2. Pre-Crash Scenarios Potentially Addressed by V2V Communications

In a separate analysis that has been updated using an average of 2010 through 2013 General Estimate System data (which does not include FARS data), the agency started with the initial 37 pre-crash scenarios that have been defined based on police-reported crashes from previous analyses for all crashes.15 Of the 37 scenarios, 17 were deemed potentially addressable by V2V communications. Further statistical analysis focusing on the frequency and severity of those 17 pre-crash scenarios identified the top 10 (priority) pre-crash scenarios that V2V could potentially address. Table II–1 provides a graphical depiction of the flow of the pre-crash scenario breakdown used in the analysis.

TABLE II–1—37 PRE-CRASH SCENARIO TYPOLOGY

1. Vehicle Failure.
2. Control Loss with Prior Vehicle Action.
3. Control Loss without Prior Vehicle Action.
4. Running Red Light.
5. Running Stop Sign.
6. Road Edge Departure with Prior Vehicle Maneuver.
7. Road Edge Departure without Prior Vehicle Maneuver.
8. Road Edge Departure While Backing Up.
9. Animal Crash with Prior Vehicle Maneuver.
10. Animal Crash without Prior Vehicle Maneuver.
11. Pedestrian Crash with Prior Vehicle Maneuver.
12. Pedestrian Crash without Prior Vehicle Maneuver.
13. Pedalcyclist Crash with Prior Vehicle Maneuver.
14. Pedalcyclist Crash without Prior Vehicle Maneuver.
15. Backing Up into Another Vehicle.
16. Vehicle(s) Turning—Same Direction.
17. Vehicle(s) Parking—Same Direction.
18. Vehicle(s) Changing Lanes—Same Direction.
19. Vehicle(s) Drifting—Same Direction.
20. Vehicle(s) Making a Maneuver—Opposite Direction.
21. Vehicle(s) Not Making a Maneuver—Opposite Direction.
22. Following Vehicle Making a Maneuver.
23. Lead Vehicle Accelerating.
24. Lead Vehicle Moving at Lower Constant Speed.
25. Lead Vehicle Decelerating.
26. Lead Vehicle Stopped.
27. Left Turn Across Path from Opposite Directions at Signalized Junctions.
28. Vehicle Turning Right at Signalized Junctions.
29. Left Turn Across Path from Opposite Directions at Non-Signalized Junctions.
30. Straight Crossing Paths at Non-Signalized Junctions.
31. Vehicle(s) Turning at Non-Signalized Junctions.
32. Evasive Action with Prior Vehicle Maneuver.
33. Evasive Action without Prior Vehicle Maneuver.
34. Non-Collision Incident.
35. Object Crash with Prior Vehicle Maneuver.
36. Object Crash without Prior Vehicle Maneuver.
37. Other.

15 Najm, W.G., R. Ranganathan, G. Srinivasan, J. Smith, S. Toma, E. Swanson, and A. Burgett, ‘‘Description of Light Vehicle Pre-Crash Scenarios for Safety Applications Based on Vehicle-to-Vehicle Communications.’’ DOT HS 811 731, U.S. Department of Transportation, National Highway Traffic Safety Administration, May 2013. http://www.nhtsa.gov/Research/Crash-Avoidance/Vehicle%E2%80%93to%E2%80%93Vehicle-Communications-for-Safety (last accessed Dec 8, 2016); see also Najm, W.G., J. Smith, and M. Yanagisawa, ‘‘Pre-Crash Scenario Typology for Crash Avoidance Research.’’ DOT HS 810 767, U.S. Department of Transportation, National Highway Traffic Safety Administration, April 2007. Najm, W.G., B. Sen, J.D. Smith, and B.N. Campbell, ‘‘Analysis of Light Vehicle Crashes and Pre-Crash Scenarios Based on the 2000 General Estimates System.’’ DOT HS 809 573, U.S. Department of Transportation, National Highway Traffic Safety Administration, November 2002. Available at http://www.nhtsa.gov/Research/Crash-Avoidance/Vehicle%E2%80%93to%E2%80%93Vehicle-Communications-for-Safety (last accessed Dec 8, 2016).

The 10 priority pre-crash scenarios listed in Table II–2 can be addressed by the corresponding V2V-based safety applications.

TABLE II–2—PRE-CRASH SCENARIO/SAFETY APPLICATION ASSOCIATION

Pre-crash scenarios | Pre-crash groups | Associated safety application
Lead Vehicle Stopped | Rear-end | Forward Collision Warning.
Lead Vehicle Moving | Rear-end | Forward Collision Warning.
Lead Vehicle Decelerating | Rear-end | Forward Collision Warning/Emergency Electronic Brake Light.
Straight Crossing Path @ Non Signal | Junction Crossing | Intersection Movement Assist.
Left-Turn Across Path/Opposite Direction | Left Turn @ crossing | Left Turn Assist.
Opposite Direction/No Maneuver | Opposite Direction | Do Not Pass Warning.
Opposite Direction/Maneuver | Opposite Direction | Do Not Pass Warning.
Change Lanes/Same Direction | Lane Change | Blind Spot/Lane Change Warning.
Turning/Same Direction | Lane Change | Blind Spot/Lane Change Warning.
Drifting/Same Direction | Lane Change | Blind Spot/Lane Change Warning.

The six applications listed in Table II–2 were developed and tested in the Connected Vehicle Safety Model Deployment.17 These safety warning applications were (1) Forward Collision Warning (FCW), (2) Emergency Electronic Brake Light (EEBL), (3) Intersection Movement Assist (IMA), (4) Left Turn Assist (LTA), (5) Do Not Pass Warning (DNPW), and (6) Blind Spot/Lane Change Warning (BS/LCW). A description of each safety application and relationship to the pre-crash scenarios is provided below.

(1) Forward Collision Warning (FCW): Warns drivers of stopped, slowing, or slower vehicles ahead. FCW addresses rear-end crashes that are separated into three key scenarios based on the movement of lead vehicles: Lead-vehicle stopped (LVS), lead-vehicle moving at slower constant speed (LVM), and lead-vehicle decelerating (LVD).

(2) Emergency Electronic Brake Light (EEBL): Warns drivers of heavy braking ahead in the traffic queue. EEBL would enable vehicles to broadcast its emergency brake and allow the surrounding vehicles’ applications to determine the relevance of the emergency brake event and alert the drivers. EEBL is expected to be particularly useful when the driver’s visibility is limited or obstructed.

(3) Intersection Movement Assist (IMA): Warns drivers of vehicles approaching from a lateral direction at an intersection. IMA is designed to avoid intersection crossing crashes, the most severe crashes based on the fatality counts. Intersection crashes include intersection, intersection-related, driveway/alley, and driveway access related crashes. IMA crashes are categorized into two major scenarios: Turn-into path into same direction or opposite direction and straight crossing paths. IMA could potentially address five of the pre-crash scenarios identified in Table II–2.

(4) Left Turn Assist (LTA): Warns drivers to the presence of oncoming, opposite-direction traffic when attempting a left turn. LTA addresses crashes where one involved vehicle was making a left turn at the intersection and the other vehicle was traveling straight from the opposite direction.

(5) Do Not Pass Warning (DNPW): Warns a driver of an oncoming, opposite-direction vehicle when attempting to pass a slower vehicle on an undivided two-lane roadway. DNPW would assist drivers to avoid opposite-direction crashes that result from passing maneuvers. These crashes include head-on, forward impact, and angle sideswipe crashes.

(6) Blind Spot/Lane Change Warning (BS/LCW): Alerts drivers to the presence of vehicles approaching or in their blind spot in the adjacent lane. BS/LCW addresses crashes where a vehicle made a lane changing/merging maneuver prior to the crashes.

The final table, Table II–3, merges the estimated target crash population for LV2LV crashes detailed in Table II–2 with the separate analysis that provided the breakdown of V2V pre-crash scenarios and relationships to prototype V2V safety applications. The 3.4 million LV2LV are distributed among the pre-crash scenarios that are associated with V2V safety applications and the economic and comprehensive costs. More specifically, Table II–3 provides a breakdown of crashes associated with FCW, IMA, LTA, and LCW scenarios that are used later when discussing potential benefits in Section VII. Crash scenarios associated with DNPW and EEBL are grouped with all remaining crashes under the ‘‘other’’ category due to the fact they are not used when discussing benefits. The agency grouped these two potential applications into the ‘‘other’’ category because of EEBL’s advisory nature that cannot be directly attributed to avoiding a specific crash and the agency’s current understanding of DNPW indicates it only addresses a limited amount of crashes per a specific situation and where there are three equipped vehicles present, limiting the amount of information available to develop comprehensive effectiveness estimates.

Overall the agency estimates that, together, these four potential safety applications that could be enabled by this proposal could potentially address nearly 89 percent of LV2LV crashes and 85 percent of their associated economic costs.

16 Average of 2010–2013–GES data; * Includes only 2&3 vehicle crashes; ** Includes running red-light and running stop sign.

17 The Connected Vehicle Safety Pilot (‘‘Safety Pilot’’) Program was a scientific research initiative that features a real-world implementation of connected vehicle safety technologies, applications, and systems using everyday drivers. The effort will test performance, evaluate human factors and usability, observe policies and processes, and collect empirical data to present a more accurate, detailed understanding of the potential safety benefits of these technologies. The Safety Pilot program includes two critical test efforts—the Safety Pilot Driver Clinics and the Safety Pilot Model Deployment. See http://www.its.dot.gov/research_archives/safety/cv_safetypilot.htm for more information. (last accessed Dec 7, 2016).

TABLE II–3—CRASH SCENARIOS FOR LV2LV SAFETY POPULATION

V2V Safety applications—crashes | Crash scenarios | Crashes | MAIS 1–5 injuries | Fatalities | PDOVs | Economic costs (billion) | Comprehensive costs (billion)
FCW Rear-End Crashes | Lead Vehicle Stopped | 998,664 | 497,907 | 242 | 68,508 | $27.4 | $65.7
FCW Rear-End Crashes | Lead Vehicle Moving | 146,247 | 80,508 | 242 | 12,605 | $4.6 | $12.9
FCW Rear-End Crashes | Lead Vehicle Decelerating | 343,183 | 173,538 | 78 | 25,599 | $9.5 | $23.1
FCW Rear-End Crashes | Total | 1,488,094 | 751,953 | 562 | 106,712 | $41.5 | $101.6
IMA Intersection Crossing Crashes | Turn-Into Path, Into Same Direction or Opposite Direction | 425,145 | 218,852 | 472 | 48,423 | $12.6 | $34.8
IMA Intersection Crossing Crashes | Straight Cross Path | 346,187 | 251,488 | 1,399 | 66,580 | $14.4 | $49.4
IMA Intersection Crossing Crashes | Total | 771,332 | 470,340 | 1,871 | 115,003 | $26.9 | $84.3
LTA Left-Turning Crashes | Turn Across Path, Initial Opposite Direction | 298,542 | 224,336 | 613 | 64,233 | $11.7 | $37.9
BS/LCW Lane Change/Merge Crashes | Vehicle Changing Lane, Same Direction | 475,097 | 175,044 | 397 | 20,816 | $11.4 | $26.6
Others | | 378,659 | 192,152 | 3,882 | 4,416,890 | $16.7 | $66.4
Total | | 3,411,724 | 1,813,825 | 7,325 | 4,723,654 | $108.2 | $316.8

Note: Due to rounding, the total might not be equal to the sum of each component.

B. Ways To Address the Safety Need

The most effective way to reduce or eliminate the property damage, injuries, and fatalities that occur annually from motor vehicle crashes is to lessen the severity of those crashes, or prevent those crashes from ever occurring. In recent years, vehicle manufacturers have begun to offer, or have announced plans to offer, various types of crash avoidance technologies that are designed to do just that. These technologies are designed to address a variety of crashes, including rear end, lane change, and intersection.

1. Radar and Camera Based Systems

Many of the advanced crash avoidance technologies currently available in the marketplace employ on-board sensor technologies such as cameras, RADAR, or LIDAR, to monitor the vehicles’ surroundings.18 These technologies are what we call ‘‘vehicle-resident’’ systems because they are systems installed on one vehicle and, unlike V2V, do not communicate with other vehicles. Cameras, RADAR, and LIDAR that are installed on the vehicle can gather information directly by sensing their surroundings, and vehicle-resident crash avoidance technologies can use that information to warn the driver of impending danger so the driver can take appropriate action to avoid or mitigate a crash. Crash scenarios that can currently be addressed by existing crash avoidance technologies include, but are not limited to, Forward Collision Warning (FCW),19 Blind Spot Warning (BSW), and Lane Change Warning (LCW).20 Additionally, some crash-predicting safety applications leveraging these existing sensing technologies are beginning to emerge and NHTSA is aggressively pursuing those technologies that demonstrate safety benefits.

Vehicle-resident systems can be highly effective in mitigating certain crash types, although their performance varies by sensor type, and is limited in certain situations. Perception range varies from 10 meters to 200 meters for LIDAR and 77 GHz radar, respectively, while field-of-view ranges from 18 degrees to 56 degrees for 77 GHz radar and 24 GHz radar,21 respectively. On-board sensors can also exhibit reduced reliability in certain weather conditions (e.g., snow, fog, and heavy rain), and camera systems, in particular, can exhibit reduced performance when encountering lighting transitions and shadows. Most if not all current sensing technologies are susceptible to performance reductions through foreign objects such as dirt or snow. For camera-based systems, some manufacturers have implemented devices that attempt to keep the camera clear for maximal operation. Both sensor types can be vulnerable to misalignment or damage over time. On-board sensors do, however, perform reliably in ‘‘urban canyons’’ and other situations in which a clear view of the sky is not needed.

2. Communication-Based Systems

Devices enabling vehicles to communicate with one another or with road-side equipment and/or infrastructure have been prototyped and tested in field operational tests like the Safety Pilot Model Deployment. These devices, when eventually developed for mass production, could be fully integrated into a vehicle when manufactured, or could be standalone aftermarket units not restricted to a single vehicle. These devices offer varying degrees of functionality, but all are designed to communicate safety information to help mitigate crashes.

Safety information that can help mitigate crashes includes data elements like vehicle position, heading, speed, and so forth—data elements that could help a computer-based safety application on a vehicle calculate whether it and another vehicle were in danger of crashing without driver intervention. These pieces of information are collected into what is known as a ‘‘Basic Safety Message,’’ or ‘‘BSM.’’ In a fully-integrated vehicle communication system, the system is built into the vehicle during production, and consists of a general purpose processor and associated memory, a radio transmitter and transceiver, antennas, interfaces to the vehicle’s sensors, and a GPS receiver. It generates the BSM using in-vehicle information obtained from the vehicle’s on board sensors. An integrated system can both transmit and receive BSMs, and can process the content of received messages to provide advisories and/or warnings to the driver of the vehicle in which it is installed. Since the vehicle data bus provides a rich data set, integrated systems have the potential to obtain information that could indicate driver intent, which can help inform safety applications such as Left Turn Assist (LTA),22 Do Not Pass Warning (DNPW),23 and BSW/LCW safety applications, all of which can benefit from, or require, information on turn signal status or steering wheel angle.

Aftermarket devices, which are added to a vehicle after its assembly, can vary significantly from both fully-integrated vehicle communication systems, and from one another. The simplest designs may only transmit (and not also receive) a BSM, may only connect to a power source and otherwise operate independently from the systems in the vehicle, and may not run safety applications or provide advisories/warnings to a driver.24 More sophisticated options may have the ability to both receive and transmit a BSM to nearby vehicles, may connect to the vehicle data bus (similar to fully integrated devices), and may contain safety applications that can provide advisories/warnings to the driver. Depending on the type of aftermarket device, different data elements may or may not be available. This may limit what safety applications can be supported. For example, a device that does not connect to a vehicle data bus may support FCW, but without having access to turn signal information, may not be able to support LTA.

Regardless of whether they are integrated or aftermarket, all communication-based systems are designed to, at a minimum, transmit BSM information such as vehicle position and heading to nearby vehicles. That information may be transmitted using various communication methods—like cellular, Wi-Fi, radio, or dedicated short-range communication (DSRC)—each of which has its own advantages and disadvantages. At this time, DSRC is the only mature communication option that meets the latency requirements to support vehicle communication based crash avoidance, although future V2V standards may also meet the latency requirements.

Cellular networks currently offer fairly widespread coverage throughout the nation and are continuing to expand; however, there are still areas (dead spots) where cellular service is

18 A LIDAR device detects distant objects and determines their position, velocity, or other characteristics by analysis of pulsed laser light reflected from their surfaces. Lidar operates on the same principles as radar and sonar.

19 FCW warns the driver of an impending rear-end collision with a vehicle ahead in traffic in the same lane and direction of travel.

20 BSW and LCW technologies warn the driver during a lane change attempt if the zone into which the driver intends to switch to is, or will soon be, occupied by another vehicle traveling in the same direction. The technology also provides the driver with advisory information that a vehicle in an adjacent lane is positioned in his/her vehicle’s ‘‘blind spot’’ zone even when a lane change is not being attempted.

LTA applications currently trigger only when the driver activates the turn signal.

23 DNPW warns the driver of a vehicle during a passing maneuver attempt when a slower-moving vehicle, ahead and in the same lane, cannot be safely passed using a passing zone that is occupied by vehicles travelling in the opposite direction. The application may also provide the driver an advisory warning that the passing zone is occupied when a passing maneuver is not being attempted.
24 Such a device could still be useful to users, 21 ‘‘Vehicle-to-Vehicle Communications: 22 LTA warns the driver of a vehicle, when because it would alert other drivers to the presence Readiness of V2V Technology for Application’’, entering an intersection, not to turn left in front of of their vehicle (i.e., it would help them be ‘‘seen August 2014, pp. 105. another vehicle traveling in the opposite direction. better’’).


not available. And, although the advancement of long-term evolution (LTE) technology is helping to deliver large amounts of data to cellular users more quickly, transmission rates slow down if a user is moving or is in a high-capacity area with many other LTE users. While many new vehicles today already are equipped with cellular capability, this communication method could possibly introduce security risks, such as cyberattacks or privacy concerns,25 and high costs stemming from cellular data costs and fitting new vehicles with cellular capability.

Wi-Fi technology offers generally higher data rates than the other options, but because of its intrinsic design for stationary terminals, and the need for a vehicle to provide its MAC (media access control) address, and obtain the MAC address of all other vehicles in a Wi-Fi hotspot before it can send communications, transmission rates are significantly reduced if a user is moving. Cost concerns and potential security risks for Wi-Fi are similar to those for cellular communication.26

Satellite radio, or Satellite Digital Audio Radio Service (SDARS), uses satellites to provide digital data broadcast service nearly nationwide (across approximately 98% of the U.S. land mass—fundamentally not covering Alaska and Hawaii and covering the southern parts of Canada and northern parts of Mexico). Data download time for satellite communication, however, is slow compared to the other communication options which limits its capability to ‘‘back office’’ type communications versus actual vehicle to vehicle safety communications, and the costs and security risks associated with cellular and Wi-Fi communication also apply to satellite.27

DSRC is a two-way short-range wireless technology that provides local, nearly instantaneous network connectivity and message transmission. It has a designated licensed to permit secure, reliable communication, and provides very high data transmission rates in high-speed vehicle mobility conditions which are critical characteristics for detecting potential and imminent crash scenarios.28 Cost concerns and potential security risks are also inherent to DSRC technology.

In this NPRM, the proposal would require V2V communication to use DSRC devices to transmit messages about a vehicle’s speed, heading, braking status, etc. to surrounding vehicles, as well as to receive comparable information from surrounding vehicles. As DSRC is based on radio signals, which are omnidirectional (i.e., offer 360 degrees of coverage), V2V offers the ability to ‘‘see’’ around corners and ‘‘see’’ through other vehicles. Consequently, V2V is not restricted by the same line-of-sight limitations as crash avoidance technologies that rely on vehicle-resident sensors. V2V also offers an operational range of 300 meters, or farther, between vehicles, which is nearly double the detection distance afforded by some current and near-term vehicle-resident systems. These unique characteristics allow V2V-equipped vehicles to perceive and warn drivers of some threats sooner than current vehicle-resident sensors can. The proposal would also allow vehicles to comply using non-DSRC technologies that meet certain performance and interoperability standards.

V2V is subject to the current limitations of GPS technology. This includes accuracy levels that are perceived to be only sufficient for warning applications vs. control applications such as automatic braking. The GPS dependency also poses challenges where sky visibility is limited (e.g., under bridges, in tunnels, in areas of heavy foliage, and in highly dense urban areas). Some of these issues, however, can be resolved through techniques such as ‘‘dead-reckoning.’’ 29 V2V also requires that a significant number of vehicles be equipped with V2V technology to realize the effectiveness of the system, and similarly, whereas vehicle-resident sensors can ‘‘see’’ stop signs and traffic lights (and use that information to slow or stop the vehicle), the infrastructure also would need to be able to send messages to V2V-equipped vehicles if V2V was to have similar capability.

3. Fusion of Vehicle-Resident and Communication-Based Systems

Both vehicle-resident and communication-based safety systems have certain strengths and limitations, and as such, NHTSA and many commenters to the ANPRM, like the Automotive Safety Council, Hyundai Motor Group, IIHS, Motor & Equipment Manufacturers Association, and Volvo Cars, believe that combining (‘‘fusing’’) communication-based systems with vehicle-resident crash avoidance systems to exploit the functionality of both system types presents a significant opportunity. Given the proposed V2V system, we are confident that the technology could be easily combined with other vehicle-resident crash avoidance systems to enhance the functionality of both types of systems. Together, the two systems can provide even greater benefits than either system alone.

For vehicles equipped with current on-board sensors, V2V can offer a fundamentally different, but complementary, source of information that can significantly enhance the reliability and accuracy of the information available. Instead of relying on each vehicle to sense its surroundings on its own, V2V enables surrounding vehicles to help each other by reporting safety information to each other. V2V communication can also detect threat vehicles that are not in the sensors’ field of view, and can validate a return from a vehicle-based sensor. This added capability can potentially lead to improved warning timing and a reduction in the number of false warnings, thereby adding confidence to the overall safety system, and increasing consumer satisfaction and acceptance. Similarly, vehicle-resident systems can augment V2V systems by providing the information necessary to address other crash scenarios not covered by V2V communications, such as lane and road departure. These systems can work collectively to advance motor vehicle safety, as was further evidenced in the comments submitted by the Automotive Safety Council and IIHS.

The Automotive Safety Council commented that, in addition to the safety advantages from increased sensing range and the environment use cases, V2V also offers advantages with respect to operation status (e.g., brake pedal status, transmission state, stability control status, vehicle at rest versus moving, etc.). IIHS suggested that whereas current FCW systems are designed to operate off the deceleration of the vehicle directly ahead, V2V could permit communication with all vehicles ahead in the lane of travel, thus warning all vehicles, not just those equipped with FCW, of the imminent need to slow down or stop.

25 BAH CDDS Final Report. See Docket No. NHTSA–2014–0022.
26 BAH CDDS Final Report. See Docket No. NHTSA–2014–0022.
27 ‘‘Organizational and Operational Models for the Security Credentials Management System (SCMS); Industry Governance Models, Privacy Analysis, and Cost Updates,’’ dated October 23, 2013, prepared by Booz Allen Hamilton under contract to DOT, non-deliberative portions of which may be viewed in docket: NHTSA–2014–0022.
28 Report and Order FCC–03–0324.
29 The process of calculating one’s position, especially at sea, by estimating the direction and distance traveled rather than by using landmarks, astronomical observations, or electronic navigation methods.

IIHS contended, however, that onboard sensing systems may evolve during the time it will take V2V to penetrate the fleet, potentially to the


point where they have similar ranges to V2V transmissions, such that it may be difficult to quantify how much V2V will reduce collision frequency and severity beyond the capabilities of sensor-based systems. Along similar lines, the Automotive Safety Council countered some of its earlier comments by stating that ‘‘it is possible that DSRC technology may be obsolete before the safety goals of V2V systems are realized’’ such that it may be a better approach to pursue the installation of well-tested, standalone technologies that are currently available.

The agency appreciates the commenters’ views on the co-existence of the technologies with varying capability and expressing support for the agency’s approach in this proposal. We do disagree, however, with the comments indicating that V2V should not be pursued because onboard sensing systems exist in the marketplace. The agency views these technologies as complementary and not competing. Providing a data rich information environment should, most likely, enable more capability to enhance vehicle safety.

The agency requests comments on its views concerning the potential of fusing connected and vehicle-resident technologies. In particular, the agency requests comment on what specific applications could use both technologies to enhance safety. The agency also seeks comment on whether an if-equipped option for V2V would be preferable, given the development of vehicle-resident technologies.

4. Automated Systems

Automated systems perform at least some aspects of a safety-critical control function (e.g., steering, throttle, or braking) automatically—without direct input by a human driver. Examples of automated systems include Crash Imminent Braking (CIB) and Dynamic Brake Support (DBS). These systems are designed, respectively, to automatically apply the vehicle’s brakes if the human driver does not respond at all to warnings that are provided, or to supplement the human driver’s braking effort if the driver’s response is determined (by the system) to be insufficient, in order to mitigate the severity of a rear-end crash, or to avoid it altogether.

Although many automated systems currently rely on data obtained from on-board sensors and cameras to judge safety-critical situations and respond with an appropriate level of control, the data acquired from GPS and telecommunications like V2V could significantly augment such systems, since, as mentioned previously, vehicle communication-based systems, like V2V, are capable of providing warnings in several scenarios where vehicle-based sensors and cameras cannot (e.g., vehicles approaching each other at intersections).30 Honda Motor Co., Ltd. commented that ‘‘. . . the ability of vehicles to directly communicate with one another will greatly assist in the ability to safety and effectively deploy’’ higher-level driver assistance and automated technologies in Honda vehicles. Along similar lines, Meritor WABCO and the Automotive Safety Council both mentioned that V2V safety applications with warning capability will enhance current active safety systems, but should not be considered a replacement for them.

Systems Research Associates, Inc. stated that ‘‘it is irrefutable that V2V, V2I, and V2P communications will be absolutely critical to the successful development of self-driving vehicles that can avoid collisions, navigate responsibly, and achieve a transport objective efficiently and in a timely manner.’’ Similarly, IEEE USA commented that V2V can provide the trusted map data and situation awareness messages necessary for innovative safety functions, and support the flow of traffic with self-driving cars. Other commenters, including Robert Bosch LLC and Motor & Equipment Manufacturers Association expressed that V2V data should serve as a supplemental input in developing automated vehicles, but cautioned the agency that vehicles should not have an external, V2V exclusive infrastructure and communication medium dependency. This approach may unnecessarily limit the adoption or implementation of automated systems. Furthermore, the Automotive Safety Council commented that ‘‘V2V should be considered as one of the supporting sensor sets for automated vehicle applications, where it can augment the information available to the vehicle about the surrounding environment’’ by increasing the range and/or reliability of data from sensors, but it is ‘‘. . . not sufficient alone as a sensor to support automated vehicles nor a technology that will inhibit the development of automated applications. In order to ensure robust decisions for autonomous functions, sensing redundancy at the vehicle level may still be required to meet functional safety requirements, and/or for functions where the V2V technology is not capable of providing the necessary data or inputs to the vehicle.’’

Competitive Enterprise Institute expressed concerns that a V2V mandate may harm vehicle automation efforts. The company cited Google and Bosch’s ability to develop vehicle automation systems that use onboard sensors and computers to map vehicle surroundings in real-time and make direction decisions without widespread vehicle-to-vehicle connectivity as reason to suggest that V2V is unnecessary for full-scale automation. The company also commented that if automated systems were required to interact with V2V under a new Standard, this would generate ‘‘large and as yet uncontemplated cybersecurity, crash, and products liability risks.’’ Similarly, the Automotive Safety Council commented that the security system described in the V2V Readiness report ‘‘does not provide sufficient protection against all abuse of the V2V system’’ in the event that active safety applications which leverage the V2V infrastructure, are considered in the future. The group suggested that because ‘‘the data fed into the DSRC device from the vehicle sensors is not cryptographically protected,’’ an attacker ‘‘could simply feed a DSRC device bad data, which is subsequently cryptographically signed using the proposed PKI system and transmitted to nearby vehicles.’’ The Automotive Safety Council suggested that this could allow an attacker to ‘‘cause a vehicle to rapidly swerve off the road to avoid a collision with a car that does not exist in reality but was interpreted to exist’’ because the vehicle received false, but cryptographically signed and thus trusted, data from a nearby malicious vehicle.

QUALCOMM Incorporated maintained an opposing position to Competitive Enterprise Institute and the Automotive Safety Council. The company commented that, ‘‘while it is possible to implement a certain level of vehicle automation . . . without V2V, V2V can enhance the overall reliability and coverage of autonomous vehicle technology.’’ Consequently, the company contended that there is no conflict between the deployment of DSRC and automated vehicles, and further suggested that the two technological advances should be pursued simultaneously so that the additional safety benefits offered by DSRC can penetrate the fleet and be realized in both autonomous and non-autonomous vehicles. Overall, this approach is aligned with the agency’s view that V2V is complementary, and not competing, with automated vehicle deployment.

The agency requests comment on the interplay between V2V and autonomous technologies.


C. V2V Research Up Until This Point

1. General Discussion

The U.S. Department of Transportation, along with other research partners in State DOTs, academia, and industry, has been evaluating how to incorporate communication technology into transportation infrastructure since the mid-1980s, in order to improve transportation (particularly on-road vehicle) safety, mobility, and emissions. That broad research topic is generally referred to as ‘‘intelligent transportation systems’’ or ‘‘ITS.’’ V2V research developed out of ITS research in the mid-2000s, when NHTSA and CAMP began to look at the potential for DSRC as a vehicle communication technology, for the purpose of warning drivers of imminent crash risks in time to avoid them. NHTSA’s decision to begin the rulemaking process to require V2V communications capability on new light vehicles thus represented the culmination of several decades of research by government and industry to develop this communications technology for vehicles from the ground up. In the interest of brevity, NHTSA refers readers to the V2V Readiness Report for a summary of the history of ITS research and NHTSA’s work with CAMP and other partners prior to 2014.31

One element of the V2V research that took place prior to 2014 is the Safety Pilot Model Deployment. The Model Deployment was the culmination of the V2V research that had taken place in prior years. Using the Model Deployment, DOT deployed prototype V2V DSRC devices on real roads with real drivers that interacted for over a year and provided the data that allowed DOT to evaluate the functional feasibility of V2V under real world conditions.

The Model Deployment was conducted in Ann Arbor, Michigan, and ran from August 2012 to February 2014. Sponsored by DOT and conducted by the University of Michigan Transportation Research Institute, the experiment was designed to support evaluation of the functionality of V2V technology. Approximately 2,800 vehicles—a mix of cars, trucks, and transit vehicles operating on public streets within a highly concentrated area—were equipped with integrated in-vehicle safety systems, aftermarket safety devices, or vehicle awareness devices, all using DSRC to emit wireless signals of vehicle position and heading information. Vehicles equipped with integrated in-vehicle or aftermarket safety devices have the additional design functionality of being able to warn drivers of an impending crash situation involving another equipped vehicle.

Data collected during the Model Deployment was used to support an evaluation of functionality of the V2V safety applications used in the Model Deployment—in effect, whether the prototypes and the system worked, but not necessarily how well they worked. Overall, the Model Deployment demonstrated that V2V technology can be deployed in a real-world driving environment. The experimental design was successful in creating naturalistic interactions between DSRC-equipped vehicles that resulted in safety applications issuing warnings in the safety-critical driving scenarios that they were designed to address. The data generated by warning events indicated that all the devices were interoperable, meaning that they were successfully communicating with each other.

The Model Deployment was the first and largest test of V2V technology in a real-world environment. The Model Deployment was a key step in understanding whether the technology worked, the potential of this technology to help avoid crashes, and increase the vehicle safety.

Besides explaining the history of the research that led to NHTSA’s decision to initiate rulemaking to require V2V communications capability, the Readiness Report also described NHTSA’s understanding of the current state of the research in mid-2014, and identified a number of areas where additional research could be necessary either to develop mandatory requirements for new vehicles equipped with DSRC, or to further develop information needed to inform potential future requirements for DSRC-based safety applications. The following sections summarize the agency’s research-based findings in the Readiness Report; list the areas where the agency identified additional research as necessary; and explain the status of research conducted since the Readiness Report in response to those identified research needs.

2. Main Topic Areas in Readiness Report

Based on the agency’s research and thinking at the time of issuance, the V2V Readiness Report comprehensively covered several key topic areas:

• What the safety need is that V2V can address, and how V2V addresses it;
• The legal and policy issues associated with requiring V2V for light vehicles, the secure operation of the technology, and the implications of these issues for privacy;
• A description of the technology required for V2V capability, the different types of devices, and the security needed for trusted communications; and
• Based on preliminary data, how much the technology may be expected to cost (both for purchasers of new vehicles, and for the entities who develop and build out the security and communications networks, in terms of initial capital investments), and the potential effectiveness (and thus, benefits) of certain V2V-based safety applications at helping drivers avoid crashes.

(a) Key Findings of Readiness Report

The Readiness Report listed the key findings of the research up to that point, as follows:

• V2V (specifically, DSRC) devices installed in light vehicles as part of the Safety Pilot Model Deployment were able to transmit and receive messages from one another, with a security management system providing secure communications among the vehicles during the Model Deployment. This was accomplished with relatively few problems given the magnitude of this first-of-its-kind demonstration project.
• The V2V devices tested in the Model Deployment were originally developed based on existing communication protocols found in voluntary consensus standards from SAE and IEEE. NHTSA and its research partners participating in the Model Deployment (e.g., its vehicle manufacturers and device suppliers) found that the standards did not contain enough detail as-is and left too much room for interpretation to achieve interoperability. They therefore developed additional protocols that enabled interoperability between devices participating in the study. The valuable interoperability information learned during the execution of Model Deployment is planned to be included in future versions of voluntary consensus standards that would support a larger, widespread technology roll-out.

31 See Section II.B of the Readiness Report, available at http://www.safercar.gov/v2v/ (last accessed Dec 7, 2016).

• As tested in the Model Deployment, safety applications enabled by V2V, examples of which include IMA, FCW, and LTA, have proven effective in mitigating or preventing potential crashes, but the agency recognized that additional refinement to the prototype safety applications used in the Model Deployment would be needed before minimum performance standards could


be finalized and issued.32 Based on the agency’s understanding of how these prototype safety applications operate, preliminary effectiveness estimates in the Readiness Report indicated substantial ability to mitigate crashes, injuries or fatalities in these crash scenarios. Also, the agency concluded that some safety applications could be better tailored to the safety problem that they are intended to solve (e.g., LTA applications currently trigger only when the driver activates the turn signal, but many drivers do not always activate their turn signals in dedicated turn lanes).
• The agency has the legal authority to mandate V2V (specifically, DSRC) devices in new light vehicles, and could also require them to be installed in commercial vehicles already in use on the road if we also required them for new medium and heavy duty vehicles. The agency also has the authority to mandate safety applications that are V2V-based, and to work with an outside entity to develop the security and communications infrastructures needed to support deployment of V2V technologies in motor vehicles.
• Based on preliminary information used for the report, NHTSA estimated that the V2V equipment and supporting communications functions (including a security management system) would cost approximately $341 to $350 per vehicle in 2020, and it is possible that the cost could decrease to approximately $209 to $227 by 2058, as manufacturers gain experience producing this equipment (the ‘‘learning curve’’ effect). These costs would also include an additional $9 to $18 per year in fuel costs due to added vehicle weight from the V2V system. Estimated costs for the security management system ranged from $1 to $6 per vehicle, and were estimated to increase over time due to the need to support an increasing number of vehicles with V2V technology. The estimated communications costs ranged from $3 to $13 per vehicle. Cost estimates were not expected to change significantly by the inclusion of V2V-based safety applications, since the applications themselves are software and their costs are negligible.
• Based on preliminary estimates used for the report, the total projected preliminary annual costs of the V2V system fluctuated year after year but generally indicated a declining trend. The estimated total annual costs ranged from $0.3 to $2.1 billion in 2020, with the specific costs depending upon the technology implementation scenarios and discount rates. The costs peaked to $1.1 to $6.4 billion between 2022 and 2024, and then gradually decreased to $1.1 to $4.6 billion.
• The analysis conducted for the V2V Readiness Report estimated that just two of many possible V2V safety applications, IMA and LTA, would on an annual basis potentially prevent 25,000 to 592,000 crashes, save 49 to 1,083 lives, avoid 11,000 to 270,000 MAIS 1–5 injuries, and reduce 31,000 to 728,000 property-damage-only crashes by the time V2V technology had spread through the entire fleet, if manufacturers implemented them.33 These two applications were used for analysis because they were illustrations of benefits that V2V can provide above and beyond the safety benefits of radar and camera based systems. Of course, the number of lives potentially saved would increase with the implementation of additional V2V- and V2I-based safety applications that could be enabled if vehicles were equipped with V2V communications capability.

(b) Additional V2V-Related Issues That Required the Agency’s Consideration

The Readiness Report also recognized that additional items need to be in place for a potential V2V system to be successful. These items were listed as follows:

• Wireless spectrum: V2V communications transmit and receive messages at the 5.85–5.925 GHz frequency. The FCC, as part of an ongoing rulemaking proceeding, is considering whether to allow ‘‘Unlicensed National Information Infrastructure’’ devices (that provide short-range, high-speed, unlicensed wireless connections for, among other applications, Wi-Fi-enabled radio local area networks, cordless telephones, and fixed outdoor broadband transceivers used by wireless service providers) to operate in the same area of the wireless spectrum as V2V.34 Given that Wi-Fi use is growing exponentially, ‘‘opening’’ the 5.85–5.925 GHz part of the spectrum could result in many more devices transmitting and receiving information on the same or similar frequencies, which could potentially interfere with V2V communications in ways harmful to its safety intent. More research is needed on whether these Wi-Fi enabled devices can share the spectrum successfully with V2V, and if so, how. In December 2015 and January 2016, the DOT, FCC, and the Department of Commerce sent joint letters to members of the U.S. Senate Committee on Commerce, Science, and Transportation, delineating a collaborative multi-phased approach that will be used to provide real-world data on the performance of unlicensed devices that are designed to avoid interfering with DSRC operations in the 5.85–5.925 GHz band.
• V2V device certification issues: V2V devices are different from other technologies regulated by NHTSA under the Federal Motor Vehicle Safety Standards, insofar as part of ensuring their successful operation (and thus, the safety benefits associated with them) requires ensuring that they are able to communicate with all other V2V devices participating in the system. This means that auto manufacturers (and V2V device manufacturers) attempting to comply with a potential V2V mandate could have a significant testing obligation to guarantee interoperability among their own devices and devices produced by other manufacturers. At the time of the Readiness Report, it was an open question whether individual companies could meet such an obligation themselves, or whether independent testing facilities might need to be developed to perform this function. Based on the security design evaluated for the report, it was thought likely that an entity or entities providing the security management system would require that device manufacturers comply with interoperability certification requirements to ensure the reliability of message content. The agency currently believes the creation of a standardized test device should mitigate manufacturer to manufacturer communication variances to help ensure interoperability.

32 See, e.g., Nodine et al., ‘‘Independent Evaluation of Light-Vehicle Safety Applications Based on Vehicle-to-Vehicle Communications Used in the 2012–2013 Safety Pilot Model Deployment,’’ USDOT Volpe Center, DOT HS 812 222, December 2015. Available at Docket NHTSA–2016–0126.
33 The benefits estimated for this proposal vary from those developed for the V2V Readiness Report. Please refer to Section VII for details on the costs and benefits of this proposal.
34 See Revision of Part 15 of the Commission’s Rules to Permit Unlicensed National Information Infrastructure (U–NII) Devices in the 5 GHz Band, Notice of Proposed Rulemaking, ET Docket No. 13–49 (Feb. 2013). Under the FCC Part 15 rules U–NII devices cannot cause interference to DSRC operations and must accept interference from DSRC operations.

• Test procedures, performance requirements, and driver-vehicle interface (DVI) issues: Test procedures, performance requirements, and driver-vehicle interfaces appeared to work well enough for purposes of the Model Deployment (as compared to a true production, real-world environment), but NHTSA concluded that additional research and development would be necessary to produce FMVSS-level test procedures for V2V inter-device

communication and potential safety applications.

• As a result of this item from the Readiness Report, NHTSA undertook additional research to examine the minimum performance measures for DSRC communication and system security.35 The research included functional and performance requirements for the DSRC device, the results of which directly informed the development of this proposal. As we concluded in the Readiness Report, to eventually go forward with rulemaking involving safety applications, V2V and safety application standards need to be objective and practicable, meaning that technical uncertainties are limited, that tests are repeatable, and so forth. Additionally, the agency deferred consideration of whether standardization of DVIs would improve the effectiveness of safety applications, and whether some kind of standardization could have significant effects on costs and benefits.

• Standing up security and communications systems to support V2V: In order to function safely, a V2V system needs security and communications infrastructure to enable and ensure the trustworthiness of communication between vehicles. The source of each message needs to be trusted and message content needs to be protected from outside interference. A V2V system must include security infrastructure to credential each message, as well as a communications network to get security credentials and related information from vehicles to the entities providing system security (and vice versa).36

• Liability concerns from industry: Auto manufacturers repeatedly have expressed concern to the agency that V2V technologies will increase their liability as compared with other safety technologies. In their view, a V2V system exposes them to more legal risk than on-board safety systems because V2V warning technologies rely on information received from other vehicles via communication systems that they themselves do not control. However, the decision options under consideration by NHTSA at the time of the Readiness Report involved safety warning technologies—not control technologies. NHTSA’s legal analysis indicated that, from a products liability standpoint, V2V safety warning technologies, analytically, are quite similar to on-board safety warnings systems found in today’s motor vehicles. For this reason, NHTSA did not view V2V warning technologies as creating new or unbounded liability exposure for the industry.

• Privacy: NHTSA explained in the Readiness Report that, at the outset, readers should understand some very important points about the V2V system as then contemplated and understood by NHTSA. The system will not collect or store any data directly identifying specific individuals or their vehicles, nor will it enable the government to do so. There is no information in the safety messages exchanged by vehicles or collected by the V2V system that directly identifies the driver of a speeding or erratic vehicle for law enforcement purposes, or to third parties. The system—expected to be operated by private entities—will make it difficult to track through space and time specific vehicles, owners or drivers on a persistent basis. Third parties attempting to use the system to track a vehicle would find that it requires significant resources and effort to do so, particularly in light of existing means available for that purpose. The system will not collect financial information, personal communications, or other information directly linked to individuals. The system will enroll V2V enabled vehicles automatically, without collecting any information that identifies specific vehicles or owners. The system will not provide a “pipe” into the vehicle for extracting data. The system is designed to enable NHTSA and motor vehicle manufacturers to find lots or production runs of potentially defective V2V equipment without use of VIN numbers or other information that could identify specific drivers or vehicles. Our research to date suggests that drivers may be concerned about the possibility that the government or a private entity could use V2V communications to track their daily activities and whereabouts. However, NHTSA has worked hard to ensure that the V2V system both achieves the agency’s safety goals and protects consumer privacy appropriately.

• Consumer acceptance: If consumers do not accept a required safety technology, the technology will not create the safety benefits that the agency expects. At the time of the report, the agency believed that one potential issue with consumer acceptance could be maintenance. More specifically, if the security system is designed to require consumers to take action to obtain new security certificates—depending on the mechanism needed to obtain the certificates—consumers may find the required action too onerous. For example, rather than accept new certificate downloads, consumers may choose instead to live with non-functioning V2V capabilities.37

3. Research Conducted Between the Readiness Report and This Proposal

The findings of the V2V Readiness Report also yielded a series of research, policy and standards needs. The agency believed some of these needs were significant enough that they should be addressed to properly inform any potential regulatory action, such as this NPRM. The agency also identified some needs from the Readiness Report that could be addressed later to potentially support other aspects of V2V deployment such as safety applications. Following is a list of needs identified in the V2V Readiness Report and their current status. The agency has completed what it believes is the necessary research to inform and support this proposal, although the agency is continuing to study these and other issues. The agency notes that Table II–4 shows the status of the research related to safety applications, which are not being proposed in this NPRM.

35 “Development of DSRC Device and Communication System Performance Measures” Booz Allen Hamilton, Final Report—May, 2016; FHWA–JPO–17–483 available at http://ntl.bts.gov/lib/60000/60500/60536/FHWA-JPO-17-483.pdf (last accessed Dec 12, 2016) and, CAMP research supporting SAE J2945–1, “On-Board System Requirements for V2V Safety Communications” April, 2016.

36 Section II.F discusses NHTSA’s Request for Information (RFI) regarding the development of a potential Security Credential Management System (SCMS).

37 As follow-up to other consumer acceptance topics, the agency undertook additional consumer acceptance research (both qualitative and quantitative) to better understand potential consumer concerns. This research was used to directly inform this proposal. See Section III for discussion of this research and how the agency used it to develop this proposal.

TABLE II–4—DSRC PERFORMANCE REQUIREMENTS AND COMPLIANCE TESTING RESEARCH [NPRM RELEVANT]

| Readiness report research need | Description | Research projects initiated to address | Description | Completion date |
| Standards Need V–1 SAE Standards Maturity. | Currently Standards are being developed by outside standards organizations. | Crash Avoidance Metrics Partnership V2V Interoperability and V2V System Engineering Projects. | Crash Avoidance Metrics Partnership providing results of DSRC device performance requirements to SAE standards development committee for SAE J2735 and J2945. | April 2016. |
| Research Need V–2 Impact of Software Implementation on DSRC Device Performance. | [V–2] V2V device software updates may be required over its lifecycle. NHTSA will need to determine how to ensure necessary V2V device software updates are seamless for consumers and confirmed. | DSRC On-Board Unit Performance Measures Booz Allen Hamilton. Crash Avoidance Metrics Partnership—Documentation of On-Board Unit Requirements and Certification Procedures for V2V Systems (System Engineering Project). and V2V-Communication Research project. | BAH project will Develop performance measures for Dedicated Short Range Communication (DSRC) device; and develop security performance measures for the following, but not limited to Critical components on the DSRC device, Firmware on the DSRC device, Predominant elements in a Public Key Infrastructure (PKI). | BAH Completion date—Requirements October 2015/Test Procedures October 2015. CAMP System Engineering Completion date—Requirements Aug 2015/Test Procedures Sept 2015. |
| Research Need V–3 DSRC System Performance Measures. | [V–3] The purpose of this research is to finalize the operational modes and scenarios, key functions, and qualitative performance measures that indicate minimum operational performance to support DSRC safety and security communication functions. | | | CAMP Communications research completion date—August 2016. |
| Research Need V–5 BSM Congestion Sensitivity. | [V–5] Complete congestion mitigation and scalability research to identify bandwidth congestion conditions that could impair performance of safety or other applications, and develop appropriate mitigation approaches. | | CAMP will develop a single comprehensive document summarizing the minimum level of Connected Vehicle (CV) V2V safety system on-board requirements and certification procedures. | |
| Research Need V–6 Relative Positioning Performance Test. | [V–6] Research will be required to determine how to test relative positioning performance across GPS receivers produced by different suppliers and yield a generalized relationship between relative and absolute positioning. | | CAMP V2V Communications Research Project will identify requirement in relation to BSM message congestion mitigation and misbehavior detection. | |
| Research Need V–7 Vehicle and Receiver Positioning Biases. | [V–7] Research to understand potential erroneous position reporting due to positional biases across multiple GPS receiver combinations. | | | |
| Research Need VI–7 Compliance Specifications and Requirements. | [VI–7] Development of performance requirements, test procedures, and test scenarios to evaluate a device’s compliance with interoperability standards, security communication needs; and to support safety applications. | | | |

TABLE II–5—SYSTEM, SECURITY, AND ACCEPTANCE RESEARCH [NPRM RELEVANT]

| Readiness report research need | Description | Research projects initiated to address | Description | Completion date |
| Policy Need IV–1 Road Side Equipment Authority. | NHTSA will evaluate the need for DOT to regulate aspects of RSE operation and assess its authority for doing so. | Authority evaluation conducted for NPRM. | | Issuance of NPRM. |

| Policy Need IV–2 V2V Device Software Updates. | V2V device software updates may be required over its lifecycle. NHTSA will need to determine how to ensure necessary V2V device software updates are seamless for consumers and confirmed. | Crash Avoidance Metrics Partnership V2V System Engineering project and Crash Avoidance Metrics Partnership Security Credential Management System Proof of Concept project. | The System Engineering project will investigate software update requirements from the vehicle perspective as the Security Credential Management Systems project investigates software update from the security system perspective. Both projects will identify requirements that will facilitate the software update of V2V devices. | Completion Date for Requirements—Sept 2015. |
| Research Need V–1 Spectrum Sharing Interference. | Evaluate the impact of unlicensed U–NII devices on the transmission and reception of safety critical warnings in a shared spectrum environment. | Testing spectrum sharing feasibility. | A test plan for testing unlicensed devices that would share the band with licensed DSRC devices has been developed. The testing will evaluate the feasibility of sharing spectrum with unlicensed devices. | The evaluation of spectrum sharing interference is pending the conduct of tests with representative U–NII–4 devices that operate in the 5.9 GHz (DSRC) frequency band. Testing could be completed within 12 months of receipt of prototype devices. |
| Research Need VII–1 Consumer Acceptance. | Supplement the driver acceptance analysis completed per the Driver Clinics and Safety Pilot Model Deployment with further research that includes a focused assessment of privacy in relation to V2V technology. | V2V Crash Avoidance Safety Technology Public Acceptance Review. | This review needs to extend the current evaluation of driver acceptance to a broader public acceptance context and evaluate how public acceptance may impact and or influence the design, performance, operation, and implementation of this technology. | September 2015. |
| Research Need VIII–1 V2V Location Tracking via BSM. | [VIII–1] Assess the availability of information and technologies that facilitate linking data in the BSM to determine a motor vehicle’s path. | Independent Evaluation of V2V Security Design and Technical Analysis of the Potential Privacy Risk of V2V Systems. | The objective of this Task Order is to perform: (1) an independent and comprehensive technical analysis of the V2V security system design that is currently proposed specifically for a V2V connected vehicle environment; and (2) a technical analysis of the potential privacy risks of the entire V2V system that includes security but also focuses on the operation of V2V communications in support of crash avoidance safety applications. | March 2016. |
| Research Need VIII–2 V2V Identification Capabilities. | [VIII–2] Understanding and quantifying risk of linking vehicle tracking or other information in the BSM to a specific vehicle, address, or individual via available resources (including but not limited to database matching or data mining). | | | |
| Research Need VIII–3 V2V Inventory of Privacy Controls. | [VIII–3] Inventory and assess the privacy controls applicable to the SCMS in connection with our comprehensive privacy assessment. | | | |
| Research Need VIII–4 V2V Privacy Risk Assessment. | [VIII–4] A comprehensive privacy risk analysis of all aspects of the V2V system including infrastructure equipment, on-board vehicle systems, wireless and wired communications, as well as organizational and management issues. | | | |

| Research Need IX–2 Cryptographic flexibility. | [IX–2] The chosen cryptographic algorithms are estimated to be resilient against brute force attack for a few decades with some susceptibility through an unanticipated weakness. In the future new algorithms could enable better performance but may require redesign of functions or operations within the SCMS. | | | |
| Research Need IX–3 Independent Security Design Assessment. | [IX–3] Independent evaluation of CAMP/USDOT security design to assess alignment with Government business needs, identify minimum requirements, assess the security designs ability to support trusted messages and appropriately protect privacy, identify and remove misbehaving devices, and be flexible enough to support future upgrades. | | | |
| Research Need IX–1 Misbehavior Authority. | Development of the processes, algorithms, reporting requirements, and data requirements for both local and global detection functions; and procedures to populate and distribute the CRL. | Crash Avoidance Metrics Partnership System Engineering project, Security Credential Management Proof of Concept project, and Communication Research Project. | The CAMP System engineering project will investigate the implementation and device requirements for local (vehicle based) misbehavior detection and global (system-wide) misbehavior detection. The Communication Research project will research local and global misbehavior detection needs. The SCMS Proof of Concept will investigate implementation aspects from the security system perspective. | Initial Misbehavior Detection information to be completed December 2015. |

TABLE II–6—V2V SAFETY APPLICATION IMPROVEMENT AND PERFORMANCE VERIFICATION RESEARCH [NPRM IRRELEVANT]

| Readiness report research need | Description | Research projects initiated to address | Description | Completion date |
| Research Need V–4 Development of Safety Application Test Metrics and Procedures. | [V–4] This research will take the performance measures and objective test procedures used during the research of V2V applications and develop FMVSS level performance measures and safety application objective tests. | Volpe False Alert Scenarios and Objective Test Procedures for Crash Avoidance Applications project and Vehicle Research and Test Center project. | The Volpe project will support NHTSA development of false-positive warning objective test procedures in conjunction with development of objective test procedures and performance criteria for IMA, LTA, FCW, and BS/LCW applications. The results of this IAA will contribute to potential Federal Motor Vehicle Safety Standards (FMVSS) for these crash avoidance applications. | Volpe Completion Date—December 2018. VRTC Completion Date—April 2019. |
| Research Need VI–2 Safety Application Performance Measure Rationale. | | | | |
| Research Need VI–3 Practicability of Non-Ideal Driving Condition Testing. | [VI–1] Assess the capability and capacity of possible refinements to reduce frequency of false positive warning while maintaining crash avoidance effectiveness. [VI–2] Develop a rationale to support each performance and test metric recommended for incorporation into an FMVSS. | | The VRTC project will incorporate results and information from the Volpe project to develop Federal Motor Vehicle Safety Standards (FMVSS) for these crash avoidance applications. | |

| | [VI–3] Evaluate test variations for non-ideal driving conditions (e.g., curved roads, turn signal use, weather, oblique intersections) and develop a rationale supporting the inclusion or exclusion of those test conditions. | | | |
| Research Need VI–4 Fused and Non-Fused V2V Safety Application Test Procedures. | [VI–4] Develop test procedures that can be applied to systems relying solely on V2V information as well as “fused” systems, those relying on both V2V and other sources of information (e.g., on-board sensors). | | | |
| Research Need VI–5 Performance and Test Metric Validation. | [VI–5] Conduct test validation to ensure that the performance and test metrics are objective, repeatable, and practicable. | | | |
| Research Need VI–1 False Positive Mitigation. | Assess the capability and capacity of possible refinements to reduce frequency of false positive warning while maintaining crash avoidance effectiveness. | Volpe False Alert Scenarios and Objective Test Procedures for Crash Avoidance Applications project and. | The Volpe project will support NHTSA development of false-positive warning objective test procedures in conjunction with development of objective test procedures and performance criteria for IMA, LTA, FCW, and BS/LCW applications. | Volpe Completion Date—December 2018. |
| Research Need VI–6 DVI Minimum Performance Requirements. | Determine DVI’s impact on effectiveness of system and safety benefits applications to establish minimum performance for crash avoidance and objective test procedures. | V2V On-Road DVI Project | Testing DVIs for Intersection Movement Assist and Left Turn Assist for stopped vehicles. | VTTI Completion Date: November 2016. |

D. V2V International Harmonization Efforts

Section V.F of NHTSA’s Readiness Report detailed key similarities and some differences between U.S., European, and Asian V2X implementation approaches. There are several organizations in Europe and Asia conducting activities related to V2V and V2I communications and the U.S. DOT has established ongoing coordination activities with these regions and their representing organizations. For Europe, these organizations include DG CONNECT and the CAR 2 CAR Communications Consortium (C2C–CC). DG CONNECT is the EU directorate responsible for conducting research and pilot projects related to connected vehicles and C2C–CC has been working closely with CAMP as part of the EU–US V2X Harmonization Program.

A number of commenters to the ANPRM/Readiness Report addressed the issue of global harmonization. Most commenters addressing the issue encouraged the agency to pursue global harmonization between the U.S., EU, and Asia-Pacific regions as a way to and reduce costs,38 and also to facilitate cross-border traffic, as between NAFTA countries.39 A number of commenters discussed existing or under-development technical standards by bodies such as ETSI, ISO, and the EU–US Task Force on ITS, and called on NHTSA to support them,40 and some commenters suggested that NHTSA work to develop a Global Technical Regulation (GTR) and facilitate harmonization through that approach.41

With regard to what specifically should be harmonized, commenters mentioned hardware,42 software,43 DVI,44 and BSM,45 although Cohda Automotive argued that global harmonization efforts have effectively already resulted in a single hardware platform being possible, and that different software could run in each region.46 Some industry commenters cautioned, however, that NHTSA should not let harmonization objectives impede safety.47 Mercedes expressed concern that harmonization should not just be global, but also consider the risk of a patchwork of differing State regulations for advanced technologies, and asked that NHTSA work with State DOTs to avoid this.48

NHTSA recognizes the value of implementing V2V in a globally-harmonized way. Consistency could reduce costs, complexity, and contribute to a successful, long-term sustainable deployment. As discussed in the V2V Readiness Report, significant V2V research and development activities have been completed and continue in both Europe and Asia. Real-world deployments have been announced in both regions focusing on V2I systems to

38 Mercedes at 7; Alliance at 50; Automotive Safety Council at 3; Harley-Davidson at 2; Volvo Group at 3;
39 Alliance at 50; Global at 19–20; Pennsylvania DOT at 7; TRW Automotive at 7.
40 Mercedes at 7; Systems Research Associates, Inc., at 10; SAE International at 5; Delphi at 10; Continental Automotive Systems at 3.
41 Automotive Safety Council at 3; Volvo Group at 4.
42 Mercedes at 7.
43 Mercedes at 7.
44 Automotive Safety Council at 3; TRW Automotive at 7.
45 TRW Automotive at 7.
46 Cohda Wireless at 9.
47 Alliance at 50, Global at 19–20.
48 Mercedes at 8.

aid drivers and to attempt improvements in traffic flow.

Collaboration between organizations and governmental bodies in the U.S. and Europe has led to extensive harmonization of the criteria for hardware, message sets, security, and other aspects needed to support V2V between the two regions. It will be possible to use common radios and antennas in both regions. Harmonization could potentially be enhanced by this proposal by prompting solidification of the work focusing on security and message performance requirements for common applications. The connected vehicle applications being developed in Europe place a much stronger priority on mobility and sustainability compared to U.S. focus on safety applications.

Japan, Korea and Australia are the Asia-Pacific countries most involved in pursuing DSRC-based V2X communications. In Japan, MLIT’s current V2X approach centers on the adaptation of their electronic tolling system operating at 5.8 GHz. Additionally, some Japanese OEMs (mainly Toyota) are actively supporting the deployment of V2X using 760 MHz communications. Development of message sets in Japan is not yet complete but appears to be moving in a similar direction as the message sets harmonized between Europe and the U.S. Korea currently uses the 5.835–5.855 GHz band for Electronic Toll Collection and DSRC experimentation. Korea has performed field tests for V2V communication in this band. Industry sources indicate that Korea may shift DSRC for ITS to 5.9 GHz to be more aligned internationally.

In Australia, Austroads is the association of Australian and New Zealand road transport and traffic authorities. This organization is currently investigating potential interference issues, and working with affected license holders to evaluate the feasibility of use of the 5.9 GHz spectrum for V2X in Australia. Another agency, Transport Certification Australia, is leading the design for security requirements, supporting field deployments, and working with the Australian Communications and Media Authority (ACMA) on identifying requirements for spectrum usage. Because the Australian vehicle market is predominantly comprised of imports from the U.S., Europe, and Asia, these Australian agencies have joined in the international harmonization efforts to ensure that the vehicles brought into the country are interoperable with each other and with the new cooperative infrastructure equipment and applications emerging on the market. Canada has reserved spectrum at 5.9 GHz for V2X and is watching developments in the U.S. closely.

Harmonization and joint standardization is performed under an Implementing Arrangement for Cooperative Activities. This memorandum between the U.S. DOT and the European Commission established a collaborative relationship in 2009 and it was renewed in December 2014.49

The harmonization and collaboration on standards is governed by a Harmonization Work Plan that has generated a set of smaller, flexible task groups to focus on specific subjects. The completed and ongoing task groups and their status are the following:

• Harmonization Task Group (HTG) 1 on Security Standards and HTG3 on Communications Standards performed their analysis in 2011 with completion of results in 2012. HTG1 (which included experts from ISO, CEN, ETSI, IEEE) worked in coordination with HTG3 to identify the subset of available standards to provide assurance of interoperable security measures in a cooperative, interoperable environment. Because HTG 1 and HTG 3 issues were sufficiently interrelated and the HTGs had a significant overlap in membership, work on these topics was conducted jointly. The analysis documented how implementations of the protocol stack might not be interoperable because the specification of technical features from various Standards Development Organizations (SDOs) was different or incomplete. These differences presented interoperability challenges. HTG1 and 3 results provide guidance to the SDOs for actions to be taken that raise the assurance of security interoperability of deployed equipment. Vehicle connectivity through harmonization of standards and architecture will reduce costs to industry and consumers, in that hardware and/or software development costs will be spread over a larger user base, resulting in reduced unit costs. Differences between vehicles manufactured for different markets will also be minimized, allowing private-sector markets to have a greater set of global opportunities. A final outcome of the HTG1 and HTG3 work was recognition of the need to harmonize security policies and standards. To meet this need, a third HTG (HTG6) was established to explore and find consensus on management policies and security approaches for cooperative ITS.

• HTG2 on Harmonization of US BSM and EU CAM: The goal of HTG2 was to harmonize the vehicle-to-vehicle safety messages that had been developed within the EU and separately within the U.S. The group was able to harmonize on the hardware issues. However, differing U.S. and EU software approaches and institutional issues constrained the extent to which a single, cross-region safety message set could be developed. While a single message set did not result, the HTG was able to evolve the two messages in a manner such that simple software translation between the two message sets is sufficient to allow cross-compatibility. It was a significant step to be able to have the two message sets become substantially closer in nature. These advancements will facilitate deployment across multiple regions using similar or identical hardware and software modules.

• HTG4/5 on Infrastructure Message Standards: HTG 4/5 is currently in-progress. Its scope is to address the need for standardized Vehicle-to-Infrastructure message sets and interfaces, including:
○ Signalized intersections applications such as Signal Phase and Timing, Signal Request, Signal Status,
○ In-vehicle data message sets.
At this point, there is general agreement on the data concepts in these message sets, but there remain differences in how the data is conveyed between the infrastructure and the vehicles. These differences are due to project and communications restrictions. For example, the U.S. is planning for additional message sets for enhanced functionality; whereas the European approach may limit the initial applications and simply add data elements to the messages over time. ISO Technical Specification 19091, a standard covering V2I and I2V communications for signalized intersections, is currently under development and is incorporating both harmonized content and recognizing region-specific content—a practical compromise resulting from existing differences in signal standards. Overall, 19091 allows for substantial hardware congruity while acknowledging that fully identical message standards are not viable at this time.

• HTG6 on Harmonized Development of a Cooperative-ITS Security Policy Framework: HTG6 assessed security policy needs across international,

49 “Continuation of the Implementing Arrangement between the U.S. Department of Transportation and the European Commission” http://www.its.dot.gov/press/2015/euro_commission.htm#sthash.URMW4OOH.dpuf (last accessed Dec 8, 2016).


regional, and local levels. Analysis was performed to determine optimal candidate guidelines for policy areas. HTG6’s intent was to identify where harmonization is desirable by exploring the advantages and limitations of global versus local security policy alternatives, including economic benefits. Implementation of harmonized policies engenders and sustains public trust in the C–ITS system and applications, particularly with a highly mobile environment that expects C–ITS services to remain available as they cross borders as well as over time. The task group is identifying the largest set of common approaches and interfaces for harmonization, recognizing that there will be multiple instantiations of security entities within and adjacent to geographic/jurisdictional borders. Although minimizing the number significantly decreases cost and complexity, decisions to own and operate security occur for diverse reasons, specifically because of differing jurisdictional requirements for security levels, privacy, cryptographic choices, or trust model choices. The group’s analysis recognizes the benefits for commonality and identifies those policies and harmonized interfaces that support regional implementations that might diverge. At the time of developing this proposal, most of the reports from this activity are posted.50

The SCMS development activity has incorporated key outcomes of this activity, some of which include:

• Implementation of harmonized policies engenders and sustains public trust in the C–ITS system and applications, particularly within a highly mobile environment that expects C–ITS services to remain available as networks evolve over time and as services cross borders.

• To support cross-border/cross-jurisdictional operations of C–ITS applications, individual security systems (known as C–ITS Credential Management Systems or CCMS) require a defined range of harmonized processes as well as specific, secure data flows to support digital auditing and system transparency.

• Planning for inter-CCMS or intra-CCMS communications will require decisions when developing near-term operational systems but those decisions may have longer-term impacts on crypto-agility, system flexibility, and evolution of systems that must be considered from the start.

• Critical near-term steps for policy and decision makers to perform include:

○ Minimize the number of CCMS: Policy makers must determine the number of CCMS that will be operational within a local, regional, or national jurisdiction. Increasing the number of CCMS, in particular the root authorities, significantly increases complexity and cost.

○ Assess risk and set appropriate parameters for risk and privacy: No system will ever be without risk. Policy and decision makers must set acceptable levels of internal and external risk, as well as levels of privacy protection. Further, systems managers must assess these levels continuously throughout the lifecycle both of the security solution as well as end-entity (user) devices and applications. Risk and privacy levels come with trade-offs that will need to be assessed by policy makers.

○ Choose appropriate trust models: After system managers assess and categorize risk, they can identify policy and technical controls to mitigate risk. Collectively, these controls support the implementation of trust models that range from no trust among security entities to full trust that allows users (“trusted actors” that are accepted into the C–ITS security environment) to receive security services even after leaving their “native” system in which they are enrolled. Decisions are also required to establish criteria that define who are trusted actors and policies and procedures for certification, enrollment, removal in the event of misbehavior, and reinstatement.

○ Establish Governance: These decisions include the identification and convening of key stakeholders who will require representation in ongoing decision-making. Once convened, this group will establish processes for decision-making, define criteria for new entrants into the governance process, assign roles and responsibilities, establish authority to provide governance and enforcement, and determine enforcement procedures.

○ Implement harmonized processes: The HTG6 team identified the priority areas for harmonization in report HTG6–3 and identified the interfaces and data flows where the policies would be applied in HTG6–4. Policy makers will need to examine them to determine which ones are appropriate both to support their choice in trust models and throughout the CCMS lifecycle.

HTG group members comprise a small group of international experts who worked together intensively with co-leadership. Members are provided by the EC DG–CONNECT and U.S. DOT, and typically chosen from among the editors of many of the current cooperative ITS standards in the different SDOs providing direct linkages into those SDO activities, as well as representatives of the EU and U.S. DOT and the Vehicle Infrastructure Integration Consortium (VIIC), and expert representatives from roadway and infrastructure agencies, system integrators, and policy analysts. HTG6 expanded the membership beyond the EC and U.S. DOT to include Transport Certification Australia (TCA) plus observers from Canada and Japan.

As the U.S. is taking the lead in potential V2V deployment, whereas Asia and Europe are focusing primarily on V2I implementation, the agency expects that a finalized implementation driven by this proposal will set precedent and potentially adjust standards for V2V implementation globally.

E. V2V ANPRM

To begin the rulemaking process, NHTSA issued an ANPRM on August 20, 2014.51 Accompanying the ANPRM, NHTSA also published a research report discussing the status of V2V technology and its readiness for application (“V2V Readiness Report”).52 NHTSA’s goal in releasing these two documents in 2014 was to not only announce the agency’s intent to move forward with the rulemaking process, but also to comprehensively collect all of the available information on V2V and present this information to the public to collect comments that would further help the agency refine its approach with regard to V2V.

1. Summary of the ANPRM

In the ANPRM and the accompanying V2V Readiness Report, we emphasized the capability of V2V to be an enabler for many advanced vehicle safety applications as well as an additional data stream for future automated vehicles.53 We also stated our belief that a mandate to include DSRC devices in all vehicles would facilitate a market-driven approach to safety, and possibly other, application deployment.54

Current advanced vehicle safety applications (e.g., forward collision warning, automated braking, lane keeping, etc.) use on-board sensors (e.g., cameras, radars, etc.) to perceive a vehicle’s surroundings. Because each

50 “Harmonized security policies for cooperative Intelligent Transport Systems create international benefits” October 16, 2016. https://ec.europa.eu/digital-single-market/news/harmonized-security-policies-cooperative-intelligent-transport-systems-create-international (last accessed: Dec 8, 2016).
51 79 FR 49270.
52 Docket No. NHTSA–2014–0022–0001.
53 79 FR 49270.
54 Id.


type of sensor has advantages and disadvantages under different conditions, manufacturers seeking to incorporate advanced functions in their vehicles are increasingly relying on sensor fusion (i.e., merging information from different sources) to ensure reliable information is available to the vehicle when it makes crash-imminent decisions. When compared to on-board sensors, V2V is a complementary, and unique, source of information that can significantly enhance the reliability of information available to vehicles. Instead of relying on each vehicle to sense its surroundings on its own, V2V enables surrounding vehicles to help each other by communicating safety information to each other. In addition, V2V enables new advanced vehicle safety functionality because it enables vehicles to receive information beyond the range of “traditional” sensing technology.

One important example that we mentioned in the ANPRM is intersection crashes.55 Because of V2V’s ability to provide vehicles with information beyond a vehicle’s range of perception, V2V is the only source of information that supports applications like Intersection Movement Assist (IMA) and Left Turn Assist (LTA). These applications have the unique ability to address intersection crashes, which are among the most deadly crashes that drivers currently face in the U.S.56

However, in spite of the benefits of the technology, we explained in the ANPRM that we did not expect that V2V technology would be adopted in the vehicle fleet absent regulatory action by the agency.57 Due to the cooperative nature of V2V, we stated that early adopters of the technology would not realize immediate safety benefits until a sufficient number of vehicles in their geographical area have the technology.58 In other words, early adopters incurring the costs to equip their vehicle to transmit BSM information about their vehicle would not realize the benefit of the V2V information environment unless other vehicles in their surroundings are also transmitting and receiving BSM information.

In the V2V Readiness Report,59 we observed that, based on the data collected from the Safety Pilot Model Deployment Project, V2V systems work in real world testing. V2V-equipped vehicles successfully exchanged BSM information with each other and issued warnings to their drivers.60

We further discussed and summarized our preliminary information regarding many of the technical aspects of a potential rule including: The types of safety problems that could be addressed by V2V,61 the potential technological solutions to those problems (V2V-based or otherwise),62 the potential hardware/software component that could be used in DSRC devices,63 the applications that could be enabled by V2V,64 and preliminary design concepts for a security system for the V2V environment.65

The report also explored various important policy issues including: the agency’s legal authority over the various aspects of the V2V environment (e.g., the vehicle components, aftermarket devices, etc.),66 issues that may be outside the scope of NHTSA’s activities,67 privacy and public acceptance concerns over V2V technology,68 and potential legal liability implications.69 In addition, we began the process of analyzing the costs of a potential rule to require V2V capability in vehicles based on different technology assumptions and different scenarios for adoption.70 While we acknowledged that there are a variety of potential benefits of V2V, we conducted a preliminary estimate of the benefits attributable to two V2V-specific safety applications.71 Finally, throughout the V2V Readiness Report, we also identified various research and policy gaps in each of the substantive areas that we discussed.72

In the context of the V2V Readiness Report, the ANPRM asked 57 questions to help solicit comments from the public more effectively.73 While the questions we asked in the ANPRM covered a variety of subjects, many of our questions covered issues relating to estimating costs and benefits.74 For example, we asked the public about potential ways to obtain real-world test data concerning the effectiveness of V2V safety applications and whether we have identified the relevant potential crash scenarios for calculating benefits.75 On the same subject, we asked if preferring certain technologies over others in the situation of a network good 76 such as V2V would lead to any detrimental impact.77

The ANPRM questions also covered policy issues such as legal interpretation of NHTSA’s authorities under the Motor Vehicle Safety Act,78 and how commenters view the public’s potential acceptance/non-acceptance of V2V technology.79 The ANPRM also posed technical questions such as, how can the agency mandate V2V can help ensure interoperability, whether the Safety Pilot Model Deployment sufficiently demonstrated interoperability, and whether standards under development by organizations such as IEEE and SAE could help ensure interoperability.80

We raised important questions regarding the potential sharing of the DSRC spectrum allocation by soliciting comments on potential sharing and, if so, ideas on how to share the spectrum safely.81 In addition, we requested comment on the usefulness of our concepts for a potential security design (i.e., PKI)—including specific elements like the certificate revocation list (CRL), whether the system would create new “threat vectors,” sufficiently protect privacy, how DSRC devices could be updated, and potential cybersecurity threats.82

2. Comments to the ANPRM

In response to the ANPRM, the V2V Readiness Report, and our questions, we received more than 900 comments.83 The agency received responses to the ANPRM from a diverse set of commenters representing a wider range of perspectives than with other agency safety rules. They range from more traditional commenters to NHTSA safety rulemakings (e.g., automobile manufacturers/suppliers, trade associations, standards development organizations, safety advocacy groups, individual citizens, etc.) to newer participants in such rulemakings such as technology/communications companies, other state/federal agencies, and privacy groups. The comments also

55 Id.
56 Id.
57 Id.
58 Id.
59 V2V Readiness Report. Docket No. NHTSA–2014–0022–0001. Page xv.
60 Id. at xv.
61 Id. at 15.
62 Id. at 25.
63 Id. at 65.
64 Id. at 119.
65 Id. at 158.
66 Id. at 33.
67 Id. at xvi.
68 Id. at 133.
69 Id. at 208.
70 Id. at 216.
71 Id. at 259.
72 See e.g., id. at xix.
73 79 FR 49270, 49271.
74 Id. See also id. at 49273–24.
75 Id. at 49271.
76 A network good’s value to each user increases when the number of users of that good increase (e.g., telephone). In other words, increasing the number of users creates a positive externality.
77 Id.
78 Id.
79 Id. at 49273.
80 Id. at 49272.
81 Id.
82 Id. at 49273.
83 See Docket No. NHTSA–2014–0022.


covered a wide variety of topics ranging from the technical details of V2V technology to the policy implications of any potential rule. While this document discusses the relevant comments in much greater detail when discussing each aspect of the proposal (in the sections that follow), the paragraphs here contain a sampling of the types of commenters and the major issues they raised.

While expressing general support, the automotive manufacturers stated their belief that the Federal government needs to assume a large role in establishing key elements of the V2V environment (e.g., establishing common operating criteria for V2V devices, establishing a security credentials system, preserving the 5.9 GHz spectrum for V2V safety, and mandating devices in new vehicles).84 The automotive manufacturer commenters discussed their legal concerns (including concerns over practicability of an FMVSS if certain aspects of the V2V environment are missing and potential legal liability for manufacturers).85 While generally agreeing with our assessment regarding the readiness of some of the industry technical standards to ensure that V2V communications work, the automotive manufacturer commenters also emphasized the importance of privacy and public acceptance to the success of the technology.86 In spite of some of these open policy and technical questions, many automotive manufacturer commenters also agreed that a regulation or requirement defining key items needed for interoperability is necessary to realize the full potential benefits of V2V.87

Automotive suppliers generally expressed support for the technology as well. They further generally opined that the technology and standards for the technology are mature enough for initial deployment. For example, DENSO 88 stated that DSRC is a suitable technology for implementing V2V safety applications and that the current BSM is adequate to support those purposes. Continental further commented that V2V demonstrations thus far show that the system works and is interoperable.89 Raising different points, Delphi commented that the coverage of a potential V2V rule should include more than just the vehicles contemplated in the ANPRM and that the technology should be developed in conjunction with the vehicle-resident systems.90

Safety advocacy groups also expressed support, but emphasized the importance of ensuring interference-free spectrum for V2V. For example, the American Motorcyclist Association stressed the need for interference-free spectrum to ensure the safety applications will function. V2V, in their view, has the unique capability to address crashes that represent a significant portion of motorcycle crashes (e.g., left turn across path crashes).91 They also emphasized the importance of a uniform human-machine interface for safety applications (regardless of whether the applications use V2V or vehicle-resident based information).92 Other safety advocacy groups (e.g., the Automotive Safety Council) covered a large variety of topics (e.g., emphasizing the importance of interoperability, the ability of V2V to work in conjunction with vehicle-resident systems, and expressing concern that the security system described in the report would not sufficiently protect against all forms of “abuse” of the V2V environment).93

Two standards development organizations also submitted comments. The two organizations (SAE and IEEE) were involved in developing various standards incorporated in this proposed rule. Both generally expressed support for the agency’s proposal and stated that—in spite of on-going research—the standards are mature enough to support deployment of DSRC devices and ensure that they are interoperable.94 Where the standards organizations differed was their opinion concerning spectrum availability. SAE reiterated its concern that “interference-free spectrum” is critical for the V2V environment.95 While IEEE suggested that spectrum sharing is feasible, they opined that DSRC deployment should not wait for further research on spectrum sharing.96 Instead “acceptable sharing parameters” may be determined at a later date after DSRC deployment and further research.97

While expressing general support for the technology and NHTSA’s efforts in this area, technology/communications device manufacturers expressed two general concerns. Through their trade associations,98 such manufacturers raised questions about NHTSA’s authority to regulate software and mobile devices.99 In addition, individual companies (e.g., Qualcomm 100) and other associations (e.g., the Wi-Fi Alliance 101) expressed their opinion regarding the viability of spectrum sharing with unlicensed Wi-Fi devices and the ability of V2V to flourish alongside other technologies that will benefit automotive and highway safety. Finally, the Information Technology Industry Council stated its belief that NHTSA needs to ensure that connected vehicle technologies are allowed to develop using different technological solutions (e.g., other communications mediums beyond DSRC).102

Other government agencies also submitted comments. The NTSB commented that both V2V and vehicle-resident crash avoidance technologies are important and they are complementary—especially when one (vehicle-resident) fills the gap during the deployment of the other (V2V).103 State agencies also commented.104 AASHTO also mentioned that interference-free spectrum is critical and commented that supporting future upgrades to the system through software rather than hardware changes would be important for state agencies.105

A significant number of commenters also raised privacy concerns with this rulemaking. In addition to a large number of individual commenters, organizations such as EPIC stated that, since a potential rule would create significant privacy risks, they recommend that the government take various actions to protect the information (e.g., establish when PII can be collected, when/where information can be stored, additional encryption

84 See e.g., Comments from the Alliance of Automobile Manufacturers, Docket No. NHTSA–2014–0022–0603.
85 See id.
86 See id.
87 See e.g., Comments from , Docket No. NHTSA–2014–0022–0953.
88 See Docket No. NHTSA–2014–0022–0655.
89 See Docket No. NHTSA–2014–0022–0414.
90 See Docket No. NHTSA–2014–0022–0266.
91 See Docket No. NHTSA–2014–0022–0646.
92 Consumers Union discussed the HMI and how warnings need to be effectively communicated to the driver. See Docket No. NHTSA–2014–0022–0533.
93 See e.g., Docket No. NHTSA–2014–0022–0511.
94 See e.g., Docket No. NHTSA–2014–0022–0597.
95 See id.
96 See Docket No. NHTSA–2014–0022–0693.
97 Id.
98 CTIA—The Wireless Association and the Consumer Electronics Association.
99 See e.g., Docket No. NHTSA–2014–0022–0483.
100 See Docket No. NHTSA–2014–0022–0665.
101 See Docket No. NHTSA–2014–0022–0644.
102 See Docket No. NHTSA–2014–0022–0403.
103 See Docket No. NHTSA–2014–0022–0267.
104 State DOTs from also stress the need to have uniform HMI—serving a purpose similar to the MUTCD for traffic signs and signals. They also commented that other vehicle types that could benefit from V2V (e.g., vehicles with GVWR greater than 10,000) and mentioned the potential of other V2X applications (e.g., vehicle to rail, agricultural equipment, horse-drawn vehicles). Further they opine that mandate is needed to deploy quickly. See e.g., Comment from PennDOT, Docket No. NHTSA–2014–0022–0371; TxDOT, Docket No. NHTSA–2014–0022–0218; Wisconsin DOT, Docket No. NHTSA–2014–0022–0507.
105 See Docket No. NHTSA–2014–0022–0420.


methods, and require adherence to Consumer Privacy Bill of Rights).106 In addition, Professor Dorothy Glancy expressed concern that NHTSA plans to conduct its privacy analysis after the ANPRM stage of the rulemaking process and is concerned that not all potential data collection is accurately portrayed in the ANPRM.107 On the other hand, while the FTC agreed that privacy concerns could exist in the V2V environment related to (1) obtaining the vehicle location information and (2) pricing insurance premiums over the driving habits, it believes NHTSA has taken these concerns into account.108 Finally, many individual citizen commenters (in addition to the topics covered above) discussed their perception that this rulemaking proposes to mandate a technology that poses a potential health concern. The EMR Policy Institute 109 expressed similar concerns stating that NHTSA should postpone this rulemaking until the FCC changes their guidelines regarding human radiation exposure to wireless communications.

F. SCMS RFI

Approximately 30 days after issuing the agency’s Advance Notice of Proposed Rulemaking (ANPRM) 110 and V2V Readiness Report, NHTSA released a Request for Information (RFI) 111 regarding a Security Credential Management System (SCMS) that could support a national deployment of a V2V communication system. NHTSA was interested in hearing from entities interested in establishing components of an SCMS or the SCMS, itself. The RFI was issued separately from the ANPRM and V2V Readiness Report to give potential respondents additional time to review the more-detailed V2V Readiness Report content on the SCMS, allowing time for respondents to formulate informed responses to the Agency’s questions about how an SCMS should be designed and whether they would be interested in developing or operating components or the SCMS, as a whole.

As discussed in the ANPRM and V2V Readiness Report, we explained that NHTSA would not require the SCMS by regulation and did not expect to establish, fund or operate the SCMS. Questions in the RFI covered topics such as potential governance structures for the SCMS, requests for estimates of necessary initial capital investment, how respondents believed the SCMS (or the components that they were interested in operating) could generate revenue and be financially sustainable (in order to ensure its uninterrupted operation), what respondents thought of the current SCMS design and, finally, the respondent’s interest in standing up and operating some or all of the components of the national V2V SCMS.

NHTSA received 21 responses by the December 15, 2014 response closing date, and approximately 11 respondents indicated an interest in running some or all components of the SCMS. The remaining responses commented more generally on issues of potential governance and liability with two common themes: (1) That the Federal Government should take the lead in standing up and operating the SCMS; and (2) that the Federal Government should indemnify companies participating in the SCMS from liability.

The RFI respondents included vehicle manufacturers, software component developers and suppliers, cryptography experts, certificate management entities, satellite and cellular service providers and academia. Because the process of deploying cooperative V2V technology and supporting establishment of an SCMS both are unprecedented activities, the agency believed it was appropriate to meet with the subset of eleven respondents who expressed interest in operating aspects of the SCMS or the SCMS as a whole. These meetings ensured that the agency and the individual respondents shared a mutual understanding of each respondent’s comments, their potential role in an SCMS, and the agency’s views on the ways in which an SCMS could be established and deployed.

Meeting discussions covered a wide range of topics—including details of cryptography intricacies, certificate distribution methodologies, root storage and protection, to potential overall SCMS management. NHTSA found these meetings to be very beneficial in terms of introducing the agency to some new potential stakeholders and service providers different than the vehicle OEMs and suppliers with whom NHTSA typically. The diversity of RFI respondents exemplified the multi-stakeholder and cross-cutting nature of the V2V ecosystem.

Additional details on the SCMS RFI responses can be found in Section V.B.4.

III. Proposal To Regulate V2V Communications

A. V2V Communications Proposal Overview

The agency believes that it will not be possible to begin to address the 3.4 million crashes identified in Section II.A, especially the intersection crashes and left-turning crashes, given today’s vehicle-resident technology offerings. As described earlier, the limitations of current sensor-based safety systems, in terms of direction and distance, likely will not be able to address intersection and left-turning crashes, among other potential crash scenarios, as effectively as V2V communications could.

The agency’s proposal to regulate V2V technology is broken into distinct functional components, some of which have alternatives that could potentially be employed “in-conjunction-with” or “in-place-of” the agency’s proposal. The distinct functional components are: The actual communications technology itself (Section III.E), proposed messaging format and content requirements (Section III.E.2), authenticating V2V messages (Section III.E.3), V2V device misbehavior detection and reporting (Section III.E.4), malfunction indication requirements (Section III.E.5), software and certificate updating requirements (Section III.E.6), and proposed cybersecurity related requirements (Section III.E.7).

B. Proposed V2V Mandate for New Light Vehicles, and Performance Requirements for Aftermarket for Existing Vehicles

NHTSA’s proposal would require that new light vehicles include vehicle-to-vehicle communication technology able to transmit standardized BSMs over DSRC as described in Section III.E below, beginning two years after issuance of a final rule and phasing in over the following three years at rates of 50 percent, 75 percent, and 100 percent, respectively. “Light vehicles,” in the context of this rulemaking, refers to passenger cars, multipurpose passenger vehicles, trucks, and buses with a gross vehicle weight rating of 10,000 pounds (4,536 kilograms) or less.112 The agency

106 See Docket No. NHTSA–2014–0022–0689.
107 See Docket No. NHTSA–2014–0022–0331.
108 See Docket No. NHTSA–2014–0022–0502.
109 See Docket No. NHTSA–2014–0022–0682.
110 79 FR 49270 (Aug. 20, 2014).
111 79 FR 61927 (Oct. 15, 2014).
112 “Passenger cars,” “multipurpose passenger vehicles,” “trucks,” and “buses” are defined in 49 CFR 571.3. Some commenters suggested that the agency’s proposal also cover vehicles like motorcycles and horse-drawn buggies (Wisconsin DOT), or heavy vehicles (Bendix, among others). Both motorcycles and HVs were included in the Safety Pilot Model Deployment, but in very small numbers, and the agency believes that more research is needed than what is available at the time of this NPRM before we are ready to propose requirements for those vehicles. The agency will be making a decision on how to proceed with V2V


believes that this amount of lead time and phase-in is needed based on the potential for device supply constraints to generate production-level quantities of devices required by automotive OEMs to meet the standard 113 and to allow flexibility for vehicle refresh and redesign cycles. The proposal also allows vehicles to comply using non-DSRC technologies that meet certain performance and interoperability standards.

In addition to requiring new light vehicles to be able to transmit and receive BSMs over DSRC, the proposal would also require that similarly-capable aftermarket devices achieve the same DSRC performance.

Besides being the first FMVSS to involve vehicles relying on information transmitted by other vehicles, this FMVSS would also be the first to incorporate elements of secure wireless communication protection directly into the performance requirements.114 New motor vehicles are increasingly computerized, and given the importance of ensuring the availability and integrity of safety-critical systems, we considered which requirements could best be incorporated into an FMVSS and which should be part of the V2V security system instead. V2V security requirements are discussed in Section III.E.3 and Section III.E.7, along with a discussion of privacy and security in Section IV.

The agency has put forth this proposed rule on the basis that a fully-implemented V2V system, as currently envisioned, is a compilation of many elements that provide a data-rich technology platform that ensures secure and interoperable communications enabling safety warnings and advisories for drivers. As described in the V2V Readiness Report, V2V devices send out BSMs to alert other vehicles to their presence, and receive BSMs from other vehicles in order to determine whether to warn their drivers of an imminent crash situation. BSMs must be accompanied by message authentication capabilities so that the receiving V2V communication will allow suppliers and vehicle manufacturers to innovate and spur the market for applications that will provide consumers increased safety.

The agency believes that a mandate for all light vehicles is necessary to achieve the safety goals of this proposal. The two vital pieces in order to achieve these crash avoidance benefits are (1) ensuring interoperable V2V communications, and (2) achieving a critical mass of communicating vehicles in the American fleet. NHTSA believes that this proposal is the only way to achieve these two pieces because of the lagging adoption of advanced safety technologies in the marketplace. As evidenced by the slow voluntary deployment of vehicle sensor-based advanced driving assistance systems, the agency believes that it will be even more difficult to achieve a critical V2V implementation level without a mandate due to the cooperative nature of the V2V system. If it cannot reach a critical deployment level within a certain timeframe, the safety benefits of V2V would drop dramatically, and manufacturers would have much less incentive to develop the safety applications (despite their relatively low costs) because they would not have a reason to make the initial investment to install the V2V communications equipment. This represents a classic ‘‘collective action’’ problem, of the sort that government regulation is designed to address. We do not believe that critical mass can be achieved, allowing the life-saving benefits of V2V to come to fruition, in the absence of a government mandate. We seek comment on these tentative conclusions.

NHTSA received a number of comments to the ANPRM and the V2V Readiness Report suggesting that V2V communication technology could be better encouraged through what the agency refers to as an ‘‘if-equipped’’ standard rather than a mandate for all new light vehicles—i.e., that NHTSA should simply set a standard saying ‘‘if a new vehicle is equipped with devices capable of V2V communications, then it should meet the following requirements.’’ While both options are within the agency’s regulatory authority, we continue to believe that requiring V2V communication technology for new light vehicles will be the quickest and most effective way to achieve fleet-wide V2V communication technology deployment and ensure the full safety potential of this technology is realized. Allowing manufacturers to choose whether to apply V2V technology in new vehicles could have two main risks in terms of holding back potential safety benefits. First, it is uncertain how manufacturers would voluntarily deploy V2V capability. Manufacturers typically have implemented new vehicle-resident technologies in their more expensive vehicles first. If manufacturers take this approach for V2V, NHTSA believes that a segmented approach to implementation of V2V technology will not be enough to quickly precipitate the data-rich environment needed to support development of manufacturer-supplied safety applications, or to support the needed establishment of a V2V communications security system. Leaving the pace of that development to the market will, we believe, delay the life-saving benefits of those safety applications because the effectiveness of applications depends on receiving messages from all other vehicles. Second, if fewer vehicles are equipped with V2V, there may be less incentive for industry to develop a sufficient security system, which will feed into concerns from consumers regarding perceived potential privacy and cybersecurity issues. Taken together, the delayed effectiveness of the safety applications plus potentially increased concerns about security may lead manufacturers not to include V2V capability in a significant amount of vehicles at all. For these reasons, NHTSA proposes to require new light vehicles to be V2V-capable.

NHTSA and, we believe other stakeholders, will be working to educate consumers about V2V, and will ensure that the V2V system is designed to minimize security risks and protect privacy appropriately. We believe consumer education will alleviate fear of the unknown as V2V enters the vehicle fleet. Findings from our consumer research between the ANPRM and this NPRM are discussed below in Section IV, and NHTSA will be considering these issues carefully as we move forward.

While we are proposing a V2V communications mandate, we also seek further comment on the costs and benefits of an ‘‘if-equipped’’ option, particularly considering the substantial monetary and potential social costs of a mandate. Do commenters believe an if-equipped option would be a preferable approach, and if so, why? What costs and/or benefits should we consider relative to an if-equipped approach, and how do those costs and benefits compare to our analysis of the costs and

capability for HVs at a later date. For buggies, these would not be considered motor vehicles, but we are optimistic that V2X capability may eventually be available for them.

113 Impact of Light Vehicle Rule on Consumer/Aftermarket Adoption—Dedicated Short Range Communications Market Study, Intelligent Transportation Society of America, FHWA–JPO–17–487, available at http://ntl.bts.gov/lib/60000/60500/60535/FHWA-JPO-17-487_Final_.pdf (last accessed Dec 12, 2016).

114 To be clear, the related performance requirements for V2V communication security will incorporate protections to ensure a secure vehicle communication that are distinct from other types of communications with the vehicle for other data transfers and interconnectivity. The performance requirements for V2V security communications do not and are not intended to provide comprehensive protection for other vehicle wireless communications or internal vehicle connectivity for operational functionality. That responsibility continues to belong to manufacturers.


benefits of a mandate? For instance, we seek additional comment on how an if-equipped option may potentially delay or lead to uncertainty in V2V technology development.

In addition, what benefits may accrue from a more gradual, market-based approach to a technology that has never before been widely deployed? What effect would such an approach have on the ability to iterate and test potential V2V technology solutions, including issues related to costs, reliability, security, and deployment? How would an if-equipped approach affect consumer choice and privacy protections? We also seek examples and information related to the success and failure of other network-reliant technologies, including those that evolved in the absence of a government mandate and those that were mandated and whether the example is applicable or not to a safety sensitive function.

C. V2V Communication Devices That Would Be Subject to FMVSS No. 150

1. Original Equipment (OE) Devices on New Motor Vehicles

NHTSA’s research thus far indicates that V2V communications technology is feasible for new light vehicles. The Safety Pilot Model Deployment demonstrated that interoperability is possible and directly informed the requirements in this proposed FMVSS and also in SAE standards such as J2735 and J2945. The agency is confident that V2V devices integrated into light vehicles consistent with these requirements will provide the technical foundation for national deployment of DSRC-based crash avoidance capability.

2. Aftermarket Devices

Many consumers may not be ready to purchase a new vehicle, but may be interested in having V2V capabilities in their current vehicles. NHTSA believes that it is likely that aftermarket products may be developed in response to consumer interest in V2V, and we strongly support the innovation and accessibility that aftermarket devices could foster, all potentially leading to expanded and earlier benefits from V2V communication technology. As the name suggests, ‘‘aftermarket’’ refers to products that the vehicle owner purchases and adds to his or her vehicle after the vehicle’s manufacture. Aftermarket products are distinguished from ‘‘original equipment,’’ which is installed on the vehicle during its manufacture, prior to initial purchase. Allowing aftermarket products to participate in the V2V system will enable the technology to spread faster than if introduced through new vehicles only—thus accelerating safety benefits.

As part of setting standards for aftermarket V2V devices, however, NHTSA recognizes that some aftermarket products may not be able to populate optional BSM data elements if they do not have access to the CAN bus. Aftermarket devices will therefore need to use other methods to populate elements needed to calculate vehicle position in order to support crash avoidance warnings. Some data elements, such as turn signal indication, will not be able to be derived from other methods. As a result, the inability of some aftermarket devices to populate certain optional BSM data elements may impact the fidelity (ability to balance the level of false positive warnings) of safety applications that the aftermarket device supports. In the Safety Pilot Model Deployment, there were three separate types of ‘‘aftermarket’’ devices—some that were fully integrated into the vehicle just like original equipment; some that were connected to the vehicle for power, but did not have access to the vehicle’s data bus; and some that also only connected for power, and could only transmit BSMs but could not receive them and could not deliver crash avoidance warnings. Based on the information we currently have before us, we think it is reasonable to assume that these three types of aftermarket devices could be available in the rulemaking timeframe.

For example, OEMs may choose to offer their own aftermarket V2V devices that can be retrofitted onto earlier vehicle models (retrofit means the devices can interface with the vehicle data bus), made by that OEM, at one of their retailers. For another example, V2V devices, which are not unlike today’s dedicated aftermarket navigation systems (e.g., a Garmin or TomTom), could potentially be developed for drivers to purchase and have installed. The agency also foresees the potential for some form of a multi-use device containing a V2V-related application (‘‘app’’) that could be brought into a vehicle (‘‘carry-in’’) by a driver. A carry-in device could have the capacity to simply send a BSM without providing any warnings to the driver or potentially provide more capabilities in a potential V2V, or V2I, system. Moreover, in the future, there could be yet other types of aftermarket devices that have V2V capabilities not yet envisioned by NHTSA.

NHTSA does not wish to limit the development of different types of aftermarket devices, but we do seek to ensure that all devices participating in the system perform at a minimum or better performance level for V2V communication. This is important because, in order to ensure safe and secure crash avoidance benefits, all BSMs transmitted need to perform at a minimum performance level such that safety applications can identify imminent crash situations and issue warnings to the driver to avoid a crash. Therefore, the minimum performance requirements need to be the same for all devices with provisions that accommodate the optional data elements that can be used to perform better than the minimum.

The proposed requirements for any V2V devices recognize that, as DOT discovered in the Safety Pilot Model Deployment, installation can significantly impact how devices perform. The agency believes there is a high probability that a certified device installer could complete the installation for aftermarket safety devices. It is imperative that all V2V components be properly installed to ensure that an aftermarket device functions as intended. Whereas some vehicle owners may choose to replace their own brakes or install other components on their vehicles themselves, installation requirements for aftermarket V2V devices may not be conducive to a do-it-yourself approach. Improper installation of a GPS antenna has the potential to affect the proper population of BSM data elements. Faulty position data from a transmitting vehicle can result in false warnings, improperly timed warnings, etc. Moreover, an improperly installed aftermarket device may put all other V2V-equipped vehicles it encounters at risk until the given vehicle stops communicating, or until its messages are rejected for misbehavior.

The agency seeks comment on the potential need for certification of aftermarket V2V device installations. If so, please provide any potential recommendations of appropriate retail outlets, the certification mechanisms, and authorizers (vehicle manufacturers, device manufacturers, device retailers, others) that should be employed. Conversely, do commenters believe that future available technology may allow consumers to self-install V2V devices such as web-based tools, or other potential methods, that could verify accuracy of an installation? Research supporting this possibility would be very helpful.


D. Potential Future Actions

1. Potential Future Safety Application Mandate

NHTSA has concluded that V2V communication technology combined with V2V-based safety applications can provide significant safety benefits and potentially help drivers avoid thousands of crashes per year. We believe that by leading with a mandate for V2V communication technology, NHTSA will be able to foster industry development and deployment of new, beneficial safety applications. As previously discussed in the V2V Readiness Report and in the above discussion concerning the safety need, there are a number of these applications that the agency believes could be ready to be deployed soon after a V2V mandate is in effect. In particular, the agency has highlighted two specific applications, IMA and LTA.

The agency focused on these potential safety applications because prototypes of these applications were used during Safety Pilot Model Deployment, because we have sufficient data, and because they can be effectively enabled only by V2V. IMA warns drivers of vehicles approaching from a lateral direction at an intersection, while LTA warns drivers of vehicles approaching from the opposite direction when attempting a left turn at an intersection.

As discussed in the V2V Readiness Report, the agency has and will continue to investigate other potential V2V safety applications that could be enabled by V2V communications.115 Depending on the market penetration of applications in response to this proposed mandate of the foundational V2V capability, the agency may later decide to mandate some or all of the potential applications discussed in the Readiness Report, and perhaps future applications yet to be developed. If mandated in the future, applications would likely be incorporated into NHTSA’s regulations as FMVSSs, and in the interests of clarity, each application mandate would likely be contained in its own FMVSS.

At this time, though, the agency does not have sufficient information to include with this NPRM proposed test procedures or performance standards for LTA and IMA or any other safety applications. To that end, we request comment on any additional information or research on IMA, LTA and any other applications that could inform and support an agency decision regarding whether to mandate safety applications with or shortly after a final rule requiring DSRC.

2. Continued Technology Monitoring

NHTSA’s proposal to mandate V2V communications capability for new light vehicles is based upon the best currently-available scientific data and information. Consistent with its obligations under Executive Order (E.O.) 13563, Improving Regulation and Regulatory Review (Jan. 18, 2011), and E.O. 13610 on the retrospective review of regulations, NHTSA will review relevant new evidence and may propose revisions to a subsequent proposed or final rule as necessary and appropriate to reflect the current state of the evidence to provide an effective regulatory program. In obtaining that new evidence, NHTSA may consider collections of information that may trigger the Paperwork Reduction Act, and would notify the public of these collections through the separate Federal Register Notices required under that Act. NHTSA may also identify and pursue additional issues for new research or conduct further research with regards to existing issues addressed in this proposed rule. Such modifications may be necessary in the future to accommodate new systems and technology designs, and the agency would consider these modifications in consultation with the public through the notice and comment rulemaking process. We acknowledge that the research relevant for evaluating a new technology would vary depending on the type of technology considered.

E. Performance Criteria for Wireless V2V Communication

In order to ensure that vehicles broadcast basic safety messages to support potential safety applications, the agency is proposing performance requirements for DSRC-based V2V communications. As part of this, the agency is also requesting comment on alternative interoperable technology provisions that would allow other technologies to satisfy the mandate, as long as they meet performance and interoperability requirements, which are based on the capabilities of today’s DSRC-based V2V communications.

The agency is proposing to require that V2V devices be capable of broadcasting V2V messages in an interoperable manner, i.e., that devices can both transmit and receive BSMs using V2V communications from all other vehicles equipped with a V2V communications technology. We believe that the requirements described below will ensure interoperability. We aim to ensure a uniform method for sending basic safety information about the vehicle. In this way, any vehicle seeking to utilize the V2V information environment to deliver safety benefits would have a known and uniform method for doing so.

In order to create this uniform method, an FMVSS would need to contain requirements in a few areas. First, it would need to establish the content of the information to be sent to the surrounding vehicles (by not only specifying the type of information to send, but also the measuring unit for each information element and the level of precision needed). Second, the FMVSS would need to specify requirements for the wireless transmission of the content (i.e., how far, how often, etc.). Third, we may need to specify a standard approach to authenticate V2V messages that are received to improve confidence in message contents.

In addition to those three points, the FMVSS would also need to specify other aspects of performance for a V2V-communications system in order to support full-scale deployment and enable full functionality including security. The agency recognizes that some capabilities are not necessarily needed to support operations during the first few years of deployment, but would be required as the V2V vehicle fleet grows.

First, the devices, regardless of the communication technology used, would need a uniform method for dealing with possible occurrences of high volumes of messages (e.g., potentially reducing the frequency or range of messages in high congestion situations). Second, to help identify and reduce the occurrence of misconfigured or malicious devices transmitting BSM messages, the FMVSS may need to specify methods for identifying misbehaving devices. Finally, to support the above functions, vehicles in the V2V environment may need a method for communicating with security infrastructure such as a SCMS (e.g., in order to obtain new security certificates or report misbehaving devices, and receive information about misbehaving devices).

In short, an FMVSS would explain: (1) What information needs to be sent to the surrounding vehicles; (2) how the vehicle needs to send that information; (3) how a vehicle validates and assigns confidence in the information; and (4) how a vehicle makes sure the prior three functions work in various operational conditions (i.e., broadcast under congested conditions, manage misbehavior, and update security materials). A variety of voluntary

115 Six potential applications were mentioned in particular: IMA, FCW, DNPW, EEBL, BSW/LCW, and LTA.


standards cover many of these aspects of performance. Our proposal below draws from these voluntary standards but also explains why a particular threshold or requirements from a voluntary standard is appropriate. Finally, we are proposing a test method for evaluating many of these aspects of performance. Having a clear test method helps inform the public as to how the agency would evaluate compliance with any final FMVSS.

Finally, we acknowledge that research is ongoing in a few of the areas we discuss in this section. While research continues in these areas, we have described for the public the potential requirements that we are considering, and the potential test methods for evaluating compliance with those requirements. We believe that the public comments that we will receive in response (coupled with the agency’s ongoing research) will produce a robust record upon which the agency can make a final decision.

1. Proposed Transmission Requirements

Our purpose for proposing a standardized set of transmission requirements is in line with our vision for V2V as an information environment that safety applications can use. By creating a standardized method for transmitting the basic safety message, we are creating the information environment with one clear method for accessing it. Our current belief is that anyone who wants to implement safety applications should know how their system can obtain the V2V information as an input for their application.

In order to have a standardized method for transmitting the basic safety message, we believe that a few aspects of performance need requirements. We tentatively believe that all devices should be required to transmit:
• With a sufficient power/range to guarantee reaching other DSRC devices, within a minimum radius, that would allow use of the basic safety message information reliably;
• on the same channel, and support using the same data rate(s); and
• at the times required for each data element so that people who have applications know when it will have information.

(a) DSRC Transmission Range and Reliability

In order to ensure that surrounding vehicles within a certain range of each vehicle transmitting basic safety messages can reliably receive the messages, the proposal includes requirements for the transmission range of the messages. While the research to date has included various specifications for the antenna (e.g., power, polarization, location on the vehicle, etc.), we tentatively believe it more appropriate to measure the ability of the vehicle to transmit the packet to a specified device at a specified distance. In other words, this transmission range and reliability requirement employs a more performance-oriented approach where our FMVSS would not specify requirements for the antenna itself.

By specifying the requirements in this fashion, we not only set requirements that can more closely follow real-world conditions, but also leave aspects of design open to manufacturer choice (e.g., antenna location on the vehicle). Our method here would simply seek to ensure that the transmission of the basic safety message travels the required distance and is readable by another DSRC device at that range (regardless of how the antenna is configured). Thus, we seek comment on our proposal. We currently believe that specifying the following three areas would be appropriate:
• The three-dimensional (latitudinal, longitudinal and elevation) minimum range that the basic safety message transmission would need to reach;
• a test device (and its specifications, e.g., its receive sensitivity) for testing the range and the locations to measure reception of the basic safety message; and
• the reliability of the reception of the basic safety message (i.e., how often is the message dropped) based on packet error rate (PER).

In addition, our current belief is that the agency would not need to establish specifications for the transmitting device itself. In other words, we request comment on our current belief that the following design-level requirements would not be necessary for an FMVSS:
• Transmission power;
• antenna polarization; and
• antenna placement.

(1) Range

A basic safety message needs to travel far enough to support potential safety applications that we anticipate would take advantage of the information available through DSRC communications. Aside from the basic ‘‘open air’’ communication scenarios, it is important to also consider whether devices will be able to communicate with others that are on the same road but, perhaps, not at the same elevation or approach angles (i.e., the road elevation may change).

(a) Longitudinal/Lateral Range

The strategy we considered regarding what minimum range requirement we should include for transmitting the basic safety message was to balance:
• The information needs for potential safety applications; and
• technical capabilities demonstrated.

In terms of information needs for the safety applications, our research to date used a minimum 300 m transmission range—while recognizing this range would diminish in urban and non ‘‘open air’’ environments. The applications tested in the Safety Pilot Model Deployment assumed vehicles were transmitting basic safety messages at the 300 m range. In particular, we believe that DNPW requires the longest communication range for effective operation because it addresses a crash scenario where two vehicles approach each other head-on. Using the target range of 300 m, two vehicles approaching at 60 mph would be afforded approximately 5.6 seconds for the DNPW application to detect the crash scenario and issue a warning. Based on this information, our current belief is that 300 m will serve the needs of the anticipated safety applications.

Based on the existing research, our proposal is to adopt 300 m as the minimum transmission range. We believe that this supports the needs of anticipated safety applications and can be operationally met given current technological capabilities, as demonstrated in Safety Pilot Model Deployment. Currently, we also do not anticipate any safety application requiring more range than 300 m. Thus, we tentatively do not see a reason to increase the minimum transmission range beyond 300 m.

Finally, we have not included a maximum range limit. Maximum transmission range can vary by the power of the transmission, and environmental conditions. While our current proposed requirements do not include establishing a maximum transmission range, we request comment on whether such a limit would be appropriate in conjunction with the other requirements the agency is considering.

We ask for comment on this proposed minimum. Is there any reason that the agency should require a maximum transmission range as well as a minimum? Should the agency choose a different minimum range requirement? What would be appropriate alternative minimum and maximum transmission range values and why? Please provide data to support your position.


(b) Elevation Transmission Performance

In addition to the 2-dimensional range of the basic safety message transmission, we need to consider the potential changes in elevation on roadways. Thus, in addition to establishing a minimum distance that the basic safety message needs to travel, we also need to establish an elevation angle that the message needs to travel.

Safety applications may need information from vehicles at a higher elevation (because of changes in the slope of the roadway, for example). Thus, our current belief is that a proposal to regulate DSRC radio performance should also evaluate whether a vehicle transmitting the basic safety message can transmit said message at an angle that is sufficient to cover potential roadway elevation changes.

Our proposal would require that vehicles transmit the basic safety message not only to 300 m around a vehicle (in all directions—i.e., 360 degrees) but also at an elevation angle of +10 degrees and -6 degrees. We think that the elevation angle range of +10 to -6 degrees 360 degrees around the vehicle is an appropriate range to ensure that the broadcast of the BSM can be received by vehicles in a 300 m radius given most roadway characteristics such as changes in roadway grade, and it was what was used to demonstrate capability in Safety Pilot Model Deployment. The agency is continuing to research a larger range of elevation angle (+/-10 degrees) to determine actual transmission coverage range, in particular whether the range would be adequate to support transmission and reception of BSMs on roadway grades up to 15 degrees, which is the current design maximum for many States and localities (excluding San Francisco). However, currently it is not practicable to test the +/-10 degree elevation angle range given current testing equipment.

We ask for comment on this proposed minimum. Should the agency choose a different minimum elevation angle requirement? What would be appropriate alternative minimum elevation angle range values and why? Please provide data to support your position.

(2) Testing the Elevation Transmission Range

In order to give context to our proposed requirement, we are also describing the method the agency would use in assessing the elevation angle range performance requirement (i.e., the test procedure and type of test device). As discussed later in this document, the agency would test these requirements using test devices located within a specified area around the vehicle in a static test to determine whether the vehicle’s basic safety message transmissions can reach the required range. In order to conduct this test, we need to define two pieces of information:
• The important characteristics of the test device for the purposes of evaluating this requirement; and
• the area around the vehicle where we can place this test device.

(a) Test Device

As further discussed in the test procedure section of this document, we anticipate that our test method would specify various aspects of the test device for the purposes of evaluating a vehicle’s DSRC radio performance. However, for the purpose of evaluating this aspect (i.e., the transmission range) of DSRC radio performance, we believe the receive sensitivity of the test device is the characteristic that would need to be most clearly defined in order to test the transmission range objectively. Based on the currently-available research, the agency would measure this using a test device with a sensitivity of -92 dBm. We believe that -92 dBm is an appropriate sensitivity for the test device receiving the basic safety message during the test because -92 dBm generally models what average devices (e.g., cell phones) use for their antenna sensitivity. We believe that it is a reasonable assumption that a vehicle seeking to obtain basic safety messages for its safety applications would be designed with, at minimum, this level of sensitivity.

Further, our understanding is that -92 dBm falls on the less-sensitive side of the range of an average wireless device’s antenna sensitivity. We believe that using a less sensitive device within that range is appropriate in this instance because it means we are using a more stringent test condition that is still within the range of an average device antenna’s sensitivity.

(b) Location of the Test Device

In addition to specifying the device, we also believe it is important to specify the location of the device relative to the vehicle being tested. We are proposing to define a zone around the vehicle where a test device is used to evaluate the ability of the vehicle to receive the basic safety message. Currently, the proposed zone is defined as 300 m 2-dimensional range with an elevation angle that can be set at +10 degrees and -6 degrees.

For testing the 2-dimensional (longitudinal and lateral) range, the agency would specify an area within a circle around the vehicle that we may test. The test circle has the following characteristics:
• It is 1.5 m above the test surface.
• It is parallel to the test surface.
• It has a center point that is 1.5 m above the vehicle reference point.116
• The circumference of the circle is any point at a 300 m radius from its center point.

In other words, when conducting the compliance test, the agency test engineer may place the test device at any point that is 1.5 m above the ground and within the area of a circle whose center point is 1.5 m above the vehicle reference point and whose radius is 300 m.

For testing the elevation range of the vehicle’s transmission, we tentatively believe it is preferable to use two slightly different evaluation methods for the upward elevation versus the downward range. For the upward elevation range, our proposal is that the test engineer may place the test device at any point along the following line:
• The line originates at a point that is 1.5 m above the vehicle reference point.
• The line rises at a +10 degree angle from the test surface 117 proceeding in any direction around the vehicle.118
• The line terminates at any point that is directly above the circumference of the circle used in the 2-dimensional range test.

On the other hand, for testing downward elevation range, the agency would place the test device at any point along the following line:
• The line originates at a point that is 1.5 m above the vehicle reference point.
• The line falls at a -6 degree angle from the test surface 119 proceeding in any direction around the vehicle.120
• The line terminates at any point where it intersects the test surface.

By testing the downward elevation at a point that is likely closer to the vehicle than the upward elevation, we believe that this method would relieve some test complexities while still ensuring

116 Vehicle reference point is the same point that we defined in the basic safety message content requirements section, above.

117 Note the line originates at a point that is 1.5 m above the test reference point, but (for simplicity) we are expressing the angle of the line by referencing the test surface (i.e., the ground, which is not where the line begins). The angle of the line could be expressed by referencing any plane that is parallel to the test surface.

118 In other words, the line can travel in any direction (360 degrees) around the point 1.5 m above the vehicle reference point.

119 See similar note, above.

120 See similar note, above.


that the transmissions will reach surrounding vehicles under real-world roadway elevation changes. Further, we believe that the locations defined above (longitudinal, lateral, and elevation) establish the limits of the potential test conditions in a way that would still enable the agency to measure at the extremities of the proposed range requirement.

As noted above, testing the elevation range would enable NHTSA to test for compliance at any point along those aforementioned lines. While we believe that -92 dBm is an appropriate sensitivity for our test device when it is located 300 m away from the tested vehicle, we request comment on whether the test device should still have a sensitivity of -92 dBm if NHTSA tests the vehicle performance closer to the vehicle along the aforementioned elevation testing lines. What would the appropriate function be to determine the sensitivity based on the test device’s location along those testing lines?

We further request comment not only on the test method but also on whether there are other aspects of the test that the agency would need to define in order to clearly evaluate this aspect of performance.

(3) Reliability

The agency is proposing to require that a message packet error rate (PER) is less than 10%. We believe that 10% PER is an appropriate threshold and that vehicles will still be able to receive the basic safety messages so long as the PER is below 10%. The agency believes the PER metric at the proposed rate fulfills the need to evaluate how reliably a V2V device can transmit a message for a specified distance.

The Packet Error Rate (PER) is one way of quantifying how reliably a message can travel a given distance. In essence, it measures how often (i.e., the percentage of) parts of the message (i.e., packets) fail to make it to the destination. The research for V2V safety applications to date assumes that vehicles are transmitting the basic safety message to a range of at least 300 m around the vehicle with a PER of less than 10%.

A PER of less than 10% aligns with the ASTM standard E2213–03 (2003) 4.1.1.2 where "(2) DSRC devices must be capable of transferring messages to and from vehicles at speeds of 85 mph with a Packet Error Rate (PER) of less than 10% for PSDU lengths of 1000 bytes and to and from vehicles at speeds of 120 mph with a PER of less than 10% for PSDU lengths of 64 bytes." As such, the agency believes this specification, along with the agency’s successful Safety Pilot Model Deployment work, makes it appropriate to include this as part of the performance requirements for DSRC devices. Overall, the agency did not observe any dropped basic safety messages (i.e., message did not reach a vehicle within range) due to a high PER, and we believe that the 10% PER threshold will continue to be appropriate in a more full-scale deployment. We request comment on our tentative conclusions and also request comment on what other potential PER thresholds would be more appropriate (and why).

(4) Aspects of Transmission Range Performance Indirectly Tested

We currently believe that testing the range (both 2-dimensional and elevation) and the reliability (PER) of the transmission with a specified test device (-92 dBm) in specified locations is sufficient to determine whether a vehicle would be able to deliver basic safety messages to vehicles around it in the real world (i.e., it would be sufficient for supporting the safety applications currently under active development). However, we recognize that there are a few aspects of performance covered by the V2V research to date that we have not included in this proposal. Our tentative conclusion is that the proposed requirements would cover these aspects of performance indirectly. Further, we believe that Proposal A would avoid unnecessarily restricting manufacturer design choices while still ensuring that the vehicle achieve the safety purpose of transmitting the basic safety message. These aspects of performance are:
• Antenna location on the vehicle;
• antenna polarization; and
• transmit power.

(a) Antenna Location on the Vehicle

The agency and its research partners utilized antenna location mounting requirements on vehicles used in the Safety Pilot Model Deployment activity. However, our tentative conclusion is that it is unnecessary to specify requirements for antenna location. The location of the antenna on a vehicle can affect the ability of the vehicle to transmit the basic safety message to all the necessary locations around the vehicle. However, we believe that testing for reception of the basic safety message at the aforementioned locations around the vehicle would clearly show whether the location of the vehicle antenna is installed at an appropriate location where the vehicle structure would not interfere with the transmission of the basic safety message. If the antenna location is appropriate enough to transmit the basic safety message to meet the needs of the safety applications, we tentatively see no need to further restrict the location of the antenna on the vehicle (as it is also an important styling decision for the auto manufacturer). However, we request comment on this tentative conclusion. Are there any reasons why the agency should establish requirements for the antenna location on the vehicle? What would these restrictions be? How can they be objectively defined on the vehicle? What data supports your conclusions?

(b) Antenna Polarization

We also tentatively believe that the agency does not need to establish performance requirements for the transmitting antenna’s polarization. We are aware that the research to date generally recommended a nominal vertical polarization configuration for the DSRC antennas sending the basic safety message. The research recommended that configuration because vehicle sheet metal can serve as the ground plane and can degrade reception of horizontally polarized waves at or near the horizon.

While we agree that using a non-optimal antenna polarization would lead to increased cost and complexity of the system (i.e., requiring more antennas in order to reach the same transmission coverage), we tentatively do not believe it is necessary to propose limiting such a design. We believe that, for cost considerations, manufacturers are likely to select an antenna polarization that would enable them to achieve the same performance with fewer antennas. However, so long as the vehicle can transmit the basic safety message to the required range under the conditions specified, we currently see no reason to preclude other antenna polarizations. We also request comment on this tentative conclusion.

(c) Transmit Power

Finally, the requirements and test method also do not directly test for the transmit power. Our current belief is that our test method sufficiently covers this aspect of performance by establishing the range at which the vehicle needs to transmit the basic safety message and the receive sensitivity of the test device. We note that the research to date has recommended various transmission power levels. For example, the SAE J2945/1 standard recommended a minimum radiated power of 15 dBm (under uncongested conditions). However, we believe that our


aforementioned requirements would sufficiently test for this aspect of performance. In essence, by testing whether a device with a sensitivity of -92 dBm can receive messages from a vehicle 300 m away, we are testing whether the transmitting vehicle is doing so with sufficient power to deliver the basic safety message to the required distance.

We currently do not believe it is necessary to further specify the transmit power for vehicles covered by the proposal. Based on the manufacturer’s choices regarding antenna location on the vehicle (and potentially other factors such as the body of the vehicle, etc.), a manufacturer may need to make different transmit power choices in order to transmit the message to the required distance. As with antenna location and polarization, we believe that the transmission power is sufficiently addressed (albeit indirectly) by the requirements. We believe that the requirements would establish an appropriate balance between affording the manufacturers design freedom, while still ensuring that they achieve the safety goal of transmitting the basic safety message far enough and reliably enough to support the safety applications. We seek comment on whether there is any reason for the agency to establish a requirement for the transmit power. What should the transmission power be and why?

(5) FCC Transmission Power Restrictions

The agency’s proposal is not specifying required transmission power levels for V2V devices. The FCC places restrictions on the transmission power levels of devices utilizing a given spectrum and our expectation is that DSRC devices operating in the designated bandwidth would meet the FCC defined operating specifications. However, we do not believe that our current proposal (i.e., our proposed minimum transmission range and the sensitivity of the test device) would require vehicles to transmit at a power that exceeds FCC regulations.

FCC Part 95L specifies a max EIRP limit of 33 dBm for Private OBUs on channels 172, 174, 176, 178, and 184. Our understanding is that devices would be able to meet these requirements at a power setting lower than the restricted level (Safety Pilot Model Deployment devices were set at a 20 dBm power level).

(b) Channel and Data Rate

In addition to proposing requirements for the transmission range and reliability, we believe it is also important for DSRC-based V2V communications to utilize the same channel and data rate. The channel is a band of frequencies where the transmission occurs. Parties agreeing to use the same channel to communicate are like people that agree to call each other using a particular phone line. The data rate is the speed at which a sender is transmitting information through the channel.

The FCC has statutory authority for allocating spectrum rights and designating band plans for commercial spectrum allocations, including the 5.9 GHz band. DOT defers to the FCC’s authority with respect to spectrum rights and channel plans. Based on FCC rules and research to-date, all devices participating in the V2V information environment have utilized the same channel and data rate to transmit BSMs. In relation to DSRC, FCC has specified that BSM transmissions and reception will occur on channel 172, i.e. channel 172 will be dedicated to all BSM communications (safety-critical communications). Therefore, throughout this document, references to BSM transmissions and reception will refer to channel 172 while also recognizing the ongoing DOT–FCC–NTIA spectrum sharing studies and the FCC rulemaking concerning the 5.9 GHz band as described in more detail below. Similar to our approach to transmission power, the agency believes that all BSM transmissions should occur on channel 172. Data rate is also important because a receiving device needs to know the speed at which the transmitting device is sending the information in order to process the information. Thus, in order to ensure interoperability of the devices in the V2V information environment, our current belief is that it is necessary to establish requirements for both the channel and the data rate.

As we discuss below, there are various options for both the channel and the data rate—each with advantages and disadvantages. While there are different choices available, each choice should be able to achieve the objective of ensuring interoperability across devices if it is implemented consistently by all devices. Thus, we are proposing that all vehicles should transmit the basic safety message on Channel 172, via a dedicated radio at a data rate of 6 Mbps. We also request comment on whether there are other choices for these two aspects of performance that the agency should consider.

(a) Channel

(i) Proposed Channel Usage

The FCC currently divides the 5.9 GHz spectrum into seven, ten-megahertz channels consisting of one Control Channel (Channel 178); six Service Channels (Channel 172 for safety-critical communications and Channels 174, 176, 180, 182, and 184 for non-safety-critical communications); and one five megahertz channel, which would be held in reserve. The FCC also allows combining Channels 174 and 176 or Channels 180 and 182 to produce two twenty-megahertz channels, (which would be Channel 175 and 181, respectively).

As we discussed in the sections above, we believe that devices participating in the V2V information environment need to exchange messages on the same channel in order to receive each other’s broadcasts (i.e., to hear the messages that others send). Up until now, the V2V devices transmitting basic safety messages in the V2V research have used Channel 172 (a 10 MHz channel). The research used a 10 MHz channel as the FCC’s current rules for the V2V spectrum divide it into various 10 MHz channels.

Our tentative conclusion is that broadcasting on Channel 172 via continuous mode (radio set to channel 172, a 10 MHz band) is appropriate for devices in the V2V information environment. Thus, we believe that all vehicles should transmit their basic safety messages on the same channel (172). Our tentative conclusion is based on our understanding of the existing research and in alignment with the FCC spectrum allocation. The agency expects that all non-safety-critical communications will occur on the remaining channels allocated for DSRC use by the FCC. The research suggests that a 10 MHz band is sufficient for transmitting the basic safety message to the necessary 300 m range at a sufficient level of reliability PER of less than or equal to 10%.

We seek comment on all related issues we should take into account when considering this proposal, as well as any other potential alternatives.

(ii) Potential Channel Sharing or Re-channelization

NHTSA and the U.S. DOT are committed to finding the best method to develop, successfully test, and deploy advanced automotive and infrastructure safety systems while working to meet existing and future spectrum demands. DOT supports sharing so long as it does not interfere with safety of life communications. In the summer of


2015, recognizing the emerging need to perform further research on DSRC properties in order to prepare for studies on sharing, DOT worked collaboratively with the FCC and NTIA to develop a spectrum research plan. This plan (the "DSRC-Unlicensed Device Test Plan") is posted on DOT’s Web site and details a comprehensive set of research opportunities. The plan will allow FCC, NTIA, and DOT to collectively tailor research on DSRC devices in the presence of unlicensed devices to understand the prospective impacts within real-world environments.121 The overall goals and objectives of this research are as follows:

• Overall Goals as listed in the DSRC-Unlicensed Device Test Plan
1. Understand the impacts of unlicensed devices operating in the DSRC band.
2. Develop the capability to evaluate proposed band sharing mechanisms.
3. Define requirements necessary for sharing mechanisms to prevent interference.
4. Collaborate with the NTIA and FCC to provide Congress with results on impacts to DSRC operations from proposed sharing mechanisms.

• Specific Objectives and Goals as listed in the DSRC-Unlicensed Device Test Plan
1. Develop the capability to do accurate and relevant experimental evaluations of band sharing and interference between unlicensed devices and DSRC devices.
2. Characterize the existing radio frequency (RF) signal environment in and near the DSRC band.
3. Measure the effect of unlicensed devices on the background noise level.
4. Measure the impact unlicensed device transmissions have on receiving DSRC messages.
5. Measure DSRC suppression caused by Clear Channel Assessment (CCA) of DSRC devices in the presence of unlicensed device transmissions.
6. Measure other impacts on DSRC channel quality of unlicensed device transmissions (e.g., signal to noise (S/N), packet error rate (PER), etc.).
7. Determine the minimum received power levels at which DSRC and unlicensed devices can sense the other.
8. Investigate how interference and detection (determined in the previous objectives) varies if the bandwidth of the overlapping unlicensed device transmission changes.
9. Measure the impact of DSRC operations on unlicensed device performance recognizing that the two radios may form an interactive system.
10. Investigate mitigation possibilities once potential U–NII–4 devices designed and programmed to share the band with DSRC are available.

This DOT testing effort is part of a larger collaborative testing and modelling effort with the FCC and DOC, encouraged by Congress, to ensure appropriate interference-avoidance and spectrum rights allocation in the 5850–5925 MHz (5.9 GHz) band. Congress called upon DOT to lead, in close coordination with FCC and DOC, the development of 5.9 GHz Dedicated Short Range Communications (DSRC) technology, vehicle safety testing, and DSRC capabilities testing. Furthermore, Congress called upon NTIA to study the possibility of allowing unlicensed operations in the 5.9 GHz band. The U.S. Department of Transportation (DOT), the U.S. Department of Commerce (DOC), and the Federal Communications Commission (FCC) each have core, yet interdependent, roles to play in advancing this research.

Recently, the FCC issued a Public Notice to refresh its record regarding its draft proposal to allow sharing of the 5.9 GHz band by U–NII devices.122 As part of its Public Notice, the FCC has solicited comments on the two proposed sharing techniques developed by the IEEE DSRC Coexistence Tiger Team (i.e., "Detect and Avoid" and "Re-Channelization"), as well as on other potentially viable approaches to sharing in the band without causing harmful interference to V2V operations.

The FCC described the two proposed sharing approaches as follows: (1) Detect and avoid, under which unlicensed devices would monitor the existing DSRC channels, and if they detected any transmitted DSRC signal, they would avoid using the entire DSRC band. After waiting a certain amount of time the unlicensed device would again sense the DSRC spectrum to determine if any DSRC channels are in use or whether it could safely transmit; and (2) Re-Channelization, under which the DSRC spectrum would be split into two contiguous blocks: one for safety-related communications and one for non-safety-related communications, by moving the control channel and the two public safety channels to the top portion of the band. Additionally, the remaining four DSRC service channels would be reconfigured at the lower end of the band as two 20 megahertz channels rather than maintaining four 10 megahertz channels. The segments designated for safety-related communications would remain exclusive to DSRC, and the remaining spectrum would be shared between the DSRC service channels and unlicensed devices.

We seek comment on the costs and benefits of each sharing proposal, and whether and how we should consider each of these approaches relative to this proposed rule.

(b) Data Rate

In setting a data rate, one is balancing between two competing interests: (1) the speed at which one wants to transmit the information, and (2) how far the information can travel (and how reliably it can travel that distance). In other words, if we send more information in a smaller amount of time, the information cannot reliably travel as great of a distance.

In the context of our rulemaking, our proposal for data rate considers the following technical questions:
• How far do we need the message to travel?
• What is an acceptable PER (i.e., how reliably do packets need to make it to a receiving device in order to ensure that a safety application can function)?
• What bitrate do current systems and voluntary standards under development use? If a final rule used a different set of requirements, how significant would this change be?

In the sections that follow, we first discuss the competing considerations for our data rate proposal. Using the information that we have from our discussion on data rate, we then discuss our proposal for the channel.

(i) Proposed Requirement is 6 Mbps

The agency is proposing to require devices to transmit at 6 Mbps. We believe it is reasonable to expect that transmitting basic safety messages at the 6 Mbps rate can easily cover the necessary range assuming 300 m at a very low PER of 10%. The available research from both CAMP and BAH support this initial conclusion, as described later in this section. Further, while we are requesting comment on changing the bitrate, we note that the current systems and voluntary standards under development all will be able to support multiple bitrates within the ranges examined (i.e., device developers would not need to redesign the current hardware to support a new bitrate). Finally, while the theoretical analysis by BAH suggests that increasing the bitrate would help to mitigate congestion, we are unsure given the lack of real-world testing whether altering the bitrate and channel bandwidth is necessary given that the agency is considering other channel

121
122 https://apps.fcc.gov/edocs_public/attachmatch/FCC-16-68A1_Rcd.pdf.


congestion mitigation strategies. These strategies involve adjusting the number of basic safety messages that devices would transmit per second and the power/range of those transmissions when channel congestion is detected by a device. More detail on these strategies is found in Section III.E.1.b)(b)(ii). The agency is continuing to refine congestion mitigation approaches including device density in real-world conditions, beyond those tested in the specific Safety Pilot testing and Safety Pilot Model Deployment.

We request comment on our potential approaches to conclusions and our questions above. To support the commenting process, we are also presenting alternative choices for bitrate in the section that follows and we seek comment on those alternatives.

(ii) Alternatives for Data Rate Requirements

The BAH research suggested alternate bitrate possibilities that would change based on the level of congestion on the channel. Their rationale behind this approach is that, when the channel is not busy, the transmitting device should use a lower bitrate that can more reliably send the message. However, when the channel congestion is detected, the device should use a higher bitrate to send the message quicker and vacate the channel as soon as possible. This is a logical strategy because when a vehicle is in a congested environment (e.g., a traffic jam 123), the vehicle does not need to transmit the message as far because the relevant cars are the ones that are fairly close by. In other words, in this scenario, it is important to transmit the message fast (not far).

Based on this logic, BAH recommended in its research that devices transmit in the following manner:
• When the Channel Busy Ratio 124 is below 50%, transmit the BSM at a data rate of 9 Mbps;
• when the channel busy ratio exceeds 50%, transmit the BSM at a data rate of 18 Mbps and continue to transmit the BSM at a data rate of 18 Mbps until the Channel Busy Ratio falls below 20%.

While we have proposed to use a standard 6 Mbps bit rate, we request comment on the recommendation from BAH and specifically would seek data regarding the following questions:
• Is it appropriate to change the bitrate based on channel busy ratio if the performance within the relevant range is relatively similar across the bitrates under consideration? Would it be more advantageous to use 18 Mbps at all times?
• For changing message bitrates, our understanding is that the transmitting device sends a basic safety message with a header (the first part of the message) always transmitted at 6 Mbps. Our understanding is that the header instructs the receiving device to switch to another bitrate for the remainder of the message. How does this process impact the speed at which devices in the V2V information environment can transmit and receive basic safety messages?
• Is there any information on how much time one would save between transmitting a basic safety message at 6 Mbps versus 18 Mbps (and other bitrates)? In other words, many more messages can be transmitted within a given timeframe if one were to change the bitrate?
• We note that 3 Mbps, 6 Mbps, and 12 Mbps are bitrates that device makers are required to support when they are building a device according to the IEEE 802.11 voluntary standard. The standard affords the option to support other bitrates but does not require it. Is there any information on how many devices support bitrates other than 3 Mbps, 6 Mbps, and 12 Mbps?
• What would the impact be on current systems and voluntary standards under development if the agency were to use a different bitrate (from 6 Mbps) in a final FMVSS?
• BAH suggests that all radios now support 6 and 9 Mbps transmission. (Section 4.3.1 of BAH Report). Is there any information on whether current DSRC radios can support 18 Mbps and dynamically switch between the two bitrates based on channel congestion ratio? What’s the cost to implement this change?

(iii) Existing Research on the Impact of Different Potential Data Rates

There are currently two bodies of research available to the agency on the impact that different bitrates can have on the range and reliability of the transmission of the basic safety message, CAMP and work performed by BAH funded by the agency. In essence, the CAMP research showed that there is a small difference in PER between a 6 Mbps and 12 Mbps data rate at 300 m, the assumed minimum range for V2V communications. The BAH research shows that there was a difference in PER between 6 Mbps, 9 Mbps, 12 Mbps, and 18 Mbps. However, most of these differences occurred at a distance exceeding 500 m.

(a) Increasing Data Rate

CAMP conducted a test involving real devices in an outside environment. VSC–A Report Appendix I 125 showed that, given a dedicated DSRC transmission channel, using a 12 Mbps data rate somewhat degraded the ability of the message to reach its destination when compared with a 6 Mbps data rate. In their research, they used a vehicle broadcasting basic safety messages and placed it in different locations around various radios that attempted to receive the vehicle’s basic safety messages during the test. When the researchers placed the vehicle close to the radios, there seemed to be little degradation in whether the radios could receive the messages (regardless of bitrate). Using the 6 Mbps data rate, 58 receiving radios picked up the basic safety messages. Using 12 Mbps, 57 receiving radios were still able to pick up the basic safety messages. However, when they placed a vehicle at the "far edge" of the range of the receiving radios, 55 radios received basic safety messages at 6 Mbps versus only 45 at 12 Mbps. See Figure III–1 and Figure III–2, below.

123 In relation to communications congestions the use of the term "traffic jam" refers to the analysis presented via the ANPRM that identified a major interchange that includes overpasses as an extreme scenario with the possibility of approximately 800 V2V vehicles transmitting BSMs in the range of one V2V vehicle.
124 Channel busy ratio describes how congested the channel is. When the ratio is 50%, it means that for a 100 ms timeframe, the device sees that there is someone else within range that is transmitting for 50 ms of the 100 ms.
125 See Section 3 in Appendix I, http://www.nhtsa.gov/Research/Crash-Avoidance/Vehicle%E2%80%93to%E2%80%93Vehicle-Communications-for-Safety (last accessed: Dec 8, 2016).
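The BAH recommendation under "(ii) Alternatives for Data Rate Requirements" is a two-threshold (hysteresis) rate selector driven by the channel busy ratio defined in footnote 124. The Python sketch below is an added illustration, not code from NHTSA, BAH or any DSRC stack; the function and class names, the choice to keep the current rate when the ratio is exactly 50% or 20%, and the sample trace are assumptions made for the example.

```python
"""Bitrate selection from channel busy ratio (CBR) with two thresholds."""
from dataclasses import dataclass

WINDOW_MS = 100.0       # observation window described in footnote 124
LOW_RATE_MBPS = 9       # BAH: rate while the CBR is below 50%
HIGH_RATE_MBPS = 18     # BAH: rate once the CBR exceeds 50%
ENTER_HIGH_CBR = 0.50   # switch to the high rate above this ratio
EXIT_HIGH_CBR = 0.20    # return to the low rate only below this ratio

# Constructed CBR samples, one per 100 ms window (not measured data).
SAMPLE_CBR = [0.10, 0.35, 0.55, 0.45, 0.52, 0.30, 0.48, 0.19, 0.40, 0.51]


def channel_busy_ratio(busy_intervals, window_start_ms, window_ms=WINDOW_MS):
    """Fraction of the window in which another transmitter was heard.

    busy_intervals holds (start_ms, end_ms) carrier-sense busy periods.
    Intervals are clipped to the window and overlaps are counted once.
    """
    window_end = window_start_ms + window_ms
    clipped = sorted(
        (max(start, window_start_ms), min(end, window_end))
        for start, end in busy_intervals
        if end > window_start_ms and start < window_end
    )
    busy = 0.0
    cur_start = cur_end = None
    for start, end in clipped:
        if cur_end is None or start > cur_end:
            if cur_end is not None:
                busy += cur_end - cur_start
            cur_start, cur_end = start, end
        else:
            cur_end = max(cur_end, end)   # overlapping transmitters
    if cur_end is not None:
        busy += cur_end - cur_start
    return busy / window_ms


@dataclass
class BitrateSelector:
    """Holds the current rate and applies the 50% / 20% thresholds."""
    rate_mbps: int = LOW_RATE_MBPS

    def update(self, cbr):
        if not 0.0 <= cbr <= 1.0:
            raise ValueError("CBR must be between 0 and 1")
        if self.rate_mbps == LOW_RATE_MBPS and cbr > ENTER_HIGH_CBR:
            self.rate_mbps = HIGH_RATE_MBPS
        elif self.rate_mbps == HIGH_RATE_MBPS and cbr < EXIT_HIGH_CBR:
            self.rate_mbps = LOW_RATE_MBPS
        # Assumption: at exactly 50% or 20% the current rate is kept.
        return self.rate_mbps


def hysteresis_rates(cbr_samples):
    """Rate chosen for each window under the two-threshold scheme."""
    selector = BitrateSelector()
    return [selector.update(cbr) for cbr in cbr_samples]


def single_threshold_rates(cbr_samples):
    """Comparison case: one 50% threshold and no 20% release point."""
    return [HIGH_RATE_MBPS if cbr > ENTER_HIGH_CBR else LOW_RATE_MBPS
            for cbr in cbr_samples]


def count_switches(rates, initial=LOW_RATE_MBPS):
    """Number of rate changes a receiver would see across the trace."""
    switches, previous = 0, initial
    for rate in rates:
        if rate != previous:
            switches += 1
        previous = rate
    return switches


if __name__ == "__main__":
    print("CBR of footnote-style window:",
          channel_busy_ratio([(0, 20), (10, 30), (60, 80)], 0))
    for name, rates in (("two thresholds", hysteresis_rates(SAMPLE_CBR)),
                        ("one threshold", single_threshold_rates(SAMPLE_CBR))):
        print(name, rates, "switches:", count_switches(rates))
```

On the constructed trace, which hovers around 50%, the 20% release point keeps the device at 18 Mbps through the dips instead of changing rate at every sample.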


In addition, the VSC–A research explored the potential impact of using 12 Mbps as opposed to 6 Mbps within a 300 m test range. As evident in the figure below, when using 6 Mbps, nearly all the devices (up to the 300 m test range) received the messages with a very low PER. However, when switching to 12 Mbps, we observe a small increase in the number of devices that could not receive the messages with a low PER between the range of 100 and 300 m.

The research also examined the impact of different bit rates based on transmission power (i.e., if we transmit with more power, how would the 6 and 12 Mbps bit rates affect the ability of the receiving device to obtain the basic safety message?). In the CAMP research, radios were able to receive packets at a somewhat lower transmission power when they were being transmitted at 6 Mbps as opposed to 12 Mbps (i.e., packets failed to reach their destination when the power was -90 dBm when they were transmitted at 12 Mbps versus -94 dBm when they were transmitted at 6 Mbps).

(b) Differing Bitrates

BAH also conducted research comparing the impact of data transmission rate to the reliability and range of the transmission. In their research, involving transmissions sent on a flat and open road at a test facility, 18 Mbps (they also tested 6 Mbps, 9 Mbps, and 12 Mbps) did not perform as well (i.e., a higher PER at a shorter distance) as the lower bitrates. However, their field test indicated that the ability of the transmission to successfully deliver the packet remained rather

VerDate Sep<11>2014 23:49 Jan 11, 2017 Jkt 241001 PO 00000 Frm 00036 Fmt 4701 Sfmt 4702 E:\FR\FM\12JAP2.SGM 12JAP2 srobinson on DSK5SPTVN1PROD with PROPOSALS2 EP12JA17.002 Federal Register / Vol. 82, No. 8 / Thursday, January 12, 2017 / Proposed Rules 3889

constant (regardless of the bitrate tested) up to 500 m.126

In BAH’s report, they surmise that the wide variation of PER at distances above 500 m for all bitrates is attributable to multipath fading.127 They conclude that an 18 Mbps bitrate seems more susceptible to multipath fading than other, lower bitrates (i.e., the 18 Mbps bitrate might be more sensitive to environmental changes).

126 See BAH DSRC Phase II Report Section 4.3.3.2.

127 Wireless transmission of information through radio signals often travel to a receiver not only through a direct path, but also through reflections off of other objects in the environment. When the objects move and the direct path between the transmitter and the receiver change, the signal may fade in a variety of ways. Thus, the changing environmental conditions (in addition to some of the other

(c) Other Aspects of DSRC Transmission Performance

The agency recognizes there are other BSM transmission performance parameters that will be necessary for real-world implementation. These parameters are found in the applicable application specifications for DSRC message content and performance parameters. The agency does not see a reason to establish requirements for these parameters based on currently available information. However, we request comment and any supporting information from the public on whether there may be advantages to establishing requirements in these areas to support the safety applications and/or ensure interoperability within the V2V information environment.

(1) Age of BSM Transmission

The age of the BSM transmission is monitored by the data element, DE_DSecond. The DSecond data element provides a time value when a BSM is populated with data; there may be a lag between the time the data is collected and populated in the BSM—and when the BSM is actually sent. We are proposing that the device should not transmit a BSM if the data within the BSM is over 150 milliseconds old. In the test procedure section in this document, we are specifying a test device for receiving basic safety messages from the tested vehicle. Our rationale is that the requirements and test methods require the device to transmit a timely BSM.

• The system shall set the DE_DSecond with a value corresponding to milliseconds within a minute of the UTC time when the BSM Part I vehicle location data is determined by the positioning source. [MPR–BSMTX–DATAACC–008]
• DE_DSecond shall be accurate to within 1 ms of the corresponding UTC time. [MPR–BSMTX–DATAACC–009]
• DE_DSecond shall have a value less than 150 ms from the UTC time at which the BSM is transmitted (i.e., the age of the time used in DE_DSecond shall be less than 150 ms). [MPR–BSMTX–DATAACC–010]

Note: Other measurements present in the BSM should be aligned to DE_DSecond insofar as possible in the implementation. Since other measurements present in the BSM do not have an absolute time stamp, it is not clear how this is done in practice. Nevertheless, practical implementations to date have used the most recent measurement updates known to the transmitter at the time when the BSM is composed.

(2) Reception

In addition to the issue of transmitting the basic safety message, the V2V research to date also included potential requirements covering the reception of the basic safety message. The potential requirements in this area include the ability of the vehicle to:

• Receive a basic safety message given a particular test device’s transmission power and distance from the vehicle;
• translate the 0’s and 1’s received over the wireless airwaves into the basic safety message (i.e., using the appropriate protocol suite to interpret and unpack the wireless signal into the basic safety message content); and
• authenticate the signature of the basic safety message to confirm that the information is from an authenticated source (i.e., to determine that the message is actually from a vehicle).

While the research (e.g., the V2V safety pilot) included many of these aspects of performance, we tentatively believe that it is unnecessary to separately evaluate the vehicle’s ability to receive the basic safety message as a number of indirect methods determining if a vehicle received the information exist in the transmission requirements already, namely congestion detection and mitigation.

Although this may be counterintuitive, we believe that directly evaluating the reception of the basic safety message is best conducted under conditions where the vehicle is using the information from the basic safety message for a particular purpose. For example, when there is a safety application, the receiving and processing the basic safety message transmissions leads to a response from the vehicle (e.g., a warning). In these conditions, the vehicle’s reception of the basic safety message is indirectly (and, we believe, sufficiently) tested by exposing the vehicles to basic safety messages with certain information (e.g., information about a vehicle on a collision course with the tested vehicle) and then measuring the vehicle’s response (e.g., whether it issues a warning at the appropriate time).

As this proposal does not include requirements for applications, the agency would need to require vehicles to output a log or record of the basic safety messages that they received within a given amount of time in order to assess whether the vehicle is able to complete the three tasks mentioned above. However, we tentatively believe it’s unnecessary at this time to include additional requirements to check a vehicle’s ability to receive basic safety messages. By requiring the vehicle to mitigate congestion, we believe that the vehicle must incorporate the ability to receive the message.

Regardless of methods employed, congestion mitigation requires the vehicles to determine the local vehicle density inside a given radius as part of the determination of the maximum time between messages. To do this, the vehicle not only has to have the ability to understand the base channel busy ratio, but also decode the message enough to expose the various temporary IDs of the received BSMs to get an accurate vehicle count. To decode the message far enough to get the temporary IDs, the vehicle needs to be able to interpret the BSM and all of its sub-layers.

We also believe that automakers implementing safety applications would ensure that the vehicle would have the capability to receive the basic safety message (including receiving the transmission and processing the transmission to obtain the message) and authenticate the message. Because the performance of an automaker’s safety application in a vehicle would rely on the vehicle’s ability to reliably receive basic safety messages, we believe that automakers implementing safety applications would also have a strong incentive to implement an appropriate receive capability in their vehicles.

However, we request comment on our tentative conclusion. We seek comment on whether there is any reason that the agency should include direct requirements for receiving the basic safety message (independent of the vehicle’s capability to utilize the information for a safety application, congestion control, Misbehavior detection, or other intended uses). Further, we request comment on what performance the agency should assess and how the agency should assess such performance (i.e., how does the agency test the reception of information when the vehicle is not expected to do anything in response to that information?). Finally, the agency seeks comment on whether there is a need to specify requirements for DSRC devices to have message reception filtering for interference from operation in the adjacent unlicensed spectrum. Please provide substantive data and clarifying reasons why or why not this is necessary along with potential filtering strategies that could be employed, if the commenter believes message reception filtering is necessary.

One potential way to establish direct requirements and measure performance of those requirements would be to require vehicles to:

• Store all basic safety messages received within a certain amount of time (e.g., 5 minutes during the test); and
• output the data through a specified interface or collection of interfaces (e.g., OBD–II).

To test this performance, we would use a test device to generate basic safety messages near the tested vehicle. Access the tested vehicle using the specified interface in the standard and download the basic safety messages received file. Verify that the basic safety messages received by the tested vehicle match the basic safety messages transmitted by the test device. We request comment on whether this is a viable method for establishing requirements for this aspect of performance.

(3) Message Packaging and Protocol Suites

Finally, another important part of ensuring interoperability of any network is for all the devices participating in the network to agree to the same communications method (i.e., speak the same language). For electronic devices communicating over a network, the method of taking information and packaging that information (i.e., in multiple steps, converting it into a string of 1’s and 0’s) so that it can be sent across a wireless (or wired) network is called a protocol stack. Each step in the protocol stack packages the information for the next step. The transmitting device and the receiving device need to agree upon one method of packaging information so that the transmitting device knows how to package the information into 1’s and 0’s and then the receiving device knows what to do with the received 1’s and 0’s in order to extract the information transmitted.

DSRC communications within the 5.85 to 5.925 MHz band are governed by FCC 47 CFR parts 0, 1, 2 and 95 for onboard equipment and Part 90 for road side units. In reference to the OSI model, the physical and data link layers (layers 1 and 2) are addressed primarily by IEEE 802.11p as well as P1609.4; network, transport, and session layers (3, 4 and 5) are addressed primarily by P1609.3; security communications are addressed by P1609.2; and additional session and prioritization related protocols are addressed by P1609.12. Further, a variety of communication performance standards specific to the V2V communications and BSM transmission/reception are defined in SAE J2945 while data element and data frame definitions and coding requirements are defined in SAE J2735. Devices adhering to these standards know how to package the basic safety message for transmission over the DSRC 5.9 GHz spectrum. They also know how to interpret and unpack transmissions over that spectrum in order to obtain the basic safety message.

While our proposed rule does not include explicit requirements for vehicles transmitting basic safety messages to utilize the methods for packaging the basic safety message in IEEE 802.11 and 1609, our proposed performance test (in effect) would require vehicles to do so.

As further discussed in the test procedure section in this document, we are specifying a test device for receiving basic safety messages from the tested vehicle. Our proposed test device would utilize the method for unpacking the basic safety message that is specified in 802.11 and 1609. Thus, in essence, vehicles transmitting the basic safety message will need to package the message utilizing the same method in order to deliver the message to the test device in our test. If the vehicle is unable to transmit a message packaged in a way that can be unpacked by our test device (i.e., using the IEEE method), the vehicle would fail our proposed performance test.

In this manner, we believe we are specifying a protocol stack that would ensure that devices following the packaging method of the protocol stack would be able to transmit and receive basic safety messages on the DSRC 5.9 GHz spectrum. We request comment on our tentative conclusion. Does the
agency need to specify any additional areas of performance in order to ensure interoperability of the devices? In other words, what aspects of the packaging of the data for transmitting cannot be tested by our proposed test method? How does that impact device interoperability and how would the agency test it?

(d) DSRC-Based Communication—Applicable Industry Standards

(1) Standards and DSRC V2V Technology

Vehicle to Vehicle technology incorporates many components to facilitate crash avoidance capabilities. The basis for Vehicle-to-Vehicle crash avoidance is the communication of safety information among vehicles. Figure III–4 identifies the various components that a DSRC-based system would include; the DSRC radio, GPS receiver, Memory, Safety Applications, Vehicle internal communications network, System Security, and the Driver-Vehicle interface.

To support the V2V wireless communications, a set of voluntary consensus standards will need to continue to be developed. These standards define such things as how devices are to communicate over an identified frequency; how to exchange information including instructions for sending and receiving messages; how to structure, format, and understand message content; and the data elements making up the message content.

We expect that V2V communication will be covered by a family of integrated standards from different organizations that deal with different aspects of wireless communications and message exchange. Such standards will facilitate V2V device developers and implementers successfully exchanging safety messages and security information (e.g. interoperability). The standards will help ensure interoperability meaning any device identified as a V2V device communicates and interprets the messages in the same way.

(2) Voluntary Consensus Standards

Voluntary consensus standard: The term “voluntary” distinguishes the standards development process from governmental or regulatory processes. All interested stakeholders participate, including producers, users, consumers, and representatives of government and academia. Voluntary standards are also made mandatory at times by being incorporated into law by governmental bodies.

A voluntary consensus standards body is defined by the following attributes:

• Openness;
• balance of interest;
• due process;
• an appeals process;
• consensus, which is defined as general agreement, but not necessarily unanimity, and includes a process for attempting to resolve objections by interested parties, as long as all comments have been fairly considered, each objector is advised of the disposition of his or her objection(s) and the reasons why, and the consensus body members are given an opportunity to change their votes after reviewing the comments.128

128 See “Standards Glossary” IEEE, https://www.ieee.org/education_careers/education/standards/standards_glossary.html (last accessed Dec 12, 2016).

Voluntary consensus standards follow a rigorous, industry inclusive development process where each standard is developed by an established
committee that consists of volunteer representatives from interested stakeholders. Examples of such organizations include the Institute of Electrical and Electronic Engineers (IEEE), ASTM International, SAE International (SAE), and the American National Standards Institute (ANSI). Each committee establishes membership protocols regarding voting criteria, structure and format guidelines, and how information is contributed. The committees draft the standards and, once drafted, the standards are presented to the organization’s membership for review, comment, and balloting.129 If the standard is balloted and accepted, the standard is published. If needed, there are processes for a standard to be revised or updated as technology evolves. We anticipate that such bodies will develop the standards that provide the information to develop and implement interoperable V2V communications, but again stress that our performance requirements may permit technologies other than DSRC to perform V2V communications in the future.

In relation to DSRC V2V Communications, to date two voluntary consensus standard organizations have developed separate, however, interrelated standards based on DSRC-enabled V2V communications. These organizations are the Institute of Electrical and Electronic Engineers (IEEE), and the Society of Automotive Engineers (SAE). IEEE has developed two standards, IEEE 802.11p and IEEE 1609.x. IEEE 802.11p establishes how compliant devices will transmit and receive messages using the 5.9 GHz frequency. IEEE 1609.x defines the protocols for radio channel operations, message exchange, and message security. SAE has also developed two standards, SAEJ2735 and SAEJ2945. SAEJ2735 specifies the BSM message set, its data frames, and data elements. SAEJ2945 establishes minimum performance requirements for the BSM data elements in various messages.

The set of standards for DSRC detail the procedures, protocols, and message content to support the broadcast (special communication capability of DSRC) and receipt of the Basic Safety Message and the linked communications needed to transfer security materials to establish a more secure V2V communications environment.

(3) Computer and Wireless Communication Reference Model

To facilitate the communication needed from devices (hardware) to the applications (software) the International Organization for Standards (ISO) established the Open System Interconnect reference model (OSI). The OSI reference model consists of seven layers that define the different stages data must go through to travel from one device to another over a network.130 Each layer has unique responsibilities including passing information to the layers above and below it.131 The combination of layers represents protocol stacks. This structure and nomenclature of the OSI reference model is used in the V2V related standards. The Standards cover how data is communicated and interpreted from one V2V device to another device and processed to be used by crash avoidance applications; analogous to how your wireless router transfers data via the internet to an application on your computer such as a web browser.

The layers represent levels of interfaces to enable the bits that represent data to be properly transported and interpreted. The layers are illustrated in Figure III–5. The first layer starts at the bit/hardware device level and indicates how the stream of raw information is sent to the next layer. In relation to V2V this would be the DSRC radio level. In addition to the raw information, layer 2 organizes data packets into network frames that are transported across the V2V wireless network. These first two levels are covered by IEEE 802.11p. The next 3 layers are covered by IEEE 1609.x. Layers 3, 4, and 5 handle the addressing and routing of messages, management of the packetization of data and delivery of packets, and the coordination of message transmissions and authorization (security). Layer 6, session layer, and layer 7, application layer, are covered by SAE J2735 and SAE J2945 and provide for the conversion of incoming data for use by the application and interface protocols with the applications.132 These layers and associated standards represent the DSRC protocol stack that developers use to design and produce interoperable devices.

129 For a description of the IEEE ballot process, see http://standards.ieee.org/develop/balloting.html (last accessed Dec 12, 2016).

130 See “How OSI Works” http://computer.howstuffworks.com/osi1.htm (last accessed: Dec 12, 2016).

131 See “Physical Layer”, http://www.linfo.org/physical_layer.html (last accessed: Dec 12, 2016).

132 See “OSI reference model (Open Systems Interconnection)” http://searchnetworking.techtarget.com/definition/OSI (last accessed: Dec 12, 2016).


(4) DSRC-Based V2V Device Communication Standards

As indicated previously, SAE and IEEE have developed and established standards for DSRC. The DSRC protocol stack and related standards are illustrated in Figure III–6.

Working from the bottom of Figure III–6 and starting with the physical layer, the IEEE 802.11–2012—IEEE Standard for Information technology- and information exchange systems-Local and metropolitan area networks-Specific requirements Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications was published 29 March 2012. The standard covers operations of Wi-Fi devices. A specific section of the standard, 802.11p, covers DSRC communication for V2V and V2I devices that use the 5.9 GHz frequency. The standard describes information exchange between system local and metropolitan networks at the device radio level.


From the device (hardware) level of 802.11, the IEEE 1609.x family of standards establishes the protocols for Wireless Access in Vehicular Environments (WAVE). These standards support the network, transport, and session OSI layers. The 1609 standards that are relevant to DSRC include the following:

• 1609.0—Guide for Wireless Access in Vehicular Environments (WAVE) Architecture—This section of the standard describes the full set of 1609 standards and their relationships to each other and other relevant standards such as 802.11. The guide was published 11 December 2013.
• 1609.2—Security Services for Application and Management Messages—Describes the secure message formats and processing for use by WAVE devices, including methods to secure WAVE management messages and methods to secure application messages. It also describes administrative functions necessary to support the core security functions. The V2V security design is based on this standard and incorporates an expanded application of Public-Key infrastructure to secure V2V communications and appropriately protect privacy. This standard is associated with Layer 5, session layer, and Layer 6, presentation layer. This standard was published 26 April 2013.
• 1609.3—Networking Services—In relation to Layers 3 and 4, network and transport, this standard describes the Internet Protocol (IP), User Datagram Protocol (UDP), and the Transmission Protocol (TCP) elements of the internet model and management and data services for WAVE devices. This standard was published 13 July 2012.
• 1609.4—Multi-Channel Operations—This standard crosses layers 2 through 5 to support multi-channel operations of the DSRC radio. Wireless radio operations that include the use of other channels need to provide instructions concerning the operation of the control channel (CCH), the service channel (SCH), interval times, priority access, channel switching, and routing. The current design for a V2V DSRC device uses two radios. One radio is tuned to channel 172 for transmission and reception of the safety-critical communication of the BSM. The second radio uses multi-channel operations to set the CCH and SCH, and use the other channels to support other messages transmission such as the messages associated with security materials. This standard was published 7 February 2011, however, a draft corrigendum that corrects errors is pending publication.
• 1609.12—Identifier Allocations—For the WAVE system this standard describes the use of identifiers and the values that have been associated with the identifiers for use by the WAVE system. This standard was published 21 September 2012.
• Layer 6, Presentation, and Layer 7, Application, are supported by the two SAE standards that define the elements and the minimum performance requirements for the BSM data elements.

SAE J2735—DSRC Message Set Dictionary specifies a message set, and its data frames and data elements specifically for use by application intended to utilize the 5.9 GHz frequency. For crash avoidance safety, the standard identifies the Basic Safety Message (BSM). The standard includes an extensive list of BSM data elements divided into two parts. Part one includes elements that are transmitted with every message. Part two includes elements that are included in the transmission when there is a change of status. The BSM is exclusive to the support of crash avoidance safety applications. Section III.E identifies the BSM elements that are identified as minimum performance requirements for V2V devices.

SAE J2945—DSRC Minimum Performance Requirements—This standard resulted from research indicating a need for a separate standard that would describe the specific requirements for the data elements that would be used in the BSM. The standard will also cover other DSRC messages; however, the first part of the standard will specify the performance requirements for the BSM data elements. The draft of the first part of the standard is being developed using the results of V2V research. The standard for BSM performance requirements is scheduled to be completed and balloted late 2015.

The standards explained above represent voluntary consensus standards that have been developed by standards development organization. These standards are not regulatory. These standards, however, do provide a basis of investigation as to what is needed in relation to identifying the minimum performance requirements that if met ensure the proper and safe functionality of V2V DSRC device that will result in the avoidance of crashes.


(5) Relevance to DSRC-Based Communications

The SAE and IEEE standards supporting DSRC discussed are not performance requirements per se. Performance requirements and standards are interrelated and indicate, at different levels, how a system or device must function. Performance requirements are developed to indicate how a device or system needs to perform. In terms of V2V, performance requirements are associated with an installed device and are viewed from the top of the design and development process. Performance requirements may incorporate various standards that are identified in Section III.D, however, most of the standards are related to sub-systems and components that support the development of design specifications. The higher level performance requirements indirectly verify lower level standards were used by verifying the design performs at the integrated system level.

Figure III–7 illustrates our understanding of the hierarchical relationship associated with performance requirements and how standards are used at different component design specification levels. The bulk of the V2V related standards primarily support product development specifications at the Controller Spec level and the Component Technical Spec level. The specifications are verified at each level by different component test and sub-system tests. The Auto OEMs conduct tests at the system level to verify design and system operations. After installation, OEMs conduct vehicle integration tests to verify installation and system operation in relation to design specification and regulation identified performance requirements. Once the integration is verified, the Auto OEMs verify compliance with the performance requirements. This hierarchy demonstrates how top level performance requirements supported by standards provide the information to successfully design and implement V2V components that will be interoperable and meet identified system level performance requirements.

The voluntary consensus standards provide information that support both performance requirements and design specifications, and are the bridge for connecting the requirements to the specifications. In relation to the NPRM, the work performed by NHTSA in relation to performance requirements is to identify, and define performance requirements and verification tests that will indicate that V2V devices have been designed and implemented such that these devices will operate to provide the DSRC communications and security that will support crash avoidance applications.

(6) Summary of DSRC-Based BSM Transmission Requirements


TABLE III–1—SUMMARY OF BSM TRANSMISSION REQUIREMENTS

| Requirement | Proposal | Basis | Relationship to standards | Reason |
|---|---|---|---|---|
| Range (longitudinal & lateral) | Minimum 300m; 360 degrees around vehicle. | CAMP—application tested in SPMD also calculation of range needed for DNPW. | SAE J2945/1 | The setting is based on the need to provide accurate and timely safety alerts. The setting was obtained by extensively testing commercially available equipment and automotive sensors in a wide variety of driving environments. |
| Range (Elevation) | At elevation angle of +10 degrees and −6 degrees. | CAMP and BAH research and testing capabilities. | SAE J2945/1 | Same as above. |
| Reliability | Packet Error Rate <10% | CAMP and BAH | SAE J2945/1 | Same as above. |
| BSM Radio Channel | All BSM transmissions and receptions on 172 (safety-critical communications). | FCC rules | SAE J2945/1 | Same as above. |
| Data Rate | 6 Mbps | CAMP and BAH research—CAMP research shows PER degradation using 12 Mbps. BAH research indicates problems after 500m, also BAH test done under “open field” conditions. | SAE J2945/1 (one of the bitrates included in 802.11). | Same as above—Also Current developers support a 6 Mbps data rate. More data and testing is needed to change the data rate and determine if a changing rate can be used and support crash avoidance. |
| Transmission Frequency | 10 times per second under non-congested conditions. | CAMP—trade-off between long inter-packet delays experienced by V2V safety applications and heavy wireless channel utilization. | SAE J2945/1 | Accepted among experts to support V2V crash avoidance. |
| Staggering Transmission Time | Random transmission of BSMs every 100 +/− ms between 0 and 5 ms. | Mitigate channel congestion if all devices transmitted at same time—CAMP and BAH research. | SAE J2945/1 | Due to accuracy of devices need to mimic the stagger experienced during SPMD to avoid message collisions to facilitate efficient channel usage. |
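The following added example (not part of the NPRM or of any SAE or IEEE text) shows how a test device could check a capture of received BSMs against two of the proposed limits: the DE_DSecond age below 150 ms from [MPR–BSMTX–DATAACC–010], including the wrap at the minute boundary, and the packet error rate below 10% from Table III–1. The Capture record layout, the use of the msgCnt counter (0 to 127) to estimate PER, the handling of DE_DSecond values of 60000 and above, and a UTC-synchronised test-device clock with negligible over-the-air delay are assumptions.

```python
from dataclasses import dataclass

MS_PER_MINUTE = 60_000
MAX_AGE_MS = 150        # proposed limit, [MPR-BSMTX-DATAACC-010]
MAX_PER = 0.10          # Table III-1: packet error rate < 10%
MSG_CNT_MODULUS = 128   # assumption: SAE J2735 msgCnt runs 0..127, then wraps


@dataclass(frozen=True)
class Capture:
    """One BSM as logged by the test device (hypothetical record layout)."""
    rx_utc_ms: int   # UTC reception time at the test device, ms since epoch
    msg_cnt: int     # sender's message sequence counter
    d_second: int    # DE_DSecond: ms within the UTC minute of the position fix


def dsecond_verdict(rx_utc_ms, d_second):
    """Classify DE_DSecond as 'ok', 'stale', 'future' or 'unverifiable'."""
    if not 0 <= d_second < MS_PER_MINUTE:
        # Assumption: 60000 and above are leap-second, reserved or
        # "unavailable" encodings that cannot be aged against a UTC clock.
        return "unverifiable"
    # DE_DSecond carries no minute number, so the difference is taken modulo
    # one minute; a fix at 59.960 s received at 00.002 s is 42 ms old.
    age = (rx_utc_ms % MS_PER_MINUTE - d_second) % MS_PER_MINUTE
    if age >= MS_PER_MINUTE // 2:
        # An apparent age near a full minute means the timestamp is ahead of
        # the receiver's clock (skew or a forged value), not a 59 s old fix.
        return "future"
    return "ok" if age < MAX_AGE_MS else "stale"


def packet_error_rate(captures):
    """Estimate PER from gaps in msg_cnt; returns (per, missed, duplicates).

    A burst of 128 or more consecutive losses is invisible to the counter.
    """
    missed = duplicates = 0
    for prev, cur in zip(captures, captures[1:]):
        step = (cur.msg_cnt - prev.msg_cnt) % MSG_CNT_MODULUS
        if step == 0:
            duplicates += 1        # same counter twice: duplicate or replay
        else:
            missed += step - 1     # counters skipped between two receptions
    expected = len(captures) - duplicates + missed
    per = missed / expected if expected else 0.0
    return per, missed, duplicates


def check_capture(captures):
    """Evaluate a capture from one sender against both limits."""
    ordered = sorted(captures, key=lambda c: c.rx_utc_ms)
    verdicts = [dsecond_verdict(c.rx_utc_ms, c.d_second) for c in ordered]
    per, missed, duplicates = packet_error_rate(ordered)
    return {
        "verdicts": verdicts,
        "timing_ok": all(v == "ok" for v in verdicts),
        "per": per,
        "per_ok": per < MAX_PER,
        "missed": missed,
        "duplicates": duplicates,
    }


# Constructed sample: seven BSMs sent at 10 Hz across a minute boundary,
# one of them (msg_cnt 1) never received.
MINUTE_START = 28_333_333 * MS_PER_MINUTE
SAMPLE = [
    Capture(MINUTE_START + 59_900, 126, 59_860),   # 40 ms old
    Capture(MINUTE_START + 60_002, 127, 59_960),   # 42 ms old across the wrap
    Capture(MINUTE_START + 60_101, 0, 60),         # counter wrapped, 41 ms old
    Capture(MINUTE_START + 60_300, 2, 100),        # 200 ms old
    Capture(MINUTE_START + 60_401, 3, 420),        # stamped 19 ms ahead
    Capture(MINUTE_START + 60_500, 4, 65_535),     # no usable timestamp
]

if __name__ == "__main__":
    report = check_capture(SAMPLE)
    for cap, verdict in zip(SAMPLE, report["verdicts"]):
        print(cap.msg_cnt, cap.d_second, verdict)
    print(f"PER {report['per']:.1%} (limit {MAX_PER:.0%}), ok={report['per_ok']}")
```

Because the age is measured at reception rather than at transmission, it is an upper bound on the age the requirement refers to, so a BSM that passes here also met the limit when it was sent.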

(e) Alternative (Non-DSRC) Technologies

This section is intended to recognize and support the continual progression of communication technology. It proposes alternative interoperable technologies performance requirements grounded in today’s DSRC technology, which would enable the deployment of potential future V2V communications technologies that meet or exceed the proposed performance requirements, including interoperability with all other V2V communications technologies transmitting BSMs.

This section provides performance-based requirements that would support transmitting the basic safety message via alternative interoperable technologies. The proposed requirements are limited to the transmission of the BSM only. Potential security and privacy requirements and alternatives are discussed in those respective sections of this proposal.

Alternative technologies would need to meet the same message transmission requirements as DSRC-based devices, minus any DSRC-specific requirements such as channel or data rate specifications.

(1) Transmission Range and Reliability

Alternative technologies would need to support the same message transmission range and reliability requirements as DSRC-based devices, minus any specific references to DSRC.

(i) Range

Alternative technologies would need to support the same message transmission range requirements as DSRC-based devices, minus any specific references to DSRC.

(ii) Longitudinal/Lateral Range

Alternative technologies would need to support the same message transmission longitudinal and lateral range requirements as DSRC-based devices, minus any specific references to DSRC.

(iii) Elevation Transmission Performance

Alternative technologies would need to support the same message transmission elevation performance requirements as DSRC-based devices.

(2) Testing the Elevation Transmission Range

Alternative technologies would need to support the same message transmission elevation test requirements as DSRC-based devices.

(a) Test Device

Alternative technologies would need to support the same message transmission elevation transmission performance test device requirements as DSRC-based devices, minus any reference to DSRC.

(b) Location of the Test Device

Alternative technologies would need to support the same message transmission elevation test device location requirements as DSRC-based devices.

(3) Reliability

Alternative technologies would need to support the same message transmission reliability requirements as DSRC-based devices, minus any reference to DSRC.

(4) Aspects of Transmission Range Performance Indirectly Tested

Alternative technologies would need to support the same message transmission range performance indirect tests as DSRC-based devices.

(a) Transmit Power

Alternative technologies would need to identify the same transmit power as DSRC-based devices, where applicable for a specific communication medium.

(5) Channel and Data Rate

A final rule will need to indicate the range at which the vehicle needs to transmit the basic safety message and


the receive sensitivity for alternative technologies.

(6) Transmission Timing

Alternative technologies would need to meet the same transmission timing requirements as the DSRC-based proposal minus any DSRC-specific requirements, such as channel and data rate. In keeping with the more general nature of the standards for alternative technologies, specifying aspects such as channel congestion or the need for staggering or synchronizing message transmission is assumed not to be needed and assumed to be handled by any protocol or communication medium used for V2V communication.

(a) Default Transmission Frequency

Alternative technologies would need to support the same message transmission frequency as DSRC-based devices, 10 times per second (10 Hz).

(b) Staggering Transmission Time

Alternative technologies would need to address the same issues for staggering transmission timing as DSRC-based devices, minus any direct reference to DSRC.

(7) Other Aspects of Alternative Interoperable Technologies

Alternative technologies would need to address the same issues for staggering transmission timing as DSRC-based devices, minus any direct reference to DSRC.

(a) Age of BSM Transmission

Alternative technologies would need to support the same message age monitoring requirements as DSRC-based devices.

(b) Reception

Alternative technologies would need to support the same message reception requirements as DSRC-based devices, minus any references to message congestion mitigation, misbehavior detection, and DSRC-specific messaging content.

Additionally, NHTSA does not seek comment on the need to specify requirements for reception interference from operation in the adjacent unlicensed spectrum given this would be spectrum dependent.

(c) Interoperability

V2V devices using alternative technologies would need to be capable of transmitting and receiving an established message from other V2V devices, regardless of the underlying technology (i.e. the BSM that has specified content of information, but also the measuring unit for each information element and the level of precision needed). Interoperability with DSRC-based devices would, in particular, be necessary. We seek comment on what test procedures or other safeguards would be required to ensure interoperability.

2. Proposed V2V Basic Safety Message (BSM) Content

At the core of this proposal is the basic safety information that we believe vehicles need to send in order to support potential safety applications. In order to realize the safety benefits discussed above, safety application designers need to know what consistent set of information will be available, what units will be used to express that information, and the level of accuracy that each information element will have. This uniform expression of the basic safety information is important because a safety application needs to rely on the information in the messages and assume that the information is accurate to within a given tolerance. The requirements proposed in this section are consistent across any potential communication technology employed in V2V communications.

To date, the automotive industry (through SAE) has been developing voluntary consensus standards[133] to help standardize these details of the basic safety message. The general approach of our proposal is to incorporate the data elements from the current draft SAE standards in order to facilitate interoperability between devices that would comply with the proposed FMVSS and any potential future developments of the SAE standards. Further, we are considering each data element and associated tolerance requirements for each of those elements in the context of addressing the safety need of avoiding crashes. Each of the data elements we are proposing to require provide values that collectively contribute to the calculations of possible vehicle interactions and evaluating the imminent crash potential of these interactions. Moreover, the required and optional data elements would create a data-rich environment that can be used to not only identify imminent crash situations, but also ensure the drivers can be given advanced warning of these situations so these drivers can take appropriate evasive action to avoid crashes. Based on our analysis, we are proposing requirements for some, but not all, of the data elements in the SAE standards. However, in order to preserve interoperability with vehicles that may choose to send additional data elements, we are generally proposing to permit vehicles to transmit a data value that either conforms to the SAE standard or is the SAE-specified “data unavailable” value.

Finally, we are also proposing to exclude certain data elements from being transmitted as a part of the BSM. We are proposing this limitation in order to balance the privacy concerns of consumers with the need to prove safety information to surrounding vehicles.

While we request public input on any of the issues discussed in this section, we especially would like input on whether we have appropriately selected (1) the data elements to include/make optional/exclude, and (2) the tolerance levels for each data element.

(1) Required Data Elements and Their Performance Metrics

In the work completed by SAE thus far,[134] the separated the information transmitted in the basic safety message into two parts (Part I and Part II). As we explained in the Readiness Report, Part I information is core information intended to be sent in every basic safety message. Part II is additional information intended to be sent as needed. In this section, we cover data elements from both Part I and II that our proposed requirements would include the performance metrics for each.

(a) Message Packaging

Before reaching the actual elements that support safety applications, the basic safety message needs certain preliminary elements that help a receiving device to know what it is receiving. The three elements that fall into this category are the Message ID, the Message Count, and the Temporary ID. We tentatively believe that all three of these elements are necessary as they allow the receiving device to interpret the digital code it is receiving and the safety information inside the message. The three elements provide the information needed for the device to properly process a sequence of messages that delivers vehicle position and motion data needed to interpret possible crash situations.

(i) Message ID

The first element is the Message ID. This data element explains to the receiving device that the message it is receiving is a basic safety message. SAE Standard J2735 specifies that this data

133 E.g., SAE Standard J2735, J2945.
134 SAE J2735 and J2945.


element is one byte from 0 to 15.[135] Each number represents a different type of message that could be sent over DSRC. We are proposing that V2V devices sending basic safety messages transmit a “2” as the Message ID. Based on SAE Standard J2735, “2” indicates to the receiving device that the content of the message is a basic safety message and that it should interpret the data accordingly.

(ii) Message Count

The second element here is the Message Count. In SAE Standard J2735, the Message Count assigns each basic safety message a number in sequence between 0 and 127.[136] Once the device’s Message Count reaches 127, the idea is that the next message it sends would have a Message Count of 0. This count helps the receiving device know that it has all the messages sent by the sending device and which order to put them in. For example, if I receive messages 11, 13, 14, and 15 from a particular device, I will know that they are in order but I will know that I am missing message 12 from that particular device. The agency’s proposal would require that vehicles follow the requirements of the SAE standard and assign the Message Count for each message in sequence between 0 and 127. We believe that this Message Count data element will enable safety applications that receive these messages to appropriately put the messages in order and be aware of any missing messages that could affect the overall information being processed by the safety application software.

(iii) Temporary ID

Finally, the Temporary ID is a four-byte string array randomly-generated number that allows a receiving device to associate messages sent from the same device together. While the identity of the sending device is not important for a safety application to take appropriate actions during a crash-imminent situation, it is important for a safety application to know that it is receiving, for example, ten messages from one device rather than five messages from two devices. In other words, the Temporary ID balances the safety need of associating basic safety messages with each other (to know if they originate from the same device), with the privacy need to avoid tracking/identifying particular users.

In order to accomplish these goals, we propose that vehicles transmit a Temporary ID as specified in SAE Standard J2735. Based on the SAE standard, the Temporary ID is a randomly-generated four-byte sequence of numbers selected from 4,294,967,296 combinations.[137] There are many acceptable techniques to generate a random sequence of numbers for the Temporary ID and it does not need to be specified; however, the performance can be tested. Further, the randomly-generated ID is changed to another randomly-generated ID every five minutes, when the BSM security certificate changes. Having the ID and the certificate change at the same time reduces some of the risk that a relationship between the ID and certificate could be developed to track a device. Given the current research available, changing security certificates at five minute intervals helps to reduce the risk of tracking, which helps to protect consumer privacy. Additional research is being conducted to further investigate the ability or limitation of the five minute time period to mitigate the potential for tracking and protect privacy.

(b) Time

In addition to the data elements necessary for packaging the basic safety message, the Time data element is critical because all of the information within the basic safety message (e.g., the vehicle location, speed, etc.) being used to enable safety applications needs to be expressed in the context of time. Based on time, the safety application is able to determine when a surrounding vehicle was in a given location and assess where that vehicle may go. Thus, it is important for the Time element not only to be expressed precisely but also using a uniform system among the devices participating in the V2V information environment.

In order to accomplish this purpose, we propose a standard system for vehicles to express time in the basic safety message and a requirement for the accuracy of the time. DSRC-based devices would be required to adhere to SAE Standard J2735[138] and devices[139] would be required to use the UTC standard for time. The UTC standard is widely accepted. It is also the predominant standard for time for internet devices and GPS devices—two groups of technologies that are closely related with V2V devices. Thus, we believe that the UTC standard is an appropriate standard method for expressing time. Further, we tentatively believe that the UTC method for expressing time contains an appropriate level of accuracy—including a method for accounting for leap seconds.[140]

In addition to using the UTC standard, we propose to require vehicles to transmit the Time data element to an accuracy of 1 ms (i.e., within +/− 1 ms of the actual time). Given the proposed requirements for transmitting the messages, we believe that requiring the time information accompanying each basic safety message to be within 1 ms of the actual time is appropriate. As further discussed below, we are proposing that vehicles transmit a basic safety message 10 times a second (unless specific conditions require otherwise). In the discussions that follow, we are also proposing that vehicles broadcast the messages (in order to help avoid vehicles broadcasting at the same time) at a staggered time (a random value of +/− 5 ms from every tenth of a second). Given these requirements where the broadcast time of a message can vary by as little as 1 ms, we tentatively believe it is appropriate to require that the Time data element be accurate to within 1 ms.

(c) Location

This set of data elements form the foundation of the basic safety message because it is the information that enables all the safety applications being developed to utilize the V2V information environment. The location information of the surrounding vehicles enables a safety application on a vehicle to know whether a crash imminent situation exists or is likely to exist in the near future. For example, an application such as IMA would use location information of surrounding vehicles to determine whether another vehicle is heading into the intersection and likely to cause a crash.

For location, longitudinal and lateral (2D) data, and also vertical (elevation) data would be required. We acknowledge that longitudinal and lateral data are more commonly used in V2V safety applications (since vehicle travel is mostly two dimensional). However, elevation also is important in a number of respects. For example, safety applications such as FCW or LDW can potentially take into account elevation information for merging traffic in on-ramp situations. Further, applications currently under development such as IMA are already taking elevation into account to

135 SAE Standard J2735, page 171.
136 Id. at page 212.
137 Id. at page 252.
138 Id. at page 62.
139 Coordinated Universal Time International Telecommunications Union Recommendation (ITU–R TF.460–6), See BAH Report Section 4.3.6.2 pubrec/itu-r/rec/tf/R-REC-TF.460-6-200202-I!!PDF-E.pdf.
140 See “Leap Seconds” http://www.endruntechnologies.com/leap.htm (last accessed Dec 12, 2016).


differentiate cross traffic that is on an overpass from situations where the cross traffic is on the same plane of travel (i.e., could potentially lead to a crash).

(i) Vehicle Position Reference Point

In order for vehicles to accurately communicate their position in a basic safety message to each other, all vehicles need to agree to a single point on the vehicle as the reference point. Without such a point, the reported position for each vehicle could vary by meters depending on the size of the vehicle and the point on the vehicle that the message is reporting. Thus, we are providing a proposed definition for a vehicle reference point—based upon which the agency would evaluate the compliance of the vehicle location information in the basic safety message.

Our proposal is to define the vehicle reference point as the theoretical point projected on the surface of the roadway that is in the center of a rectangle oriented about the vehicle’s axis of symmetry front-to-back. This rectangle encompasses the farthest forward and rearward points and side-to-side points on the vehicle, including original equipment such as outside side view mirrors on the surface of the World Geodetic System-84 (WGS–84) ellipsoid (see Figure III–8). The position reference is obtained from measurements taken when the vehicle is situated on level ground/roadway, i.e. where there is no difference in grade in any direction and all tires contact the ground/roadway evenly. This position provides the BSM position reference of the center of the vehicle along all axes that can be used to determine the outer perimeter of the vehicle in relation to vehicle movement. The position reference is also used to configure the GPS antenna if the antenna cannot be placed at the vehicle’s center point.
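The receiver-side use of the Message ID, Message Count and Temporary ID described under "(a) Message Packaging" can be sketched as follows. This is an added example, not code from the proposal or from SAE J2735; the class and function names, the `MAX_REPORTED_GAP` cutoff and the handling of late arrivals are assumptions made for illustration.

```python
"""Receiver-side bookkeeping for BSM Message ID, Message Count and Temporary ID."""

BSM_MESSAGE_ID = 2        # Message ID value proposed for a basic safety message
MSG_COUNT_MODULUS = 128   # Message Count runs 0..127, then wraps to 0
TEMP_ID_LEN = 4           # Temporary ID is a four-byte value
MAX_REPORTED_GAP = 20     # assumption: a larger jump is a resync, not packet loss


def skipped_counts(previous, current):
    """Message Counts strictly between two receptions, computed modulo 128."""
    step = (current - previous) % MSG_COUNT_MODULUS
    return [(previous + i) % MSG_COUNT_MODULUS for i in range(1, step)]


class BsmSequenceTracker:
    """Tracks the last Message Count per Temporary ID (hypothetical helper)."""

    def __init__(self):
        self.last_count = {}  # temp_id -> newest Message Count accepted
        self.missing = {}     # temp_id -> counts skipped and not yet received
        # A deployed receiver would also age out idle Temporary IDs, since
        # senders rotate them every five minutes.

    def observe(self, message_id, temp_id, msg_count):
        """Check one received header; return the Message Counts it skipped."""
        if message_id != BSM_MESSAGE_ID:
            raise ValueError("not a basic safety message")
        if not isinstance(temp_id, bytes) or len(temp_id) != TEMP_ID_LEN:
            raise ValueError("Temporary ID must be four bytes")
        if not 0 <= msg_count < MSG_COUNT_MODULUS:
            raise ValueError("Message Count out of range")

        previous = self.last_count.get(temp_id)
        if previous is None:
            # First message under this Temporary ID: a new device or a rotated ID.
            self.last_count[temp_id] = msg_count
            self.missing[temp_id] = set()
            return []

        step = (msg_count - previous) % MSG_COUNT_MODULUS
        if step == 0:
            return []  # duplicate of the newest message
        if step > MSG_COUNT_MODULUS // 2:
            # Count is behind the newest one: a late arrival fills an earlier gap.
            self.missing[temp_id].discard(msg_count)
            return []

        skipped = skipped_counts(previous, msg_count)
        self.last_count[temp_id] = msg_count
        if len(skipped) > MAX_REPORTED_GAP:
            # Too large to be ordinary loss: restart tracking from this message.
            self.missing[temp_id].clear()
            return []
        self.missing[temp_id].update(skipped)
        return skipped


if __name__ == "__main__":
    tracker = BsmSequenceTracker()
    device = bytes.fromhex("0a1b2c3d")  # constructed Temporary ID
    for count in (11, 13, 14, 15):      # the sequence used in the text's example
        print(count, tracker.observe(BSM_MESSAGE_ID, device, count))
```

Because the count wraps at 127, the gap between two receptions has to be taken modulo 128; comparing the raw integers would report 127 followed by 0 as out of order.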

(ii) Longitude and Latitude

Longitude and latitude position would require that vehicles report a position that is within 1.5 m of their actual position at a Horizontal Dilution of Precision (HDOP)[141] less than or equal to 1.5 within the one sigma absolute error. For the 2D location we tentatively believe that 1.5 m is appropriate because it is half of the width of a lane of traffic. Therefore, if vehicles provide position data within this level of accuracy, safety applications should be able to determine whether another vehicle is within its lane of travel. Further, the requirement to stay within the 1.5 m of tolerance at an HDOP smaller than five, within the one sigma absolute error, accounts for some of the variation in position that may occur with GPS due to failure to receive signals from a sufficient number of satellite signals.[142] If the HDOP is larger than five, there is a high probability that the accuracy of the position of the vehicle will not be accurate enough to support the 1.5m of position. As we anticipate that most vehicles, if not all vehicles, will use GPS to ascertain their location, we currently believe that it is appropriate to account for this potential error in our proposed location requirement in the

141 HDOP is a measure of the geometric quality of a GNSS satellite configuration in the sky. HDOP is a factor in determining the relative accuracy of a horizontal position based on the number of visible satellites. The smaller the DOP number, the better the geometry and accuracy. HDOP less than 5 is a general rule of indicating a good GNSS condition that can provide the desired level of accuracy. However, a lower DOP value does not automatically mean a low position error. The quality of a GPS-derived position estimate depends upon both the measurement geometry as represented by DOP values, and range errors caused by signal strength, ionospheric effects, multipath, etc.
142 As noted above, there are other factors that may lead to degradation of the GPS information—e.g., ionospheric interference, multipath, etc.


basic safety message. Our engineering judgment is that an HDOP smaller than five within the one sigma absolute error appropriately accommodates the potential variation in GPS and provides a monitoring function that can be measured to determine if the GPS within the DSRC device can calculate a position at an accuracy level that supports the 1.5m relative position accuracy needed for DSRC crash avoidance.

(iii) Elevation

Due to the different situations in which elevation is relevant, vehicles would be required to report elevation in the basic safety message with an accuracy of three meters—rather than 1.5.[143] In terms of elevation, our tentative belief is that the information does not need to be as exact as the longitude and latitude location. Our proposal currently uses three meters (approximately 10 feet) because it provides sufficient distance to distinguish between a vehicle crossing an overpass versus those that are on the same level as the vehicle with a safety application. Further, our current judgment is that reporting the elevation with greater specificity would be counter-productive for certain safety applications. The elevation should be relative to each vehicle being interacted with within 300 m. A tolerance of 3m (10ft) provides for low bridges but takes into account changes in grade that change as vehicles close on each other. Therefore, in specifying the elevation tolerance, we tentatively believe that we are balancing the competing safety interests.

(d) Movement

In addition to knowing the vehicle’s position, a safety application should also consider the characteristics of that vehicle’s movement. Rather than extrapolating these characteristics (with less accuracy) based on the position information, safety applications currently under development already consider movement information about the surrounding vehicles in determining whether a crash-imminent situation exists. For the basic safety message, we tentatively believe that speed, heading, acceleration, and yaw are the most relevant pieces of information about a vehicle’s movement.

We are proposing characteristics for message content related to speed, heading, acceleration, and yaw rates. Essentially, we propose to measure the rate at which the sending device’s location is changing and also any changes to that rate at which a device’s location is changing. Because a safety application is generally concerned with the potential future locations of the device (rather than just its present location), it is likely that safety applications will utilize this type of information.

For example, through combining the speed and heading information with a device’s current location, a safety application can calculate whether a surrounding vehicle can collide with the safety application’s vehicle. Further, having information about the vehicle’s acceleration will make that prediction more accurate because it tells a safety application whether the vehicle is speeding up or slowing down. Yaw rate also affects the predicted location of the vehicle because it measures the rate at which the vehicle’s direction is changing (i.e., the rate at which the vehicle’s face is pivoting towards the left or the right). The tendency of the vehicle to change direction during its travel (like acceleration) also affects the ability of a safety application to predict its location.

(i) Speed

We are proposing that vehicles report their speed in the basic safety message accurate to within 0.28 m/s (1 kph). We tentatively believe that this is the appropriate accuracy for the Speed data element based on the agency’s experience in the Safety Pilot Model Deployment, where systems reporting speed information accurate to within 1 kph effectively supported the tested safety applications. We are not aware of any instances during the Model Deployment where an application warned at the incorrect time (i.e., false positive) or failed to warn (i.e., false negative) due to any inaccuracies in the Speed data element. As the available information indicate that the 1 kph tolerance requirement is technically feasible and that it supports the safety applications, we tentatively believe that it would also be an appropriate requirement for a final regulation.

We note that the basic safety message requirements in SAE J2735 state that the speed is reported in increments of 0.02 mph. We currently believe that it is appropriate, in addition to the tolerance of 1 kph established above, to also specify the incremental units to be used by the vehicle in reporting its speed. While it may not be technically feasible to report the speed information with a tolerance of only 0.02 mph, we believe that (by requiring the vehicle to report speed in incremental units of 0.02 mph) we can capture better information about the vehicle’s change in speed. Further, by establishing these consistent requirements, vehicles will be able to better rely on the information they are receiving from the surrounding vehicles. As with our rationale for the tolerance of 1 kph in the preceding paragraph, our rationale for proposing that vehicles report the speed information in increments of 0.02 mph is based on our experience in the Safety Pilot testing. In the Safety Pilot, vehicles reported information using these specifications and it provided effective information for the safety applications tested in that program.

We request comment on these tentative conclusions. Is there any data that suggest that the agency should adopt a different tolerance level for the speed information reported in the basic safety message? Is there similar data for the incremental values for reporting speed that we propose to require?

(ii) Heading

Heading in relation to BSM and crash avoidance is defined as the “actual” heading in relation to the vehicle position reference point (explained above) that indicates the course of the vehicle’s motion regardless of the vehicle’s orientation to that motion, i.e. where the front of the vehicle is pointing. Knowing the “actual” vehicle heading is needed in order to accurately identify conflict and imminent crash situations.

For Heading, the agency would require different levels of accuracy based on the vehicle’s speed. We tentatively believe that this is appropriate because we anticipate that most vehicles will be determining vehicle heading using GPS information. We recognize that the accuracy of GPS-determined heading varies based on speed. We also tentatively believe that heading information might not be as critical at lower speeds. Therefore, we believe it is appropriate to provide more flexibility at lower vehicle speeds. Thus the requirements for heading need to support V2V crash avoidance would read as follows:

• When the vehicle speed is greater than 12.5 m/s (∼28 mph), it is required to report vehicle heading accurately to within 2 degrees; and
• when the vehicle speed is less than or equal to 12.5 m/s, it is required to report the vehicle heading accurately to within 3 degrees.

We tentatively believe that 2 degree accuracy for speeds above 12.5 m/s is appropriate because research indicates that at approximately 12.5 m/s (28 mph)

143 We would measure the elevation data element under the same conditions as the longitudinal/lateral data element—i.e., the accuracy needs to be 3m when the HDOP is less than 5 within the 1 sigma absolute error.


sensors and vehicle dynamics can accurately report heading within 2 degrees. At speeds less than 12.5 m/s the research indicates that the sensors and vehicle dynamics cannot reliably report vehicle heading within 2 degrees, but can reliably and accurately report within 3 degrees of accuracy. Given that at lower speeds vehicles travel less distance and driver-initiated evasive actions can be more effective at the lower speeds, our tentative conclusion is also that a three degree accuracy is appropriate for speeds below 12.5 m/s.

In addition to providing different requirements for accuracy at different speeds, we tentatively believe it is appropriate to require that vehicles “latch”[144] the GPS information at very low vehicle speeds. In other words, when the vehicle speed is very low (and a GPS cannot accurately determine the heading) we are proposing to require that the basic safety message transmit the last heading information prior to the vehicle dropping below a given speed.

In this case, the agency is proposing to require the system to latch the heading when the vehicle drops below 1.11 m/s (∼2.5 mph). We tentatively believe that 1.11 m/s is an appropriately low threshold where, at speeds lower than 1.11 m/s, the heading information is not as crucial because the vehicle is not changing its location at a significant pace. For reference, a NHTSA 2006 study measured the idling speed of the vehicles (i.e., speed when vehicle is in gear and no brake or throttle is being applied). Of the vehicles that NHTSA measured in that study, the idling speed ranged from 4.0 mph to 7.0 mph.[145]

Further, the agency is proposing to require vehicles to unlatch their heading information (and transmit a heading value that is within 3 degrees of its actual heading) when its speed exceeds 1.39 m/s[146] (∼3.1 mph). As a vehicle’s speed increases towards its idling speed, we propose requiring that the vehicle calculate its heading and report that information in the basic safety message.

(iii) Acceleration

For Acceleration, the agency would require vehicles to report horizontal (longitudinal and lateral) acceleration with an accuracy of 0.3 m/s² and vertical acceleration to 1 m/s². The requirement is based on the need to provide accurate and timely safety alerts for the crash scenarios and corresponding potential safety applications identified in Table III–2. The requirement was obtained by extensively testing commercially-available equipment and automotive sensors in a wide variety of driving environments, and the numbers were proven to be reasonable based on the equipment and sensor capabilities, while also supporting safety alerts from the appropriate safety application at timings that would enable a driver reaction sufficient to avoid the corresponding crash scenario.

(iv) Yaw Rate

Finally, for Yaw Rate, the agency would require vehicles to report this information to an accuracy of 0.5 degrees per second. The requirement is based on the need to provide accurate and timely safety alerts for the crash scenarios and corresponding potential safety applications identified in Table III–2. The requirement was obtained by extensively testing commercially-available equipment and automotive sensors in a wide variety of driving environments, and the numbers were proven to be reasonable based on the equipment and sensor capabilities, while also supporting safety alerts from the appropriate safety application at timings that would enable a driver reaction sufficient to avoid the corresponding crash scenario.

TABLE III–2 POTENTIAL SAFETY APPLICATIONS RELIANT ON ACCELERATION AND YAW RATE INFORMATION

EEBL  FCW  BSW/LCW  IMA  LTA  CLW

Lead Vehicle Stopped ...... ✓ ......
Control Loss without Prior Vehicle Action ...... ✓
Vehicle(s) Turning at Non-Signalized Junctions ...... ✓ ✓ ......
Straight Crossing Paths at Non-Signalized Junctions ...... ✓ ......
Lead Vehicle Decelerating ...... ✓ ✓ ......
Vehicle(s) Changing Lanes—Same Direction ...... ✓ ......
Left Turn Across Path—Opposite Direction ...... ✓ ......
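The heading rules proposed under "(ii) Heading" combine a speed-dependent accuracy requirement with a latch that uses two different thresholds. The sketch below is an added example, not code from the proposal or from SAE; the class and function names are hypothetical, the speed and heading samples are constructed, and falling back to the current GPS heading when no earlier heading exists is an assumption.

```python
"""Heading latch with separate latch/unlatch speeds, plus the accuracy check."""

LATCH_BELOW_MPS = 1.11     # latch the heading when speed drops below this
UNLATCH_ABOVE_MPS = 1.39   # unlatch only once speed exceeds this
HEADING_SPLIT_MPS = 12.5   # above this speed the tolerance tightens to 2 degrees


def heading_tolerance_deg(speed_mps):
    """Required heading accuracy for a given vehicle speed."""
    return 2.0 if speed_mps > HEADING_SPLIT_MPS else 3.0


def heading_error_deg(reported_deg, actual_deg):
    """Smallest angular difference, so 359 and 1 degrees are 2 degrees apart."""
    return abs((reported_deg - actual_deg + 180.0) % 360.0 - 180.0)


def heading_within_tolerance(reported_deg, actual_deg, speed_mps):
    return heading_error_deg(reported_deg, actual_deg) <= heading_tolerance_deg(speed_mps)


class HeadingLatch:
    """Chooses the heading value to place in each outgoing BSM."""

    def __init__(self):
        self.latched = False
        self.held_heading = None  # last heading reported while unlatched
        self.transitions = 0      # number of latch/unlatch state changes

    def update(self, speed_mps, gps_heading_deg):
        if self.latched:
            if speed_mps > UNLATCH_ABOVE_MPS:
                self.latched = False
                self.transitions += 1
        elif speed_mps < LATCH_BELOW_MPS:
            self.latched = True
            self.transitions += 1

        if self.latched and self.held_heading is not None:
            return self.held_heading  # heading from before the speed dropped
        # Unlatched, or latched at start-up with nothing to hold (assumption):
        # report the GPS heading and remember it.
        self.held_heading = gps_heading_deg
        return gps_heading_deg


def single_threshold_transitions(speeds, threshold=LATCH_BELOW_MPS):
    """State changes a one-threshold latch would make on the same speeds."""
    states = [s < threshold for s in speeds]
    return sum(a != b for a, b in zip(states, states[1:]))


# Constructed samples: speed hovers around the thresholds while the
# GPS-derived heading becomes noisy at low speed.
SAMPLES = [(2.0, 90.0), (1.2, 91.0), (1.0, 140.0), (1.3, 20.0),
           (1.05, 300.0), (1.3, 10.0), (1.5, 95.0), (1.2, 96.0)]


def replay(samples):
    """Run the latch over (speed, gps_heading) samples."""
    latch = HeadingLatch()
    reported = [latch.update(speed, heading) for speed, heading in samples]
    return reported, latch.transitions


if __name__ == "__main__":
    headings, changes = replay(SAMPLES)
    print(headings, changes, single_threshold_transitions([s for s, _ in SAMPLES]))
```

On the constructed samples the two-threshold latch changes state twice, while a single threshold at 1.11 m/s would change state four times and pass noisy low-speed headings through in between.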

(e) Additional Event Based Information

In addition to the information discussed thus far, the agency would require additional data conveying the transmitting vehicle’s path history, future predicted path, and exterior lights status to also be transmitted as part of the Vehicle Safety Extension (Part II) for V2V safety communications. The data element, Event Flags, shall also be transmitted as long as a defined event is active. For exterior lights status and other, similar data where access to the vehicle databus may be necessary, the agency assumes all integrated devices will have access to this information. Aftermarket, standalone devices may or

144 ‘‘Latch’’ in this context refers to a software operation that holds a value in memory and attached to a specific variable as long as a specified condition is reached and maintained.

145 See Mazzae, E.N., Garrott, W.R., (2006) Experimental Evaluation of the Performance of Available Backover Prevention Technologies. National Highway Traffic Safety Administration, DOT HS 810 634.

146 The speed threshold for unlatching the vehicle heading is different from the speed threshold for latching. The reason for the latching speed to be lower than the unlatching speed is because a system should not need to latch and unlatch the vehicle heading repeatedly when the vehicle speed is hovering around a given threshold speed (e.g., 1.11 m/s). By having different (but similar) speeds for latching and unlatching, the system will be able to latch the speed once when the vehicle is decelerating and unlatch once when the vehicle is accelerating without having to repeat the action multiple times if there are vehicle speed fluctuations during the vehicle’s general acceleration or deceleration trend.
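The latching behaviour that footnotes 144 and 146 describe, as an added example that is not part of the proposed rule: the same constructed speed trace is run once with separate latch and unlatch speeds and once with a single threshold. The 1.11 m/s latch speed comes from the text; the unlatch speed, the trace and the function name are assumptions made for the illustration.

```python
LATCH_BELOW_MPS = 1.11    # from the proposal: latch the heading below 1.11 m/s
UNLATCH_ABOVE_MPS = 1.40  # ASSUMPTION: placeholder, the unlatch speed is not given here

# Constructed trace of (speed in m/s, raw GNSS heading in degrees). A vehicle
# heading east slows to a stop with some speed jitter, then pulls away again.
# At very low speed the raw GNSS heading is effectively noise.
TRACE = [
    (3.0, 90), (2.0, 90), (1.3, 91), (1.05, 140), (1.18, 30), (1.02, 200),
    (1.20, 75), (1.08, 310), (1.25, 95), (0.6, 12), (0.0, 250), (0.0, 180),
    (0.5, 66), (1.0, 120), (1.2, 100), (1.05, 85), (1.3, 92), (1.6, 91),
    (2.5, 90),
]


def reported_headings(trace, latch_below=LATCH_BELOW_MPS,
                      unlatch_above=UNLATCH_ABOVE_MPS):
    """Return (headings to put in the BSM, number of latch/unlatch actions)."""
    latched = False
    held = None          # last heading seen while not latched
    actions = 0
    out = []
    for speed, heading in trace:
        if not latched and held is not None and speed < latch_below:
            latched = True           # freeze the last good heading
            actions += 1
        elif latched and speed > unlatch_above:
            latched = False          # fast enough to trust GNSS heading again
            actions += 1
        if not latched:
            held = heading
        out.append(held)
    return out, actions


if __name__ == "__main__":
    with_gap, n_gap = reported_headings(TRACE)
    single, n_single = reported_headings(TRACE, unlatch_above=LATCH_BELOW_MPS)
    print("two thresholds :", n_gap, "actions", with_gap)
    print("one threshold  :", n_single, "actions", single)
```

With one threshold the jitter around 1.11 m/s releases the latch several times and noisy headings reach the message; with the gap the heading is latched once and released once.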


may not be able to access this information.

(i) Path History

Path history, which provides an adaptable, concise representation of a vehicle’s recent movement over some period of time and/or distance, consists of a sequence of positions selected to represent the vehicle’s position within an allowable error. The path history can be used not only by safety applications on the transmitting vehicle, but also by other vehicles, which can use this information to predict the roadway geometry and for target vehicle classification with reference to the roadway.

For the Path History (PH) data frame, the agency would require that the vehicle use a history of its past GNSS locations (as dictated by GNSS data elements including UTC time, latitude, longitude, heading, elevation, etc.), sampled at a periodic time interval (typically, 100 ms) and interpolated in-between by circular arcs, to represent the vehicle’s recent movement over a limited period of time or distance. Path history points should be incorporated into the Path History data frame such that the perpendicular distance between any point on the vehicle path and the line connecting two consecutive PH points shall be less than 1 m. In this way, the points present in the path history will concisely represent the actual path history of the vehicle based on the allowable position error tolerance (1 m) between the actual vehicle path and its concise representation. Objective testing of applications as part of the VSC–A Project showed that a PH error tolerance of 1 m satisfies the needed accuracy for target vehicle classification and meets the performance requirements of the safety applications that were developed and demonstrated.

For the subset of the available vehicle path position data elements, a minimum number of PH points necessary to satisfy the required error tolerance between the vehicle path and its PH representation (1 m) should be selected to populate the Path History data frame. Populating the Path History data frame with the minimum number of PH points possible offers significant savings in over-the-air wireless bandwidth when transmitting the PH information to other vehicles wirelessly. Additionally, vehicles should report the minimum number of PH points so that the represented PH distance (i.e., the distance between the first and last PH point) is at least 300 m and no more than 310 m, unless initially there is less than 300 m of PH. We believe that this range is appropriate because the operational range for DSRC is approximately 300 m, and the maximum required signal range for safety applications currently under development is 300 m. However, if the number of PH points needed to meet both the error and distance requirements stated above exceeds the maximum allowable number of points (23), the Path History data frame shall be populated with only the 23 most recent points from the computed set of points. Effectively, the distance requirement shall be relaxed in order to reduce over-the-air bandwidth.

Lastly, to ensure the most accurate representation of the vehicle’s current trajectory, the Path History data frame shall be populated with time-ordered PH points, with the first PH point being the closest in time to the current UTC time, and older points following in the order in which they were determined. And, so as to permit safety applications to operate properly, the Path History data frame shall not include any additional data elements/frames in the BSMs intended for vehicle safety communications.

(ii) Path Prediction

Not only is it important to determine where a vehicle has been, it is also useful for safety applications to know where a vehicle is headed, or its future path. This future trajectory estimation can significantly enhance in-lane and out-of-lane threat classification.

Trajectories in the Path Prediction (PP) data frame are represented, at a first order of curvature approximation, as a circle with a radius, R, and an origin located at (0,R), where the x-axis is aligned with the transmitting vehicle’s perspective and normal to the vehicle’s vertical axis. The vehicle’s (x,y,z) coordinate frame follows the SAE convention. The radius, R, will be positive for curvatures to the right when observed from the transmitting vehicle’s perspective, and radii exceeding a maximum value of 32,767 are to be interpreted as a ‘‘straight path’’ prediction by receiving vehicles.

The radius, R, can be derived using various means, including map databases, vision systems, global positioning, etc. Alternatively, simple physics equations can be used to compute a curvature based on instantaneous dynamics information (vehicle speed and rate of change of heading, or yaw rate) provided by the vehicle. This curvature can then be extrapolated forward (as a continuous radius of curvature) to provide an estimate of the vehicle’s likely intended future trajectory, or path. To minimize the effect of sensor noise and in-lane driver wandering, however, it is also necessary to use low-pass filtering techniques (time constant greater than 2 ms typically) in instances where the radius is derived from instantaneous vehicle information, such as from rate sensors and velocity.

Confidence in the predicted path based on the rate of change of the vehicle dynamics can also be computed in order to infer non-steady-state conditions, such as those stemming from lane changes, curve entry and exit points, curve transitions, and obstacle avoidance, where large changes in vehicle yaw rate occur over a short period of time. In such situations, path estimations may be largely inaccurate and, as such, confidence levels would be low. Conversely, a high confidence value would be reported during steady-state conditions (straight roadways or curves with a constant radius of curvature).

When a device is in steady state conditions over a range from 100 m to 2,500 m in magnitude, the agency is proposing to require that the subsystem populate the PP data frame with a calculated radius that has less than 2% error from the actual radius. The agency believes that this range and error rate is appropriate to ensure the effectiveness of safety applications that rely on such information. For the purposes of this performance requirement, steady state conditions are defined as those which occur when the vehicle is driving on a curve with a constant radius and where the average of the absolute value of the change of yaw rate over time is smaller than 0.5 deg/s².

After a transition from the original constant radius (R1) to the target constant radius (R2), the subsystem shall repopulate the PP data frame within four seconds under the maximum allowable error bound defined above.

Lastly, when the transmitting vehicle is stationary, we propose requiring that a device report a ‘‘straight path’’ radius of value 32,767 and confidence value of 100%, which corresponds to a value of 200 for the data element.

(iii) Exterior Lights

For the Exterior Lights data element, the agency is proposing to require that the subsystem shall set the individual light indications in the data element to be consistent with the vehicle status data that is available. If meaningful values are unavailable, or no light indications will be set, the data element should not be transmitted.

The data element, Exterior Lights, provides the status of all exterior lights on the vehicle, including parking lights,


headlights (including low and high beam, and automatic light control), fog lights, daytime running lights, turn signal (right and left), and hazard signals. This information can be used not only to enhance the operation of safety applications running on the transmitting vehicle, but it can similarly be used by other vehicles within range of receiving messages sent by the transmitting vehicle.

(iv) Event Flags

The data element, Event Flags, conveys the sender’s status with respect to safety-related events such as antilock brake system (ABS) activation, stability control activation, hard braking, and deployment, among others. Similar to that mentioned for the Exterior Lights data element, the additional information conveyed in the Event Flags data element can serve to augment the other BSM information used by applications when determining whether to issue or suppress warnings. Furthermore, because the inclusion of the Event Flag data element suggests that an unusual, safety-related event has occurred, vehicles receiving a message containing an Event Flag element may choose to process it differently than a message that does not.

The Event Flags and respective criteria the agency is proposing to require in the BSM are defined in SAE J2735 as follows:
• ABS Activation: The system is activated for a period of time exceeding 100 ms in length and is currently active.
• Stability Control Activation: The system is activated for a period of time exceeding 100 ms in length and is currently active.
• Hard Braking: The vehicle has decelerated or is decelerating at a rate of greater than 0.4 g.
• Air Bag Deployment: At least one air bag has been deployed.
• Hazard Lights: The hazard lights are currently active.
• Stop Line Violation: The vehicle anticipates that it will pass the line without coming to a full stop before reaching it.
• Traction Control System Activation: The system is activated for a period of time exceeding 100 ms in length and is currently active.
• Flat Tire: The vehicle has determined that at least one tire has run flat.
• Disabled Vehicle: The vehicle considers itself to be disabled.
• Lights Changed: The status of the external lights on the vehicle has changed recently.
• Wipers Changed: The status of the front or rear wipers on the vehicle has changed recently.
• Emergency Response: The vehicle is a properly authorized public safety vehicle, is engaged in a service call, and is currently moving. Lights and/or sirens may not be evident.
• Hazardous Materials: The vehicle is known to be carrying hazardous materials and is labeled as such.

If a stated criterion is met, the sender shall set the Event Flag to 1. If, and only if, one or more of the defined Event Flags are set to 1, the subsystem shall transmit a BSM with the corresponding Event Flags within 250 ms of the initial detection of the event at the sender. The Event Flags data element shall be included in the Vehicle Safety Extension data frame for as long as an event is active. Messages containing Event Flags may also include related optional data. When one or more criteria associated with an event are no longer satisfied, the sender shall set the flag to zero in any Event Flag data element that it sends.

The agency is requesting comment on the appropriateness of each of the Event Flags and corresponding criteria described above.

(f) Vehicle Based Motion Indicators

In addition to describing the location and the motion of vehicles, the device can use other pieces of information to verify state and motion, if the device has access. The agency assumes all integrated devices will have access to this information. Aftermarket, standalone devices may or may not be able to access this information. This type of information in the basic safety message can collectively identify operational status and motion that can be used to confirm calculated position and future position of surrounding vehicles. Thus, it helps safety applications determine whether a potential crash imminent situation could exist. Two pieces of information help fulfill this objective. They are the Transmission State and Steering Wheel Angle data elements. The Transmission State provides an indication concerning the operational direction of the vehicle in relation to its reference point. This information puts the speed, heading, location, etc. information into context. The steering wheel angle (which is not the same as the vehicle heading because this indicates the direction of the steering wheel control itself and not the vehicle) is a data element that indicates which way the wheels are turned, providing another possible indication of direction (in some cases the vehicle’s wheels can be turned, however, the vehicle could be skidding in a different direction.).

(i) Transmission State

This data element would require that vehicles report whether they are in a gear in the forward or reverse (or neutral) direction. We tentatively believe that the relevant information for a safety application is whether the vehicle is in gear to begin moving; and if so, whether it will do so in the forward or reverse direction. Thus, our proposal currently does not include any requirement for reporting the gear ratios of the vehicle.

(ii) Steering Wheel Angle

This data element would require that vehicles report the direction of the steering wheel angle to within 5 degrees of the actual steering wheel angle. Here, we are seeking to use another element to confirm actual heading of the vehicle. Thus, the Steering Wheel Angle data element describes the movement of the steering wheel itself (i.e., it does not consider how such movement would affect the direction of the tires). Taking into account steering wheel angle provides a check of the position and motion calculations based on the actual state of the vehicle. We tentatively believe that expressing the steering wheel angle to an accuracy of 5 degrees is sufficient because we believe that a 6 degree change in steering wheel direction provides an indication of vehicle direction.147 In other words, steering wheel angle changes of less than 6 degrees can be small adjustments in steering used to maintain current heading. However, steering wheel angle changes greater than 6 degrees result in a measurable change in actual heading of the vehicle. Thus, we tentatively conclude that an accuracy of 5 degrees would be sufficient to confirm (check plausibility) actual heading of the vehicle; i.e., if the actual heading is left, are the wheels also turned to the left.

(g) Vehicle Size

This data element is also an element that is fundamental for a safety application’s determination of whether a crash scenario might occur. In addition to knowing where a vehicle is, the characteristics of its motion (to predict where the vehicle will be in the near future), and some aspects of the

147 NHTSA’s past research used 6 degree changes in steering input to indicate a situation in the research project where the test driver intended to conduct a maneuver. See NHTSA Light Vehicle Antilock Brake System Research Program Task 5.2/5.3: Examination of Drivers’ Collision Avoidance Behavior Using Conventional and Antilock Brakes, DOT HS 809 561, March 2003, page 32.
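An added sketch, not part of the proposed rule or of SAE J2735, of how a sender could fill the Path History and Path Prediction data frames described in (i) and (ii) above: the fewest PH points within the 1 m tolerance out to 300 m with the 23-point cap, and a radius from speed and yaw rate with the straight-path and stationary cases. The local x/y coordinates, the greedy chord search over samples, the filter constant, the 10 cm radius unit, the yaw-rate sign and the two-level confidence are assumptions of this example.

```python
import math

PH_TOLERANCE_M = 1.0       # allowed offset between the driven path and a PH chord
PH_MIN_DISTANCE_M = 300.0  # represented distance to reach when history allows
PH_MAX_POINTS = 23         # most points the Path History data frame may carry
PP_STRAIGHT = 32767        # radius value read as "straight path"
PP_CONF_100 = 200          # data element value for 100% confidence
PP_UNITS_PER_M = 10        # ASSUMPTION: radius carried in 10 cm units
STEADY_DPS2 = 0.5          # steady state: mean |change of yaw rate| under 0.5 deg/s^2


def offset_from_chord(p, a, b):
    """Distance in metres from sample p to the chord a-b (local x/y, ASSUMPTION)."""
    (ax, ay), (bx, by), (px, py) = a, b, p
    dx, dy = bx - ax, by - ay
    seg2 = dx * dx + dy * dy
    if seg2 == 0.0:
        return math.hypot(px - ax, py - ay)
    t = max(0.0, min(1.0, ((px - ax) * dx + (py - ay) * dy) / seg2))
    return math.hypot(px - (ax + t * dx), py - (ay + t * dy))


def select_path_history(samples):
    """Pick PH points from (x, y) samples given oldest first; returns newest first."""
    pts = samples[::-1]
    ph, anchor, represented = [pts[0]], 0, 0.0
    for i in range(1, len(pts)):
        fits = all(offset_from_chord(pts[k], pts[anchor], pts[i]) < PH_TOLERANCE_M
                   for k in range(anchor + 1, i))
        if not fits:
            # pts[i-1] was the farthest sample this chord reached within 1 m
            represented += math.dist(pts[anchor], pts[i - 1])
            anchor = i - 1
            ph.append(pts[anchor])
        if represented + math.dist(pts[anchor], pts[i]) >= PH_MIN_DISTANCE_M:
            ph.append(pts[i])            # 300 m represented: close the history
            break
    else:
        if ph[-1] != pts[-1]:            # under 300 m of history: end at oldest sample
            ph.append(pts[-1])
    return ph[:PH_MAX_POINTS]            # over the cap: only the 23 most recent


def path_prediction(speed_mps, yaw_dps, dt_s=0.1, alpha=0.2):
    """Return (radius value, confidence value) for the PP data frame.

    yaw_dps: recent yaw-rate samples in deg/s, oldest first, positive when
    turning right (ASSUMPTION). Confidence is reduced to two levels here,
    200 in steady state and 0 otherwise (ASSUMPTION, no mapping is given).
    """
    if speed_mps == 0.0:
        return PP_STRAIGHT, PP_CONF_100  # stationary: straight path, 100%
    filtered = yaw_dps[0]
    for w in yaw_dps[1:]:                # first-order low-pass filter
        filtered += alpha * (w - filtered)
    change = sum(abs(b - a) for a, b in zip(yaw_dps, yaw_dps[1:]))
    steady = len(yaw_dps) < 2 or change / ((len(yaw_dps) - 1) * dt_s) < STEADY_DPS2
    omega = math.radians(filtered)
    units = PP_STRAIGHT if omega == 0.0 else round(speed_mps / omega * PP_UNITS_PER_M)
    if abs(units) >= PP_STRAIGHT:
        units = PP_STRAIGHT              # beyond the maximum: straight path
    return units, (PP_CONF_100 if steady else 0)


def arc_samples(radius_m, step_m, count):
    """Constructed input: (x, y) samples, oldest first, along a circular arc."""
    return [(radius_m * math.sin(i * step_m / radius_m),
             radius_m * (1 - math.cos(i * step_m / radius_m))) for i in range(count)]


if __name__ == "__main__":
    for radius, step, n in ((100.0, 2.0, 200), (20.0, 1.0, 400)):
        ph = select_path_history(arc_samples(radius, step, n))
        print(f"R={radius:5.0f} m -> {len(ph)} PH points")
    print("PP at 20 m/s, 0.1 rad/s:", path_prediction(20.0, [math.degrees(0.1)] * 10))
    print("PP when stationary     :", path_prediction(0.0, [0.0]))
```

On the 20 m radius the error tolerance alone would need more than 23 points to reach 300 m, so the output shows the cap relaxing the distance requirement.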


driver’s intent, a safety application needs to know how large the vehicle is in order to know whether a crash might occur. However, we also acknowledge that this data element has more potential privacy impacts than other data elements. As further discussed in this document, the V2V information environment uses multiple strategies to omit as much potentially identifying information as possible in the basic safety message, security credentials, etc. However, we acknowledge that if the vehicle size information is too specific, it could potentially facilitate an effort to identify basic safety messages to a particular vehicle over time. The agency believes the performance metric for this data element balances not only the safety need for accurate information about the vehicle size, but also the privacy needs of the driver.

Thus, we tentatively believe that having a 0.2 m tolerance is an appropriate balancing of those competing interests. This level of specificity meets the need to identify the physical extent of the vehicle for crash avoidance given that vehicle size is to be rounded up which will still provide for the appropriate calculation of a warning such that the driver can take appropriate action to avoid a crash. The additional size for some vehicles will only present an insignificant amount of additional warning time (0.0022 seconds at 25 mph to 0.007 seconds at 65 mph using a 3 second time to collision baseline) that will be transparent to all drivers.

In addition to considering different tolerances for the vehicle length and width data elements, another option is to use vehicle size categories or only express the vehicle length and width in increments of a given value. For example, requiring that the vehicle length be expressed in only increments of 0.2 m would mean that a vehicle with a 10.12 m length and a vehicle with a 10.01 m length would have the same value of 10.2 for the vehicle length in the basic safety message. This type of requirement could have the advantage of aggregating many different vehicles into particular size categories and potentially help discourage identifying a basic safety message to a particular vehicle. We request comment on these potential options (i.e., not only the potential tolerances for these data elements but also the potential to use size categories).

(h) Optional Data Elements

SAE J2735 also contains a variety of additional data elements that the agency is not proposing requirements for in this notice. We tentatively believe that these data elements are elements that may be useful in safety applications that may be used by various suppliers to enhance the operation of an application to issue a warning or suppress a warning. While these data elements will add more information on a status of the vehicle (especially with regard to whether a vehicle is under control), we do not currently have enough information to determine how such information might be applied to an application and thus tailor such information to that application (or applications). Thus, we tentatively believe it is premature to propose requirements for these data elements but are preserving the possibility for these data elements to potentially be employed to ensure future interoperability as technology evolves. The agency is proposing to require that devices either adhere to SAE J2735 for these data elements, or transmit the ‘‘unavailable’’ data value for each of these elements (in accordance with SAE J2735). These data elements are:
• Brake applied status
• Traction control state
• Stability control status
• Auxiliary brake status
• Antilock brake status
• Brake boost applied
• Location Accuracy

(i) Excluded Data Elements

When identifying the data elements to include in the BSM, the agency considered those that would be needed to support possible future applications and the suppression of warnings to reduce the number of false positive warnings. The use of some applications may be limited only to authorized vehicles—for example, only law enforcement and emergency vehicles might have access to an application providing traffic signal priority or preemption for emergency or enforcement purposes. To support identification of authorized vehicles, the agency considered including in the BSM optional elements such as the Vehicle Identification Data Field, which includes: VIN string, Owner code, Temporary ID, and Vehicle type. These data elements could identify and verify an emergency or law enforcement vehicle to a traffic control device for signal preemption purposes. However, our privacy experts identified VIN and other data elements directly linked to specific private vehicles and their owners as potential sources of privacy risk to individuals.

To help reduce the privacy risk that could stem from the transmission of information that could be used to associate V2V messages with individual consumers, our proposal excludes certain data elements from transmission as part of the BSM. Specifically, V2V transmissions via DSRC or any future interoperable V2V communications technology may not include data directly identifying a specific private vehicle or individual regularly associated with it, or data reasonably linkable or linkable, as a practical matter, to an individual.148 NHTSA intends for the terms ‘‘reasonably linkable’’ and ‘‘as a practical matter linkable’’ to have the same meaning, specifically: Capable of being used to identify a specific individual on a persistent basis without unreasonable cost or effort, in real time or retrospectively, given available data sources.

NHTSA seeks comment on these tentative conclusions. Specifically, we request comment on our proposed exclusion from the BSM of data elements that directly identify, or are reasonably linkable or linkable as a practical matter, to a private individual. Do commenters have thoughts on whether, as a practical matter, any data element (or combination of data elements) currently proposed as part of the BSM is reasonably linkable to an individual on a persistent basis? We seek comment on whether this aspect of NHTSA’s proposal appropriately balances consumer privacy with safety—or whether, by declining to identify definitively those data elements that are, or may be, ‘‘reasonably linkable’’ to an individual (and therefore must be excluded from the BSM under NHTSA’s proposal), NHTSA will undermine the NPRM’s overarching goal of establishing a standardized data set for the BSM and providing adequate data for safety applications.

(2) Proposed BSM Data Initialization Requirements

In addition to the content of the basic safety message, we are aware that participants in the V2V Safety Pilot have included data persistency performance in their on-board V2V systems in order to minimize the time needed for vehicles to begin transmitting basic safety messages after the vehicle starts up.

The advantage of doing so is that when the vehicle starts up, it already has information about its last known location, heading, etc. that was accurate when it shut down. The premise is that upon device startup, the device could begin transmitting sooner rather than waiting for new information, such as receiving a new heading or calculating

148 See FN 3 above.


path history, both of which would require the device to acquire GPS data and start moving. In many instances, this would reduce the time to initialize the first (after startup) transmission of the BSM. As the vehicle most likely did not travel while it was shut down, the information it saved during shut down should still be accurate upon startup. However, there could be scenarios when the last known heading and path history will be inaccurate, such as when parking ‘‘head’’ or ‘‘tail’’ in (higher frequency) or if the vehicle has been towed (hopefully, very low frequency).

NHTSA recognizes that the practice of saving vehicle data over vehicle on-off-on events is typically used to enhance feature performance, improving consumer acceptance. However, NHTSA does not believe at this time that a minimum requirement for data persistency is needed, nor that we need to identify specific data elements that should be stored upon shutdown and retrieved at startup.

Based on the available information, we currently agree with the research to date that minimizing the time it takes for a vehicle to begin transmitting the basic safety message is desirable as it helps ensure that vehicles will be providing information into the V2V environment as soon as possible after they begin moving. We also agree with the research to date that including data persistency performance in vehicle V2V systems is a good way to accomplish this task.

Instead, the agency’s proposal would require that vehicles begin transmitting basic safety messages within a specified amount of time after startup without specifying the method that a manufacturer would choose to meet that requirement. While a manufacturer may use data persistency techniques to meet the performance requirement, we believe that this method for achieving the safety goal appropriately gives the manufacturer more design flexibility.

While the basic safety message transmitted from one vehicle can be useful to other vehicles when the vehicle is stationary, we currently believe that (at a minimum) the vehicle should begin transmitting basic safety messages at a time when we might reasonably expect people to begin driving their vehicle after getting into it. In other words, our current thinking is that the vehicle should begin transmitting before the vast majority of drivers begin driving the vehicle.

The proposed requirements are that a vehicle shall begin transmitting the basic safety message within 2 seconds after a vehicle key on event has occurred. This proposed requirement is based on the final performance requirement associated with FMVSS No. 111 for rear visibility systems. While a V2V system and rear visibility system are not identical, the agency believes the research and decisions leading to finalizing the two second system startup requirements are fungible to V2V and the overarching safety goal.

In NHTSA’s rear visibility rulemaking, our naturalistic driving data indicated that 90% of drivers do not select reverse and begin the backing maneuver less than 4.25 seconds after opening the vehicle door.149 While in this case, the safety technology proposed for the vehicle is not one that would only be used when the vehicle is traveling in reverse, we believe that the data is a reasonable proxy for when drivers would put the vehicle in gear (forward or reverse) and begin driving. Since our safety goal in this situation is to ensure that the vehicle is transmitting the basic safety message before the vehicle begins to move, we believe that using a performance requirement based on the rear visibility rule’s image response time requirement (and test procedure) would be appropriate.

While based on FMVSS No. 111, this proposed requirement for V2V initialization time would need to adjust the test procedure in a few ways to account for the characteristics of a vehicle’s V2V system. First, we note that a vehicle’s V2V system needs to be active whether the vehicle is moving in reverse or moving forward. Thus, the test procedure and requirements should not be based solely on reverse gear. Second, while the temperature condition of the test would affect the rear visibility system display’s response time, the temperature condition is not as relevant for a vehicle’s V2V system. Instead, the test should specify environmental conditions that approximate the level of access to characteristics of its surrounding environment that a vehicle would normally have to populate the information in the basic safety message (e.g., open sky access to GPS signals, potential saved location/heading information from the basic safety messages prior to vehicle shutdown, etc.). Thus, the preconditioning test applied to the vehicle would need to be modified in these ways.

In summary, NHTSA is proposing to require that, after a conditioning procedure, vehicles begin transmitting basic safety messages with the required content and at the required frequency within 2.0 seconds after the driver puts the vehicle into the forward or reverse gear. The conditioning procedure would specify that the vehicle is under open sky conditions as in our test procedure for evaluating the content of the basic safety message. Then the procedure would specify that the test technician:
• Drives the vehicle in any heading at any speed for five minutes;
• stops the vehicle and deactivates the vehicle for any amount of time between 30 minutes to an hour;
• checks to ensure that the V2V system components are in a powered off state;
• opens the driver’s door to any width,
• closes the driver’s door;
• activates the starting system using the key; and
• selects any gear (forward or reverse) at any time not less than 4.0 seconds and not more than 6.0 seconds after the driver’s door is opened. The driver door is open when the edge of the driver’s door opposite of the door’s hinge is no longer flush with the exterior body panel.

We acknowledge that this procedure may not be representative of a small number of real-world scenarios. For example, if a vehicle is in a parking structure like a garage, it might not have access to open skies. However, for these instances we do not think that there is any practicable way for the vehicle to ascertain its position quickly using GPS. Thus, we cannot determine a way to ensure that a test specifying those conditions would be a practicable test.

We also note that the proposed procedure does not include moving the vehicle between shut down and startup. While vehicles might be moved when shut off, we think those are special circumstances (e.g., when the vehicle is towed). Those conditions are a small portion of real-world scenarios and they are situations where the driver is likely to spend more time with the car active before encountering other vehicles (e.g., when starting up in a towed vehicle lot, the vehicle may not interact with other moving vehicles until it reaches the roadway).

We request comment on our proposal for helping to ensure that vehicles begin broadcasting basic safety messages before a vehicle begins to move. More specifically, NHTSA requests comments in relation to whether a data persistency requirement is needed, and specifically in relation to:
• Supporting the interoperability of V2V devices;
• The performance of BSM transmission and how data persistency can be used to properly reduce the time of the initial transmission; and
• The possible impacts to crash avoidance functionality.

149 See 79 FR 19220.


Please provide any supporting evidence that the agency can use to make an informed decision.

(3) Summary Table of BSM Content Requirements

TABLE III–3—SUMMARY OF BSM CONTENT REQUIREMENTS 150

| Requirement | Proposal | Basis | Applicable standards | Reason |
|---|---|---|---|---|
| Message Packaging | Message ID—(2) for BSM. Message Count—sequence No. Temp ID—random No. from specific device. | Preliminary elements need to ID, process, and sequence BSMs. | SAE J2735 | Allows device to interpret message and obtain safety information. |
| Time | Use UTC standard to set time. | UTC is accepted standard for setting universal system time. | SAE J2735, J2945/1 | Need time standard to relate messages to time critical conflict situations. |
| Position (Longitude & Latitude) | Longitude and Latitude within 1.5m of actual position at HDOP <5 and 1 sigma absolute error. | Per CAMP research to develop relationship between measurable absolute position and relative position. | SAE J2735, J2945/1 | Provides for accurate relative vehicle position need to support crash avoidance—(CAMP). |
| Position (Elevation) | 3m (10 feet) (more difficult to calculate than lat/long). | Accurate elevation reduces false positives—SPMD. | SAE 2735, J2945/1 | 3m provides for low bridges and changes in grade for crash avoidance. |
| Movement (Speed) | Accurate within 0.28 m/s (1 kph). | Same as EDR rule—tighter accuracy than identified by CAMP. Changed to be consistent with existing standard. | SAE J2735, J2945/1 | The setting is based on the need to provide accurate and timely safety alerts. The setting was obtained by extensively testing commercially available equipment and automotive sensors in a wide variety of driving environments. |
| Movement (Heading) | Speed >12.5 m/s accuracy within 2 degree—Speed >12.5 m/s within 3 degrees. | Research indicates that above 12.5 m/s sensors and vehicle dynamics can support 2 degrees—under 12.5 m/s can support 3 degrees. | SAE J2735, J2945/1 | Same as above. |
| Movement (Acceleration) | Longitudinal & Lateral accuracy 0.3 m/s²—Vertical accuracy 1 m/s. | CAMP research and testing. | SAE J2735, J2945/1 | Same as above. |
| Movement (Yaw rate) | Accuracy within 0.5 degrees per second. | CAMP | SAE J2735, J2945/1 | The setting is based on the need to provide accurate and timely safety alerts. The setting was obtained by extensively testing commercially available equipment and automotive sensors in a wide variety of driving environments. |
| Vehicle Motion Indicator (Transmission) | Report if vehicle is in forward or reverse gear, or neutral. | CAMP | SAE J2735, J2945/1 | Same as above. |
| Vehicle Motion Indicator (Steering Wheel Angle) | Report the direction of steering wheel angle within 5 degrees of actual. | CAMP | SAE J2735, J2945/1 | Same as above. |
| Vehicle Size | Vehicle length and width within 0.2m tolerance. | CAMP and MITRE privacy research. | SAE J2735, J2945/1 | Balance the need to know the physical extent of the vehicle for crash avoidance and still protect privacy. |

150 NHTSA intends for the BSM Content Requirements identified in Table III–3 to be in accordance with the proposal’s overarching requirement that BSMs may not contain data elements linked or reasonably linkable to an individual.


TABLE III–3—SUMMARY OF BSM CONTENT REQUIREMENTS 150—Continued

| Requirement | Proposal | Basis | Applicable standards | Reason |
|---|---|---|---|---|
| Excluded Data Elements: No data elements directly or, as a practical matter, linkable to a specific individual or vehicle (including but not limited to VIN string, Owner code, Temporary ID, Vehicle Type). | Mandate that these optional data element cannot be populated for device in privately owned light vehicles. | MITRE privacy research | SAE J2735, J2945/1 | To protect consumer privacy by reducing privacy risk. |
| Path History | Provides concise representation of vehicles recent movements with accuracy of min 23 points and required to be transmitted with BSM. | CAMP research to support crash avoidance. | SAE J2735, J2945/1 | Use in calculations to identify vehicle conflict situations. |
| Path Prediction | Perpendicular Distance—1M; Radius error—2%; Transmission Time 4s. | CAMP research | SAE J2735, J2945/1 | The setting is based on the need to provide accurate and timely safety alerts. The setting was obtained by extensively testing commercially available equipment and automotive sensors in a wide variety of driving environments. |

3. Message Signing and Authentication

(a) Purpose and Safety Need for Confidence in the BSM

As discussed previously, V2V safety applications can utilize the data in the basic safety message (such as position, heading, and speed) about other vehicles around it to determine whether it and another vehicle are in danger of crashing. In other words, a safety application would determine whether it is necessary to take action (e.g., issue a warning) based on the information coming from another, nearby vehicle. Even in a warning system, it is important for safety applications to have accurate information available to make their decisions. Incorrect warnings can (at worst) directly increase safety risks and (at minimum) affect the driver’s acceptance of the warning system. If the driver of a V2V-equipped vehicle receives a large number of warnings when there is no crash imminent situation (i.e., false warnings), then the driver may lose confidence and not respond appropriately when there is a true crash-imminent situation.

Thus it is important that the safety application can place as much confidence as possible in the data contained within BSM messages and detect when messages are modified or changed while in transit. To help improve the level of confidence in BSM messages the agency’s primary message authentication proposal describes a Public Key Infrastructure (PKI) approach to message authentication.

In addition, two alternatives are presented for comment. The first alternative for message authentication set out for comment is less prescriptive and defines a performance-based approach rather than a specific architecture or technical requirement. The second alternative set out for comment stays silent on message authentication and does not specify a message authentication requirement, leaving authentication at the discretion of V2V device implementers.

(b) Public Key Infrastructure Proposal

The agency is proposing to mandate requirements that would establish a message authentication approach based on a Security Credential Management System (SCMS) that uses Public Key Infrastructure (PKI) digital signatures to sign and verify basic safety messages. This would include requiring devices to sign each message, send a valid certificate with each message, and periodically obtain up-to-date security materials.

(1) How does the Public Key Infrastructure validate messages?

When transmitting a BSM, the sender uses a security certificate issued by a certificate authority to digitally sign each BSM. The security certificate is composed of the following elements:
• A date range describing the validity period for the certificate
• A Public key corresponding to a private key
• Digital signature from a certificate authority

When a nearby device receives a properly formed BSM, it can use the certificate included in the BSM to verify that the digital signature in the BSM is valid. Furthermore, the receiving device can also verify that the security certificate included in the BSM is valid as well. The receiving vehicle can verify that the certificate included in the BSM is digitally signed by the certificate authority that issued it to the sending device. The receiving device should already have a copy of the authorizing certificate for the authority stored on-board. In the event that it does not, the receiving device would need to request the authorizing certificate from the sending device. Once the authorizing certificate is obtained, the receiving device can verify that the certificate authority is valid and the certificate used to sign the BSM is also valid. This process can be repeated for any number of certificate authorities that are in the PKI hierarchy, up to the root certificate authority, which authorizes the entire system. This process allows receiving devices to verify a sender’s credentials. For detailed information on the proposed Security Credential Management System, see Hehn, T., et al., ‘‘Technical Design of the Security Credential Management System’’, 2014, Docket No. NHTSA–2015–0060–0004.

The SCMS organization certifies that a device is indeed authorized to participate in the V2V environment and then issues credentials to the device. Thus, a receiving device can have more confidence in the information contained in a BSM message because it knows that the SCMS previously confirmed the sender is an approved device and issued these credentials.

In addition to the SCMS device certification, a device also needs to properly sign the basic safety message. The following sections discuss how the device utilizes the certificates from the SCMS and how the agency can confirm that devices are doing so.

(a) Signing the Basic Safety Message for Transmission

The process for signing the basic safety message involves the use of two ‘‘keys,’’ one public and one private.151 The signature process uses the private key and an original string of numbers as inputs to generate an encoded string of numbers (an otherwise meaningless set of numbers). The public key associated with that private key is then used by the signature verification process to reverse the signature process (i.e., take the encoded string of meaningless numbers and reverse it to generate the original string of numbers). Therefore, the receiving device takes the information from the sending device and (using the characteristics of these equations) can verify the signature of the sender.152

The agency employed this signing process in V2V devices used throughout its research activities, and it was proven through the Safety Pilot Model Deployment activity. Devices in these activities have been signing the basic safety message and constructing the security credentials of the message by combining the message content with the certificate, the signature, and the time stamp of the information.

Table III–4 shows how the public key, private key, and signature fit together with the other parts of the basic safety message.

TABLE III–4—BASIC SAFETY MESSAGE KEY COMPONENTS

| Certificate | Message content | Signature | Timestamp |
|---|---|---|---|
| Pseudonym Certificate: • Public Key. • Signature of the Pseudonym Certificate Authority. Validity Period: • Says when certificate effective and when expires. | (i.e., the speed, heading, location, etc. information that supports the safety applications). | Produced from the following steps: • Compute hash of the Message Content and Timestamp. • Use your private key to create an encoded string of numbers. • The encoded string of numbers is your signature. | (i.e., when the information is transmitted). |

When the transmitting device sends a basic safety message it assembles each of the parts of the message in Table III–4 above. The vehicle uses a combination of the message content, timestamp, and a private key to generate the signature. The device also attaches the certificate to the message. The certificate includes the public key, corresponding to the private key used to sign the message, the validity period of the certificate, and the signature from the Pseudonym Certificate Authority. The pseudonym certificate contains the signature of the PCA from the SCMS allowing message receivers to verify the pseudonym certificate. The validity period is used to determine if the certificate is valid or if the receiving device should reject the credentials if they are expired.

The vehicle constructs the signature by using the message content and the time stamp portions of the message as inputs into the following process:

(a) Create a hash 153 of the message content and timestamp (i.e., a shortened version of the message content/time stamp that is fixed length—e.g., 32 characters). A standard NIST formula (SHA–2) 154 governs the creation of the hash.

(b) Input the hashed contents through an Elliptic Curve Digital Signature Algorithm 155 (the equation that creates the encoded string of numbers). The resulting number is the ‘‘digital signature.’’

(b) Verifying the Signature Upon Receipt

A device receiving the basic safety message performs the following sequence of steps in order to verify the signature:

(a) Generate the hash of the basic safety message content and timestamp using the same NIST defined formula used for generating the signature.

(b) Input the message hash, public key, and digital signature into the signature verification function (ECDSA) to verify the BSM digital signature is valid.

(c) Verify the pseudonym certificate (from the sending device) is within the validity period.

(d) Verify the digital signature of the pseudonym certificate back to the root certificate authority ensuring the SCMS issued the credentials.

(e) Verify the pseudonym certificate is not listed on the Certificate Revocation List.
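The signing steps (a)–(b) and the receiver's checks (a)–(e) described above, as an added example that is not code from the NPRM or from any SCMS implementation. It implements ECDSA over NIST P-256 with SHA-256 using only the Python standard library; the JSON certificate layout (not the over-the-air certificate format), the function names (`issue`, `make_bsm`, `verify_bsm`), the issuer labels `"root"` and `"pca"`, the nonce derivation, and all keys, times and message values are assumptions constructed for the illustration.

```python
import hashlib, hmac, json

# NIST P-256 domain parameters (FIPS 186-4): field prime, group order, base point.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def add(p1, p2):
    """Affine point addition on P-256 (curve coefficient a = -3); None is infinity."""
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    num, den = (3 * x1 * x1 - 3, 2 * y1) if p1 == p2 else (y2 - y1, x2 - x1)
    lam = num * pow(den % P, P - 2, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication (not constant time; demonstration only)."""
    acc = None
    while k:
        acc = add(acc, pt) if k & 1 else acc
        pt, k = add(pt, pt), k >> 1
    return acc

def h(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")  # SHA-256 (SHA-2 family)

def sign(priv, data):
    """Sender steps (a)-(b): hash the data, then produce the ECDSA signature (r, s)."""
    e = h(data)
    # Assumption: demo-only deterministic nonce so the example is reproducible (not RFC 6979).
    mac = hmac.new(priv.to_bytes(32, "big"), e.to_bytes(32, "big"), "sha256").digest()
    k = int.from_bytes(mac, "big") % (N - 1) + 1
    r = mul(k, G)[0] % N
    return (r, pow(k, N - 2, N) * (e + r * priv) % N)

def verify(pub, data, sig):
    """Receiver steps (a)-(b): recompute the hash and run ECDSA verification."""
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, N - 2, N)
    pt = add(mul(h(data) * w % N, G), mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r

def cert_body(c):  # signed portion of the simplified certificate (layout is an assumption)
    return json.dumps([c["pub"], c["not_before"], c["not_after"], c["issuer"]]).encode()
def cert_digest(c):  # hash of the full certificate, used here as the revocation-list key
    return hashlib.sha256(cert_body(c) + json.dumps(c["sig"]).encode()).hexdigest()

def issue(issuer, issuer_priv, subject_priv, not_before, not_after):
    """An authority certifies the subject's public key for a validity period."""
    c = {"pub": mul(subject_priv, G), "issuer": issuer,
         "not_before": not_before, "not_after": not_after}
    c["sig"] = sign(issuer_priv, cert_body(c))
    return c

def make_bsm(priv, cert, content, timestamp):
    """Assemble certificate, message content, signature and timestamp (Table III-4)."""
    signed = json.dumps([content, timestamp], sort_keys=True).encode()
    return {"cert": cert, "content": content, "timestamp": timestamp, "sig": sign(priv, signed)}

def verify_bsm(bsm, now, authorities, root_pub, crl):
    """Receiver checks (a)-(e); returns "ok" or the first check that failed."""
    cert = bsm["cert"]
    signed = json.dumps([bsm["content"], bsm["timestamp"]], sort_keys=True).encode()
    if not verify(cert["pub"], signed, bsm["sig"]):                 # (a) + (b)
        return "bad signature"
    if not cert["not_before"] <= now <= cert["not_after"]:          # (c)
        return "outside validity period"
    link = cert                                                     # (d) walk up to the root
    while link["issuer"] != "root":
        parent = authorities.get(link["issuer"])
        if parent is None or not verify(parent["pub"], cert_body(link), link["sig"]):
            return "untrusted issuer"
        link = parent
    if not verify(root_pub, cert_body(link), link["sig"]):
        return "untrusted issuer"
    return "certificate revoked" if cert_digest(cert) in crl else "ok"   # (e)

def demo():
    """Constructed keys, times (in seconds) and content; one verdict per scenario."""
    root_priv, pca_priv, car_priv, rogue_priv = 0xA11CE, 0xB0B, 0xCA7, 0xBAD
    week, root_pub = 7 * 24 * 3600, mul(root_priv, G)
    authorities = {"pca": issue("root", root_priv, pca_priv, 0, 52 * week)}
    cert = issue("pca", pca_priv, car_priv, 0, week)
    bsm = make_bsm(car_priv, cert, {"speed_mps": 13.4, "heading_deg": 271.5}, 1000)
    tampered = dict(bsm, content={"speed_mps": 0.0, "heading_deg": 271.5})
    rogue_cert = issue("pca", rogue_priv, rogue_priv, 0, week)  # not signed by the real PCA
    forged = make_bsm(rogue_priv, rogue_cert, bsm["content"], 1000)
    check = lambda m, now=1000, crl=(): verify_bsm(m, now, authorities, root_pub, set(crl))
    return {"valid": check(bsm), "tampered": check(tampered), "expired": check(bsm, now=week + 1),
            "forged": check(forged), "revoked": check(bsm, crl=[cert_digest(cert)])}

if __name__ == "__main__": print(demo())
```

Note that `verify` does not recover the hash from the signature: it recomputes a curve point from the hash, the signature and the public key, and accepts only if that point's x-coordinate matches the signature's `r` value.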

151 The V2V device generates the private key & public keys. The public key is sent to the SCMS to incorporate into a certificate that is signed by the PCA. The private key is always kept secret with the V2V device. The private key is vital to the signing process and must be kept secured at all times.

152 See ‘‘Using the Elliptic Curve Digital Signature Algorithm effectively’’ http://www.embedded.com/design/safety-and-security/4427811/Using-the-Elliptic-Curve-Digital-Signature-Algorithm-effectively, Feb. 2, 2014 (last accessed Dec 7, 2016).

153 A hash function is any function that can be used to map data of arbitrary size to data of fixed size. The values returned by a hash function are called hash values, hash codes, hash sums, or simply hashes.

154 See ‘‘Secure Hashing’’ http://csrc.nist.gov/groups/ST/toolkit/secure_hashing.html (last accessed Dec 7, 2016).

155 See FIPS publication 186–4 at ‘‘FIPS Publications’’ http://csrc.nist.gov/publications/PubsFIPS.html (last accessed Dec 7, 2016).


As discussed in the next section, the agency is considering a potential test method that would mimic many of the functions of the receiving device in order to assess whether devices are properly signing their messages with valid credentials when they are transmitting basic safety messages.

(2) Potential Requirements and Testing for Message Signing and Authentication

The agency is currently considering evaluating a device’s ability to properly sign the basic safety message by utilizing a test device to receive basic safety messages during a static test. The test device would perform the key functions described above to verify the authenticity of the sender and of the message. Following is discussion of the general testing framework and the potential performance requirements that the agency is considering within the context of such a test.

(a) Potential Message Authentication Test Method

The agency currently envisions testing message authentication for compliance as executing a message security and signage protocols test in a static test environment (i.e., a ‘‘security credentials test’’). The test would be conducted using a vehicle resident V2V device and an agency developed test device positioned in close proximity to each other.

In an effort to replicate real-world conditions, the agency’s current strategy is to define a test device that can perform the following functions as described in SAE J2945/1 v1.0 156 (which itself references specific clauses and sections of relevant IEEE P1609 and 802.11 standards).
• If the full pseudonym certificate is included in the BSM, then the device will need to extract the public key from the pseudonym certificate of the test vehicle.
• If the certificate digest (hash of the full certificate) is included in the BSM, then the device will need to perform a look-up in cached memory of the full certificate and then extract the public key from the pseudonym certificate of the device under test.
• Confirm that the public key and the credentials in general are indeed from the SCMS (i.e., verify the pseudonym certificate authority all the way up to the root certificate authority).
• Use the public key to verify the signature section of the basic safety message (i.e., execute the ECDSA verification algorithm).

In terms of specific procedures, we tentatively believe that using many of the test conditions from our static test evaluating the transmission range and content of the basic safety message would be appropriate. In essence, we believe that the same test could be used to also evaluate whether the vehicle is appropriately signing its basic safety messages. Tentatively, we believe that including the following additional step in the static test would be sufficient to evaluate this area of performance.
• Collect basic safety messages from a transmitting device for at least 100 minutes and repeat the test at least seven days later.157
• Using the messages collected in this test, the agency’s test device should be able to verify the device under test is properly signing the basic safety message.

156 See ‘‘On-Board System Requirements for V2V Safety Communication’’ at http://standards.sae.org/j2945/1_201603/ (last accessed Dec 7, 2016).

157 As discussed later in this section, the timeframes for this test accommodate our current proposal for changing certificates.


• The data collected should also reveal that the device under test is sending the required certificate (from the pseudonym certificate authority) or the certificate digest.
• The agency’s test device should also be able to determine whether the device under test is using credentials issued by the appropriate authority (i.e., is the root certificate ultimately one that is authorized by the SCMS?).
• Finally, the test duration timeframes of this additional step should enable our test device to determine whether the vehicle is changing its certificates at the required interval.

We request comment on this test method and commenters’ input on a potential test device that could be used to execute this proposed test schema. Would a test device that performs all of the functions outlined above sufficiently mimic real world conditions and also define those conditions sufficiently to achieve a repeatable test method? What other details should the agency explore and define? Are there other test methods that the agency should consider that can confirm that the transmitting vehicle signs the basic safety message properly with a less complex test?

The agency is also proposing to adopt a static test to evaluate the transmission range and other requirements (see Section III.E.1.a)). As testing experience is gained, it may prove more efficient to combine the security credential, RF transmission, and possible other tests. The agency invites comment on the potential to combine and streamline tests where possible.

(b) Signing the Message

Using the potential test method described in the previous section, we believe the agency would be able to verify that V2V devices are properly signing their basic safety messages, authenticating themselves as accurate sources of information. In essence, by using a test device that would be able to verify the digital signature using the ECDSA algorithm, the proposed test schema confirms that:
• The sending device produced the correct hash of the message content/timestamp;
• the sending device appropriately sent its pseudonym certificate; and
• the public key could decode the signature created by the sender’s private key.

By comparing the hash created by our test device to the hash decoded from the basic safety message we received from the device under test, our test procedure should be able to confirm the device under test is correctly signing the basic safety message. Further, we anticipate that the test device would also identify the root certificate authority and validate up to the root certificate authority.

(c) Certificates and Certificate Digests

The agency is considering including requirements to reduce the size of the basic safety message by requiring that vehicles not transmit parts of the basic safety message when they are not necessary. In theory, this could potentially conserve bandwidth in higher volume scenarios. The pseudonym certificate included in the basic safety message is an area under evaluation where message size could be reduced.

A receiving V2V device requires pseudonym certificates to decode the signature and confirm the identity of the sender. However, the agency does not anticipate that every message will need to carry the full certificate as the pseudonym certificate does not change for every message. This allows a period of time where the same certificate and potentially allowing for messages to only part of the entire pseudonym certificate. Therefore, the agency believes it would be appropriate, under certain circumstances, for devices to transmit a certificate digest which would be a hash of the full certificate.

A potential challenge to this approach is requiring a receiving device to support capture and storage of full certificates and certificate digests, as transmitting only a digest necessitates relating the digest to a full certificate. In addition to the capture and storage of certificates, the agency is also evaluating a potential requirement for the interval between the transmission of a full certificate and certificate digests. Current research suggests that the vehicle should transmit the full certificate twice per second and the digest the remaining times. However, if there is an event flag (e.g., hard braking event) in the BSM, the agency believes the full certificate should be transmitted at the next immediate opportunity. At this time our current proposed requirements do not cover this aspect of the device, but the agency requests comment concerning the need to employ certificate digests in place of the entire certificate.

We tentatively believe that a final rule on V2V would need to establish at least a minimum interval for transmitting the full certificate so that surrounding vehicles will know the maximum amount of time that they will need to wait in order to be able to confirm the identity of a transmitting vehicle. Without such a requirement, we question whether the standard would be able to ensure that vehicles transmitted their pseudonym certificate at a sufficient frequency to support the safety applications that other vehicles may use. However, we request comment on whether a minimum requirement for transmitting the full certificate is necessary. If so, what the minimum time should be and whether a maximum time (or a specified interval such as 1 time per second) would be appropriate for this aspect of performance.

Thus, for this aspect of performance, our final performance requirements could specify minimum (and potentially maximum) times for transmitting the full certificate and requirements for what types of information need to be in the certificate digest. Thus, in addition to the testing method that we described above, our test device for that test method would also need to ensure that:
• The vehicle is transmitting the full certificate at the required interval;
• the vehicle is transmitting the certificate digest (which identifies the full certificate and when the full certificate was transmitted) with all other messages that do not have the full certificate; and
• the certificate or digest transmitted along with a basic safety message is valid (i.e., it is a valid certificate issued by the SCMS/has the appropriate credentials from the root certificate authority).

(d) Changing Certificates and Privacy

As part of the process of signing a V2V message using the proposed SCMS approach, a vehicle could use a single certificate that is valid for a long period of time (e.g., years) to sign all basic safety messages that it transmits. This would help ensure that safety applications would be able to differentiate between authenticated sources of information and other less reliable sources of information when making judgements about their surroundings.

However, this approach could create additional privacy risk for consumers, as use of a single certificate could enable an observer collecting V2V transmissions to associate the basic safety messages coming from a single V2V device with a single sender. While associating a group of messages with a specific driver would need additional information outside of the V2V system, additional information would not be needed to know that all messages using the same certificate come from the same vehicle. To help mitigate this risk, we propose that vehicles frequently change or rotate certificates so that it will be more difficult to associate a large number of basic safety messages with the same V2V device or vehicle. Also, we are proposing that certificates not be valid for long periods of time to reduce the risk that they be collected and used to identify a specific vehicle at a future date and time.

(i) Current Research on Changing Certificates

Recent research evaluated several models for changing certificates. In the Safety Pilot Model Deployment, certificates had a validity period of 5 minutes and were completely discarded after use. While changing certificates on a more frequent basis helps to minimize potential privacy risk for individuals, it requires a large volume of certificates for a vehicle to manage, approximately 100,000 certificates for one year of operation. Model Deployment researchers determined that this approach would be inefficient as the majority of the time a vehicle is not in operation but certificates were still expiring even when the vehicle was not in operation. Based on the experiences learned from this project, the researchers developed a more efficient design where a vehicle will have 20 valid certificates per week and changes certificates at least once every 5 minutes. Under this design, only 1,050 certificates would be needed per year. This is believed to strike a balance between privacy and efficiency by using certificates that rotate every five minutes and are valid only for one week. This alternative certificate usage model is currently under development and will be tested in the field as a part of the SCMS Proof-of-Concept projects.

(ii) Potential Performance Metric

We recognize that methods of changing certificate credentials exist on a spectrum between the competing interests of maximizing privacy protections and technological practicability. For example, it would afford the most privacy protection for consumers to use a different set of credentials with every basic safety message (i.e., change certificates 10 times per second). However, this would be impracticable because it is unreasonable to expect the SCMS to produce enough certificates to service all V2V devices when they use ten new certificates every second.158 On the other hand, using the most technically simplistic method for authenticating the sender of the message would be to use one set of credentials for every message. However, as we described above, that would create significant privacy risk by associating all basic safety messages sent from a single source with each other.

In order to balance these competing interests, our tentative conclusion is that the current method for changing certificates used in the research would be a reasonable compromise that protects privacy in a technically feasible way. By rotating among 20 certificates every five minutes, we are ensuring that no group of basic safety messages will be linked to more than 5 minutes of other safety messages at a time. In other words, a person obtaining basic safety messages from a device may not be able to associate those messages with each other because their certificate is only used for 5 minutes out of every 100 minutes. Further, a device shutting off at one particular location would be unlikely to use the same certificate upon startup. Finally, in order to ensure that a person could not obtain all 20 certificates for a particular device, we are proposing for devices to completely discard their certificates each week and replace them with 20 new certificates.

We request comment from the public on our proposed method for changing certificates and privacy concerns. Have we appropriately balanced the privacy interest with the interest in maintaining the technical feasibility of producing and storing certificates in vehicles? Is periodically rotating certificates the right approach to limiting the privacy impact of having signed messages? Have we established the appropriate thresholds for the method for changing certificates (i.e., have we selected the correct duration for when devices need to rotate certificates and change the certificates to new ones altogether?). Further, should the agency establish requirements for rotating the 20 certificates (i.e., should the device rotating among 20 certificates every five minutes use the same order for rotating through the certificates or should the device use a different order the next time it cycles through the 20 certificates? What method should the agency choose for changing the cycling order of the 20 certificates?).

(iii) Test Method

As we discussed in Section III.E.3.b)(2)(a), our static test method for assessing whether a device is appropriately signing their basic safety messages can also assess whether a device is changing its security credentials as required if our test lasts for an appropriate amount of time. Based on our proposed requirements, we believe that it is appropriate to test the device for 100 minutes twice, separated by 7 days.

Testing the device for a 100 minute duration would sufficiently assess whether the device is rotating certificates every five minutes and using a different certificate every five minutes for the duration of 100 minutes (i.e., 20 certificates × 5 minutes per certificate). Finally, conducting this test twice (separated by 7 days) would allow the test to confirm whether the device is using 20 new certificates that are different from the certificates the device used in the first test.

(e) Preventing Message Transmission Without Valid Certificates From a SCMS

The agency is also considering whether to require that devices stop transmitting basic safety messages if they lack valid security credentials, i.e., device transmission problems or being identified as a misbehaving device. The purpose would be for devices to avoid sending basic safety messages due to incorrect credentials. However, at this time, the agency does not have performance requirements or a test method for assessing this aspect of performance. In order to test this aspect of performance, the agency would need a method for exhausting the certificate supply of a vehicle and observing whether the vehicle would continue to transmit basic safety messages. We request comment on whether there is a practicable and repeatable way for producing these conditions in a vehicle under test. We also request comment as to whether this aspect of performance should be included in the final rule.

(3) Potential Regulatory Text for SCMS Based Message Authentication

The agency has included no regulatory text for SCMS-based message authentication and instead has a bracketed placeholder for where it would be if this were to be part of a final rule. The agency expects that regulatory text in any final rule would include:
• Additional definitions in S.4 Definitions for ‘‘SCMS-based message authentication,’’ which would be consistent with the discussion in this proposed rule and any public comments.
• A provision on signing the BSM, which would require that the device must generate a signature for each BSM.
• A provision on rotating certificates.

(c) Alternative Approach—Performance-Based Message Authentication

(1) Overview

The agency is also bringing forth potential alternatives to the SCMS-based

158 A certificate is expected to be 117 bytes. The number of unique certs/year * size of one certificate. (103680 * 117 = 12.13MB for one vehicle for one year). *300 million vehicles = 3,639,168,000,000,000. Or 3.6 exabytes.


proposal for V2V message authentication. This first alternative takes a far less prescriptive approach to authentication and defines a performance-based approach but not a specific architecture or technical requirement for message authentication. The basis of this alternative is to let V2V device implementers define their own approach for improving the integrity and authenticity of V2V messages.

The fundamental approach to this first alternative only requires that the receiver of a basic safety message be able to validate the contents of a message such that it can reasonably confirm that the message originated from a single valid V2V device, and the message was not altered during transmission. This alternative would broadly require that implementations utilize government-audited and approved cryptographic algorithms, parameters, and approaches.

(2) Illustrative Example

For illustrative purposes, consider the following example technical implementation. The sender of a BSM could use a security certificate issued by a certificate authority to digitally sign each BSM. The security certificate could be composed of the following elements:

• A date range describing the validity period for the certificate
• A public key corresponding to a private key
• Digital signature from a certificate authority

(3) Potential Requirements Under This Alternative

(a) Test Method and Test Device

This alternative’s less prescriptive approach for message authentication results in a general testing requirement that would be similar in context as the proposed PKI-based authentication but leaves the extent of the proposed requirement undefined, or yet to be defined, static test procedures. This approach is inherently aligned with recognizing that potential future communication and their potential message authentication needs would be varied and, therefore, requires varied test methods for message signing and authentication.

NHTSA seeks comment on potential test methods and the test devices that could accommodate other, future, or yet-to-be-developed message signing and authentication schemas that could be applied to V2V communications. The agency is interested in details on how a test device could fulfill the general requirement to sufficiently reflect real-world conditions and also define those conditions sufficiently to achieve a repeatable test method that ensures verified communications between V2V devices, using varied communication mediums? What other details should the agency explore and define? Are there other test methods that the agency should consider that can confirm that a transmitting V2V device signs the basic safety message properly?

(d) Alternative Approach—No Message Authentication

This second potential alternative set out for comment does not specify any message authentication requirements for devices participating in V2V communications. Under this second potential alternative, BSM messages would still need to be validated with a checksum or other integrity check and employ some form of misbehavior detection system to attempt to filter malicious or misconfigured messages. However, there would be no specific message authentication requirement. Implementers would be free to include such a feature as an optional function. The agency would not establish any performance requirements or test procedures under this potential alternative. The agency seeks comment on this no message authentication approach.

4. Misbehavior Reporting

(a) Proposal—Misbehavior Reporting to a SCMS

NHTSA is proposing to establish practices and procedures for devices participating in V2V communications to recognize device misbehavior, both internally and by other devices. The fundamental purpose of misbehavior detection is to provide a means for V2V devices to identify and block messages from other misbehaving or malfunctioning V2V devices. V2V devices would be required to report device misbehavior to a central authority, namely the Security Credential Management System, once misbehavior is confirmed via a series of self-diagnosis or plausibility checks on incoming messages. This includes identifying methods for device self-diagnosis of both hardware and software to ensure that the device has not been altered or tampered with from intended behavior.

If an anomaly is detected and confirmed by a series of secondary plausibility checks, a ‘‘misbehavior event’’ would be identified, and a sample of BSM information such as location, time-stamp, and a digitally signed (encrypted) certificate from the misbehaving device would be recorded as ‘‘evidence’’ of the event. The reporting device would then transmit its misbehavior report to the SCMS misbehavior authority (MBA) using a secondary communications channel. The intent of the MBA is to gather misbehavior reports by all devices participating in the network. These reports would be analyzed in accordance with established and governed policies for global misbehavior detection to determine if and when a particular vehicle should be placed onto a Certificate Revocation List (CRL). More accurately, if and when information related to a particular device’s certificates should be placed onto the CRL such that other vehicles can use the information to identify the misbehaving device, assume it cannot be a trusted device, and ignore its messages. The CRL would be updated periodically by the MBA and distributed to participating V2V devices.

The agency views misbehavior detection as a key feature of the proposed security architecture: That misbehaving devices are able to be efficiently detected, and their identity made available to other devices participating in the network. At the highest level, confidence in the V2V messaging could be eroded if misbehaving devices are not detected and reported to a centralized authority. As indicated in Table II–5, additional research is being conducted to better understand the data, processing, and algorithm development necessary to implement misbehavior detection at both the local (device) level and global (SCMS) level. For misbehavior to be effective, techniques must be identified, developed, and implemented in both devices and at a central authority for the system to secure V2V messages. The proposed requirements concerning detection and reporting support misbehavior detection functionality, but do not include at this time the actual techniques to detect and identify misbehavior. Research is being conducted; however, the actual nature of misbehavior in the V2V ecosystem has yet to be defined given the lack of misbehavior data to support actual development of techniques and algorithms. Initial data will be available once the SCMS Proof-of-Concept (Section V.B.6.e) is operational and supporting the security of the Connected Vehicle Pilot activities. The agency seeks comment regarding the requirements to support misbehavior detection, the investigation of detection and identification techniques, and possible implementation issues including the need to evolve detection


and identification algorithm capabilities over time.

(1) Reporting

The agency has worked extensively with its research partners to develop a comprehensive set of proposed reporting requirements for misbehavior detection. The reporting requirements attempt to strike a balance between frequency, the amount of data reported, and the need to effectively and efficiently identify misbehavior to mitigate any potential effects. As described previously, the purpose of the misbehavior reports is to:

• Indicate potential misbehavior and misbehaving devices, and
• Indicate suspicious activities around the reporting device.

(a) Report Content

The agency is proposing that a misbehavior report is a message signed by the reporting device and shall include at a minimum the following data:

• The reporter’s certificate.
• GNSS coordinates (latitude, longitude and elevation) at the location where the misbehavior was initially identified.
• The GNSS coordinates where the misbehavior appears to have ended. This field is optional as it may not apply to all misbehavior. This could be useful for indicating where a DoS attack begins and where it ends.
• BSMs from both host device and remote threat device.
• Warnings present at time of misbehavior detection, if any.
• List of neighboring devices.
• The Coordinated Universal Time (UTC) at which the misbehavior was detected.
• Information identifying the detection method that triggered the report.

The agency seeks comment on the proposed inclusion of the above data in a misbehavior report. Specifically, we would appreciate commenters providing any potential additional data that should be included. The agency also asks commenters to provide feedback on the potential for inclusion of any personally identifiable information (PII) related to misbehavior and the potential positives and negatives of such an inclusion.

Additionally, the agency is also seeking comment on the potential inclusion of the following items in the misbehavior report:

• The average Channel Busy Percentage observed if a Denial of Service is detected
• List of vehicles (device/certificate IDs) within communication range when misbehavior is detected
• Abstracted (non-V2V related) sensor information if such sensor information is available to the device
• Averaged speed of vehicles within communication range of the reporting vehicle

(b) Misbehavior Report Generation and Transmission

A misbehavior report shall be generated as follows:

• A misbehavior report shall be created at the time a misbehavior is detected
• Misbehavior reports shall be signed and transmitted with the same credentials as those of BSMs
• A misbehavior report shall be signed by the reporting device at the time of the report creation
• The misbehavior reports shall be encrypted with the public key of the misbehavior authority and transmitted to the central authority through a secured communication channel

(c) Misbehavior Report Storage

Misbehavior reports shall be stored as follows:

• The V2V device shall allocate sufficient persistent memory storage for 1600 KB of misbehavior event reports
• Misbehavior reports shall be stored persistently in non-volatile memory to avoid report erasure during vehicle shut-down and start-up cycles
• A misbehavior report shall be stored in persistent memory for at least 20 weeks
• If the allocated misbehavior report memory capacity is to be exceeded due to a new incoming misbehavior report, the oldest report or reports shall be overwritten to allow the storage of the newest report
• If misbehavior reports are to be stored in an unencrypted storage medium, the content shall be encrypted

(2) CRL Processing

• If the credentials of a locally detected misbehaving device are already on the locally stored CRL it shall not be re-reported to the central authority

(3) SCMS Security

The agency recognizes the misbehavior mechanism identifies anomalies that could indicate malfunctions or malicious activities that could adversely impact proper operation of individual devices or the system; possibly causing unsafe or unreliable operation if trusted. Misbehavior operations and subsequent device requirements ensure that the device perpetrating the misbehavior can be rendered innocuous by revoking the device’s security certificates effectively making them an untrusted source to properly functioning devices. The agency is therefore proposing that the following requirement be applied to a central authority, namely the SCMS, responsible for global misbehavior and management:

• The agency requires that a central authority employ protocols that establish a disposition based on reporting from various sources to mitigate the potential for misbehavior detection to become a gateway for an easy cybersecurity threat for denial of service.

(4) Request for Comment

The agency believes the proposed misbehavior reporting requirements could help reduce the number of misbehaving devices whose messages would be accepted by the V2V network and thus help reduce the chance of false safety warnings. The agency seeks comment on the misbehavior reporting approaches described in this section along with potential other approaches the agency should consider.

More specifically, the agency appreciates thorough explanation of any suggested alternative approaches to misbehavior reporting, as well as sufficient description of why you believe that the proposed approach is, or is not appropriate. Additionally, the agency would appreciate suggestions on how to properly and reasonably test for misbehavior in a V2V system.

(5) Potential Regulatory Text for SCMS-Based Misbehavior Detection and Reporting

The agency has included no regulatory text for SCMS-based misbehavior detection and reporting and instead has a bracketed placeholder for where it would be if this were to be part of a final rule. The agency expects that regulatory text in any final rule would include:

• A provision on detecting misbehavior related to both malfunctioning sensors and physical tampering.
• A provision addressing a BSM failing any plausibility check, which would require the device to generate a misbehavior report that meets certain minimum requirements.
• A provision concerning creating and sending misbehavior reports. This provision would set requirements about what data would need to be included in a misbehavior report (which would include the information listed above).
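The report storage and CRL-processing requirements proposed above (1600 KB of persistent storage, at least 20 weeks of retention, oldest reports overwritten first, no re-reporting of credentials already on the local CRL) can be modeled as follows. This is an added illustration, not code from NHTSA or the SCMS project; the field names, the JSON encoding, the 1024-byte kilobyte and the sample data are assumptions, and signing, encryption and non-volatile storage are left out.

```python
import json
from collections import deque
from dataclasses import dataclass, asdict, field
from typing import Optional

# Figures from the proposal; treating 1 KB as 1024 bytes is an assumption.
CAPACITY_BYTES = 1600 * 1024
MIN_RETENTION_S = 20 * 7 * 24 * 3600   # "at least 20 weeks"


@dataclass
class MisbehaviorReport:
    """Minimum report content from the proposal; field names are hypothetical."""
    reporter_cert: str
    suspect_cert_id: str                 # assumed to come from the remote device's BSM
    start_gnss: tuple                    # (latitude, longitude, elevation)
    detected_utc: int                    # seconds since the epoch, UTC
    detection_method: str
    host_bsm: str
    remote_bsm: str
    neighbors: list = field(default_factory=list)
    warnings: list = field(default_factory=list)
    end_gnss: Optional[tuple] = None     # optional field in the proposal

    def encode(self) -> bytes:
        # Plain JSON stands in for the signed, encrypted report format.
        return json.dumps(asdict(self), sort_keys=True).encode("utf-8")


class ReportStore:
    """Bounded store: the oldest report(s) are overwritten when capacity is hit."""

    def __init__(self, capacity: int = CAPACITY_BYTES):
        self.capacity = capacity
        self.used = 0
        self.early_overwrites = 0        # reports lost before 20 weeks elapsed
        self._queue = deque()            # (stored_utc, blob), oldest first

    def submit(self, report: MisbehaviorReport, crl: set, now: int) -> str:
        # CRL processing: credentials already on the local CRL are not re-reported.
        if report.suspect_cert_id in crl:
            return "suppressed"
        blob = report.encode()
        if len(blob) > self.capacity:
            raise ValueError("report exceeds allocated report storage")
        while self.used + len(blob) > self.capacity:
            stored_utc, old = self._queue.popleft()
            self.used -= len(old)
            if now - stored_utc < MIN_RETENTION_S:
                self.early_overwrites += 1
        self._queue.append((now, blob))
        self.used += len(blob)
        return "stored"

    def purge_expired(self, now: int) -> int:
        """Free reports that have been held for the 20-week minimum."""
        purged = 0
        while self._queue and now - self._queue[0][0] >= MIN_RETENTION_S:
            _, old = self._queue.popleft()
            self.used -= len(old)
            purged += 1
        return purged

    def __len__(self) -> int:
        return len(self._queue)


def sample_report(n: int, now: int) -> MisbehaviorReport:
    """Constructed sample data; every report encodes to the same length."""
    return MisbehaviorReport(
        reporter_cert="reporter-cert-placeholder",
        suspect_cert_id=f"cert-{n:04d}",
        start_gnss=(38.8760, -77.0030, 12.0),
        detected_utc=now,
        detection_method="plausibility-check",
        host_bsm="host-bsm-placeholder",
        remote_bsm=f"remote-bsm-{n:04d}",
    )


def run_demo() -> dict:
    t0 = 1_484_179_200                      # 2017-01-12 00:00:00 UTC
    crl = {"cert-0009"}                     # constructed local CRL
    size = len(sample_report(0, t0).encode())
    store = ReportStore(capacity=3 * size)  # tiny capacity so overwrite is visible
    outcomes = [store.submit(sample_report(9, t0), crl, t0)]
    for n in range(4):                      # four reports into room for three
        now = t0 + 60 * n
        outcomes.append(store.submit(sample_report(n, now), crl, now))
    purged = store.purge_expired(t0 + 60 + MIN_RETENTION_S)
    return {"outcomes": outcomes, "early_overwrites": store.early_overwrites,
            "purged": purged, "remaining": len(store)}


if __name__ == "__main__":
    print(run_demo())
```

The `early_overwrites` counter makes visible that the overwrite-oldest rule can discard a report before the 20-week minimum has elapsed once the allocated storage fills.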


Further, it would include provisions on how a misbehavior report must be generated and transmitted, which would include that it would need to be created within 2 seconds after the misbehavior is detected, and then signed, encrypted and transmitted to SCMS.
• A provision detailing how misbehavior reports would need to be stored
• A provision concerning the credentials of a locally-detected misbehaving device already on the locally-stored CRL.
• A provision concerning communicating with the SCMS.

In addition, the agency would need to include additional regulatory text on test procedures including the ability to detect misbehavior and receive certificates from the SCMS.

(b) Alternative Approach—No Misbehavior Reporting

In contrast to the primary misbehavior detection proposal, the agency is seeking comment on an alternative approach to misbehavior detection where there are no requirements to report misbehavior or implement distribution of information to facilitate blocking based on misbehavior reports to an authority. Implementers would be free to include such features as reporting the detection of any misbehavior or a malfunction as optional functions. Independent of this alternative approach, the agency is proposing to require that implementers identify methods that would check the functionality, including hardware and software, of a V2V device ensuring that the device has not been altered or tampered with from intended behavior.

The agency appreciates commenters’ views on this potential alternative approach including reasons why or why not this potential would be appropriate for identifying misbehaving or malicious devices participating in V2V communications. We also encourage commenters to provide any suggested alternative approaches to misbehavior reporting, as well as sufficient description of why you believe that the proposed approach is, or is not appropriate. Additionally, the agency would appreciate suggestions on how to properly and reasonably test for misbehavior in a V2V system.

5. Proposed Malfunction Indication Requirements

(a) Overview

The agency is proposing to require that all V2V devices be equipped with a mechanism for notifying users that the device and/or its supporting equipment is not operating normally and some form of repair is necessary. The requirements proposed in this section are consistent across any potential technology employed in V2V communications. The agency is not specifying a format for the notification mechanism, as elaborated below—it can be an illuminated telltale, a message in the message center, or something else—but it must be presented in the vehicle itself for OBE or on the device itself for non-integrated aftermarket products. This proposed requirement aligns with the proposed misbehavior requirements and cost estimates, in that misbehavior detection requires devices to perform self-diagnostics and report to users a failure condition. Likewise, the cost estimates for the proposal include costs for some type of malfunction indicator and reflect what we would consider to be a ‘‘minimalist’’ approach.

The agency has a long history of requiring both diagnostics and malfunction indicators. FMVSSs for electronic stability control (No. 126), tire pressure monitoring systems (No. 138), and air bags (No. 208), among others, include requirements for indicating when the system is in a failure condition. In these cases, the agency believed, and therefore required, that proper maintenance to ensure system operation is vitally important to driver and passenger safety. The agency has no reason to believe any differently for V2V devices, other than potentially strengthening those beliefs based on the cooperative nature of V2V and how the benefits are a ‘‘networked good,’’ where one device has the potential to benefit many others.

(b) Malfunction Indication Requirements

• Any device participating in the V2V system shall clearly indicate to their users a malfunction condition occurring in the device, its supporting equipment or the inputs used to form, transmit, and receive a basic safety message. Malfunction indication shall be provided in instances such as:
◦ Device components not operating properly
◦ Input sensor data not within appropriate tolerances
◦ On Board memory failures
◦ GPS receiver failures
◦ Unable to transmit or receive basic safety messages
◦ Any other failure that could prevent normal operation
• Malfunction indication shall be clearly presented to device users in the form of a lamp or message
• Owner’s information shall clearly describe the malfunction indication, potential causes, and if needed, the need to have the device serviced
• The malfunction indication shall remain present until the V2V device is returned to normal operating state
• The malfunction indicator shall illuminate the malfunction indicator as part of power up initial system diagnostics to confirm the indicator is operating properly

The agency seeks comments on these proposed requirements. More specifically, the agency would like commenters to give their views on malfunction indication, the best ways to convey device malfunction to users, and why they believe this to be the case.

6. Software and Security Certificate Updates

The agency anticipates that, over time, V2V devices and the system overall will require periodic updates to address functionality, potential security, or potential privacy issues as they arise after a vehicle owner or operator takes possession of a vehicle. The agency is proposing that V2V devices allow for over-the-air (OTA) software and certificate updates and those device users be notified of any consent required for periodic device updates.159 The agency believes that over-the-air device updates will be viable and commonplace by the time a final rule to this proposal is finalized.160 161

159 See below for the agency’s discussion of its legal authority. This proposed requirement is similar to many other existing requirements to warn drivers via telltales or messages about potential issues with required safety technologies, for example, the ESC or TPMS malfunction telltales. The difference in this case is simply that the agency expects a need to illuminate the telltale with some regularity, given that certificates will periodically run out and need to be replenished.

160 ‘‘OTA updating brings benefits, challenges’’ SAE Automotive Engineering, August 16, 2016, http://articles.sae.org/14946/ (last accessed: Dec 7, 2016).

161 ‘‘International Truck offers over-the-air programming for 2017 Cummins engines’’ SAE Automotive Engineering, May 19, 2016, http://articles.sae.org/14834/ (last accessed: Dec 7, 2016).

We anticipate this highest potential for periodic updates will come in two primary forms: Device software updates and security credential updates. In either case, the agency believes user notification and consent would be required to execute the update. The approach of this proposal is to provide the basic platform to enable V2V communications where the hardware needed is the most technologically basic enabler, essentially a radio transmitter and receiver. The device complexity, intellectual property and overall V2V operation is primarily rooted in the firmware and software loaded into a V2V device’s hardware. The agency


anticipates any updates to the device hardware would be manifested by a malfunction, device failure that would be subject to a recall and/or warranty provisions if the device warranty is still valid.

Over the air updating will provide significant flexibility for updates, not only to V2V devices but many vehicle-resident components, to fundamental device operation but also, following suit of devices, enable ‘‘pushing out’’ new applications to automotive devices. The agency believes this approach can and will best exploit the V2V communications ‘‘platform’’ contained in this proposal.

As discussed throughout the proposal and more specifically, the legal authority section, the agency believes V2V device users will need to consent to both software and security certificate updates. Therefore, the agency is proposing to require that devices participating in the system provide users with indication, in the form of a descriptive telltale or text message displayed in a vehicle message center that is in clear view of the driver, that device software or security certificate updates are available and that users need to consent before the update can occur. The indication and consent mechanism must reside in the vehicle or device.

The agency seeks comment on this proposed requirement for software and certificate update. Do commenters agree with the proposed approach, why or why not? Do commenters have alternative suggestions for how V2V device users can seamlessly consent, without burden, to software and/or certificate updates? More specifically, how do commenters perceive potential mechanisms for receiving notification and consenting, or not, to any potential updates? What potential implications may result from the anticipated need for updates and consent? What real-world experience do commenters have performing over the air updates for devices? Please provide any supporting information that may help the agency explore and finalize an approach.

7. Cybersecurity

(a) Cybersecurity Overview

Today’s electronics, sensors, and computing power enable the deployment of vehicle safety technologies, such as forward-collision warning, automatic-emergency braking, and vehicle-to-vehicle technologies, which can keep drivers from crashing in the first place. NHTSA strongly believes in the need for cybersecurity, which is essential to the public acceptance of increasingly computerized vehicle systems, to the safety technology they govern, and to the realization of the safety-enhancement potential they offer. Cybersecurity, within the context of road vehicles, is the protection of automotive electronic systems, communication networks and nodes that interface with vehicles, control algorithms, software, users, and underlying data from malicious attacks, damage, unauthorized access, or manipulation. The agency has been taking a holistic approach to vehicle cybersecurity, considering that all access points into the vehicle could potentially be compromised, and is focused on solutions to harden the vehicle’s electronic architecture against potential attacks and to ensure vehicle systems take appropriate and safe actions, even when an attack may be successful.162 A layered approach to vehicle cybersecurity within a risk-based framework reduces the probability of an attack’s success and mitigates the ramifications of a potential unauthorized access.

162 See ‘‘NHTSA and Vehicle Cybersecurity’’, http://www.nhtsa.gov/staticfiles/administration/pdf/presentations_speeches/2015/NHTSA-VehicleCybersecurity_07212015.pdf (last accessed Dec 12, 2016).

NHTSA’s vehicle cybersecurity approach is built upon the following principles:

• Based on the risk-based prioritized identification and protection of safety-critical vehicle control systems and personally identifiable information;
• Provides for timely detection and rapid response to vehicle cybersecurity incidents in the field;
• Designs-in methods and measures to facilitate rapid recovery from incidents when they occur, and;
• Institutionalizes methods for accelerated adoption of lessons learned across the industry through effective information sharing, such as through participation in the Auto ISAC.

Our vehicle cybersecurity research program considers all access points into the vehicle, more broadly than, but also including V2V. This approach makes a distinction between

(1) how vehicle architectures should be designed that interface with the outer world such that risks to safety-critical system functionality could be effectively mitigated; and

(2) how each unique access point could be protected such that an appropriate relationship could be established for the messages exchanged over that medium.

(b) Agency’s Cybersecurity Approach To Hardening Vehicle Architectures in General

Related to hardening the vehicle architectures to be cyber-resilient agnostic of the type of communications interface, NHTSA is pursuing a best-practices approach, which is based on the National Institute of Standards and Technology’s (NIST) proven cybersecurity framework that includes five principal functions: Identify, Protect, Detect, Respond, and Recover. This approach suggests that all interfaces between the vehicle electrical architecture and the external world (personal or aftermarket devices, cars, infrastructure, cloud, etc.) need to be carefully considered for risks and appropriate mitigation strategies be implemented. These include not only protection methods, but also intrusion detection techniques, rapid remediation strategies and fast adoption of new lessons learned, because we assume that all entry points into the vehicle, such as Wi-Fi, infotainment, the OBD–II port, V2V, and other points of potential access to vehicle electronics, could potentially be or become vulnerable over time. We suggest that the industry should make cybersecurity a priority by using a systematic and ongoing process to evaluate risks. And, this process should give explicit considerations to privacy and cybersecurity risks through the entire life-cycle of the vehicle. Further, safety of vehicle occupants and other road users should be an overriding consideration when assessing risks.

We continually monitor the industry as they move towards a more cyber-aware and cyber-resilient posture and will take necessary actions to ensure that there are no unreasonable safety risks.

(c) V2V-Specific Cybersecurity Considerations

NHTSA does not overlook the potential risks of interfacing the V2V vector with vehicle systems; however, we believe that the holistic approach we are taking in the broader sense as outlined above applies to the common characteristics of various different communications interfaces in the same manner.

In this section, we will primarily focus on the unique attributes of the V2V communications interface and present key steps that are being taken to mitigate the potential incremental risks they could pose.

Key attributes of V2V communications interface, as they relate to cybersecurity risks include the following:


(1) Security and privacy by design through a message authentication,

(2) Broadcast-listen protocol,

(3) Well-defined and fairly limited message structure,

(4) Communications range is limited to about 1000ft,

NHTSA’s primary proposed message authentication alternative for V2V communications employs a PKI-based security. Each broadcast message is signed with cryptographic keys to facilitate a method for the receiving units to validate the authenticity and integrity of the transmitted message from its source.

Both the primary and performance-based alternatives for message authentication seek to ensure the integrity of messages between communicating units to help assert that the message has not been altered during transmission or been sent from a malicious sender. It is important to note that this approach does not necessarily validate the accuracy of the message content received.

We consider the cybersecurity risks associated with

(1) the PKI authentication method, and the infrastructure supporting it,

(2) the contents of the messages received, and

(3) the V2V communication interface as a potential channel to inject malware

(1) PKI–SCMS Cybersecurity Requirements

In Section V, the primary message authentication proposal describes the SCMS. The system described is focused on the security functions and requirements necessary to help secure the V2V communications environment. Implementations of the performance-based alternative for message authentications may also need similar compensating approaches depending on the approach taken. While the proposed primary message authentication architecture provides well-recognized security protections, we further consider the potential cybersecurity vulnerabilities and discuss how they are expected to be mitigated.

(a) On-Vehicle Security Materials (Cryptographic Information)

• The OBE will contain security materials that are critical to the operation of the V2V device, and the system as a whole. This includes long term enrollment certificates, short term pseudonym certificates, public/private keys, SCMS security policies, and misbehavior reports. All of this data, if retrieved by unauthorized parties, could allow potential ‘‘bad actors’’ to transmit messages that may appear valid to the general ecosystem of devices because these messages are using actual credentials given to a trusted device.

• Attempts to retrieve valid security materials could involve targeting physical OBEs. In addition to having access to OBEs on personal vehicles, OBEs on vehicles that are at their End-of-Life (EOL) decommissioning phases (such as those that can be taken from vehicles in junkyards) could also create a pathway. In the event that a vehicle with a device has met with the end of its useful life, it is foreseen that the device could have up to three years’ worth of valid security certificates, assuming that it has regular communication with the SCMS.

• One method that could mitigate the risk associated with retrieval of security information through physical access to the OBE would involve hardware security against tampering such as the use of FIPS 163 Level 3 hardware security module. This specification level is consistent with requiring the zeroisation of cryptographic information in the event that the device is tampered with. While this would protect against malicious attempts, it would likely result in managing the legitimate serviceability needs of the units, likely incurring additional costs for maintenance.

163 The FIPS families of standards contain a set of standards that pertain specifically to cryptographic storage models, FIPS–140 which the industry uses to store sensitive cryptographic information. The device long and short term certificates along with the devices public/private key pairs are generally regarded as cryptographic information. The FIPS–140 set of standards define various levels of security for cryptographic information storage ranging from 1 through 4, with increasing security measures as the levels get higher. Of particular interest to the OBE are levels 2 and levels 3. Amongst other differences, the agency is interested in the tamper capabilities of these levels. Level 2 is considered tamper evident storage. This can be achieved by placing seals on enclosures (like stickers on over the counter medication that say ‘‘do not use if seal is broken’’), by using tamper evident screws and mounting hardware, and other such methodologies. Level 3 adds to this by requiring devices to be tamper resistant. There are many ways to achieve tamper resistance; however, one common method for protecting data is to have the device zero out the cryptographic storage in the event that a device is tampered with.

• The agency believes that the current environment regarding cybersecurity and protecting the public warrants a level of hardware security that goes beyond evidence of tampering to actually protecting cryptographic information in the event of a device breach with malicious intent. Therefore, the agency is proposing to require that V2V devices have a minimum of FIPS–140 Level 3 security protection. The agency also believes that, at a minimum, the following information shall be stored in FIPS–140 Level 3 storage:
  - All individual pseudonym certificates
  - RA, Intermediate CA, and PCA certificates
  - the RA address
  - system configuration files
  - security policies
  - Root CA certificate
  - Device Enrollment certificate
  - All system private keys
  - The System CRL
  - All unsent misbehavior reports

• The level of security requirements defined by FIPS–140 Level 3 is somewhat different than the historical regulatory authority approach exercised by NHTSA. NHTSA issues performance based requirements which can be found in the many safety standards issued and managed by the agency, although we can be specific in equipment requirements if it is necessary to meet a safety goal. Evaluating security protection ability does not necessarily conform to a performance requirement and compliance test paradigm followed by the agency. As such, NHTSA anticipates device compliance to be conducted by the agency through third party testing laboratories with expertise in confirming the appropriateness of device’s hardware security.

• NHTSA seeks comments on this approach (FIPS–140 Level 3 requirement) and on what constitutes tampering, applicable triggers for zeroisation, and how the triggers could be implemented such that routine vehicle maintenance activities can be accomplished without undue burden on the V2V device. The agency seeks comment on the proposed FIPS–140 Level 3 device security requirements. In specific, the agency seeks comment on the FIPS and CCP security approaches briefly described in this section and the pros/cons of each, potential compliance approaches including verification schema for information that should be contained in a functioning, secure device, and views on whether the proposed level of protection is sufficient for anticipated cybersecurity needs.

• Another approach that could address the more specific EOL OBE security exposure could be for the SCMS to establish a process and procedure by which responsible entities could notify the SCMS of end-of-life devices (entities that deal with old, junked, crashed or otherwise unusable vehicles that contain OBEs.) This would require the entity that determines the device is at its EOL be able to report to the security certificate information the SCMS would need to remove the device from the system by including the


device’s security credentials on the system ‘‘blacklist,’’ rendering the security information useless. This approach could pose challenges in practical application where the vehicle or device may not be operating properly. Secondly, enabling a method to obtain security information from a device could open up a potential security vulnerability that could be used by others to obtain security materials.

We request comments on whether a process approach can succeed and whether there may be other means to secure the on-unit security information.

(2) Potential Regulatory Text for Physical Security for SCMS-Based Message Authentication Proposal

The agency has included no proposed regulatory text to support the cybersecurity requirements discussed in the primary proposal for message authentication based on the SCMS. However, the agency expects that regulatory text in any final rule would include a provision requiring that V2V devices have a minimum security protection of FIPS–140 Level 3, as described above.

NHTSA seeks comments regarding the cybersecurity needs and requirements and how regulatory language could be crafted to appropriately express the requirements in terms that industry can implement and in terms by which performance can be objectively evaluated.

(3) Performance-Based Physical Security Alternative

The agency has included no proposed regulatory text to support the cybersecurity requirements discussed for a performance-based message authentication alternative. However, the agency expects that regulatory text in any final rule would include a provision requiring that V2V devices have a minimum security protection of FIPS–140 Level 3 for storage of cryptographic certificate, key, and other sensitive data. In addition, a V2V device connected to a vehicle data bus would need to incorporate isolation measures (firewalls) to prevent the V2V module from being a conduit allowing malicious outside actors to gain access to the vehicle data bus and other vehicle modules connected to the data bus.

(4) No Physical Security Alternative

The agency has included no proposed regulatory text to support the cybersecurity requirements discussed for a no message authentication alternative. However, the agency expects that regulatory text in any final rule would include a provision requiring that a V2V device connected to a vehicle data bus would need to incorporate isolation measures (firewalls) to prevent the V2V module from being a conduit allowing malicious outside actors to gain access to the vehicle data bus and other vehicle modules connected to the data bus.

(d) SCMS Cybersecurity Considerations

For the primary message authentication proposal, the SCMS provides key services and security. Key functions of the SCMS include:

• Communications with DSRC devices to transfer of security certificates,

• CRL maintenance and communications to the vehicles.

Section III.E.3.b) explained how security certificates are obtained, when and why certificates are changed, and how additional certificates would be requested and obtained. SCMS provides this service and uses encryption methods to facilitate secure communications to protect security information in transit.

CRLs are distributed to appropriate end-points in the same manner. The credentials and message encryption protect the communication between devices and the SCMS.

The security system of the SCMS is complex and intricate; due in part to privacy protection, therefore the agency requests comments regarding the cybersecurity viability of V2V security and invites comments concerning the relationship of V2V security to the larger vehicle security universe.

(e) Cybersecurity and V2V Message Content

While the security overlay of the V2V communications establishes confidence between authentic entities, the message content indicating the vehicle’s behavior is obtained from sensors (such as GPS) and vehicle data buses. It would be possible to manipulate the sources of data to the OBE, which could send a BSM message with inaccurate message content to its surrounding. In cases, the message could be constructed intelligently that could make the messages sent from that vehicle not correspond to the sending vehicle’s physical behavior.

Such manipulation could result in surrounding vehicles responding with warnings to the driver early on. The misbehavior detection mechanisms set out in this proposal are designed to detect the anomaly, however it is possible that specifically crafted messages could be delivered and accepted by safety applications.

In the case of the primary misbehavior detection proposal, the misbehaving sender would also hopefully be detected and the sender added to the CRL. However, it is important to examine what could happen if the message is not detected as misbehavior and the time period before the sending vehicle is added to CRL. OEMs treat V2V as a new sensor for the vehicle and applications designed using this message would assess the safety-risks associated with this sensing mechanism being wrong. Generally, warning systems imply less severity than active control. OEMs indicate that they would take safety-conscious approach, which would be different for different applications. They further indicate that for active control, they tend not to rely on any single sensor even in modern systems and expect that to be the same when V2V becomes available to get in the mix of their sensor suite. The impact of such malicious act would be limited vehicles within the communications range of the unit (∼1,000 ft).

The broader impact on GPS or timing spoofing/jamming may have similar impacts, or result in limited denial of service. Misbehavior detection is projected to help in such cases and could also help identifying and enforcing rules against jammers.

Given there has been more reports of GPS jammers being used,164 we seek information and comment regarding how industry is addressing the GPS jamming issue. Are there techniques to identify when GPS jamming is occurring? If the GPS signal is being jammed or spoofed, does industry have plans to notify the driver, and what will be the context of the notification? During GPS jamming, will industry suspend operation of systems that rely on GPS information?

164 See ‘‘GPS Under Attack as Crooks, Rogue Workers Wage Electronic War’’ at http://www.nbcnews.com/news/us-news/gps-under-attack-crooks-rogue-workers-wage-electronic-war-n618761 (last accessed Dec 7, 2016).

In addition, we solicit comment on whether our assessment of cybersecurity risks due to spoofed and potentially malicious BSM message data is reasonable. We also solicit input from OEMs and Suppliers on how they expect to handle potential single point failures associated with BSM signal contents. What risk-based criteria and process would be appropriate for V2V safety applications to help ensure the validity of the BSM message data received from other vehicles relative to vehicle-local sensor readings? If data from a vehicle’s onboard sensors suggest a different outcome as compared to data from an incoming BSM message, how


might V2V safety applications balance the trust on conflicting data? How should V2V safety applications handle a situation where incoming BSM message data is the only source of information available to make a safety decision? How does the nature of the systems’ planned reaction (warning vs nature of control) impact such a decision? What new vehicle sensors may be possible in the next 15–20 years that may significantly improve such sensor fusion and decision processes?

(f) Cybersecurity and Potential Malware

One of the cybersecurity risks that needs to be considered is whether V2V communications could be used to insert malware to the OBE, unexpectedly change configuration, or result in unwanted behavior. Since the V2V channel will be mandated on all new cars, this medium would likely become one of the dominant wireless access points on the vehicle fleet in the field over time.

Further, it should be considered that, since the V2V protocol is based on broadcast and listen methodology, and does not establish networks between participating units the way a traditional network protocol does. Instead, communications takes place through a well-defined BSM message structure.

• It is well established that many software and hardware vulnerabilities occur at the communications interfaces of systems. Security of the interfaces must be the highest priority when developing a system. Therefore, we believe that implemented systems should provide adequate controls to prevent malformed, incomplete or erroneous messages that do not fit the specifications to pass to the OBE.

• The DARPA HACMS program has shown that formal verification can be used to mathematically prove the correctness of systems or interfaces. Formal verification uses mathematical techniques to formalize software as a mathematical proposition to be proved. While testing provides incomplete evidence of correctness, a proof guarantees correctness of the system. In an active project, we are pursuing the development of a formally verified reference parser for the V2V communication interfaces that could provide the industry guidance on one way to ensure that only expected range of BSM Part 1 and Part 2 would be accepted by the OBE. While we do not anticipate requiring the use of a formally verified parser, we expect that industry will pay attention and utilize such tools or other means to ensure that common communication interface vulnerabilities do not exist in implemented V2V units.

• NHTSA also anticipates pursuing fuzz-testing of production-level implementations of V2V hardware with and without the use of a formally verified parser. We also intend to develop a framework of test protocols and message sets that manufacturers could use to test their implementations.

• We reemphasize the importance of securing the V2V communication channel. If the V2V interface is not properly secured (whether by design or in implementation), we need to consider the possibility of a ‘‘worm’’ 165 type malware where the malware could potentially self-replicate and propagate in an epidemic manner to other systems with the similar vulnerability (e.g. systems from the same manufacturer) that come into communications range. The potential imminent-safety impact of such malware would depend on many factors and most certainly depend on how the vehicle databus interfaces are designed. Even if the impact may not be safety-critical, this risk could potentially lead to large scale denial of service for the mandated V2V technology. The manufacturers should plan for detection and rapid remediation methods to address such issues. This need is similar for other wireless channels. For example, in the 2014 hacking of a Fiat-Chrysler vehicle,166 which led to eventual recall 167 of approximately 1.5 million vehicles, the researchers documented that they could have designed a vehicle worm for the cellular communication based vulnerability in that particular case.

165 Worm refers to a standalone malware that replicates itself in order to spread to other systems.

166 ‘‘Remote Exploitation of an Unaltered Passenger Vehicle’’, Charlie Miller and Chris Valasek. Page 48. Available at http://illmatics.com/Remote%20Car%20Hacking.pdf (last accessed Dec. 7, 2016).

167 NHTSA Recall Campaign Number: 15V461000.

We solicit input on whether the overall need for rapid remediation methodologies would imply different requirements for the V2V communication interfaces as opposed to others (such as cellular, , Wi-Fi). Further, we solicit comment that exploitation of a potential vulnerability in the V2V OBE does not immediately imply safety-critical system compromise.

The cybersecurity environment changes continually and at times rapidly. Capabilities designed into systems should take the whole lifecycle of the vehicle into account and provide for rapid response methods to potential incidents in the field. These methods could take various forms but should consider both the issue containment and practical remediation needs.

Generally, the first important step is having a method to identify cybersecurity issues and share them with the broader . We and the industry believe that the Automotive Information Sharing and Analysis Center (Auto ISAC) established in 2015 will have a major role in this respect. We anticipate that V2V related intelligence sharing through Auto-ISAC will accelerate the identification of issues and remediation actions. As part of this process, it should be foreseen that various aspects of the V2V design may need updates over the life of systems in the field, such as:

• Security certificates and protocols,

• Misbehavior detection algorithms and policies

• CRL contents and policies

• Device firmware

In the case of primary message authentication approach, the SCMS can update certificate and security protocols that are inputs to each device, but the actual software that performs the security management for different devices can and will be implemented differently by different manufacturers. Each device supplier will need to manage handling of potentially required security updates. It is likely that there will need to be coordination among the SCMS and various devices suppliers to facilitate such updates. It may be the SCMS through the Misbehavior Authority that identifies the need for an update and communicates this to suppliers so that updates can be prepared.

There are many methods by which updates can be implemented. As seen with the different kind of devices that exist today, like tablets/iPads, there are various options and issues. Automated updates to computer systems can be implemented wired or wirelessly. Some of the updates; however, require consent; that screen that asks if you agree to the terms related to the update that may go on for pages. Some methods (personally updating device firmware) require technology savvy that many consumers do not possess. Others require owners bringing their cars to dealers, which are not often followed well.168 The growing trend is towards building in capabilities for remote software updates.

168 According to online Web site Autotrader, the recall completion rate in 2015 was approximately 48 percent, down from 56 percent in 2014.
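The interface control discussed in subsection (f), where only well-formed messages within their expected ranges are passed on to the OBE, can be sketched as a strict parser. This is an added example, not code from NHTSA or from the reference-parser project; the fixed-width layout, field names, units and limits are assumptions made for illustration (real BSMs are ASN.1 encoded).

```python
import struct

# Constructed fixed-width layout, for illustration only. Real BSMs are ASN.1
# encoded; these field names, units and limits are assumptions of the example.
_LAYOUT = struct.Struct(">B4sHiiHH")  # 19 bytes, big-endian, no padding
_FIELDS = ("msg_count", "temp_id", "sec_mark_ms", "lat_e7", "lon_e7",
           "speed_u", "heading_u")
# Inclusive ranges the receiver is willing to accept for each numeric field.
_RANGES = {
    "msg_count": (0, 127),
    "sec_mark_ms": (0, 59_999),
    "lat_e7": (-900_000_000, 900_000_000),      # 1e-7 degree units
    "lon_e7": (-1_800_000_000, 1_800_000_000),  # 1e-7 degree units
    "speed_u": (0, 8_190),                      # assumed 0.02 m/s units
    "heading_u": (0, 28_799),                   # assumed 0.0125 degree units
}


class RejectedMessage(ValueError):
    """Raised for any frame that does not fit the expected structure."""


def parse_core(frame):
    """Return all decoded fields, or raise RejectedMessage. Never partial."""
    if not isinstance(frame, (bytes, bytearray)):
        raise RejectedMessage("frame is not a byte string")
    # Exact-length check rejects truncated frames and frames with trailing data.
    if len(frame) != _LAYOUT.size:
        raise RejectedMessage(f"length {len(frame)} != {_LAYOUT.size}")
    fields = dict(zip(_FIELDS, _LAYOUT.unpack(bytes(frame))))
    for name, (low, high) in _RANGES.items():
        if not low <= fields[name] <= high:
            raise RejectedMessage(f"{name}={fields[name]} outside [{low}, {high}]")
    return fields


def filter_frames(frames):
    """Split received frames into accepted messages and rejection reasons."""
    accepted, rejected = [], []
    for index, frame in enumerate(frames):
        try:
            accepted.append(parse_core(frame))
        except RejectedMessage as exc:
            rejected.append((index, str(exc)))
    return accepted, rejected


# Constructed sample input: one well-formed frame and four that must be dropped.
_ID = b"\x01\x02\x03\x04"
_GOOD = _LAYOUT.pack(5, _ID, 31_000, 422_000_000, -837_000_000, 1_250, 7_200)
SAMPLE_FRAMES = [
    _GOOD,
    _GOOD[:-3],                                   # incomplete frame
    _GOOD + b"\x00\x00",                          # trailing bytes
    _LAYOUT.pack(5, _ID, 31_000, 910_000_000, -837_000_000, 1_250, 7_200),   # latitude > 90 degrees
    _LAYOUT.pack(200, _ID, 31_000, 422_000_000, -837_000_000, 1_250, 7_200),  # counter out of range
]

if __name__ == "__main__":
    ok, bad = filter_frames(SAMPLE_FRAMES)
    print(f"accepted {len(ok)} frame(s)")
    for index, reason in bad:
        print(f"rejected frame {index}: {reason}")
```

The same sample list can seed a fuzzing corpus: every mutated frame must either decode to in-range fields or raise `RejectedMessage`, and nothing else.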


According to a study released by IHS in September of 2015,169 OEMs are going to begin implementing software updates over-the-air (OTA); similar to how smart phones are updated currently. In fact the study estimated that software-related repair might soon be able to be wirelessly installed on the vehicle without the owner ever leaving home.

169 ‘‘Over-the-air Software Updates to Create Boon for Automotive Market, IHS Says’’ at http://press.ihs.com/press-release/automotive/over-air-software-updates-create-boon-automotive-market-ihs-says (last accessed: Dec. 7, 2016).

Japanese OEMs pioneered navigation map updates in Japan via their systems. BMW, VW, and Tesla have announced OTA procedures for updating navigation maps. In fact, both Tesla and BMW have already documented utilizing OTA updates to fix security issues onboard their vehicles.

With new vehicles having more connectivity with the Internet and other wireless media, IIHS is predicting that upwards of 160 million cars will partake of OTA updates globally by 2022. In fact many of these may already be available to cars now. XM radios can potentially be utilized to download OTA updates to vehicles and in fact are pre-installed on upwards of 70 percent of all new light vehicles. services, as well as onboard Wi-Fi units are penetrating further into the vehicle fleet as well.

Given that V2V operational and security software may need to be updated securely and widely while systems are in service, it may be unreasonable to expect that non-OTA software updates may have the desired impact and effectiveness (based on experiences in non-OTA domains for recalls). As such, NHTSA is soliciting feedback on whether it should consider requiring that V2V enabled vehicles have built-in OTA capability to have critical software updates, and seeks comment on the practicability of requiring this in future vehicles. NHTSA also solicits feedback on whether vehicle owners should be given the option to decline critical security updates.

In addition, there will be situations when a security vulnerability may be known to NHTSA and manufacturers but not all V2V-equipped vehicles will have installed the patches or updates to mitigate the flaw. During this period, vehicles in the fleet may be vulnerable until the patch or update is installed. NHTSA is seeking comment on how this period of vulnerability should be managed, the time period over which updates or patches should be installed, how the number of patched and unpatched vehicles should be measured to determine patch adoption, and how to manage the situation when vehicles do not receive patches or users refuse to accept or agree to the update.

(g) Enforcement Mechanisms

The National Highway Traffic Safety Administration (NHTSA), under the U.S. Department of Transportation, is the U.S. government agency that was established to carry out safety programs under the National Traffic and Motor Vehicle Safety Act of 1966, re-codified as Title 49 U.S.C. Chapter 301, Motor Vehicle Safety (the Vehicle Safety Act). Under that authority, NHTSA issues and enforces Federal motor vehicle safety standards (FMVSS) that apply to motor vehicles and to certain items of motor vehicle equipment. Associated regulations are found in Title 49 of the Code of Federal Regulations (CFR), Parts 500–599.

The Vehicle Safety Act requires that motor vehicles and regulated items of motor vehicle equipment as originally manufactured for sale in the United States be certified to comply with all applicable FMVSS. NHTSA does not play any part of the certification process. NHTSA does not approve any motor vehicles or motor vehicle equipment as complying with applicable FMVSS. Instead, under 49 U.S.C. 30115, each vehicle manufacturer and equipment manufacturer is ultimately responsible for certifying that its vehicles and equipment comply with all applicable FMVSS.

When establishing the FMVSS, NHTSA must ensure requirements are practicable, meet the need for motor vehicle safety, and are stated in objective terms. Each FMVSS specifies the minimum performance requirements and the objective test procedures needed by the agency to determine product compliance with those requirements.

The Office of Vehicle Safety Compliance (OVSC) is the office within NHTSA’s Enforcement Division that is responsible for compliance verification testing. OVSC funds independent test laboratories throughout the United States to execute the verification tests. The verification tests are not certification tests since the vehicle manufacturers are ultimately responsible for vehicle certification, but are used to verify that tested motor vehicles appear to meet the requirements of the FMVSS. OVSC utilizes the test procedures specified in each FMVSS as the basis for developing a more detailed test procedure that includes test conditions, set-ups, test equipment, step-by-step test execution, and data tables. Each funded test laboratory is required to utilize the OVSC test procedure to establish even more detailed test procedures with step-by-step approaches documented including check-off lists and data tables.

In most cases, when OVSC and a contracted test laboratory perform FMVSS tests, the test vehicle appears to meet the requirements of the applicable standard; however, in some instances, test failures are identified. When an apparent test failure is identified, the following steps will be followed by OVSC to resolve the possible noncompliance.

• The contracted test laboratory notifies OVSC of any potential test failure.

• The test laboratory verifies that the test procedure was executed exactly as required and that all laboratory test equipment utilized has up-to-date calibration information attached.

• The test laboratory provides detailed test results to OVSC for evaluation.

• The laboratory may be directed to recalibrate any critical test equipment to ensure proper operation.

• The vehicle manufacturer is notified of the test failure and the test data is shared.

• OVSC requests the manufacturer provide documentation and its basis for certification.

• The vehicle manufacturer may choose to conduct additional internal testing to gather additional data for evaluation.

• Meetings will be held as required with test laboratory and vehicle manufacturer personnel to identify test execution related problem or possible vehicle noncompliance.

• Additional verification tests on same vehicle or identical vehicle may be executed to validate test results.

• If noncompliance is identified and confirmed by vehicle manufacturer, the manufacturer is required to submit a 49 CFR part 573 report of noncompliance report within five working days after a noncompliance has been determined.

• The manufacturer will work with NHTSA to ensure a fix has been developed to correct the identified noncompliance.

• Follow-up tests may be executed to verify the fix does in fact correct the problem.

• The vehicle manufacturer will work with NHTSA to ensure no new noncomplying vehicles are sold and that the vehicles on the road are recalled to fix the confirmed noncompliance.

The above steps are not necessarily in the exact order they may occur based upon the type of test failure and because


many of the steps are occurring simultaneously. Furthermore, the actual steps required to resolve any potential test failure will be predicated on the technical attributes of the failure and the difficulties associated with the ultimate resolution of the problem.

(h) Compliance Test Procedures

To ensure that light vehicles equipped with a V2V communications system, On Board Equipment (OBE), is interoperable and compliant with the minimum performance requirements, the regulatory text of this proposal includes static, dynamic, and simulated performance tests. These tests have the potential for evaluating the performance of the V2V Radios and verifying the accuracy of the Basic Safety Message (BSM) safety message, Part I.

Overall, we anticipate devices being tested will be instrumented with independent measurement sensors, devices, and a data acquisition system (DAS) in order to collect V2V system data. The independent measurement equipment will collect Differential Global Positioning System (DGPS) information, vehicle speed, vehicle 3-axis accelerations, vehicle yaw rate, vehicle systems status information, and radio performance data.

IV. Public Acceptance, Privacy and Security

A. Importance of Public Acceptance To Establishing the V2V System

In the Readiness Report, NHTSA extensively discussed the importance of consumer acceptance to the success of V2V, given that as a cooperative system that benefits from network effects, V2V depends on drivers’ willingness to participate. V2V needs vehicles to be equipped in order to broadcast messages that other vehicles can ‘‘hear,’’ but in order for equipped vehicles to join the roads, consumers must be willing to recognize the benefits of a V2V system and support its adoption by the U.S. vehicle fleet via the purchase of the new, equipped vehicles, or by adding V2V capability to their existing vehicles through aftermarket devices. Thus, consumers must want V2V in order for V2V to reach its full potential. If consumers avoid the technology for some reason, it will take longer to achieve the network effect, and safety benefits will be slower to accrue.

Additionally, the courts have determined that public acceptance of a mandated technology is necessary to ensure that the mandate fulfills the requirements of the Safety Act. As discussed further in Section V.C below, if the public rejects a technology that the agency has required for new vehicles, the courts have found that the standard may neither be practicable nor meet the need for safety in the absence of public acceptance. If vehicle manufacturers literally cannot sell V2V-equipped vehicles because consumers en masse refuse to buy them, then it is possible that a court would conclude that the standard was not consistent with the Safety Act.

NHTSA must therefore consider the potential elements of a V2V requirement that may affect public acceptance, and do what we can to address them, both through carefully considering how we develop the mandate, and through consumer education to improve understanding of what the technology does and does not do. Additionally, we expect, simultaneously, that vehicle manufacturers subject to the eventual mandate will likewise work to improve public understanding of the benefits of V2V, boosting consumer acceptance overall. We also seek comment on the extent to which an if-equipped approach potentially may alleviate some consumer acceptance concerns.

B. Elements That Can Affect Public Acceptance in the V2V Context

Based on our review of the research conducted so far and the responses to the ANPRM and Readiness Report, NHTSA believes that the several elements of the V2V system discussed below may affect public acceptance.

1. False Positives

A ‘‘false positive’’ occurs when a warning is issued to a driver and the warning is unnecessary (or when the driver believes the warning is unnecessary), because there is no immediate safety risk that the driver has not already accounted for. False positives can startle and, if there are too many, annoy a driver, causing drivers to possibly lose confidence in the system’s ability to warn them properly of danger and desire to have the warning disabled; reducing overall system benefits. If the driver does not notice immediately that a false positive is in fact false, the driver might carry out an unnecessary evasive maneuver, potentially increasing the risk of an accident.

In the SPMD, we initially saw fairly high numbers of false positive warnings for some V2V applications.170 Further analysis indicated this was due largely to the fact that the safety applications under evaluation were still prototypes. Part of the goal of the SPMD was to provide vehicle manufacturers with the opportunity to gain real-world experience with V2V safety applications; providing the opportunity to improve their ‘‘tuning’’ to maximize safety while minimizing false positives. Driver complaints, particularly regarding IMA warnings triggered by cloverleaf highway on-ramps and elevated roads that crossed over other roadways, led manufacturers to adjust the safety applications to accommodate these originally-unexpected ‘‘warning’’ conditions. The SPMD experience proved that these adjustments significantly reduced false positive warnings for this application.

170 See, e.g., Nodine et al., ‘‘Independent Evaluation of Light-Vehicle Safety Applications Based on Vehicle-to-Vehicle Communications Used in the 2012–2013 Safety Pilot Model Deployment,’’ USDOT Volpe Center, DOT HS 812 222, December 2015, Section 5.1. Available at Docket NHTSA–2016–0126.

At this time, NHTSA cannot account preemptively for the possibility of future false positive warnings. Given that we are only proposing today to mandate V2V transmission capability and are not yet requiring specific safety applications, we are not developing requirements for how safety applications must perform, and we recognize that doing so would be a significant undertaking. We do expect, however, that manufacturers will voluntarily develop and install safety applications once V2V communications capability is required available. As with existing advanced crash avoidance systems and as in the SPMD, we expect manufacturers to address false positive issues that arise in use in order to improve customer satisfaction. Because false positive issues with V2V-based safety applications are typically a software issue rather than a hardware issue, manufacturers may even be able to solve by deploying solutions to such problems through over-the-air software updates, rather than requiring vehicles to be brought in for adjustment. Data from the SPMD suggests that it is possible to reduce false positives in production safety applications and thus we believe it should not pose a significant public acceptance issue for V2V. Additionally, if NHTSA determines in the future that false positives in the field create an unreasonable risk to safety, NHTSA could pursue remedies for them through its enforcement authority.

2. Privacy

If consumers fear that V2V communications will allow their movements to be ‘‘tracked,’’ either for government or private purposes, and that such information could be used to their detriment, they may avoid buying new cars with V2V systems installed, or attempt to disable the V2V systems in


their own vehicles. Concerns about privacy directly implicate consumer acceptance. For this reason, in addition to NHTSA’s obligation under federal privacy law to identify the privacy impacts stemming from its regulatory activities,171 the Agency also must consider consumer privacy carefully in our development of V2V requirements. For example, as discussed above, SAE J2735 BSM specification contains a series of optional data elements, such as vehicle identification number (VIN), intended to be broadcast as part of the V2V transmission that enables safety applications. Because the Agency has determined that transmission of VIN and other information that directly identifies a specific vehicle or its driver or owner could create significant privacy risks for private consumers, this proposal contains performance requirements that exclude from the BSM such explicitly identifying data. The Agency also is concerned that other data elements in the BSM potentially could be used to identify specific individuals when combined over time and with data sources outside of the V2V system. For this reason, we have proposed a more general exclusion of ‘‘reasonably linkable’’ data elements from the BSM to minimize consumer privacy risk that could result from associating BSMs with specific individuals. We discuss our privacy risk analysis in more detail in Sections IV.C and IV.D, and in the draft PIA published concurrent with this NPRM.

NHTSA expects manufacturers to pursue a privacy positive approach to implementing the proposed V2V requirements. In furtherance of the Fair Information Practice Principles (FIPPs), especially those of transparency and notice, we have developed a draft privacy statement that we will require manufacturers to provide to consumers, included in the regulatory text below. In order to ensure effective notice, we intend for manufacturers to provide this statement to consumers in understandable, accessible formats and at multiple easily identifiable locations and times, including but not limited to the time of sale. We seek comment from the public on the most effective time and means of providing such multi-layered notice to individuals purchasing new and used vehicles with V2V systems. We note that the industry has developed a set of voluntary privacy principles for vehicle technologies and services, which have been accepted by members of both the Alliance and Global Automakers, covering the significant majority of motor vehicle manufacturers.172 We also seek comment from the public on how these principles would apply to V2V communications, as detailed in this NPRM, and the extent to which application of these voluntary minimum principles in the V2V context would provide adequate notice and transparency to consumers.

To date, vehicle technologies that have raised privacy concerns for consumers have been ‘‘opt-in,’’ meaning that either consumers expressly agree to the use of these technologies in their vehicles (and thereby provide explicit consent) or consumers purchase vehicles containing technologies not mandated by NHTSA (and thereby, arguably, provide implicit consent). V2V presents a somewhat different situation, as we are proposing that at least 50 percent of new vehicles will be required to have V2V devices starting in model year 2021. Since this would be a mandated technology, consumer choice will be limited to the decision of whether or not to purchase a new car (all of which eventually would contain V2V technology, if mandated). From a privacy perspective, such implicit consent is not an optimal implementation of the FIPPs principle of consumer choice. However, as discussed below in Section VI.C., the agency has determined that there are no viable alternatives to a mandate of V2V technology. In the agency’s view, the absence of consumer choice is required to achieve safety in the V2V context, increasing the significance of ensuring that industry deploys V2V technology in a privacy positive, transparent manner and provides consumers with effective, multi-layered privacy notice.

Consumers who are privacy-sensitive tend to feel more strongly when the government is mandating something that creates potential privacy risks to individuals, as compared to when they voluntarily choose whether to purchase and use such technology. NHTSA and vehicle manufacturers will continue to work to ensure that V2V does not create the type of privacy impacts frequently raised in comments, and will need to educate consumers about the potential privacy impacts and privacy-enhancing controls designed into the V2V system. That said, NHTSA seeks comment on the extent to which an if-equipped approach potentially may provide consumers with more of a choice to ‘‘opt in’’ to V2V technology—or whether, if mandated, consumers should be provided an ‘‘opt out’’ option for privacy reasons.

3. Hacking (Cybersecurity)

If consumers fear that V2V will allow wrongdoers to break into their vehicle’s computerized systems and take control of vehicle operation, then, as with privacy concerns, they may avoid purchasing new vehicles equipped with V2V or attempt to remove already-installed V2V in their own vehicles. This fear is really a two-part concern: (1) That V2V equipment can be ‘‘hacked,’’ and (2) that if V2V equipment can be hacked, the consumer’s safety may be at risk.

Regarding the concern that V2V equipment can be hacked, as discussed in much more detail in Section III.E.7 above, counter measures have been identified using a risk-based approach to determine the types of threats and risks to the equipment that may occur. We are proposing to require additional hardening of the on-board V2V equipment beyond normal automotive-grade specifications to help reduce the chance of physical compromise of V2V. In addition we have included alternatives for message authentication and misbehavior reporting to solicit comment regarding further reduction of cybersecurity risk in V2V message exchange. We seek comment on what additional requirements, if any, we might consider adding to the standard to mitigate infiltration risk yet further. If commenters believe additional steps are needed, we ask that they describe the protection mechanism and/or approach as fully as possible, and also provide cost information to accomplish them—or whether, if mandated, consumers should be provided an option to disable V2V for cybersecurity reasons.

Regarding the concern that V2V equipment, if hacked, can create a safety risk, NHTSA expects manufacturers to ensure that vehicle systems take appropriate safe steps to the maximum extent possible, even when an attack may be successful.173 These can include protective/preventive measures and techniques like isolation of safety-critical control systems networks or encryption and other hardware and software solutions that lower the likelihood of a successful hack and diminish the potential impact of a successful hack; real-time intrusion

171 Section 522 of the Consolidated Appropriations Act, 2005, Public Law 108–447.

172 ‘‘PRIVACY PRINCIPLES FOR VEHICLE TECHNOLOGIES AND SERVICES’’ available at http://www.autoalliance.org/?objectid=865F3AC0-68FD-11E4-866D000C296BA163 (last accessed Dec. 7, 2016).

173 Additional information about NHTSA’s approach to automotive cybersecurity is available at http://www.nhtsa.gov/About+NHTSA/Speeches,+Press+Events+&+Testimonies/NHTSA+and+Vehicle+Cybersecurity (last accessed Sept. 23, 2015).


detection measures that continually monitor signatures of potential intrusions in the electronic system architecture; real-time response methods that mitigate the potential adverse effects of a successful hack, preserving to the extent possible the driver’s ability to control the vehicle; and information sharing and analysis of successful hacks by affected parties, development of a fix, and dissemination of the fix to all relevant stakeholders. In July 2015, in response to NHTSA’s challenge, the auto industry created an Information Sharing and Analysis Center (‘‘ISAC’’) to help the industry proactively and uniformly address cybersecurity threats, and we would expect that such a body could be a useful forum for addressing V2V-related security risks, if any. A number of auto manufacturers are also rapidly ramping up internal teams to identify and address cybersecurity risks associated with new technologies.174

In March 2014, researchers from Galois, Inc. issued a white paper with specific recommendations for reducing security risk associated with V2V communications, which they stated would ‘‘automatically rule out a whole class of security vulnerabilities’’ at low cost with known technologies.175 The recommendations were as follows:

• All legal inputs shall be specified precisely using a grammar. Inputs shall only represent data, not computation, and all data types shall be unambiguous (i.e., not machine-dependent). Maximum sizes shall be specified to help reduce denial-of-service and overflow attacks.
• Every input shall be checked to confirm that it conforms to the input specification. Interface messages shall be traceable to mission-critical functionality. Non-required messages should be rejected.
• Parsers and serializers shall be generated, not hand-written, to ensure they do not themselves introduce any security vulnerabilities. Evidence should be provided that
  ◦ parse(serialize(m)) = m, for all messages m, and
  ◦ parse(i) = REJECT, for all non-valid inputs i.
• Fuzz testing shall be used to demonstrate that implementations are resilient to malicious inputs.
• A standardized crypto solution such as AES–GCM shall be used to ensure confidentiality, integrity, and the impossibility of replay attacks.

DARPA staff, in discussing V2V cybersecurity issues with DOT researchers, recommended these techniques be included in any V2V requirements going. NHTSA seeks comment on whether these specific techniques should be incorporated into the proposed FMVSS requirements, and if so, how; alternatively, NHTSA seeks comment on whether these techniques should be incorporated prior to vehicle manufacturer certification with the FMVSS, and if so, how, and how NHTSA would verify their incorporation.

4. Health

As discussed in more detail below in Section IV.E, a number of individual citizens commented to the ANPRM and Readiness Report that they were concerned about what they believed to be potentially negative health effects that could result from a DSRC mandate. As discussed in Section IV.E below, NHTSA has considered this issue carefully, and whether there are ways to mitigate these concerns without obviating the very real safety benefits that a V2V mandate will enable. We believe that consumer education, undertaken both by the Federal government and by vehicle manufacturers, may help to alleviate some of these concerns.

5. Research Conducted on Consumer Acceptance Issues

Working with Booz Allen Hamilton, NHTSA has conducted additional research on consumer acceptance issues since the ANPRM and Readiness Report. The objective of the research was to conduct both qualitative and quantitative research to broaden our understanding of consumers’ acceptance of V2V technology and to inform future outreach and communication efforts to the public. The qualitative phase included focus groups held in Spring of 2015. Focus group participants were shown a brief video on what V2V communications are, how they work, and how they contribute to vehicle safety, and then asked to discuss a series of questions about the technology, their understanding of it and interest in it, and benefits and drawbacks. Overall, on a scale of 1 to 10, the majority of focus group participants rated their interest in V2V as a 5 or higher for the next car. However, participants also expressed concern that the technology would not be effective if it were not universally adopted, and that over-reliance on or distraction by V2V warnings could cause drivers to become less attentive and increase risk. Although most focus group participants believed that V2V would allow drivers to be tracked, few were concerned with the privacy implications of tracking.176

Following the conclusion of the focus groups and analysis of their findings, a survey was developed for online quantitative testing to examine these issues further. The survey was conducted by Ipsos, under contract to BAH. The survey sought to evaluate several objectives:

• What is the degree of public acceptance of V2V?
• What proportion of people are concerned about each barrier? How much importance is attached to that concern?
• What proportion of people agree with the potential benefits of V2V? How much importance is attached to that benefit?
• How does the population differ on the above viewpoints (age, gender, urbanicity, etc.)?
• What are predictors of acceptance of V2V technology (age, gender, urbanicity, etc.)?

Over 1,500 people responded to the survey, and the sample was matched to the target population on age, gender, ethnicity, income, and region. Respondents viewed a brief informational video about V2V, and then answered 35 questions. Approximately half of respondents were interested in having V2V in their next car, with ‘‘accepters’’ tending to be male, older, urban, and more educated. All responses had a margin of error of ±2.5 percent.

In terms of barriers or concerns, 69 percent of respondents believed that V2V would encourage other drivers to be too reliant and less attentive to the driving task, and over 50 percent expressed concern about cybersecurity and the need for enough vehicles to be equipped for the benefits to accrue. Between 30 and 40 percent expressed concern about tracking by the government or law enforcement and about the risk that they themselves could become too reliant and inattentive to driving. Only 20 percent expressed concern about health risk from electromagnetic activity. Of those concerns, however, some were deemed

174 See, e.g., King, Rachel, ‘‘GM Grapples with Big Data, Cybersecurity in Vehicle Broadband Connections,’’ Wall Street Journal, Feb. 10, 2015. Available at http://blogs.wsj.com/cio/2015/02/10/gm-grapples-with-big-data-cybersecurity-in-vehicle-broadband-connections/ (last accessed Dec 7, 2016).

175 See Launchbury, John, Dylan McNamee, and Lee Pike, Galois Inc., ‘‘A Technique for Secure Vehicle-to-Vehicle Communication,’’ Mar. 9, 2014. Available at http://galois.com/wp-content/uploads/2014/07/whitepaper_SecureInterfaces.pdf (last accessed Dec 7, 2016).

176 ‘‘Vehicle to Vehicle Crash Avoidance Safety Technology: Public Acceptance Final Report’’ December, 2015. Available at Docket No. NHTSA–2016–0126
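The input-handling recommendations from the Galois white paper quoted in Section IV.B.3 (footnote 175) can be exercised as follows. This is an added example, not code from NHTSA, Galois, or SAE: the 14-byte message layout, field names, and ranges are constructed for illustration and are not the SAE J2735 BSM encoding, and a single declarative table stands in for a generated parser and serializer. The AES–GCM recommendation is outside what this example covers.

```python
import random
import struct


class Reject(Exception):
    """Raised for every input that does not conform to the specification."""


# Constructed layout for illustration only; this is NOT the SAE J2735 BSM encoding.
# One table drives both directions: (field name, struct code, minimum, maximum).
# Big-endian fixed-width integers keep the encoding machine-independent and give
# every message the same, known maximum size.
MSG_TYPE_POSITION = 0x01  # the only message type this interface requires
SPEC = (
    ("msg_type", "B", MSG_TYPE_POSITION, MSG_TYPE_POSITION),
    ("msg_count", "B", 0, 127),
    ("lat_e7", "i", -900_000_000, 900_000_000),        # degrees * 1e7
    ("lon_e7", "i", -1_800_000_000, 1_800_000_000),    # degrees * 1e7
    ("speed_cms", "H", 0, 16_383),                     # centimetres per second
    ("heading_cd", "H", 0, 35_999),                    # hundredths of a degree
)
_LAYOUT = struct.Struct(">" + "".join(code for _, code, _, _ in SPEC))
FRAME_SIZE = _LAYOUT.size  # 14 bytes


def _check_fields(values):
    """Apply the per-field range rules from SPEC; raise Reject on any violation."""
    for (name, _, low, high), value in zip(SPEC, values):
        if type(value) is not int or not low <= value <= high:
            raise Reject(f"{name} outside specification")


def serialize(message):
    """Encode a message dict; refuses messages the grammar does not describe."""
    if not isinstance(message, dict) or set(message) != {name for name, *_ in SPEC}:
        raise Reject("unexpected or missing field")
    values = [message[name] for name, *_ in SPEC]
    _check_fields(values)
    return _LAYOUT.pack(*values)


def parse(data):
    """Decode one frame, or raise Reject. The size is checked before unpacking."""
    if not isinstance(data, (bytes, bytearray)) or len(data) != FRAME_SIZE:
        raise Reject("wrong type or size")
    values = _LAYOUT.unpack(bytes(data))
    _check_fields(values)
    return {name: value for (name, *_), value in zip(SPEC, values)}


def random_message(rng):
    """Draw a message uniformly from the ranges in SPEC."""
    return {name: rng.randint(low, high) for name, _, low, high in SPEC}


def check_round_trip(trials, seed=0):
    """Property 1: parse(serialize(m)) == m for every valid m tried."""
    rng = random.Random(seed)
    for _ in range(trials):
        message = random_message(rng)
        if parse(serialize(message)) != message:
            raise AssertionError(f"round trip failed for {message}")
    return trials


def _mutate(frame, rng):
    """Produce a fuzz input: bit flip, truncation, extension, or random bytes."""
    data = bytearray(frame)
    kind = rng.randrange(4)
    if kind == 0:
        data[rng.randrange(len(data))] ^= 1 << rng.randrange(8)
    elif kind == 1:
        del data[rng.randrange(len(data)):]
    elif kind == 2:
        data += bytes(rng.randrange(256) for _ in range(rng.randrange(1, 64)))
    else:
        data = bytearray(rng.randrange(256) for _ in range(FRAME_SIZE))
    return bytes(data)


def fuzz(trials, seed=0):
    """Property 2: every input is either rejected or is exactly a valid encoding.

    Any exception other than Reject propagates and fails the run.
    """
    rng = random.Random(seed)
    counts = {"accepted": 0, "rejected": 0}
    for _ in range(trials):
        candidate = _mutate(serialize(random_message(rng)), rng)
        try:
            message = parse(candidate)
        except Reject:
            counts["rejected"] += 1
            continue
        if serialize(message) != candidate:  # accepted input must be canonical
            raise AssertionError(f"non-canonical input accepted: {candidate.hex()}")
        counts["accepted"] += 1
    return counts


if __name__ == "__main__":
    print(check_round_trip(1000), fuzz(5000))
```

Because every field is fixed-width and range-checked, a mutated frame that still parses is by construction a valid encoding of some message, which is why the fuzz loop can insist that re-serializing it reproduces the input byte for byte.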


more important than others (that is, simply because respondents identified a risk, did not necessarily mean that they considered it an important risk). Respondents viewed law enforcement and government tracking as less important, but cybersecurity, other drivers’ inattentiveness, and health risks as more important, when they were concerned about them.

In terms of benefits of V2V, 55 percent of respondents believed that V2V would reduce the number and severity of vehicle crashes, 53 percent believed that it would make driving more convenient and efficient, and 50 percent believed that V2V could lower insurance rates. As for barriers, respondents tended to believe that benefits for others would be somewhat greater than the benefits that they themselves would experience. Importance did not vary as much for benefits as it did for barriers.

In terms of how opinions about benefits and barriers correspond to whether a respondent wanted V2V in their next car, the survey results found that, on balance, all respondents were concerned about barriers, but ‘‘accepters’’ of V2V rated the benefits more highly. When asked how much they would be willing to pay for V2V, 78 percent of respondents were willing to pay less than $200.

Based on the research conducted thus far and assuming that the survey respondents are, as intended, reasonably representative of the nation as a whole, it appears that while there may be work yet for the agency and manufacturers to do in order to reassure consumers of V2V’s benefits, there may not be a sufficient public acceptance problem that an FMVSS requiring V2V communications in new vehicles would face clear legal risk on that issue. NHTSA intends to continue researching approaches to consumer outreach on V2V and will work with industry and other relevant stakeholders in doing so. We seek comment on what the agency should consider in developing those approaches to best ensure the success of a future V2V system.

6. User Flexibilities for Participation in System

In the ANPRM, we sought comment on whether there were any issues relating to consumer acceptance that the agency had not yet considered, and asked how the agency should consider them for the NPRM. In response, a number of individual commenters expressed concern that they experience extreme sensitivity to electromagnetic radiation, and that therefore DSRC should not be mandated, or that if it was mandated, that the agency should allow drivers to disable it. Health issues raised in comments are covered below in Section IV.E, but the question of whether the agency should require or permit an ‘‘off switch’’ for V2V communications arose when commenters suggested it as a way to mitigate concerns over health effects. A handful of other individual commenters stated that the agency should allow drivers to turn off DSRC for privacy or security reasons, out of concern that DSRC transmissions could allow their movements to be tracked, or that the device could be hacked by malicious third parties to obtain personal information about the driver. A number of individual commenters raising these concerns about health or tracking suggested that they would attempt to disable V2V in their vehicles, or only purchase older vehicles without V2V.

While NHTSA had asked in the ANPRM whether commenters had thoughts regarding whether V2V-based warnings should be permitted to be modified or disabled,177 in the interest of maximizing safety benefits, NHTSA had not considered allowing manufacturers to provide consumers with a mechanism to disable V2V itself, whether temporarily or permanently. Generally, if NHTSA concludes that a vehicle system or technology provides sufficient safety benefits that it should be required as an FMVSS, NHTSA has not permitted it to be disabled. In fact, Congress expressly prohibits manufacturers, distributors, dealers, and motor vehicle repair businesses from knowingly making inoperative any part of a device or element of design installed on or in a motor vehicle in compliance with an applicable motor vehicle safety standard prescribed by NHTSA.178 In some cases, however, NHTSA has established FMVSSs that permit system disablement or alteration when there is a clearly-defined safety need for doing so.

For example, FMVSS No. 126 for electronic stability control (ESC) allows manufacturers to include an ‘‘ESC Off’’ control that puts the system in a state where ESC does not meet the FMVSS performance requirements, as long as the system defaults to full ESC capability at the start of the next ignition cycle and illuminates a telltale in the meantime to warn the driver that ESC is not available.179 NHTSA allowed the ESC Off control because we were aware that in certain driving situations, ESC activation could actually make driving less safe rather than more safe—if a driver is stuck in deep snow or sand and is trying to free their vehicle, quickly spinning wheels could cause ESC to activate when it should not. Additionally, the agency was concerned that drivers who did not have the option of disabling ESC when absolutely necessary might find their own, permanent way to disable ESC completely. Having an off switch that reverted to full functionality at the next ignition cycle at least allowed ESC to continue providing safety benefits the rest of the time. NHTSA concluded that allowing temporary disablement was better than risking the permanent loss of safety benefits.180

As another example, FMVSS No. 208 for occupant crash protection allowed manufacturers to include a device up until September 1, 2012, that deactivated the right front passenger seat air bag, but only in vehicles without a second row of seating, or in vehicles where the second row of seating is smaller than a specified size.181 Like the ESC Off function, the ‘‘passenger air bag off’’ function also requires a telltale to illuminate to warn the driver that the air bag is disabled; unlike the ESC Off function, the passenger air bag off function, if present, remains deactivated until it is reactivated by means of the deactivation device (i.e., the driver presses the button again, rather than the air bag simply reactivating at the start of the next ignition cycle).182 In establishing this option, the agency noted public acceptance issues with advanced air bags, and stated that allowing on-off switches for some period after all vehicles were equipped with advanced air bags would help parents feel more confident about the system’s reliability based on real-world experience.183

177 See 79 FR 49270, at 49272 (Aug. 20, 2014) (Question 13 in the ANPRM asks whether commenters believe that V2V-based warnings should be permitted to be modified or disabled).

178 See 49 U.S.C. 30122(b).

179 See 49 CFR part 126, S5.4. We note that despite the overarching requirement to return to full functionality at the new ignition cycle, S5.4 does not require ESC to return to full functionality if the vehicle is in a mode for ‘‘low-speed, off-road driving,’’ or if the front and rear axles are locked because the vehicle is in some sort of 4WD mode.

180 72 FR at 17279–80 (Apr. 6, 2007).

181 See 49 CFR part 208, S4.5.4.

182 Id.

183 Deactivation of the ‘‘advanced’’ right front passenger air bag was primarily intended to address the possibility that, in vehicles with no (or very small) back seats, a child seat might have to be placed in the front passenger seat rather than in the back. The primary mechanism to mitigate the risk of the front passenger air bag deploying when a child seat is present is a suppression system, but the agency allowed vehicle manufacturers to include an off switch for several years to improve parents’ confidence that the suppression systems were working successfully in the field. See 65 FR at 30723 (May 12, 2000).


Thus, in prior instances when NHTSA has allowed drivers the option of changing or disabling the functionality of a required safety system, it has been in the interest of providing more safety. Similarly, were V2V to impose substantial new safety risks, there could be a safety reason to disable transmission and reception of messages. To the extent that consumers may wish that the agency allow a way for them to disable V2V because of concerns about privacy or cybersecurity, we reiterate our position as discussed in Sections IV.B and IV.C on privacy and Section V on security: we have worked to design requirements that reduce the possibility of such threats. To the extent that consumers wish a mechanism to disable V2V devices out of concern over potential health effects, we note simply that disabling your own V2V unit would not help you avoid V2V transmissions, because other light vehicles will also be equipped with the technology, and if you have your own vehicle it is presumably for the purpose of traveling to places where other vehicles also go. Turning V2V off for this reason would forfeit the safety benefit of being ‘‘seen’’ by other vehicles and ‘‘seeing’’ other vehicles, without providing any other benefit.

Moreover, unlike for most of the prior technologies in which NHTSA allowed drivers the option of changing or disabling the functionality of a required safety system, allowing V2V communications to be disabled would affect the safety of more drivers than just the driver who turned off their own V2V device. A cooperative system like V2V protects you by making you more ‘‘visible’’ to other drivers and by letting you know when they pose imminent risks to you. A driver who disables V2V on their vehicle makes their vehicle less visible to other drivers, potentially affecting their own relative safety risk and the safety risk to those around them. The safety benefits from a cooperative system could be undermined by allowing drivers to opt out. If there is no safety benefit from opting out, and doing so would undermine safety benefits both for the driver who opts out and for drivers around them, opting out may not be justified.

However, V2V is a novel technology concept in the transportation context, which differs in some ways from other technologies covered by the FMVSS. NHTSA recognizes that, as discussed elsewhere in this notice, any technology that is required to transmit and receive information on a persistent basis creates potential privacy and cybersecurity risks. NHTSA is making every effort to reduce these risks while setting requirements that would provide life-saving benefits. That said, we acknowledge that there may be circumstances when there could be a need to deactivate the V2V device on a vehicle. These may include individuals or groups with specific privacy needs, the emergence of unanticipated cybersecurity threats, or other reasons. To address these cases, NHTSA is requesting comment on possible approaches to deactivating V2V related hardware and software as and when appropriate, as well as the costs and benefits of such approaches. These could include deactivations initiated by drivers, manufacturers, or the government; with different scopes, such as vehicle-specific or broader deactivations; with different lengths, such as for a single key start or more long-lasting; and with different levels of ease, such as an accessible consumer-friendly method or one that would require mechanical expertise.

C. Consumer Privacy

NHTSA takes consumer privacy very seriously. Although collection of data by on-board systems such as Event Data Recorders and On-Board Diagnostic systems is nothing new, the connectivity proposed by the Agency will expand the data transmitted and received by cars. V2V systems will create and transmit data about driver behavior and the surrounding environment not currently available from most on-board systems. For this reason, V2V and future vehicle to infrastructure and pedestrian (V2X) technologies raise important privacy questions.

The agency is committed to regulating V2V communications in a manner that both protects individuals and promotes this important safety technology. NHTSA has worked closely with experts and our industry research partners (CAMP and the VIIC) to design and deploy a V2V system that helps protect consumer privacy. As conceived, the system will contain multiple technical, physical, and organizational controls to reduce privacy risks—including those related to vehicle tracking by individuals and government or commercial entities. As proposed, V2V messages will not contain information directly identifying a vehicle (as through VIN, license plate or registration information) or its driver or owner (as through name, address or driver’s license number), or data ‘‘linkable, as practical matter,’’ or ‘‘reasonably linkable’’ to an individual. NHTSA intends for these terms to have the same meaning, specifically: Capable of being used to identify a specific person on a persistent basis without unreasonable cost or effort, either in real time or retrospectively, given available data sources. Our research to date suggests that using V2V transmissions to track the path and activities of identified drivers or owners, while possible, could be a complex undertaking and may require significant resources and effort.184 The Agency has concluded that excluding ‘‘reasonably linkable’’ data elements from the BSM will help protect consumer privacy appropriately and meaningfully while still providing V2V systems in vehicles with sufficient information to enable crash-avoidance safety applications.

We request comment on the proposed mandate that the BSM exclude data elements ‘‘reasonably linkable’’ to an individual (as that term is defined above) and whether this appropriately balances consumer privacy with safety. Additionally, will exclusion from the BSM of ‘‘reasonably linkable’’ data elements undermine the need for a standard BSM data set in furtherance of interoperability or exclude data required for safety applications?

NHTSA, with the support of the DOT Privacy Officer and NHTSA’s Office of the Chief Information Officer, conducted an interim privacy risk assessment of the V2V system prior to issuance of the Readiness Report and ANPRM. The interim assessment was intended to provide the structure and serve as a starting point for NHTSA’s planned PIA, which is a more in-depth assessment of potential privacy impacts to consumer privacy that might stem from a V2V regulatory action, and of the system controls that mitigate those risks. On the basis of then available information and stated assumptions, NHTSA’s interim privacy assessment identified the system’s business needs, relevant system functions, areas of potential risks, and existing/other risk-mitigating technical and policy controls.

NHTSA received a significant number of comments on the issue of privacy in response to the ANPRM and Readiness Report. Generally, the privacy comments related to consumer acceptance and reflected consumer and industry concerns that the V2V system would be used by government and

184 See Reports: FHWA–JPO–15–237—‘‘Final Design Analysis Report’’ September 18, 2015, FHWA–JPO–15–236—‘‘Privacy Issues for Consideration by USDOT Based on Review of Preliminary Technical Framework (Final-Rev A)’’ February 24, 2016, FHWA–JPO–15–235—‘‘Final Requirements Report’’ September 11, 2015, and ‘‘Technical Memorandum: Modeling and simulation of Areas of Potential V2V Privacy Risk’’ March 8, 2016 located in Docket No. NHTSA–2016–0126.


commercial entities to track the route or activities of individuals, or would be perceived by individuals to have that capability. A vast majority of the privacy comments addressed one or more of the following areas:

1. NHTSA’s privacy impact assessment;
2. ‘‘privacy by design’’ and data privacy protections;
3. data access and privacy;
4. consumer education; and
5. Congressional or other government action related to V2V data.

Since receiving these comments, NHTSA has worked closely with privacy experts to identify and prioritize for further analysis specific areas of potential privacy impact in the V2V system. Additional privacy research, such as dynamic modeling related to location tracking and analysis of PKI best practices, is underway that will refine NHTSA’s approach to mitigating potential privacy impacts stemming from the V2V system. On the basis of the PIA, comments received on the NPRM and PIA, and ongoing privacy research, agency decision-makers will be in an informed position to determine whether any residual risk (i.e., risk in the system that cannot reasonably be mitigated) is acceptable—and, in the alternative, whether functionality should be sacrificed in order to achieve an acceptable level of residual risk, and if so, what functionality.

1. NHTSA’s PIA

Over a dozen organizations requested that NHTSA conduct a privacy impact assessment (PIA) of the V2V system as proposed in the NPRM. Many of these commenters noted additionally that a PIA will be critical to consumer acceptance of V2V. Several organizations requested that NHTSA take steps (in addition to conducting a PIA) to help enhance and speed consumer acceptance of V2V technologies. Comments relating to the scope of NHTSA’s PIA included a request that NHTSA broaden the scope of its privacy analysis to include privacy impacts associated with vehicle to infrastructure (V2I) and vehicle to ‘‘other’’ (such as pedestrians) (V2X) applications, and also that NHTSA release privacy research underlying its PIA.

The Alliance of Automobile Manufacturers (Alliance) suggested that NHTSA hold public workshops with the Federal Trade Commission (FTC) to thoroughly investigate privacy issues related to the V2V system. It also recommended that NHTSA expand the scope of the PIA so that it ‘‘considers all possible uses of the envisioned transportation communications network including all potential internal and external abuses, and other challenges not solely those concerned with safety, mobility and the environment.’’ The Automotive Safety Council recommended that an independent third party review the PIA. Finally, the Electronic Frontier Foundation (EFF) and Privacy Rights Clearinghouse requested that NHTSA release all initial risk assessments and research on which its initial risk assessment and PIA are based, including those related to location tracking and identification capabilities. Additionally, the Alliance took the position that PIA should analyze the privacy concerns relating to the broader V2X communications infrastructure, which includes commercial venture, law enforcement, and taxation issues. The FTC requested that NHTSA take into account the Fair Information Practice Principles (FIPPs) framework in regulating the V2V system.

NHTSA agrees with commenters emphasizing the critical importance of issuing a PIA detailing the agency’s analysis of the potential privacy impacts of the V2V system as proposed in the NPRM. Not only is NHTSA required by law 185 to do so, but the FIPPs-based privacy-risk analysis documented in the PIA has informed NHTSA’s proposal significantly, and helped to refine the privacy controls that NHTSA and its research partners designed into the V2V system to mitigate potential privacy impacts, including that related to vehicle tracking. NHTSA intends to work closely with the FTC, which is the primary federal agency with authority over consumer privacy and data security, on consumer privacy issues related to the V2V system. Such intra-governmental collaboration is likely to include coordination on the PIA and ongoing privacy research. It may also include conducting joint public meetings or workshops with stakeholders following issuance of the NPRM and PIA, which has undergone intra-governmental review. For a variety of reasons, NHTSA did not (and could not) have it reviewed by non-governmental third parties prior to publication. However, NHTSA looks forward to receiving comments on the privacy issues discussed in the NPRM and PIA from a broad range of stakeholders and other interested entities.

185 Section 522 of the Consolidated Appropriations Act, 2005, Public Law 108–447.

With regard to the scope of NHTSA’s PIA, the agency wishes to emphasize that, to the extent possible in the context of a still evolving V2V ecosystem, our PIA intentionally is scoped to take into account potential internal and external threat actors and potential abuses of the V2V system—not solely those directly related to safety, mobility or environmental applications. As discussed in the PIA Summary section below, NHTSA’s PIA focusses not on specific V2V system components or applications. Rather, it focuses on data transactions system-wide that could have privacy impacts, and the controls that mitigate those potential impacts. To the extent that specific V2V data transactions might be vulnerable to privacy impacts, our risk-analysis broadly considers potential threats posed by a wide range of internal and external actors, including foreign governments, commercial non-government entities, other non-governmental entities (such as research/academic actors and malicious individuals or groups). Additionally, our analysis takes into account potential privacy impacts posed by internal V2V system actors.

2. Privacy by Design and Data Privacy Protections

Many commenters requested that NHTSA deploy the V2V system in a way that ensures drivers’ privacy and the security of the system. Some sought specific privacy protections, such as ‘‘total anonymity’’ if drivers cannot opt out of the V2V system, the protection of any PII associated with the system, and avoidance of using any PII at all. Commenters also sought end-to-end encryption of any PII, no local or remote V2V data storage, and limitations on V2V data collection, as well as technical and administrative safeguards on any V2V data collected.

Mercedes-Benz commented that the security entity envisioned to secure the V2V system, called the Security Credential Management Server (SCMS), must have security and privacy controls to protect against external threats and internal abuses. Fiat Chrysler Automobiles (FCA) expressed concern about the potential privacy impacts of the security system’s design, called the certificate revocation list (CRL). The National Motorists Association emphasized safeguarding V2V messages sent via mandated V2V devices. Infineon Technologies pointed out that the unique cellular subscriber number would defeat the privacy and tracking requirement in the system, as proposed, to the extent that cellular is used as a V2V communications media. American Trucking Association requested that NHTSA protect the confidentiality of proprietary information, such as lane


density, vehicle specifications, and trip origin and destination. The Association of Global Automakers (Global) and GM stated that V2V, as envisioned, does not pose significant risks to the privacy of individuals. By contrast, EFF stated the exact opposite, noting its concern that the V2V system as discussed in the ANPRM and Readiness Report does not protect the privacy of drivers adequately.

Based on our exploration of privacy impacts and analysis of the V2V system design to date, we respectfully disagree with the position espoused by EFF that the V2V system fails to protect driver privacy. The system contains multiple technical and organizational controls to help mitigate unreasonable privacy risks posed by external actors including those posed by SCMS insiders. V2V transmissions would exclude data directly identifying a private motor vehicle or its driver or owner and reasonably linkable to an individual via data sources outside of the V2V system or over time. V2V devices would transmit safety information in only a limited geographical range. Neither the V2V system, nor its components (including OBEs) would collect or store the contents of messages sent or received, except for a limited time to maintain awareness of nearby vehicles for safety purposes or case of device malfunction. Additionally, the system described in our proposal would be protected by a complex PKI security infrastructure designed specifically to help mitigate privacy impacts and create a secure V2V environment in which motorists who do not know one another can participate in the system without personally identifying themselves or their vehicles.

As discussed in the PIA and demonstrated by the data flows detailed in that document, the CRL discussed in the misbehavior reporting section of our primary proposal also would be designed to mitigate privacy impacts to individuals. It would contain specific information sufficient to permit V2V devices to use certificate information to recognize safety messages that should be ignored, if received. However, the CRL would not contain identifying information about specific vehicles or specific certificate numbers—nor would the information on the CRL permit third parties or SCMS insiders to identify specific vehicles or their owners or drivers.

The Agency understands that concern about whether the V2V system can or will be used by government and commercial entities to track the route or activities of individuals is critical to consumer acceptance and the viability of NHTSA’s proposal. DOT is continuing to work with privacy experts to identify additional controls that might further mitigate any privacy risks (including that of tracking) in the V2V system, no matter how remote. The planned implementation by DOT of a proof of concept (PoC) security entity (discussed in Section V.B.6.e)) and related policy research will provide an operational environment in which to continue to explore the viability of additional privacy controls applicable to the V2V system, as currently envisioned and designed.

That said, as we noted in the Readiness Report, it is important to emphasize that residual risk stemming from the V2V system will never be zero due in part to the inherent complexity of the V2V system design and the diversity/large number of interacting components/entities, both technological and human. Additionally, technology changes at a rapid pace and may adversely impact system controls designed to help protect privacy in unforeseen ways. For these reasons, as is standard practice in both the public and private sectors, NHTSA has performed a PIA to identify potential areas of residual risk and resulting privacy consequences/harms that might result from its proposal. The current status of NHTSA’s PIA is summarized below. The technical framework for the V2V system has gone through many iterations and adjustments during the conduct of the V2V research program, as the system has evolved to meet revised or additional needs and to incorporate the results of research. For this reason, while the current technical framework is sufficient for purposes of NHTSA’s rulemaking proposal, DOT’s assessment of the potential privacy impacts that could result from the V2V proposal necessarily will be an ongoing process that takes into account future adjustments to the technology and security system required to support the technology, as well as ongoing privacy research. After reviewing comments on the NPRM and PIA and working closely with the FTC and stakeholders to address privacy concerns, NHTSA will issue an updated PIA concurrent with its issuance of a V2V final rule.

3. Data Access, Data Use and Privacy

The issue of data ownership arose in the comments of Ford, Auto Care Association, and others. All of these commenters requested clarification of who owns the data generated by the V2V system. Many commenters asserted that vehicle owners should own V2V and other data generated by motor vehicles, generally. Systems Research Associates requested a specific regulation vesting ownership in vehicle owners, not manufacturers. Another commenter expressed concern about ownership of data inherent in the context of car sharing and rentals arrangements.

The inherently related concept of consumer consent also appeared in many privacy comments. Civil liberties organizations suggested that NHTSA mandate that consumers provide ‘‘active consent’’ in the form of express written consent before manufacturers may collect data containing personally identifiable information (PII). Manufacturers requested that NHTSA ensure transparency by requiring that consumers authorize collection of PII through either consent or contract, and that manufacturers inform vehicle owners of what information will be collected and how this information will be used. This approach to transparency is consistent with industry privacy principles adopted in 2014 by members of the Alliance and the Association of Global Automakers, entitled ‘‘Consumer Privacy Protection Principles for Vehicle Technologies and Services’’ (OEM Privacy Principles or Principles), discussed in prior sections. Several manufacturers and civil liberties organizations, including EPIC and EFF, suggested that these voluntary industry principles should serve as a baseline for data privacy protections in the V2V context. EPIC also suggested that NHTSA follow the White House’s Consumer Privacy Bill of Rights.

NHTSA feels strongly that in the context of a V2V system based on broadcast messages, the critical consumer privacy issue is not that of data ownership, but that of data access and use—ensuring that the consumer has clear, understandable and transparent notice of the makeup of the V2V message broadcast by mandated V2V equipment, who may access V2V messages emanating from a consumer’s motor vehicle, and how the data in V2V messages may be collected and used. For this reason, NHTSA proposes that motor vehicle manufacturers, at a minimum, include the following standard V2V Privacy Statement (set forth below) in all owner’s manuals (regardless of media) and on a publicly-accessible web location that current and future owners may search by make/model/year to obtain the data access and privacy policies applicable to their motor vehicle, including those specifically addressing V2V data and functions. We also seek the public’s assistance in identifying additional formats and methods for providing this privacy statement to consumers that


with the goal of achieving the timely and effective notice desired—notice that has increased significance in the context of a V2V mandate that effectively (and by design to achieve safety ends) limits consumer choice and consent.

4. V2V Privacy Statement

(a) V2V Messages

The National Highway Traffic Safety Administration (NHTSA) requires that your vehicle be equipped with a Vehicle-to-Vehicle (V2V) safety system. The V2V system is designed to give your vehicle a 360 degree awareness of the driving environment and warn you in the event of a pending crash, allowing you to take actions to avoid or mitigate the crash, if the manufacturer of your vehicle has installed V2V safety applications.

Your V2V system periodically broadcasts and receives from all nearby vehicles a V2V message that contains important safety information, including vehicle position, speed, and direction. V2V messages are broadcast ten times per second in only the limited geographical range (approximately 300 meters) necessary to enable V2V safety application to warn drivers of pending crash events.

To help protect driver privacy, V2V messages do not directly identify you or your vehicle (as through vehicle identification number or State motor vehicle registration), or contain data that is reasonably or, as a practical matter, linkable to you. For purposes of this statement, V2V data is ‘‘reasonably’’ or ‘‘as a practical matter’’ linkable to you if it can be used to trace V2V messages back to you personally for more than a temporary period of time (in other words, on a persistent basis) without unreasonable expense or effort, in real time or after the fact, given available data sources. Excluding reasonably linkable data from V2V messages helps protect consumer privacy, while still providing your V2V system with sufficient information to enable crash-avoidance safety applications.

(b) Collection, Storage and Use of V2V Information

Your V2V system does not collect or store V2V messages except for a limited time needed to maintain awareness of nearby vehicles for safety purposes or in case of equipment malfunction. In the event of malfunction, the V2V system collects only those messages required, and keeps that information only for long enough to assess a V2V device’s misbehavior and, if a product defect seems likely, to provide defect information to your vehicle’s manufacturer.

NHTSA does not regulate the collection or use of V2V communications or data beyond the specific use by motor vehicles and motor vehicle equipment for safety-related applications. That means that other individuals and entities may use specialized equipment to collect and aggregate (group together) V2V transmissions and use them for any purpose including applications such as motor vehicle and highway safety, mobility, environmental, governmental and commercial purposes. For example, States and localities may deploy roadside equipment that enables connectivity between your vehicle, roadways and non-vehicle roadway users (such as cyclists or pedestrians). These technologies may provide direct benefits such as use of V2V data to further increase your vehicle’s awareness of its surroundings, work zones, first responders, accidents, cyclists and pedestrians. State and local entities (such as traffic control centers or transportation authorities) may use aggregate V2V safety messages for traffic monitoring, road maintenance, transportation research, transportation planning, truck inspection, emergency and first responder, ride-sharing, and transit maintenance purposes. Commercial entities also may use aggregate V2V messages to provide valuable services to customers, such as traffic flow management and location-based analytics, and for other purposes (some of which might impact consumer privacy in unanticipated ways). NHTSA does not regulate the collection or use of V2V data by commercial entities or other third parties.

While V2V messages do not directly identify vehicles or their drivers, or contain data reasonably linkable to you on a persistent basis, the collection, storage and use of V2V data may have residual privacy impacts on private motor vehicle owners or drivers. Consumers who want additional information about privacy in the V2V system may review NHTSA’s V2V Privacy Impact Assessment, published by The U.S. Department of Transportation at http://www.transportation.gov/privacy.

If you have concerns or questions about the privacy practices of vehicle manufacturers or third party service providers or applications, please contact the Federal Trade Commission. https://www.ftc.gov.

5. Consumer Education

Many commenters emphasized the need to educate consumers about the V2V system to enhance public acceptance through a coordinated and wide-spread information campaign utilizing traditional print and television outlets and the web, including the AAA, Global, Arizona Department of Transportation, Cohda Wireless, GM, Infineon Technologies, National Motorists Association, Pennsylvania Department of Transportation, Toyota, TRW Automotive, Automotive Safety Council, and Delphi Automotive.

Comments from the Automotive Safety Council, TRW Automotive, and Delphi Automotive suggested that such education should focus on the V2V safety message, what it contains, and how any information in the BSM will be used. The National Motorists Association recommended that NHTSA educate motorists on the system’s privacy protection assurances. AAA recommended educating the public on how the V2V system will benefit them, and on the privacy and security protections built into the system. Toyota suggested that NHTSA educate the public about the fact that the V2V system will not transmit or store PII. The Privacy Rights Clearinghouse suggested that NHTSA educate the public on how the V2V system works. Honda focused more on educating the public on the security designed into the V2V system.

NHTSA agrees with commenters that educating the public about this important new safety technology, and the security and privacy protections designed into the V2V system, will be critical to consumer acceptance. For this reason, as suggested by many commenters, the agency plans to work closely with the FTC, motor vehicle manufacturers, privacy advocates and other stakeholders to design a comprehensive public education strategy on the topic of privacy in the V2V system for consumers. Any claims regarding security or privacy made as part of NHTSA’s public outreach will necessarily be justified by evidence based on the best scientific knowledge regarding security and privacy. Development of a consumer education strategy will likely be among the privacy-specific topics addressed in public meetings and/or workshops held by the agency after issuance of the NPRM and PIA.

6. Congressional/Other Government Action

NHTSA received comments from civil liberties groups and manufacturers that included calls on Congress to take action to protect consumer privacy in the V2V system. EFF and Privacy Rights Clearinghouse took the position that


Federal legislation is imperative to protect driver privacy. The Alliance called on Congress to coordinate relevant Federal agencies ‘‘to articulate a framework for privacy and security before further rulemaking proceeds’’ because, in its view, NHTSA alone does not have the authority to address V2V privacy and security issues. Honda and EPIC emphasized the need for ensuring that data is legally protected from third party access, and that unauthorized access is legally punishable. EPIC’s comment focused on legal protections from OEM access, while Honda’s comment focused on legal protections from government access.

NHTSA understands why legislation making it illegal for third parties or government agencies to collect V2V messages, or limiting those parties’ retention or use of V2V messages, would be attractive to stakeholders—and the Alliance is correct in its assertion that such government action is outside the scope of the agency’s regulatory authority over manufacturers of motor vehicles and motor vehicle equipment. As noted above, the introduction of V2V technology creates new privacy risks that cannot be fully mitigated. That said, in the agency’s view, the V2V system is protected by sufficient security and privacy measures to mitigate unreasonable privacy risks. NHTSA seeks comment on these tentative conclusions—and on whether new legislation may be required to protect consumer privacy appropriately.

D. Summary of PIA

1. What is a PIA?

Section 522 of the Consolidated Appropriations Act, 2005 (Pub. L. 108–447) requires that Federal agencies conduct privacy impact assessments (PIAs) of proposed regulatory activities involving collections or system of information with the potential to impact individual privacy. A PIA documents the flow of information and information requirements within a system by detailing how and why information is transmitted, collected, stored and shared to: (1) ensure compliance with applicable legal, regulatory, and policy requirements regarding privacy; (2) determine the risks and effects of the proposed data transactions; and (3) examine and evaluate protections and alternative processes for handling data to mitigate potential privacy impacts. It is a practical method of providing the public with documented assurance that the agency has identified and appropriately addressed potential privacy issues resulting from its activities. A PIA also facilitates informed regulatory policy decisions by enhancing an agency’s understanding of the privacy impacts, and of options available for mitigating those potential impacts.

After reviewing a PIA, members of the public should have a broad understanding of any potential privacy impacts associated with a proposed regulatory action, and the technical and policy approaches taken by an agency to mitigate the resulting privacy impacts.

2. PIA Scope

The V2V system is complex and involves many different components, entities, communications networks, and data flows (within and among system components). For this reason, NHTSA opted not to analyze the potential privacy impacts in the V2V system on a component-specific basis. Rather, NHTSA focused its PIA on discrete data flows within the system, as an organic whole. NHTSA worked with privacy experts to zero in on discrete aspects of the V2V system most relevant to individual privacy for impact assessment purposes, identify and prioritize potential privacy impacts requiring further analysis (such as dynamic modeling), and validate the privacy-related requirements in NHTSA’s regulatory proposal.

The V2V NPRM PIA identifies those V2V transactions involving data most relevant to individual privacy and the multiple technical, physical and policy controls designed into the V2V system to help mitigate potential privacy impacts.

To place our discussion of potential V2V privacy issues in context, NHTSA’s PIA first briefly discusses several non-V2V methods of tracking a motor vehicle that currently exist.

3. Non-V2V Methods of Tracking

For comparative purposes, it is useful to consider the potential privacy impacts of the V2V system in the context of tracking mechanisms that do not involve any aspect of the V2V system (non-V2V tracking methods). These non-V2V methods of tracking inform the Agency’s risk analysis because, to the extent that they may be cheaper, easier, and require less skill or access to a motor vehicle, they are relevant to our assessment of the likelihood of an individual or entity attempting to use V2V as a method of tracking. Examples of mechanisms that currently may be used to track a motor vehicle target include physical surveillance (i.e., following a car by visual observation), placement of a specialized GPS device on a motor vehicle, physical access to Onboard GPS logs, electronic toll transactions, cell phone history, vehicle-specific cell connections (e.g., OnStar), traffic surveillance cameras, electronic toll transponder tracking, and databases fed by automated license plate scanners. As compared to the potential approaches to V2V tracking discussed below, many of these non-V2V tracking methods appear may be cheaper, easier, require less (and/or no skill) under certain scenarios.

4. V2V Data Flows/Transactions With Privacy Relevance

As a starting point for the analysis that underlies this PIA, NHTSA identified and examined all data flows within the V2V system to determine which included data fields that may have privacy impacts, either alone or in combination. We identified three data flows relevant for privacy impact purposes:

• Broadcast and receipt of V2V messages (also called Basic Safety Messages (BSMs))
• Broadcast and receipt of Misbehavior Reports
• Distribution of Certificate Revocation List (CRL)

Below, we describe these three data flows and detail the technical, policy and physical controls designed into the system to mitigate potential privacy impacts in connection with each flow. We then discuss the potential privacy impacts that remain, notwithstanding existing privacy controls. These constitute potential areas of residual risk for consideration by decision-makers.

(a) Broadcast and Receipt of the Basic Safety Message (BSM)

BSMs are one of the primary building blocks for V2V communications. They provide situational awareness information to individual vehicles regarding traffic and safety. BSMs are broadcast ten times per second by a vehicle to all neighboring vehicles and are designed to warn the drivers of those vehicles of crash imminent situations. Under NHTSA’s proposal and any future adaptation of the technology, BSMs would contain information regarding a vehicle’s GPS position, speed, path history, path trajectory, braking status and other data, as detailed above in Section III.E. As discussed below, some data transactions necessitated by the security system may result in additional potential privacy impacts, some of which may be residual.


(b) Broadcast and Receipt of Misbehavior Messages

Under NHTSA’s proposal, when a vehicle receives a BSM from a neighboring vehicle, its V2V system validates the received message and then performs a cross check to evaluate the accuracy of data in the message. For example, it might compare the message content with other received messages or with equivalent information from onboard vehicle sensors. As a result of that cross check, the vehicle’s V2V system may identify certain messages as faulty or “misbehaving.” NHTSA’s primary proposal for misbehavior reporting proposes that the V2V system then prepares a misbehavior report and sends it to the V2V security entity. The security entity evaluates the misbehavior report and may identify a defective V2V device. If it does, the V2V security entity will update the Certificate Revocation List (CRL) with information about the certificates assigned to the defective V2V device. The CRL is accessed by all V2V system components and vehicles on a periodic basis and contains information that warns V2V system participants not to rely on messages that come from the defective device. The security entity also might blacklist the device, in which case it will be unable to obtain additional security credentials from the security entity.

Also under our proposal, organizational and/or legal separation of information and functions within the security entity are important privacy impact-mitigating controls that are designed to prevent a single component or insider from having sufficient information to identify certificates assigned to a specific vehicle or owner. NHTSA plans to work closely with stakeholders to develop policies and procedures to institutionalize appropriate separation of data and functions within the National SCMS.

Under the second alternative for misbehavior reporting, the no misbehavior reporting proposal would not involve any additional broadcast or transmission of reports to V2V security entities. This means that no additional privacy risk would be imposed under the no misbehavior reporting alternative.

(c) Misbehavior Reports

As described above, NHTSA’s primary proposal for misbehavior reporting proposes that the V2V equipment in vehicles send misbehavior reports to the V2V security entity. Such reports will include the received BSM (which appears to be faulty) and other information, such as:
• Reporter’s pseudonym certificate
• Reporter’s signature
• Time at which misbehavior was identified
• 3D GPS coordinates at which misbehavior was identified
• List of vehicles (device/pseudonym certificate IDs) within range at the time
• Average speed of vehicles within range at the time
• Suspicion type (warning reports, proximity plausibility, motion validation, content and message verification, denial of service)
• Supporting evidence
  ○ Triggering BSM(s)
  ○ Host vehicle BSM(s)
  ○ Neighboring vehicle BSM(s)
  ○ Warnings
  ○ Neighboring devices
  ○ Suspected attacker

(d) Distribution of Certificate Revocation List

As explained above, by evaluating misbehavior reports, the security entity envisioned may identify misbehaving V2V devices in vehicles and place information about those devices on the CRL. The security entity then would make updated CRLs available to V2V system participants and other system parts on a periodic basis to alert OBEs to ignore BSMs coming from the defective V2V equipment. There is only one type of CRL. Current system design plans do not include placing individual security certificates on the CRL. Rather, each CRL would contain information (specifically, linkseed1, linkseed2, time period index, and LA Identifiers 1 and 2) that OBEs could use to calculate the values of the certificates in messages that should be ignored.

5. Privacy-Mitigating Controls

From the inception of the research program that would result in V2V technology over a decade ago, NHTSA has worked with its research partners, CAMP and the VIIC, to pursue an integrated, privacy positive approach to the V2V system. For this reason, the V2V system described in our proposal would contain multiple layers of technical, policy and physical controls to help mitigate potential privacy impacts system-wide. Below, we discuss the privacy impact-mitigating controls that would apply to each of the three privacy-relevant data flows discussed above. In the course of this discussion, we detail some of the key privacy controls that we expect to see in a National SCMS (based on the current SCMS technical design, see Section V.B.2).

(a) Privacy Controls Applicable to the Broadcast and Receipt of the Basic Safety Message (BSM)

(1) No Directly Identifying or “Reasonably Linkable” Data in V2V Transmissions

Under our proposals, the BSM would not contain information that directly identifies a private motor vehicle (as through VIN, license plate or registration information) or its owner or driver. BSM transmissions also would exclude data “reasonably linkable” or “as a practical matter” linkable to a specific individual.

(2) Rotating Security Credentials

Another critical control would help mitigate privacy risks created by signing messages. At the time of manufacture, a vehicle’s V2V equipment would receive 3 years’ worth of security certificates. Once the device is initialized into the V2V security system, the security system would send to the device keys on a weekly basis that will unlock 20 certificates at a time. During the course of the week, a vehicle’s V2V equipment would use the certificates on a random basis, shuffling certificates at five minute intervals. These certificates would enable a vehicle’s V2V system to verify the authenticity and integrity of a received BSM or, in the alternative, identify V2V messages that should be ignored (i.e., those that the security entity has identified as coming from misbehaving V2V equipment and placed on the CRL). The shuffling and random use of certificates every five minutes also will help minimize the risk of vehicle tracking by preventing a security certificate from becoming a de facto vehicle identifier (also referred to as a “quasi-identifier”).

(3) Limited Transmission Radius

V2V equipment in vehicles would transmit safety information in a very limited geographical range, typically only to motor vehicles within a 300 meter radius of a V2V device. This limited broadcast is sufficient to enable V2V crash avoidance applications in neighboring vehicles, while limiting access by more geographically distant vehicles that cannot benefit from the safety information.

(4) No BSM Data Collection or Storage Within the V2V System

Neither V2V devices in motor vehicles, nor the V2V system as a whole would collect or store the contents of V2V messages sent or received, except for the short time period necessary for a vehicle to use messages for safety applications or in the limited case of
device malfunction. These technical controls would help prevent in-vehicle V2V equipment or the V2V system, as a whole, from after-the-fact tracking of a vehicle’s location by accessing and analyzing a vehicle’s BSMs. Although specialized roadside and mobile equipment would be able to access and collect BSMs, the V2V data collected would contain no information directly identifying or reasonably linkable to a specific private vehicle or its driver or owner, because the transmission of such information would not be allowed by the V2V rule. Research is ongoing on the methods, cost and effort required to use collected BSMs in combination with other available information or over time to track a specific, targeted vehicle or driver. The Agency believes that such a linkage between collected BSMs and a specific vehicle or driver is plausible, but has not yet determined whether it is practical or reasonable, given the resources or effort required. This additional research will help to ensure that our proposed V2V FMVSS incorporates all available, appropriate controls to mitigate unreasonable privacy risk related to collection of BSM transmissions by roadside or mobile sensors. We acknowledge that introduction of this technology will result in residual privacy risk that cannot be mitigated. We seek comment on these tentative conclusions.

(5) FIPS–140 Level 3 HSM

NHTSA has proposed performance requirements that include use of FIPS–140 Level 3 hardware security module (HSM) in all V2V equipment in motor vehicles. This physical computing device would safeguard and manage a vehicle’s security certificates and guard against equipment tampering and bus probing. This type of secure hardware provides evidence of tampering, such as logging and alerting of tampering, and tamper resistance such as deleting keys upon tamper detection.

(6) Consumer Notice

NHTSA would require that motor vehicle manufacturers, at a minimum, include a standard V2V Privacy Statement in all owner’s manuals (regardless of media) and on a publicly accessible web location that current and future owners may search by make/model/year to obtain the data access and privacy policies applicable to their motor vehicle, including those specifically addressing V2V data and functions, as detailed in Section IV.C. As discussed above, NHTSA is also considering the possibility of requiring additional methods for communicating the V2V Privacy Statement to consumers and seeks comment on the most effective methods for providing such notice.

(b) Privacy Controls Applicable to Broadcast and Receipt of Misbehavior Messages

When a V2V device in a motor vehicle appears to malfunction, the V2V system would collect and store only BSMs relevant to assessing the device’s performance, consistent with the need to address the root cause of the malfunction if it is, or appears to be, widespread.

(1) Encryption of Misbehavior Report

Like all security materials exchanged between V2V equipment in vehicles and security authority, misbehavior reports would be encrypted. This would help limit but not prevent potential privacy risks that could stem from unintended or unauthorized access to data in misbehavior messages. Specifically, this would reduce the possibility that BSMs contained in misbehavior reports may provide information about the past location of a reporting vehicle (and thereby of the vehicle owner’s activities and relationship between the two vehicles), or of vehicles located nearby the reporting vehicle.

(2) Functional/Data Separation Across SCMS Components

A key privacy-mitigating control applicable to this data stream is the technical design for the security entity proposed by NHTSA, which provides for functional and data separation across different organizationally and/or legally separate SCMS components. This technical control is designed to prevent individual SCMS entities or insiders from using information, including from misbehavior messages, for unauthorized purposes. The technical separation of information and functions within the security entity could be overcome only by a specific entity within the security organization (called the Misbehavior Authority or MA) after determining, based on misbehavior messages, that a vehicle’s V2V equipment is malfunctioning and needs to be blacklisted (i.e., prevented from obtaining any additional security certificates). In order to do so, the MA would need to gather information from the various independent, separate parts of the security entity to identify the device to be blacklisted.

(3) Misbehavior Reports Are Stripped of Geographic Location Information

An example of information separation serving as a privacy control is evident in one particular component of the security organization—the Location Obscurer Proxy (LOP). Misbehavior messages (like other communications between a vehicle’s V2V equipment and the security entity) travel through the LOP entity to get to other parts of the security organization. The LOP would strip out information from the misbehavior message that otherwise would permit other parts of the security organization (like the MA) to associate a vehicle’s V2V messages with its geographic location. This technical separation of geographic information from messages transmitted between vehicle’s V2V systems and the security entity is designed to prevent individual security entities or V2V security organization insiders from colluding to use BSM information inappropriately or to track individual vehicles.

(4) Separation of Security Organization Governance

The design for the V2V security entity (or SCMS) calls for the separation of some critical functions into legally distinct and independent entities that, together, make up the SCMS. This legal separation of security entity governance is designed to prevent individual entities or V2V security organization insiders from colluding to use information for unauthorized purposes such as tracking individual vehicles.

(c) Privacy Controls Applicable to Distribution of the CRL List

(1) Misbehaving V2V Equipment in a Vehicle Stops Broadcasting

It is possible that information regarding a vehicle’s revoked security certificates could enable all revoked certificates to be associated with the same vehicle. This might be used to persistently identify a vehicle during the vehicles’ activities. In order to mitigate this potential privacy risk, once a vehicle’s V2V system determines that information about it is on the CRL and that the security organization has revoked its security certificates, it would stop broadcasting the BSM.

6. Potential Privacy Issues by Transaction Type

Based on our analysis of the privacy relevant data flows and controls discussed above, we identified five potential privacy scenarios for further research and/or consideration by the Agency. Table IV–1 below summarizes the scenarios and corresponding system transactions identified for further analysis.


TABLE IV–1—TRANSACTIONS IDENTIFIED FOR FURTHER ANALYSIS

| Transaction type | Description |
| --- | --- |
| BSM Broadcast Transaction | 1. Can data elements, such as location, in the BSM be combined to form a temporary or persistent vehicle identifier? |
| BSM Broadcast Transaction | 2. Can data elements in the BSM be combined to identify vehicles temporarily so that different security certificates can be associated with the same vehicle during the vehicle’s activities? |
| BSM Broadcast Transaction | 3. Do the physical characteristics of the carrier wave (i.e., the wave’s fingerprint) associated with a vehicle’s BSM serve as a vehicle identifier? |
| Broadcast and Receipt of a Misbehavior Message | 4. Do BSMs in misbehavior reporting provide sufficient information about the past location of the reporting or other vehicles to retrospectively track the vehicle’s path? |
| Certificate Revocation List (CRL) Distribution Transaction | 5. Does information regarding blacklisted vehicles’ security certificates enable all vehicle security certificates to be associated with one another and thus, with the same specific vehicle? |
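Transaction 5 and the CRL contents described earlier (linkseed1, linkseed2, time period index, LA Identifiers 1 and 2) can be modelled in a few lines; the following is an added sketch, not part of the NPRM or of any SCMS specification. It assumes the seeds advance through a one-way hash chain, and the SHA-256 step, the HMAC stand-in for a cipher, the field sizes and all names are assumptions of the sketch.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Sizes and primitives are assumptions of this sketch, not values from the NPRM.
SEED_LEN = 16           # bytes per linkage seed
LV_LEN = 9              # bytes per linkage value carried in a certificate
CERTS_PER_PERIOD = 20   # the NPRM text: weekly keys unlock 20 certificates


def next_seed(la_id: bytes, seed: bytes) -> bytes:
    """Advance one time period; period t+1 follows from t, never the reverse."""
    return hashlib.sha256(la_id + seed).digest()[:SEED_LEN]


def seed_at(la_id: bytes, seed: bytes, steps: int) -> bytes:
    for _ in range(steps):
        seed = next_seed(la_id, seed)
    return seed


def pre_linkage_value(la_id: bytes, seed: bytes, j: int) -> bytes:
    """One LA's contribution for certificate j (HMAC stands in for a cipher)."""
    msg = la_id + j.to_bytes(4, "big")
    return hmac.new(seed, msg, hashlib.sha256).digest()[:LV_LEN]


def linkage_values(la1: bytes, seed1: bytes, la2: bytes, seed2: bytes) -> list:
    """Values in one period's certificates: XOR of the two LAs' contributions."""
    out = []
    for j in range(CERTS_PER_PERIOD):
        a = pre_linkage_value(la1, seed1, j)
        b = pre_linkage_value(la2, seed2, j)
        out.append(bytes(x ^ y for x, y in zip(a, b)))
    return out


@dataclass(frozen=True)
class CrlEntry:
    """The five fields the NPRM lists for a CRL entry."""
    linkseed1: bytes
    linkseed2: bytes
    time_period: int
    la_id1: bytes
    la_id2: bytes


def values_to_ignore(entry: CrlEntry, period: int) -> set:
    """What a receiving OBE computes from one CRL entry for a given period."""
    if period < entry.time_period:
        return set()  # earlier seeds cannot be derived from the published ones
    steps = period - entry.time_period
    s1 = seed_at(entry.la_id1, entry.linkseed1, steps)
    s2 = seed_at(entry.la_id2, entry.linkseed2, steps)
    return set(linkage_values(entry.la_id1, s1, entry.la_id2, s2))


class Device:
    """Constructed stand-in for one vehicle's certificate supply."""

    def __init__(self, label: bytes, la1: bytes = b"LA1", la2: bytes = b"LA2"):
        self.la1, self.la2 = la1, la2
        self.seed1 = hashlib.sha256(label + b"/1").digest()[:SEED_LEN]
        self.seed2 = hashlib.sha256(label + b"/2").digest()[:SEED_LEN]

    def certs(self, period: int) -> list:
        s1 = seed_at(self.la1, self.seed1, period)
        s2 = seed_at(self.la2, self.seed2, period)
        return linkage_values(self.la1, s1, self.la2, s2)

    def revoke(self, period: int) -> CrlEntry:
        """Entry the security entity would publish when revoking at `period`."""
        return CrlEntry(seed_at(self.la1, self.seed1, period),
                        seed_at(self.la2, self.seed2, period),
                        period, self.la1, self.la2)


def matches_per_period(device: Device, entry: CrlEntry, periods: int = 6) -> list:
    """Per period, how many of the device's certificates the CRL entry flags."""
    counts = []
    for p in range(periods):
        ignore = values_to_ignore(entry, p)
        counts.append(sum(lv in ignore for lv in device.certs(p)))
    return counts


if __name__ == "__main__":
    faulty = Device(b"constructed-faulty")
    bystander = Device(b"constructed-bystander")
    entry = faulty.revoke(3)
    print("faulty   :", matches_per_period(faulty, entry))
    print("bystander:", matches_per_period(bystander, entry))
```

In this model every certificate of the revoked device from the revocation period onward is flagged, and therefore linkable to one device, while its earlier certificates and all certificates of other devices stay unmatched.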

As noted above, based on our exploration of privacy impacts and analysis of the V2V system design to date, it is NHTSA’s expectation that the multiple technical, policy and physical controls incorporated into the design of the V2V system detailed will help to mitigate privacy risks to consumers. Methods of tracking vehicles, such as surveillance and use of specialized GPS devices already exist and may be easier, less expensive, and require less skill and access than would vehicle tracking using V2V messages or other information in the V2V system in certain conditions. Nevertheless, DOT is continuing to work with privacy experts to perform dynamic modeling and explore the viability of additional controls that might further mitigate any potential impacts demonstrated in the privacy-relevant transactions identified above for further analysis. The planned implementation by DOT of a PoC security entity (SCMS) and related PKI policy research will provide an operational environment in which to continue to explore the viability of additional privacy-mitigating controls applicable to the V2V System, as currently envisioned and designed. We seek comment on whether there are other potential privacy risks stemming from the V2V systems proposed that the agency should investigate and, if so, what specific risks.

E. Health Effects

NHTSA received numerous comments from individuals in response to the ANPRM concerning the potential for V2V technology to contribute to electromagnetic hypersensitivity (“EHS”). Overall, the comments focused on how a national V2V deployment could potentially disadvantage persons that may be electro-sensitive.[186] In response, NHTSA engaged the DOT Volpe Center to review available literature and government agency actions regarding EHS in support of this NPRM. More specifically, NHTSA needed to learn more about the potential conditions causing EHS, actions taken by other federal agencies that have been involved in similar technology deployments or whose mission is primarily human health-focused, and any qualifying actions granted by the Americans with Disabilities Act (ADA) related to EHS among other potential externalities that may affect a potential V2V technology deployment.

[186] “Electromagnetic Hypersensitivity Comment Review and Analysis”, NHTSA V2V Support—Task 3, dated March 13, 2015, Noblis.

1. Overview

According to the World Health Organization (WHO), EHS is characterized by a variety of non-specific symptoms that are attributed to exposure to electro-magnetic frequencies (“EMF”) by those reporting symptoms. The symptoms most commonly experienced include dermatological symptoms (redness, tingling, and burning sensations) as well as neurasthenic and vegetative symptoms (fatigue, tiredness, difficulty concentrating, dizziness, nausea, heart palpitation, and digestive disturbances). The collection of symptoms is not part of any recognized syndrome. Reports have indicated that EHS can be a disabling problem for the affected individual; however, EHS has no clear diagnostic criteria and it appears there is no scientific basis to link EHS symptoms to EMF exposure. Further, EHS is not a medical diagnosis, nor is it clear that it represents a single medical problem.[187]

[187] “Electromagnetic fields and public health: Backgrounder”, The World Health Organization (WHO), December 2005. Available at http://www.who.int/peh-emf/publications/facts/fs296/en/ (last accessed Sept. 28, 2015).

2. Wireless Devices and Health and Safety Concerns

The Federal Communications Commission (FCC), federal health and safety agencies such as the Environmental Protection Agency (EPA), the Food and Drug Administration (FDA), the National Institute for Occupational Safety and Health (NIOSH) and the Occupational Safety and Health Administration (OSHA) have been actively involved in monitoring and investigating issues related to radio frequency (“RF”) exposure. Federal, state, and local government agencies and other organizations have generally relied on RF exposure standards developed by expert, non-government organizations such as the Institute of Electrical and Electronics Engineers (IEEE) and the National Council on Radiation Protection and Measurements (NCRP).

Several U.S. government agencies and international organizations are working cooperatively to monitor research on the health effects of RF exposure. The World Health Organization’s (WHO) International Electromagnetic Fields Project (IEFP) provides information on health risks, establishes research needs, and supports efforts to harmonize RF exposure standards. Some health and safety interest groups have interpreted certain reports to suggest that wireless device use may be linked to cancer and other illnesses, posing potentially greater risks for children than adults. While these assertions have gained increased public attention, currently no scientific evidence establishes a causal link between wireless device use and cancer or other illnesses.[188]

[188] “Wireless Devices and Health Concerns”, Federal Communications Commission (FCC), Consumer and Governmental Affairs Bureau, updated March 12, 2014. Available at http://www.fcc.gov/guides/wireless-devices-and-health-concerns (last accessed Dec 12, 2016).

3. Exposure Limits

In the U.S., IEEE has developed limits for human exposure to RF energy, and these limits have been widely influential around the world and require periodic updates. Internationally, the exposure limits for RF energy vary widely in different countries. A few countries have chosen lower limits, in part due to differences in philosophy in setting limits. IEEE and most other
Western exposure limits are designed on the basis of identified thresholds for hazards of RF and thus are science-based. Switzerland, Italy, and a few other countries have adopted “precautionary” exposure limits for RF energy. These are not based on identified hazards, but reflect the desire to set exposure limits as low as economically and technically practical, to guard against the possibility of an as-yet unidentified hazard of RF exposure at low levels.[189]

[189] “COMAR Technical Information Statement the IEEE exposure limits for radiofrequency and microwave energy”, Marvin C. Ziskin, IEEE Engineering in Medicine and Biology Magazine, March/April, 2005. Available at http://ewh.ieee.org/soc/embs/comar/standardsTIS.pdf (last accessed Dec. 12, 2016).

4. U.S. Department of Energy (DOE) Smart Grid Implementation

Many comments to the ANPRM were related to the implementation and expansion of “smart grid” or “smart meter” technology being deployed in the United States. The “smart grid” generally refers to a class of technology used to bring utility electricity delivery systems into the 21st century, using computer-based remote control and automation. These systems are made possible by two-way communication technology and computer processing that has been used for decades in other industries.[190]

[190] Department of Energy “Smart Grid” Web site. Available at http://energy.gov/oe/services/technology-development/smart-grid (last accessed Dec 12, 2016).

Federal legislation was enacted in both 2005 (Energy Policy Act, or “EPAct”) and 2007 (Energy Independence and Security Act, or “EISA”) that contained major provisions on demand response, smart metering, and smart grids.[191] The primary purpose of using smart meters and grids is to improve energy efficiency—very precise electricity usage information can be transmitted back to the utility in real-time, enabling the utility to better direct how much electricity is transmitted, and when, which in turn can improve power generation efficiency by not producing more power than necessary at a given time. According to a report prepared by the Federal Energy Regulatory Commission (FERC) in December 2014, approximately 15.3 million advanced meters were installed and operational through the Department of Energy (DOE) Smart Grid Investment Grant (SGIG) program. Ultimately, 15.5 million advanced meters are expected to be installed and operational under SGIG. All SGIG projects are expected to reach completion in 2014, with continued reporting requirements through 2016.[192]

[191] “Demand Response & Smart Metering Policy Actions Since the Energy Policy Act of 2005—A Summary for State Officials”, Prepared by U.S. Demand Response Coordinating Committee for The National Council on Electricity Policy, 2008. http://energy.gov/oe/downloads/demand-response-and-smart-metering-policy-actions-energy-policy-act-2005-summary-state (last accessed: Dec 12, 2016).

[192] “Assessment of Demand Response and Advanced Metering”, Federal Energy Regulatory Commission (FERC) Report, December 2014. Available at https://www.ferc.gov/industries/electric/indus-act/demand-response/dem-res-adv-metering.asp (last accessed Dec. 12, 2016).

In the last several years, some consumers have objected to deployment of the “smart” utility meters needed for DOE’s Smart Grid implementation. Smart meters transmit information via wireless technology using electromagnetic frequencies (EMF). Smart utility meters operate in the 902–928 MHz frequency band and the 2.4 GHz range, which is where the human body absorbs energy less efficiently and the Maximum Permissible Exposure (MPE) limits for RF exposure are less restrictive.[193]

[193] Federal Communications Commission, (FCC), 2011. Radio frequency safety, available at https://www.fcc.gov/encyclopedia/radio-frequency-safety (last accessed Dec 12, 2016).

Smart utility meters in households or businesses will generally transmit data to an access point (usually on utility poles) once every four hours for about 50 milliseconds at a time. Once the smart grid is fully active, it is expected that smart utility meters will transmit more frequently than once every four hours, resulting in a higher duty cycle.[194] A 2011 report from the California Council on Science and Technology (CCST) showed minimum and maximum exposure levels for various sources, including a smart meter that is always on at two distances from the body. The CCST concluded that RF exposure levels for smart meters in either scenario would be less than microwave ovens and considerably less than cell phones, but more than Wi-Fi routers or FM radio/TV broadcasts.[195] It should also be noted that a 2011 report from the Electric Power Research Institute (EPRI) assessed exposures in front of and behind smart utility meters. It determined that the average exposure levels from smart utility meters, measured from a single meter and from an array of meters, were at levels similar to those from other devices that produce RF in the home and surrounding environment.[196]

[194] “Review of Health Issues Related to Smart Meters”, Monterey County Health Department, Public Health Bureau, and Evaluation, March, 2011. Available at https://www.nema.org/Technical/Documents/Smart%20Meter%20Safety%20-%20Marin%20Co%20CA%20whitepaper.pdf (last accessed Dec 12, 2016).

[195] “Health Impacts of RF Exposure from Smart Meters”, California Council on Science and Technology, April 2011. Available at https://ccst.us/publications/2011/2011smart-final.pdf (last accessed Dec 12, 2016).

[196] “RF Exposure Levels from Smart Meters: A Case Study of One Model”, Electric Power Research Institute (EPRI), February 2011. Available at http://www.epri.com/abstracts/Pages/ProductAbstract.aspx?ProductId=000000000001022270 (last accessed Dec 12, 2016).

A typical “smart” utility meter device uses a low power one watt wireless radio to send customer energy-usage information wirelessly.[197] The V2V DSRC devices used for NHTSA research in the Safety Pilot activities are allowed to transmit at up to 33 dBm [198] (approximately 2.0 watts of power output), as defined by FCC specifications.[199] The “normal” operating transmission output range for these devices is 20 dBm (or approximately 100 mW) for devices operating in the allocated DSRC frequency range. For additional comparison purposes, the typical cellular phone operates at higher power output levels of 27 dBm (approximately 500 mW). Cellular phones are capped at the same maximum transmission power output of 33 dBm.

[197] Radio Frequency FAQ, http://www.pge.com/en/safety/systemworks/rf/faq/index.page (last accessed Jun. 5, 2015).

[198] dBm or decibel-milliwatt is an electrical power unit in decibels (dB), referenced to 1 milliwatt (mW). The power in decibel-milliwatts (P(dBm)) is equal to 10 times base 10 logarithm of the power in milliwatts (P(mW)).

[199] “Table I.5a—Maximum STA transmit power classification for the 5.85–5.925 GHz band in the United States”, IEEE specification 802.11P–2010, Page 31. Available at https://www.ietf.org/mail-archive/web/its/current/pdfqf992dHy9x.pdf (last accessed Dec. 12, 2016).

The public objections to these deployments have been based on concerns over potential health effects. Specifically, some consumers are concerned about exposure to wireless RF emissions emanating from smart meters in their homes, which has led to legal challenges for smart meter programs. Due to these objections, several state commissions authorized an “opt-out” provision for individual consumers who do not wish to have smart meters installed in their homes. In response to public perception of the technology, the Department of Energy pursued development of outreach materials citing current scientific and industry evidence that radio frequency from smart grid devices in the home is not detrimental to health. The materials are being provided to state commissions, utilities in the DOE Smart Grid Program, and other community-based organizations in an effort to convey
these messages to the end-user community.[200]

[200] Recommendations on Consumer Acceptance of Smart Grid, Electricity Advisory Committee, Richard Cowart, Chair to Honorable Patricia Hoffman, Assistant Secretary for Electricity Delivery and Energy Reliability, U.S. Department of Energy, June 6, 2013. http://energy.gov/sites/prod/files/2013/06/f1/EAC_SGConsumerRecs.pdf (last accessed Dec 12, 2016).

5. Federal Agency Oversight & Responsibilities

Many consumer and industrial products use or produce some form of electromagnetic energy. Various agencies within the Federal Government have been involved in monitoring, researching, or regulating issues related to human exposure to radio frequency radiation. A summary of the federal Government’s role is provided below: [201]
• Federal Communications Commission (FCC): The FCC authorizes and licenses most RF telecommunications services, facilities, and devices used by the public, industry, and state and local governmental agencies. The FCC’s exposure guidelines that V2V devices are anticipated to follow, and the ANSI/IEEE and NCRP guidelines upon which they are based, specify limits for human exposure to RF emission from hand-held RF devices in terms of specific absorption rate (SAR). Additionally, under the National Environmental Policy Act of 1969 (NEPA), the FCC has certain responsibilities to consider whether its actions will “significantly affect the quality of the human environment.” To meet its NEPA obligations, the Commission has adopted requirements for evaluating the impact of its actions (47 CFR 1.1301, et seq.). One of several environmental factors addressed by these requirements is human exposure to RF energy emitted by FCC-regulated transmitters and facilities. The FCC’s rules provide a list of various Commission actions that may have a significant effect on the environment. If FCC approval to construct or operate a facility would likely result in a significant environmental effect, the applicant must submit an Environmental Assessment (EA). The EA is reviewed by FCC staff to determine whether an Environmental Impact Statement (EIS) is necessary.[202]
• National Telecommunications and Information Administration: NTIA is an agency of the U.S. Department of Commerce and is responsible for authorizing Federal Government use of the RF electromagnetic spectrum. Like the FCC, NTIA also has NEPA responsibilities and has enacted similar guidelines and processes to those of FCC to ensure compliance.
• Food and Drug Administration (FDA): by authority of the Radiation Control for Health and Safety Act of 1968, the FDA’s Center for Devices and Radiological Health (CDRH) develops performance standards for the emission of radiation from electronic products including: X-ray equipment, other medical devices, television sets and microwave ovens, laser products, and sunlamps. The CDRH has not adopted performance standards for other RF-emitting products. The FDA is the leading federal health agency in monitoring the latest research developments and advising other agencies with respect to the safety of RF-emitting products used by the public, such as cellular and mobile devices.
• Environmental Protection Agency (EPA): EPA activities pertaining to RF safety and health are presently limited to advisory functions. EPA has chaired an Interagency Radiofrequency Working Group, which coordinates RF health-related activities among federal agencies who have regulatory responsibilities in this area.
• Occupational Safety and Health Administration (OSHA): OSHA is responsible for protecting workers from exposure to hazardous chemical and physical agents. In 1971, OSHA issued a protection guide, which V2V devices are anticipated to operate within, for exposure of workers to radiation (29 CFR 1910.97). The guide covers frequencies from 10 MHz to 100 GHz. The guide was later ruled to be only advisory and not mandatory.[203]
• National Institute for Occupational Safety and Health (NIOSH): NIOSH is part of the U.S. Department of Health and Human Services, Centers for Disease Control and Prevention (CDC) and conducts research and investigations into issues related to occupational exposure to chemical and physical agents. NIOSH research is focused on radio frequencies, extremely low frequencies (ELF) and static magnetic fields. CDC/NIOSH provides various guidance documents related to the focused research areas.[204]
• The Architectural and Transportation Barriers Compliance Board (Access Board): The Access Board is the federal agency devoted to accessibility for people with disabilities. In November 1999, the Access Board issued a proposed rule to revise and update their accessibility guidelines. During the public comment period on the proposed rule, the Access Board received approximately 600 comments from individuals with multiple chemical and electromagnetic sensitivities. The Board issued a statement recognizing that people with these sensitivities may be considered disabled under the ADA if conditions perceived to be caused by these sensitivities “so severely impair the neurological, respiratory, or other functions of an individual that it substantially limits one or more of the individual’s major life activities.” The Board contracted with the National Institute of Building Sciences (NIBS) to establish the Indoor Environmental Quality (IEQ) Project. The overall objectives of the IEQ project were to establish a collaborative process among a range of stakeholders to recommend practical, implementable actions to both improve access to buildings for people with EMS while also improving indoor environmental quality to create healthier buildings for the entire population. The NIBS IEQ Final Report was issued in July 2005 and provides recommendations for accommodations for people with chemical and/or electromagnetic sensitivities. The agency is unaware of any further actions by the Access Board on this issue.[205]
• Department of Defense (DOD): The DOD conducts research on the biological effects of RF energy.

[201] “Questions and Answers about Biological Effects and Potential Hazards of Radiofrequency Electromagnetic Fields”, OET Bulletin 56, Fourth Edition, August 1999, Federal Communications Commission, Office of Engineering and Technology. Available at https://transition.fcc.gov/Bureaus/Engineering_Technology/Documents/bulletins/oet56/oet56e4.pdf (last accessed Dec 12, 2016).

[202] “Evaluating Compliance with FCC Guidelines for Human Exposure to Radio frequency Electromagnetic Fields”, Federal Communications Commission, Office of Engineering & Technology, OET Bulletin 65 (Edition 97–01), August 1997. Available at https://transition.fcc.gov/Bureaus/Engineering_Technology/Documents/bulletins/oet65/oet65b.pdf (last accessed Dec 12, 2016).

[203] OET Bulletin #56, Federal Communications Commission, FCC, available at https://transition.fcc.gov/Bureaus/Engineering_Technology/Documents/bulletins/oet56/oet56e3.pdf (last accessed Dec 12, 2016).

[204] “EMF (ELECTRIC AND MAGNETIC FIELDS),” available at http://www.cdc.gov/niosh/topics/emf/ (last accessed Dec 12, 2016).

[205] “IEQ Indoor Quality Final Report”, National Institute for Building Services, July 14, 2005. http://apps.fcc.gov/ecfs/document/view?id=7520945309 (last accessed: Dec 12, 2016).

6. EHS in the U.S. and Abroad

(a) Americans With Disabilities Act

The Americans with Disabilities Act (“ADA”) does not contain a lengthy list of medical conditions that constitute disabilities. Instead, the ADA provides a general definition for “disability,” which requires a showing of having a physical or mental impairment that substantially limits one or more major


life activities, a history or record of such an impairment, or being perceived by others as having such an impairment. Several states have enacted even more liberal policies on disability rights that afford greater potential protections than the ADA as it relates to EHS.

To date, the agency is unaware of any finding that EHS constitutes a disability. As mentioned above, the NIBS IEQ provided some recommendations, but did not conclude that EHS was in fact a disability. The agency is unaware of any further actions, either by the Access Board or some other entity, which recognized EHS as a disability or any science that would prove this.

(b) Global Recognition

Globally, some nations have heightened awareness of EHS by requiring provisions to accommodate those claiming its effects. In Sweden, for example, these provisions could include unique lighting fixtures and/or computer monitors for places of employment. The Canadian Government, The Canadian Human Rights Commission (CHRC) has also recognized EMS, describing environmental sensitivities as follows: “The term “environmental sensitivities” describes a variety of reactions to chemicals, electromagnetic radiation, and other environmental factors at exposure levels commonly tolerated by many people.” 206 The CHRC published a series of recommendations for building environments in an effort to reduce potential EMS conditions.207 In 2009, the European Parliament urged member states to follow Sweden’s example to provide people with ES protection and equal opportunities.

7. Conclusion

The agency appreciates the ANPRM comments bringing attention to V2V technology and a potential relationship to EHS. The agency takes these concerns very seriously. The literature review conducted by the agency highlighted long, and still ongoing, activities to better understand the relationship to electromagnetic radiation and the symptoms of individuals reporting electromagnetic hypersensitivity. As a Federal government agency focused on automotive safety, NHTSA acknowledges the expertise of our sister agencies such as the Federal Communications Commission and the Food and Drug Administration, among others, which have been involved with electromagnetic fields, in parallel with the pervasiveness of cellular phone deployment in the United States and globally.

The FDA currently states in response to the question, “Is there a connection between certain health problems and exposure to radiofrequency fields via cell phone use?” that “The results of most studies conducted to date indicate that there is not. In addition, attempts to replicate and confirm the few studies that did show a connection have failed.” 208 However, NHTSA acknowledges that research is still ongoing and, as technology evolves, wireless communications will most likely continue to increase. The agency believes the continued efforts of the Radiofrequency Interagency Work Group (RFIAWG) 209 may yield any potential future guidance for wireless device deployment and usage.

V2V devices are currently certified for use in the 5.9 GHz frequency allocation by the FCC, and the agency additionally anticipates any future certifications by the FCC will ensure that V2V devices will comply with all criteria related to RF emissions.

Currently, the FCC publishes a very helpful guide on “Wireless Devices and Health Concerns,” 210 in which the Commission states, “While there is no federally developed national standard for safe levels of exposure to radiofrequency (RF) energy, many federal agencies have addressed this important issue.” The Commission acknowledges the efforts of the interagency working group, its members, and their ongoing monitoring and investigating issues related to RF exposure.

V2V devices would operate at distances to humans significantly further than the distance relationship of a portable cellular phone to its operator, where the device is generally carried on a person or pressed directly to the ear. V2V devices used in the Safety Pilot operated at similar power levels to handheld cellular phones and the agency expects power levels for production deployment to remain consistent with the levels used in the Safety Pilot activities. Based on these two conditions, we believe it is reasonable to anticipate that any new guidance issued by the RFIAWG and its participating federal agencies on future cellular phone or wireless device usage could potentially be relevant to V2V devices, albeit in a somewhat diminished magnitude based on the distances the devices will operate in relation to persons.

V. Device Authorization

A. Approaches to Security Credentialing

As part of exploring different methods of authenticating V2V messages, the agency has examined, in addition to the primary message authentication proposal’s PKI-based SCMS (single-root approach), two potential approaches to ensuring V2V messages are secure. These include a vehicle based approach, and an approach where multiple roots of confidence would be utilized. Each approach is described in the following sections.

B. Federated Security Credential Management (SCMS)

1. Overview 211

For V2V communications to work effectively and as intended to facilitate crash avoidance safety applications, it is critical that users of the network have confidence in the validity of basic safety messages received from other system users—indistinct users whom they have never met and do not know personally. For this reason, DOT and its research partners have developed a sophisticated security system that allows for the creation and management of digital security credentials (referred to as “certificates”) that enable users to have confidence in one another, and the system as a whole. In fact, the security system designed to create confidence in the V2V environment is a more complex and sophisticated version of the same public key infrastructure (PKI) system that consumers and merchants use every day to verify credit card transactions at the supermarket or make on-line purchases (any time you see the “https,” for example). PKI systems also have long been used by the Federal government and corporate America,

206 “What You Should Know About Electromagnetic Sensitivity (EMS)”, Christiane Tourtet. B.A, International MCS/EMS Awareness, available at http://www.nettally.com/prusty/CTEMS.pdf (last accessed Dec. 8, 2016).

207 Sears, Margaret E., “The Medical Perspective on Environmental Sensitivities,” May 2007. Available at http://www.chrc-ccdp.ca/sites/default/files/envsensitivity_en_1.pdf (last accessed Dec. 8, 2016).

208 Radiation-Emitting Products, “Current Research Results,” available at http://www.fda.gov/Radiation-EmittingProducts/RadiationEmittingProductsandProcedures/HomeBusinessandEntertainment/CellPhones/ucm116335.htm (last accessed Dec. 8, 2016).

209 Group members can be found at http://www.emrpolicy.org/litigation/case_law/docs/workgroupmemberslist.pdf (last accessed: Dec 8, 2016).

210 See “Wireless Devices and Health Concerns” https://www.fcc.gov/guides/wireless-devices-and-health-concerns (last accessed Dec. 8, 2016).

211 The SCMS overview and governance discussions in this notice are based in significant part on a report DOT entitled, “Organizational and Operational Models for the Security Credentials Management System (SCMS); Industry Governance Models, Privacy Analysis, and Cost Updates,” dated October 23, 2013, prepared by Booz Allen Hamilton under contract to DOT, non-deliberative portions of which may be viewed in docket: NHTSA–2014–0022.


successfully and securely, to verify the identity of their employees for access and security purposes.

In the V2V context, system participants use digital certificates to validate the integrity of safety messages exchanged 10 times per second by V2V devices in motor vehicles. The body of each safety message is unencrypted; the sender signs the message with a digital certificate and the receiver checks to ensure that the signature is valid before relying on the message content. This PKI verification process requires an organization referred to as a Security Credential Management System (SCMS) to provide those necessary signing credentials (i.e., digital certificates) and conduct related security functions, such as identifying and removing malfunctioning V2V devices from the system. The V2V Readiness Report details the SCMS component of the V2V system.212

When NHTSA issued its V2V Readiness Report, for a variety of reasons discussed therein, the agency envisioned that the SCMS would be established, funded, and governed primarily by one or more private entities—possibly a consortium of automobile and V2V device manufacturers—with limited Federal involvement. Through comments to the ANPRM, the SCMS RFI process, collaborative research with the VIIC, and additional DOT policy research, NHTSA now has developed several different potential processes by which a V2V SCMS might be stood up, owned, operated, and governed. DOT is committed to playing a central pre-deployment role in developing the organizational framework of a viable and sustainable V2V SCMS, as well as the policies and procedures required to support the SCMS—depending on comments received in response to this NPRM. In order to do so, DOT has expanded the scope of its pre-deployment policy research significantly to include several additional critical activities. DOT intends to work closely with experienced PKI and organizational management consultants and stakeholders to:

• Deploy a Proof-of-Concept SCMS based on the current design to support additional privacy and security research, as well as the certificate needs of CV Pilots funded by DOT and early industry adopters of V2V;

• Develop policies and procedures (based on industry best practices, standards, comparable privacy-sensitive PKIs, and individual input from SCMS and V2V stakeholders) that could be used to govern the organization, accreditation, and operation of a V2V SCMS and its components, including drafts of an SCMS Certificate Policy (CP), Certification Practice Statement (CPS), and Privacy Policy;

• Develop a model for, and then prototype a private, multi-stakeholder governance entity (on the basis of existing multi-stakeholder models) that could support deployment of an operational SCMS.

• Develop one or more public-private governance models (on the basis of existing comparable organizations) that could support deployment of an operational SCMS, given appropriate funding.

We are hopeful that this critical technical and policy research will provide government and private stakeholders with a detailed blueprint of several viable options for standing up an SCMS. One promising path that DOT actively will continue to explore is that of working with a private sector, multi-stakeholder entity that could serve as an SCMS Manager to deploy, govern, and coordinate operation of a fully-operational V2V SCMS, in which DOT would play an ongoing advisory role. However, DOT’s planned research also encompasses robust exploration of other paths that could support the deployment of a sustainable, operational V2V SCMS, given appropriate public and/or private funding.

We begin this discussion with a description of the technical and organizational design of the SCMS that will support V2V, V2I, and V2X communications. We then summarize and address comments on the technical design received by NHTSA in connection with the ANPRM, V2V Readiness Report, and RFI process. As the foundation to a discussion of SCMS governance, we identify the diverse group of public and private entities and stakeholders with interests in deployment of a V2V SCMS (together described in this document as members of a “SCMS ecosystem” or “SCMS industry” requiring governance for successful deployment of V2V communications). We summarize and address governance comments received in response to the ANPRM, V2V Readiness Report, and during the RFI process. We detail DOT’s planned deployment of the proof-of-concept (POC) SCMS. We then detail planned work with experts and SCMS “industry” participants to develop policies and procedures for the National SCMS, and to flesh out one or more viable models for organization, ownership, and governance of the National SCMS. Following is a discussion of ICANN as a comparative industry example of successful, private sector multi-stakeholder governance, the evolution of which is instructive to government and private sector stakeholders in the SCMS ecosystem. Finally, we outline NHTSA’s plan to issue, on the basis of this additional PKI and organizational research, a policy statement on SCMS governance on which we will seek comment from stakeholders representing all aspects of the SCMS ecosystem.

2. Technical Design

The technical design for a SCMS reflects the processes associated with certificate production, distribution, and revocation, and illustrates how these SCMS functions interact with each other and with OBE. Several functions work together in a PKI system. The V2V SCMS is based on a standard PKI design to which additional functions have been added specifically to address the identified security and privacy needs of V2V, V2I, and V2X technologies. The term “pseudonym functions” is used to refer to those functions responsible for creating the short-term certificates used by the OBE in V2V messaging. The term “pseudonym” is used to indicate that short-term certificates contain no unique or personally-identifying information about users or their vehicles, but still allow users to participate in the system, in essence allowing use of a pseudonym. The pseudonym functions differ from those functions that take part in the “bootstrap” process, described later in this section. Pseudonym functions create, manage, distribute, monitor, and revoke short-term certificates for vehicles.

These functions are listed below in alphabetical order:

• Intermediate Certificate Authority (Intermediate CA)
• Linkage Authority (LA)
• Location Obscurer Proxy (LOP)
• Misbehavior Authority (MA)
• Pseudonym Certificate Authority (PCA)
• Registration Authority (RA)
• Request Coordination
• Root Certificate Authority (Root CA)
• SCMS Manager

Distinct from the pseudonym functions that execute the short-term certificate processes are the functions that carry out the “bootstrap” process (the initialization of the device into the system). The bootstrap process establishes the initial connection between OBE and the SCMS. This process is characterized by its chief

212 See Section IX.B of the V2V Readiness Report.


component, the Enrollment Certificate Authority (ECA), which is responsible for assigning an enrollment certificate to each OBE. The bootstrap functions remain separate from the pseudonym functions because of the potential connection to individual identifying information (like a VIN) during bootstrap.

The functions within the bootstrap process are listed below in alphabetical order:

• Certification Lab
• Device Configuration Manager (DCM)
• Enrollment Certificate Authority (ECA)

A brief description of each SCMS function is provided in Table V–1.

TABLE V–1—SCMS COMPONENTS AND DESCRIPTION

Abbreviation | Function name | Activities
Certification Lab | Certification Lab | Tests OBE and informs ECA that units of a particular type are eligible for enrollment certificates.
DCM | Device Configuration Manager | Coordinates initial distribution with OBE and enables OBE to request certificates from RA.
ECA | Enrollment Certificate Authority | Activates OBE and credentials users.
Intermediate CA | Intermediate Certificate Authority | Shields Root CA from system and provides more flexibility for trust management.
LA | Linkage Authority | Each pair of LAs communicates with the RA to provide linkage values necessary for certificate production, and assists the MA in misbehavior processes.
LOP | Location Obscurer Proxy | Obscures the locations of requesting devices (e.g., OBE requesting certificates) from other functions, such as the RA.
MA | Misbehavior Authority | Collects misbehavior reports from OBE and analyzes system-wide misbehavior. Coordinates with PCA and RA to produce CRL. Other activities include CRL generation, broadcast, and store; internal blacklist manager (IBLM); and global detection.
PCA | Pseudonym Certificate Authority | Generates and signs short-lived certificates.
RA | Registration Authority | Coordinates certificate production with other functions; sends certificates to OBE (during full deployment).
Request Coordination | Request Coordination | Coordinates certificate requests from OBE to RA.
Root CA | Root Certificate Authority | Provides system-wide confidence through CME certificates issued to all CMEs; represents the basis of confidence in the system.
SCMS Manager | Security Credentials Management System Manager. | Defines and oversees standards and practices for the SCMS, related to both technical and policy issues.

The technical design of the SCMS is focused on communications and activities of the various PKI functions. Among other fundamental principles, the technical design for the system incorporates a “privacy by design” approach that separates information and organizational functions in order to mitigate potential risks to consumer privacy. The model depicted in Figure V–1 below illustrates one way these functions could be grouped into legal/administrative organizations within the larger SCMS “industry,” while still protecting consumer privacy appropriately and ensuring secure, efficient communications.


Blue boxes in the diagram represent Certificate Management Entities (CMEs), or groupings of SCMS functions. Functions carried out within the CMEs are represented by the white boxes. For purposes of this illustrative model, these groupings clarify those functions that may be owned by multiple organizations, versus those that may be best handled in a more centralized manner. However, as noted in the V2V Readiness Report, ultimately, the decision as to which SCMS functions may be performed by a single entity and whether central and non-central functions may be combined are matters of governance defined by the system’s Certificate Policy. For this reason, if this PKI technical design for the SCMS is implemented, the final decision on which organizations can be owners/operators and how scope and responsibility will be divided among the CMEs will likely be a central policy issue determined jointly by NHTSA and the entity that takes the lead in governing and coordinating operation of the V2V SCMS.

3. Independent Evaluation of SCMS Technical Design

The design of the Security Credential Management System has gone through many iterations and adjustments throughout the V2V research program as the system has evolved to meet revised or additional needs. Additionally, evolutionary changes have occurred as a result of implementation and operation in support of the USDOT’s Safety Pilot Model Deployment.

To better understand maturity and robustness of the SCMS, the USDOT retained the MITRE Corporation to conduct an independent evaluation and risk assessment of both security and privacy design features of the SCMS. This work was used to inform continuing refinements and provide USDOT with a basis for future policy and technical decisions related to deployment.

MITRE was directed to conduct: (1) An independent and comprehensive evaluation and risk assessment of the July 2013 SCMS design for a V2V connected vehicle environment; and (2) a technical analysis of the potential privacy risks of the entire V2V system that includes security but also focuses on the operation of V2V communications in support of crash avoidance safety applications.

The independent evaluation by MITRE identified security requirements needed to support secure V2V communications, and revisited threats and risks in relation to the design and how the identified requirements addressed the potential risks. The results of the SCMS design evaluation are detailed in Final Requirements Report, September 11, 2015, Report Number: FHWA–JPO–15–235, and Final Design Analysis Report, September 18, 2015, Report No: FHWA–JPO–15–237.

The MITRE evaluation was based on the previous 6 years of research that investigated core issues related to: Securing DSRC communications; privacy implications; achieving interoperability; governance and organizational structure; and identifying and addressing communication threats and risks. The Government provided reports associated with these studies to the MITRE Corporation as a basis to conduct their evaluation and identify the minimum requirements of the SCMS that would support the three primary components of the system that are:

1. V2V devices that support DSRC messages broadcast to and received from other devices; and the ability to send/receive messages to/from the Security Certificate Management System for digital security credentials that provide the means of message authentication;

2. A Security Certificate Management System (SCMS) which is the security organization that issues, distributes, and revokes digital security credentials. The


SCMS is comprised of a number of entities and functions. It is also designed to detect and remove misbehaving devices; and

3. A communications network that facilitates two-way encrypted communications between an SCMS and a DSRC device (to include both vehicles and roadside units).

The MITRE evaluation focused on a revised SCMS technical design that benefited and evolved from knowledge gained during operation of a technical prototype implemented as part of the Safety Pilot Model Deployment. This prototype implementation exercised initial technical functionality needed to produce and manage security certificate material for the deployed devices, and there was a rudimentary technical organization and management structure. This early SCMS prototype provided technical data related to PKI architecture and functions, and there were new insights gained regarding the over-the-air transmission of security materials and use of alternate communication media that include DSRC and cellular.

Prior to the MITRE evaluation were years of research conducted to understand and develop the SCMS design. The first formal research was conducted in 2010. CAMP commissioned 5 leading communication/internet security entities to assess the security needs and identify a security approach for DSRC communications. Security Innovations, Escrypt, Telcordia Technologies, Carnegie Mellon University, University of Illinois at Urbana-Champaign, and India Science Lab investigated aspects of the system and collaborated on recommendations. Security Innovations and Escrypt conducted a risk analysis and identified initial risks related to broadcast communications among vehicles and devices. These risks included denial of service attacks, Sybil attacks, altered messages, replay of messages, and compromised nodes. The risks were rated and mitigation techniques identified. The risk analysis was combined with investigations by: Telcordia Technologies (design and analysis of applicable and scalable PKI systems); Carnegie Mellon and University of Illinois at Urbana-Champaign (adaptations to address privacy); and Lab (misbehavior detection solutions). The overall recommendation was a PKI based system with frequently changing certificates.

Two years later, after preliminary work was done on the SCMS design, USDOT and CAMP conducted a risk assessment based on the NIST 800–30 publication, Guide for Conducting Risk Assessments. Using the NIST framework, attackers and attack scenarios were identified. Identified attackers included, for example, a clever outsider and a well-funded foreign hostile organization. Attack scenarios included local and widespread Sybil attacks, Root Compromise, Intermediate Certificate Authority Compromise, Registration Authority Compromise, False Misbehavior Report, False Certificate Requests, and Trust Management Compromise. For various attack scenarios risk was estimated based on likelihood and impact. The estimates were based on a modified NIST risk matrix given the NIST matrix did not rate any scenario as “high”. The risk assessment identified Root Compromise, Intermediate Certificate Authority Compromise, Registration Authority Compromise, and Trust Management Compromise to have high risk even after possible mitigation techniques were considered. This work informed the next stage of SCMS design refinement which included (among other refinements) an objective of finding new innovative techniques to move high risks to medium risks, and medium risks to low risks.

An updated high level SCMS design was completed July 2014 and documented via 4 separate but connected reports that included: (1) Study 1, Security Credential Management System, Final Report, July 2014; (2) Vehicle Safety Communications Security Studies Final Report, July 2014; (3) Study 3 Final Report, Definition of Communication Protocols Between SCMS Components, July 2014; and, (4) Phase 2 Final Report Volume 3: Security Research for Misbehavior Detection, Nov 2014. These reports formed the base of the information available to MITRE regarding the latest design of the SCMS. Other reports provided to MITRE included past research findings concerning interoperability, initial communications security needs, and SCMS organizational analysis.

MITRE also had access to the standards referenced in the reports that included SAE J2735, IEEE 1609, and the latest input to SAE J2945 that was being developed during the MITRE evaluation.

MITRE used the information described above to identify the minimum or essential requirements needed for a SCMS design to support the three primary components identified above (Final Requirements Report—September 11, 2015, Report Number: FHWA–JPO–15–235), and an assessment of how the latest SCMS design aligns with these minimum requirements (Final Design Analysis Report—September 18, 2015, Report No: FHWA–JPO–15–237). The Requirements Report also includes a risk assessment where MITRE reviewed past risk assessments and identified threats, threat actors, attacks, vulnerability, consequence, likelihood, impact severity, and risk in relation to the minimum requirements and latest design information based on the NIST 800–30, Guide for Conducting Risk Assessments.

The risk assessment assessed a number of possible threats to the system, some described by the CAMP reports, others identified by the MITRE team. Of the twenty-one threats identified, MITRE concluded that fourteen may be mitigated by a system design that conforms to the minimum requirements, but for seven of the threats, no system design requirements seemed to apply.213 In some cases, threats may be mitigated by additional system design features that perform to the minimum requirements. For other threats, no system requirements are listed. These include threats that involve compromises of or unauthorized access to SCMS or OEM system components or databases. For these, mitigation will depend not on system technical design but rather on implementation of security policies and operational practices that would be part of the SCMS operational governance function. Further, MITRE noted that such Governance functions and policies may be captured in documents such as a Certificate Policy and the Certificate Practice Statement. These documents and other governance policies and protocols will be developed as part of the SCMS PoC operations project that will support V2X deployment projects as discussed in Section V.B.6.e).

The MITRE Final Design Analysis report evaluates the SCMS design (as documented in the above listed Reports from CAMP) against a list of derived minimum requirements from the Final Requirements Report.

MITRE noted that the design of the SCMS has several innovative elements that deserve further development and analysis in future design revisions and system operational implementations. The list below identifies areas

213 The threats list from the MITRE report is not a comprehensive list of threats or risks to overall V2V system success, but are focused on threats to the objectives of providing secure V2V communication, protecting the privacy of vehicle operators, and enabling the identification and removal of bad actors from system participation.


recommended by MITRE for further development:

• Required cyber-resiliency capabilities, such as designs for continuous monitoring for proper operation, anomaly detection functions, and systematic software reset of installed software components.

• Misbehavior Authority (MA) design. The MA constitutes a critical single point of failure as conceived. Additionally, it presents enticing points for adversary compromise against key system objectives surrounding trustworthiness, misbehavior handling, and acceptance.

• Design of capabilities that would enable secure updating of on board equipment (OBE), Security Credential Management System (SCMS), and other component software, especially given the complexity and lifetime of the system and its components.

• Completion and clarification of the specifications of the operation and reporting functions around misbehavior, blacklist, revocation, and of the data elements maintained.

• Evaluation of the reduction of risks in privacy protection with the pseudonym certificate (PC) design instead of other, less complex, yet suitable privacy sensitive designs.

The above areas will be addressed by USDOT and its industry partners as the SCMS design continues to be refined, and as part of the implementation and operation of the first-ever fully representative SCMS proof of concept (PoC).

Further, even though it is not yet clear whether the SCMS should be designated as a ‘‘critical national infrastructure’’, once the SCMS Proof-of-Concept becomes operational, USDOT intends to apply the NIST Framework for Improving Critical Infrastructure Cybersecurity, (currently, Version 1.0, February 12, 2014). Much of the guidance provided in The Framework for Improving Critical Infrastructure Cybersecurity is directed at organizational practices to identify cybersecurity risks; protect against threats and detect cybersecurity events; and respond to and recover from cybersecurity breaches. As the SCMS PoC organizational design and governance policies mature and are actually being implemented, then USDOT will be able to apply the NIST Framework to help identify and mitigate residual risks.

It should be noted that USDOT (and MITRE) were precluded from applying the NIST Framework for Improving Critical Infrastructure Cybersecurity because the design of the SCMS was only conceptual (not yet implemented) and detailed organizational designs, governance structures, and operational policies and procedures remained to be completed and implemented. However, the risk assessment performed by MITRE did follow the basic process of identifying the state of the current system and developing a target state of cybersecurity to obtain through refinement and additions to technical, operational and governance aspects of the system. Examples include the MITRE risk assessment, the investigation regarding the role, functions, and governance responsibilities of an SCMS manager, and the analysis and evaluation of cybersecurity protection needs that moved the protection requirement from FIPS–140 Level 2 to Level 3. The SCMS design continues to mature to address risks such as Root Compromise 214 and software updates. Continued refinement is also evident through the ‘‘SCMS Proof-of-Concept End-Entity Requirements and Specifications Supporting SCMS, Software Release Version 1.1,’’ being used by Connected Vehicle Pilots as they prepare to connect to the SCMS PoC for security.215

214 See Root Elector System Design at http://www.mycreativeregistry.net/IPCOM/000245336 (last accessed Dec 4, 2016).

215 The EE Requirements and Specifications can be found via the following link: http://www.its.dot.gov/pilots/pdf/SCMS_POC_EE_Requirements.pdf (last accessed Dec 7, 2016).

Further, it should be understood that the SCMS PoC is being implemented at this time by USDOT to serve USDOT sponsored demonstrations and early deployments—and to allow for a better understanding both technically and operationally of how the SCMS may be deployed at a national level. To this extent, the designs, methods, policies and procedures implemented to ensure secure communications, manage privacy risks, and address cybersecurity threats will need to be accepted and implemented by the private entities that choose to establish and operate a National SCMS.

We welcome comment concerning: The cybersecurity risks associated with the SCMS; the analysis methods used to date to assess risk; and what framework/assessment methods should be used during SCMS PoC implementation and operation; and any other information regarding possible threats and risk that have not yet been identified.

4. SCMS RFI Comments and Agency Responses

As discussed in Section II.F, NHTSA issued a Request for Information (RFI) 216 regarding a potential Security Credential Management System (SCMS) that could support the National deployment of a secure V2V communication system.

216 79 FR 61927 (Oct 15, 2014).

The purposes of the RFI were to help the agency: (1) Become aware of private entities that may have an interest in exploring the possibility of developing and/or operating components of a V2V SCMS; (2) Receive responses to the questions posed about the establishment of an SCMS provided in the last section of the RFI; and (3) Obtain feedback, expressions of interest, and comments from all interested public, private, and academic entities on any aspect of the SCMS.

NHTSA received twenty-one responses to the RFI with approximately eleven of the responses indicating an interest in running aspects of, or the entire, SCMS. The respondents included vehicle manufacturers, software component developers and suppliers, cryptography experts, certificate management entities, satellite and cellular service providers, and academia.

Deployment of a V2V communications system, and of an SCMS to support confidence in V2V communications, are unprecedented activities. For this reason, the agency believed it was appropriate to meet with a subset of respondents, the eleven expressing interest in operating aspects of the SCMS or the SCMS as a whole, to ensure there was a shared understanding of respondents’ comments, potential role in an SCMS, and the agency’s position on a possible SCMS creation and implementation.

The agency was able to meet with ten of the eleven respondents that had indicated interest in operating aspects of a potential SCMS. One respondent, , was not able to meet with the agency. The meetings took place between January and March of 2015 at DOT headquarters either in person or via teleconference.

Overall, the meeting discussions were very informative and the agency greatly appreciated the time and effort the respondents expended following-up their RFI responses. In general, based on the RFI comments and the discussions with respondents, the team identified the following key themes concerning various aspects of the SCMS.

• Government must play a significant role in the establishment and management of the SCMS.

• Business opportunities are seen at the CME and Security services levels.


• Security system entities understand the relationship of the design to privacy, with some indicating they may be able to find some efficiency as they develop their systems.

• One respondent indicated that the design sets a new paradigm that other regions may adopt in the future.

• An SCMS Board of Directors needs to be initialized by the Federal Government—specifically citing the existing ICANN Model,217 charged with managing the world-wide-web domain and server naming allocation and standard, as an example framework that could transcend to V2V.

• Establishment of the SCMS Manager would require capital/initial funding.

• One entity discussed being the SCMS Manager.

• One entity indicated they would build and operate the entire SCMS system but would need another entity to be the SCMS Manager.

• Little information provided about potential financial models.

• Possible revenue sources included: CME license fees, certificate subscription fees, yearly service fees.

• To move forward with development/deployment, all indicated they need more information regarding the Government role, the SCMS Manager, and details about the security design.

• Liability was a major concern, with a strong interest from all participants in some form of Federal indemnification.

217 See, e.g., https://www.icann.org/resources/pages/chart-2012-02-11-en (last accessed Dec. 7, 2016).

(a) SCMS RFI Comments

(1) UMTRI

The University of Michigan’s Transportation Research Institute (UMTRI) met with representatives from the NHTSA V2V NPRM Team to discuss their SCMS RFI response. UMTRI’s response provided views regarding privacy, governance, potential SCMS component separation and linkage. UMTRI’s RFI response indicated other parties may be better suited to respond on specific governance organizational aspects but supported a public-private partnership model for overall governance, a potential model discussed in the V2V Readiness Report. UMTRI went one step further by offering the suggestion of an additional ‘‘public-private-academic’’ model that could potentially benefit from an academic partner’s fundamentally neutral stance, little commercial interests and direct access to significant research resources.

More specifically, UMTRI expressed interest in participating in the SCMS Manager and potentially being ‘‘a proper candidate’’ for operating the two Linkage Authorities identified in the current system design. UMTRI indicated their regular work on classified projects, existing infrastructure, and their experience ‘‘running highly privacy sensitive computer systems such as the University of Michigan Health System support their interest in operating the Linkage Authorities.’’

UMTRI indicated other parties may be better suited to provide a response regarding financial sustainability. In our meeting, however, UMTRI indicated they could possibly pose the SCMS financial sustainability proposition to their MBA students as a potential project.

When discussing potential SCMS operational and policy standards, UMTRI indicated support for NHTSA’s approach that SCMS components like the CME should be legally distinct. Support for keeping SCMS components legally separate is rooted in the need to ensure privacy and based on the key notions that firewalls within a single legal entity might not be sufficient to ensure privacy, different legal organizations will most likely protect a data center with differing technologies, and that distinct legal organizations inhibit the possibility of a single point of entry into multiple systems.

UMTRI suggested two types of operational policies, Type 1 for applications that are under governance of SCMS Manager (e.g., V2V safety applications) and Type 2 for applications that are not under the governance of SCMS Manager but are part of the V2X application portfolio (e.g., mobility applications provided by third party providers).

(2) Certified Security Solutions, Inc.

Certified Security Solutions, Inc. (CSS) represented the exposure to new potential stakeholders, suppliers, and services V2V is bringing to NHTSA. CSS supplies security solutions such as security certificate management systems and managed public-key infrastructures (PKI). CSS also provides digital security consulting services related to PKI and identity and access management. Historically, the agency has not interacted with suppliers such as CSS in the course of regulating vehicle manufacturers and, similarly, CSS has been involved with industries far removed from the auto industry, such as supporting digital certificates for surgical devices like heart pacemakers.

CSS indicated interest in three areas of the SCMS: (1) Participation in an advisory board regarding the policy, specifications, and requirements of the SCMS, V2V initiative, and its components, (2) creating components and solutions, such as the Registration Authority or Device Configuration Manager, and (3) creating software and/or managed service offerings for operations and oversight such as ‘‘dashboards’’ used for monitoring system performance.

CSS’s response to the RFI centered on the first question related to governance. CSS foresees a large and diverse array of participants involved in the operation of a National SCMS deployment. As such, CSS indicated examples of ‘‘self-governance’’ advisory boards that have, ‘‘proven to be relatively effective in improving the interoperability and overall security of their respective areas.’’ In their view, CSS suggested that this sort of overall model ‘‘makes the most sense when considering the magnitude and importance of an initiative such as the SCMS.’’ These examples included:

• The certification authorities (CA)/Browser forum (https://cabforum.org), comprised of CA and web browser vendors with a focus on defining a coordinated set of guidelines to improve browser and SSL security.

• The Internet Engineering Task Force (IETF) (www.ietf.org) and its collection of specific Working Groups.

• The Industrial Internet Consortium (www.iiconsortium.org), an industry-driven working group aimed at solving the challenges posed by large-scale machine-to-machine (M2M) communication.

The agency’s meeting with CSS yielded additional details on their written response along with ideas for potential approaches to a National SCMS deployment. At the highest level, CSS indicated a potential SCMS advisory board would be responsible to define the appropriate certificate policy standards to ensure consistent and successful implementations that will be required for the anticipated multiple CAs deployed across multiple systems. CSS indicated that utilizing multiple root CAs may benefit from redundancy versus a single root CA, and also brought forth the notion of ‘‘bridged’’ root CAs that could be cross-signed to allow different vehicle or device manufacturers to ‘‘trust’’ each other while maintaining their own ‘‘root of trust,’’ enhancing confidence in message exchanges. SCMS financial sustainability discussions were limited to existing approaches for certificate management services, where per certificate fees could potentially be avoidable.


(3) Trustpoint Innovation Technologies, Ltd.

Representatives from Trustpoint Innovation Technologies met with the V2V NPRM Team to discuss their submission to the RFI response. Trustpoint was founded in 2012 by Dr. Scott Vanstone and Sherry Shannon. Mr. Vanstone was also a co-founder of Certicom, which also provided a response to the SCMS RFI and which was acquired by BlackBerry in 2009. Trustpoint has been involved with the SCMS and security design research conducted with the agency’s research partner, CAMP. Trustpoint’s response to the RFI focused on their interest in helping to develop deployment-ready SCMS components such as the Pseudonym CA, Registration Authority, Linkage Authority, Enrollment CA, Intermediate CA, and Root CA.

Trustpoint indicated that significant investment and development in software and testing will be necessary to deploy a National SCMS. This is based on their belief the PKI approach used for SCMS research will need to be extended and extensively proven for a production system, based on the need for a new software stack 218 built around new cryptography and protocols. Trustpoint is interested in being part of a broader consortium to deploy production SCMS components.

218 A software stack is a set of programs that work together to produce a result; typically an operating system and its applications. For example, a smartphone software stack comprises the operating system along with the phone app, Web browser and other basic applications. See http://www.pcmag.com/encyclopedia/term/51702/software-stack (last accessed Dec. 8, 2016).

When meeting with the agency, Trustpoint expanded on their views of a National SCMS deployment. The key discussion points included cryptography approaches, attack vectors, participation in a consortium, and thoughts on production deployment that includes clear policies and procedures, and thoughts on device level security. In addition, Trustpoint reviewed the cost model the agency provided with the ANPRM and V2V Readiness Report.

Trustpoint discussed how Elliptic Curve Cryptography (ECC) is, in their opinion, the only feasible security solution for resource-constrained environments where processing power, power consumption, storage space, and bandwidth are limited. In comparison to RSA,219 an early wide-spread remote device security mechanism, ECC is much more compact yet provides a higher level of security. Trustpoint indicated that 500 bits of ECC information is equivalent to nearly 1500 bits of RSA cryptographic information.

219 RSA is a cryptosystem for public-key encryption, and is widely used for securing sensitive data, particularly when being sent over an insecure network such as the Internet. See http://searchsecurity.techtarget.com/definition/RSA (last accessed Dec. 8, 2016).

Trustpoint supported the development of a ‘‘test bed’’ for components that could operate in a National, deployed system. Successful deployment and verified operation in the test bed could be considered ‘‘certified for deployment.’’ Components certified in the test bed would support an ‘‘off-the-shelf’’ software component approach that, for example, would yield Registration Authorities for each manufacturer. Trustpoint stressed the need to have standardized components for consistent system interaction while allowing each OEM to manage their vehicle fleets individually versus a central management approach. The SCMS Proof of Concept project currently under development by the agency and CAMP, to support connected vehicle test beds that will be deployed regionally along with expansion of the Safety Pilot Model Deployment environment more broadly throughout southeastern Michigan, could potentially serve as a test bed for National system deployment. Trustpoint suggested, however, that additional definition and implementation will be needed in the areas of operation, management, and auditing for a successful National SCMS deployment.

Trustpoint suggested the cost model provided by the agency and used in the V2V Readiness Report cost calculations needed some adjustment in the areas of bandwidth, hardware security module, and software development costs. More specifically, Trustpoint indicated replication for hardware security would be needed for redundancy and continuous, uninterrupted system operation. Trustpoint estimates the annual issuance of 36 million certificates will have additional bandwidth needs beyond that estimated in the cost model. Finally, Trustpoint believed the software development cost used in the cost model was substantially underestimated.

(4) DURA Automotive Systems, LLC

Dura Automotive Systems, LLC is a Tier 1 supplier to the automotive industry supplying structural body systems, mechatronic control systems, and exterior systems including window systems and exterior trim. Dura responded to the SCMS RFI with a vision of how the SCMS Manager could be formed, implemented and sustained. Dura indicated they would like to fulfill the role of developing and implementing the SCMS governance board and participating as a member. Dura was the only respondent indicating interest in taking the role of developing functions at the SCMS Manager level and above.

Dura favored a private model governance approach for the SCMS, excluding some identified issues. In their response, DURA identified two successful examples of both private and public models currently in place that address requirements similar to those identified in the RFI. A private model example is the Internet Corporation for Assigned Names and Numbers (‘‘ICANN’’),220 a private, not-for-profit corporation established in 1998. The public model cited by Dura is the operating arrangement for the Federal Aviation Administration (FAA) and the national air traffic control system.221

220 For more information on the ICANN private model, see https://www.icann.org/resources/unthemed-pages/icann-mou-1998-11-25-en (last accessed Dec. 8, 2016).

221 For more information on the public FAA model, see http://www.faa.gov/about/office_org/headquarters_offices/agc/pol_adjudication/agc400/litigation/ (last accessed Dec. 8, 2016).

DURA specifically suggested, ‘‘a policy statement from the Department of Transportation advising the public that the U.S. government is prepared to enter into an agreement with a new, not-for-profit corporation formed by private sector transportation multi-stakeholders to administer the Security Credential Management System’’ and suggested the corporation be referred to as, ‘‘the Inter-Connected Automotive Safety Network (‘‘ICASN’’). Additionally, Dura suggested that its incorporation, governance and operation mirror as much as possible to that of ICANN.’’

Dura suggested a subscription-based approach for ongoing SCMS sustainability and further recommended ‘‘aligning the subscription period with vehicle licensing/annual license plate renewal.’’ Dura also commented on how liability for system operation could influence costs; more specifically, from an insurance cost perspective.

(5) Bosch—ESCRYPT

Robert Bosch LLC affiliate ESCRYPT provided a response to the SCMS RFI with comments on potential governance strategies and expressed interest in implementing the Pseudonym Certificate Authority (PCA) and Linkage Authority (LA) components.

Bosch-ESCRYPT supported a private-public collaboration versus a self-governance model and commented that SCMS ownership should take a multi-layered approach, with high level


policies residing within the USDOT and lower level implementation responsibility given to private organizations. ESCRYPT supported having the SCMS spread amongst differing, distinct organizations to help maintain privacy, and recommended a governance board to fulfill the SCMS Manager function, with membership defined by NHTSA but to include representatives from government, vehicle manufacturers, private organizations, and privacy groups.

ESCRYPT expressed interest in implementing a production SCMS PCA and LA based on their support of the Safety Pilot Model Deployment. In their SCMS RFI response, ESCRYPT proposed an architecture that utilizes two types of certificates to ensure privacy. The first is short term pseudonyms, lasting from seconds to hours and being switched frequently. The second is long-term certificates along with three Certification Authorities: Long-Term; Pseudonym; and a Resolution Authority, the latter of which strips anonymity from pseudonym certificates that are believed to be a potential threat.

When meeting with the agency, Bosch-ESCRYPT expressed the importance of regional policy harmonization and stable standards, indicating that, once implemented, these important pieces will not be changed easily or quickly.

The agency asked ESCRYPT for their experience on device management and how ESCRYPT has handled conditions such as managing and closing security breaches, device ‘‘end of life’’ management, and hardware security to help inform potential approaches for this NPRM. ESCRYPT indicated that over-the-air (OTA) software update is the best approach to closing potential security breaches and in support of NHTSA’s vital recall efforts. When discussing device ‘‘end of life’’ scenarios, ESCRYPT suggested the approach of revoking existing certificates for an identified device and preventing future certificate updates allowing, in theory, the device to ‘‘fade away’’ from the system. Finally, when discussing potential hardware security needs, Bosch indicated they have experience with hardware security modules (‘‘HSM’’) and secure hardware extensions (‘‘SHE’’) successfully deployed in Europe and that, in terms of V2V, a lower-security implementation limits potential use cases of a system. The agency interprets this discussion, overall, that proposing a hardened device could extend a device’s capability and contribute to overall system confidence.

(6) Certicom/Blackberry Technology Solutions

Certicom, a wholly owned subsidiary of Blackberry Ltd., provided a response to the SCMS RFI and also met with the agency to follow-up their response. Certicom provides ‘‘applied cryptography and security solutions for the embedded market’’ including engagement with governments and vehicle OEMs. Certicom has experience implementing Elliptic Curve Cryptography (ECC), ‘‘which provides the most security per bit of any known public key cryptosystem.’’ Certicom’s parent company, BlackBerry, builds devices used by government and enterprise organizations, and operates a global secure network and mobile messaging platform. BlackBerry Technology Solutions also operates BlackBerry’s QNX group which has presence in automotive telematics implementations.

Certicom supported a private consortium to manage a V2V SCMS, indicating that this approach could help ‘‘accelerate the deployments of V2X systems’’ serving both infrastructure and aftermarket devices. They stated that a possible ‘‘concern could arise if regulation unnecessarily limits the opportunity for participants to drive commercial innovation.’’ Certicom expressed interest in the SCMS operational roles of the Certificate Management Entity (CME) such as operating a Certification Authority (CA) and/or a Registration Authority (RA). However, Certicom indicated revenue models and costs would need to be better understood before committing definitively to any portion of the system operation.

Certicom commented that long-term viability of the SCMS is highly dependent on public acceptance. As such, participants in the system need a strong public identification (brand) and experience with successful security, safe, reliable and privacy implementations.

During the agency’s meeting with Certicom, the discussion focused on clarifying the RFI responses but also in key areas of revenue generation, security approaches, and certificate and device management approaches used for Blackberry devices and other implementations that Certicom has supported, which includes public utility installed residential ‘‘smart meters.’’

Certicom indicated there could be many reasons that entities would want to participate in a National SCMS and there could be potential opportunities presented such as the support of the security needs for manufacturing and system operations. In addition, expanded future roadside equipment could lead to yet-unknown revenue generation opportunities. Overall, V2V and a supporting SCMS could, in theory, ‘‘create a whole new market.’’ Certicom also suggested participants in the SCMS could generate on-going revenue by royalties from device manufacturers.

In terms of approaches to device security, Certicom indicated there are at least three security key-scenarios for devices. The following table provides an overview of these approaches and a corresponding, relative level of security provided by each.

TABLE V–2—OVERVIEW OF SECURITY APPROACHES

Security Method: PKI | Keys/Certificates sent to device at time of manufacture | In device chipset (‘‘silicon’’)
Example: Thermostat | Telematics | Blackberry
Relative Security: Sufficient | Better | Best

When discussing device and certificate management, Certicom provided an overview of three certificate distribution and management systems: Blackberry PKI, the ZigBee Smart Energy public utility residential meter system, and Certicom’s approach to certificate and asset management for device original equipment manufacturers (OEMs).

The certificate service for Blackberry devices is designed for scalability, and secures devices from ‘‘birth’’ where a registration ‘‘seed’’ is embedded in the device’s onboard microchip (‘‘silicon’’) at the time of device manufacture. The registration seed could be viewed like a V2V enrollment certificate, all of which is linked to the ‘‘root of trust’’ for the Blackberry ecosystem.

Certicom’s overview of the ZigBee public utility smart meter certificate system varies from Blackberry devices, in that devices participating in that system are supplied from various manufacturers—similar to how V2V device implementation is envisioned, but the ecosystem itself could be viewed as localized.

In this implementation, ZigBee ‘‘Smart Energy’’ device certificates utilize an EQCV format issued in batches of one million. Certicom indicated they are able to issue approximately one million certificates in approximately one and a half hours of processing. Each device participating in the system is identified by unique vendor identification, and verification is performed to confirm that each device’s media access control (MAC) 222 address is unique. Key pairs for each device are then bound to the device MAC address and vendor ID through the certificate. Figure V–2 shows a graphic representation of the ZigBee certificate management system.

Finally, Certicom provided an overview of a certificate authority and asset management system that they are able to supply for device original equipment manufacturers. The system is designed to enable OEMs and silicon vendors to remotely secure devices that are assembled at geographically-dispersed locations, similar to how vehicles are assembled. The system described provides operational visibility and control of secure key injection into a device at time of manufacture or initialization, secure device serialization and tracking, and support for anti-cloning and anti-counterfeiting. Figure V–3 provides a representation of this system and shows the remote management across various locations. The ‘‘tester’’ would be the point of security key injection into a device.

222 Media Access Control address refers to the unique 48-bit serial number in the network circuitry of and Wi-Fi devices that identifies that machine from every other globally. See http://www.pcmag.com/encyclopedia/term/46422/mac-address (last accessed Jul. 14, 2015).


Certicom indicated that this system enables OEMs to manage and distribute the sensitive security keying material, along with potentially other sensitive information, to an untrusted contract manufacturing environment supplying components for their end product. Figure V–4 shows the process flow for loading security information to a device in an untrusted manufacturing environment.


As mentioned elsewhere in this section, device management also involves potential updates to device software to support technology updates and, importantly, in support of potential device recall scenarios. Certicom discussed Blackberry’s OTA update service used for updating, configuring, and managing software and applications. Their updates leverage the existing Blackberry exclusive secure infrastructure for global distribution. This system also gathers status and data to support fleet monitoring capabilities for device operation. A graphic overview of the system is shown in Figure V–5.

With end-of-life and misbehavior being key elements of a national V2V deployment, the agency inquired about approaches for managing devices under these conditions. Certicom indicated that Blackberry devices can be remotely made non-functional (‘‘bricked’’) when a device is determined to be out of service, stolen, not functioning properly or potentially ‘‘misbehaving.’’ Reactivation of a ‘‘bricked’’ device requires interaction with Blackberry.

(7) SiriusXM Satellite Radio

SiriusXM Satellite Radio provided a response to the SCMS RFI and also met with the V2V NPRM team as follow-up. Their written response to the RFI focused on the opportunity for satellite transmission to perform non-safety-critical, ‘‘back haul’’ type operations for a SCMS. This could include certificate distribution, over the air updates, and certificate revocation list distribution, among other potential supporting transactions. SiriusXM commented that employing a satellite network as an alternative distribution path for safety certificates and the CRL would promote the development of a V2V system by enhancing scalability and the SCMS network footprint, and enable faster distribution of security information for V2V-equipped vehicles.

SiriusXM indicated that satellite transmission could potentially ‘‘bridge the gap’’ between initial V2V deployment and roadside unit deployment and, in the longer term, support more remote regions that may not have roadside units deployed. SiriusXM indicated that their infrastructure ‘‘could provide the ubiquitous, simultaneous, and robust distribution of security certificates and the certificate revocation list (‘‘CRL’’) in a V2V system.’’ SiriusXM’s satellite network covers the contiguous United States and portions of Canada and Mexico, which could possibly assist with potential cross-border challenges. Their network also includes signal repeating equipment to supplement service in urban areas where satellite reception could be blocked by buildings or other obstacles.

According to SiriusXM, 69 million vehicles are currently equipped with their radios, and they expect this to increase to 100 million vehicles by 2017 as approximately 70% of new vehicles are equipped with their receiver.

When discussing privacy, SiriusXM indicated that no subscription would be required to receive satellite V2X data and that it would be available to any vehicle equipped with their satellite receiver. SiriusXM did not present any potential revenue generation concepts during the discussion. Additionally, SiriusXM stated V2X will be a transparent data service on its system, meaning that no V2X-related data is collected on the vehicle, and that the satellite delivery system has no knowledge of which vehicles are active and receiving data or where vehicles are located.

In terms of device management, SiriusXM suggested a hardware security module (HSM) for V2V-enabled devices as part of a trusted, secure data exchange environment. SiriusXM provided very detailed technical descriptions of how device-level security could be implemented and managed using satellite radio service. This included discussing the potential use of group codes, interaction with the HSM, in-use certificate downloads, available service channels, and revoked vehicle identification, all of which leverages its experience with the development and deployment of its satellite that appears to have addressed many similar challenges found in V2V device deployment and management.

(8) Ford Motor Company and Volkswagen Group of America

Ford Motor Company (‘‘Ford’’) and Volkswagen Group of America (‘‘Volkswagen’’) submitted joint comments to the SCMS RFI. Together, Ford and Volkswagen indicated they are encouraged by the progress made in the collaborative activities between NHTSA and CAMP, in which they participate. However, they state in their comments that remaining items need resolution to enable an effective deployment of a V2V communications system, such as: (1) NHTSA’s authority to mandate an SCMS; (2) an acceptable and stable funding model, and; (3) measures to address potential liabilities associated with participating in and/or being subject to a SCMS.


Ford and Volkswagen commented that the SCMS cannot be a private entity because vital functions of the SCMS cannot be delegated to a ‘‘private’’ entity, ‘‘which lacks the authority to require all participants in a V2V (let alone V2X) communication system to adhere to the system’s necessarily rigorous operational policies, and enforce revocation based on unacceptable performance.’’ Ford and Volkswagen stated that they, other OEMs, and others that will necessarily rely on the SCMS must have a role, along with government, in establishing SCMS operational policy. Additionally, they stated that Federal authority over the SCMS is essential and a binding governance board for SCMS V2V management is needed.

Finally, Ford and Volkswagen stated that funding for centralized SCMS components or functions should come from a federal source. They do not support any funding model relying on the sale of data to third parties, and, additionally, the SCMS funding model ‘‘should not be based on a potential requirement that specific services must be enabled within the vehicle to offset operational costs.’’ Conversely, non-centralized components, like the certificate management entity (CME) or registration authority (RA), could be established independently for their own use.

(9) SAE International

The Society of Automotive Engineers (‘‘SAE’’) responded to the RFI with interest in playing a supporting role in SCMS deployment. SAE indicated interest in working with SCMS stakeholders in a partnership and/or larger consortium to support the SCMS functions, ‘‘through a combination of standards development, conformance programs and training.’’

SAE International standards J2735 and J2945 were revised and are being developed to support a national V2V deployment by providing a consistent, standardized approach to V2V device implementation across the industry.

(10) The American Motorcyclist Association

The American Motorcyclist Association (‘‘AMA’’) commented to the SCMS RFI by urging DOT to test the V2V communication systems to ensure that motorcyclists’ safety and privacy are secure. AMA expressed their support for DOT’s position ‘‘for further testing before adopting the rule authorizing U–NII devices (e.g., Wi-Fi) to operate in the band to ensure vehicles using advanced crash-avoidance and vehicle-to-vehicle technologies are not compromised.’’ AMA also expressed concern about the potential for ‘‘hacking’’ into a future V2V network, and specifically, the potential to manipulate traffic signals which could be ‘‘especially disconcerting for motorcyclists who comprise the most vulnerable roadway user group.’’ AMA closed their comments stating that the safety of all highway users should always be a priority whenever new technologies are considered.

(11) Alliance of Automobile Manufacturers, Inc.

The Alliance of Automobile Manufacturers, Inc. (‘‘Alliance’’) reiterated their comments to NHTSA’s ANPRM where they ‘‘agreed with NHTSA’s assessment that a strong SCMS is necessary for a properly functioning V2V communications system.’’ The Alliance also reiterated its ANPRM comments expressing concerns with how a privately-run SCMS could address the broad structural and governance challenges that an SCMS manager would need to address, such as:

• Funding, deployment, operation and maintenance of a DSRC-based V2X security communications network
• Sustainable funding for V2X PKI security system operations and management
• Governance of a V2X security system (Rules of Use, Certification, and system access)
• Protection of consumer privacy
• Liability, risk management, and intellectual property protections
• International considerations including possible Canada-US-Mexico cross-border traffic, international agreements, or standards harmonization.

The Alliance maintained in its RFI response that addressing the above policy issues, which are necessarily national in scope, requires strong unified Federal leadership, not just presence.

(12) Association of Global Automakers

The Association of Global Automakers (‘‘Global Automakers’’) provided general comments along with direct responses to the RFI questions. In its comments, Global Automakers strongly supported a public-private partnership model for SCMS operation by stating that ‘‘the agency has underestimated the necessary governmental role in managing the SCMS and too narrowly constrained the participation of other agencies in SCMS operations. Contractor operation of many aspects of the SCMS is feasible but must be conducted under the authority and supervision of a significant governmental entity.’’

Global Automakers further stated that, to be effective, the SCMS must be a monopoly, which is not allowed under law for a private entity, and that funding for the SCMS should come from the government rather than from revenue generated by consumers; less potential consumer subscription funding opportunities for some potential V2I services. Additionally, the SCMS should be developed to support V2V and V2X holistically, at the outset, in partnership with the Federal Highway Administration (FHWA) and possibly other agencies such as the Federal Communications Commission and the Federal Trade Commission where privacy is of concern. Global Automakers stated that cross-agency coordination and harmonization is critical to the effective operation of the SCMS.

Global Automakers expressed concern with the potential approach for the ‘‘Device Non-compliance and Potential Recalls’’ discussion in the RFI materials, specifically, that it believed that the approach suggested by the agency would undermine consumer privacy, be impractical, and be redundant to systems that are already in place to manage recalls. It commented that the proposed ‘‘link between specific installed V2V devices or production lots of devices and enrollment certificates’’ would create a potential perception that V2V communications could be traced to individual vehicles and drivers.

(13) Verizon Communications, Inc.

Verizon Communications’ RFI response focused on potential steps and pathways to achieving a National SCMS deployment and focused on three key approaches to SCMS policies and operations standards and potential adjustments to the PKI implementation. In more detail, Verizon suggested that: (1) NHTSA should define a system of policies, regulations, workflows, and technical interoperability that provides for the management and control of the overall SCMS; (2) implement an ‘‘identity PKI’’ as a baseline and ‘‘bootstraps’’ anonymously allowing linkage between certificates and supporting potential device recalls; and (3) an ‘‘anonymity PKI’’ solution that allows the device to perform any necessary operations anonymously.

(14) General Motors, LLC

General Motors, LLC (‘‘GM’’) submitted comments to the SCMS RFI that also included broader V2V rulemaking comments. GM stated, in the


broader context of V2V, that they support NHTSA’s rulemaking initiative for all passenger cars and light trucks to be sold in the United States, and that ‘‘a comprehensive and connected ecosystem must be developed and implemented offering seamless and trusted communication between vehicles’’ to obtain all the potential benefits of V2V technology. GM commented that it strongly believes that a NHTSA rulemaking process is the only method to successfully establish a V2V ecosystem; that, as envisioned, the system cannot be established and managed by a single manufacturer or industry group.

Focused comments regarding the SCMS stated its belief in the requirement for Federal oversight of the SCMS Manager, the central root authority organization, direct engagement with the Misbehavior Authority and coordination of certification labs.

(15) CTIA—The Wireless Association

CTIA is an international nonprofit organization representing the wireless communications industry. CTIA’s members include wireless carriers and their suppliers, as well as providers and manufacturers of wireless data services and products. CTIA’s comments to the SCMS RFI focused on the benefit of leveraging existing authentication and security technology, along with utilizing existing networks and infrastructure to promote standardization and interoperability. CTIA also stated that the private sector is best positioned to address V2V SCMS cybersecurity and privacy concerns and should be utilized to help implement cybersecurity best practices.

(16) Tesla Motors, Inc.

Tesla Motors, Inc. (‘‘Tesla’’) commented primarily on the security of the SCMS design presented in the V2V Readiness Report by urging NHTSA ‘‘to ensure that all possible security aspects are considered and accounted for when implementing its chosen design.’’ Tesla commented that much more analysis and consideration needs to be given to the SCMS before it is implemented as proposed. Tesla acknowledges that it has not been involved with the Crash Avoidance Metrics Partnership (CAMP) consortium and that this brings a new perspective to the CAMP SCMS design. Tesla believes that, as envisioned, the CAMP system fails to consider adequately how the system could be attacked or the vast amounts of information that will necessarily pass between vehicles and that NHTSA’s proposed system has gaps that must be addressed before it is implemented. Tesla narrowed its primary concerns into the following: (1) Because inputs are insecure, false messages are likely, even with secure V2V subsystems; (2) vehicles must have some way to determine whether messages, particularly misbehavior reports, are legitimate; (3) certificate revocation lists (‘‘CRLs’’) do not scale well for widespread use; (4) public-key cryptography is poorly suited to the demands of an embedded, high-speed environment; and (5) transmitted messages could be the source of privacy breaches.

Tesla concluded their comments by stating that ‘‘the Company believes that the CAMP system has fundamental issues and challenges that must be revisited in order to allow for successful implementation of the SCMS.’’

(17) Intercede Ltd.

Intercede, Ltd. is a software company solely focused on producing and delivering identity and credential management solutions to entities such as Government, Aerospace and Defense, Finance, Healthcare, Large Corporations and Managed Service Providers. Intercede’s response to the RFI focused on the need for the SCMS to provide a secure and trusted environment for V2X, and stated that it will be necessary to consider the V2X communication devices over their entire lifetime, which was defined as:

• Initial manufacture;
• Upgrade;
• Maintenance;
• Transfer of ownership;
• Renewal;
• Compromise;
• Natural end of life.

Intercede’s response went on to state that ‘‘it is also important to consider the interactions beyond the communication channels that must be established into a secure trust system. Failure to do so would open up potential back doors into this trust system that could allow for compromise to occur from within.’’ Follow-up discussion with Intercede stressed its views regarding the need for a complete, systems approach to security—encompassing ‘‘cradle to grave’’ for devices. And that, ‘‘By adopting a controlled and secure approach to device identity management, NHTSA will enable a strong trust environment to be established that can then be built on for large-scale key generation during the lifetime of the device in the field for V2X communications.’’

(b) SCMS RFI Agency Response

The RFI responses and subsequent meetings benefitted NHTSA greatly by providing additional technical perspectives on the SCMS PKI design. For example, DOT had originally dismissed the use of satellites as a viable communications media for transmission of security materials between the SCMS and OBE, but our meeting with Sirius XM Radio brought to NHTSA’s attention the fact that, due to advances in technology and the close working relationship between the auto and satellite industries, satellite could in fact be a technologically and economically viable, secure and private media for such security transmissions. Similarly, the PKI technical model put forth by NHTSA in its Readiness Report assumes that a single root must form the basis for trust system-wide. However, as a result of meetings with CSS, NHTSA now is aware of the possibility that, through use of a trust bridge, one or more SCMS organizations, possibly representing different regions or even manufacturers, may be able to co-exist and together, provide more redundancy in security for V2V and V2X DSRC communications.

5. SCMS ANPRM Comments and Agency Response

(a) ANPRM SCMS Comments

With limited exception, comments received in response to the ANPRM generally endorsed the PKI design as an appropriate security solution for V2V and V2I DSRC communications. For example, GM, the Alliance, Toyota, and the Automotive Safety Council all concurred that the SCMS design described in the ANPRM and the V2V Readiness Report should provide the required level of security while also protecting the privacy of the end users. Throughout all the comments there were two major concerns with the SCMS design that were cited by multiple commenters: (1) The overall complexity of the design; and (2) a fallback plan for a compromised root.

One of the recurring comments in the ANPRM focused on the overall complexity of the design of the SCMS and the plan for implementing such a system. The design of the SCMS is more complicated than any existing PKI systems due primarily to the need to protect the privacy of the end users both from outsider and insider attacks. As such the various functions in the system are separated logically and organizationally in an attempt to ensure that one organization does not have access to all the information needed to identify the end users. Therefore, this


level of complexity is necessitated by the system requirements.

The second technical concern highlighted in the comments is the impact on the system if the private key of the SCMS root certificate authority is compromised. If the root CA is compromised, then this would compromise certificates for all V2V devices, roadside infrastructure devices, and SCMS components. Reissuing the certificates for over 350 million end users would require a significant amount of time and resources to complete. For example, all V2V devices would need to be re-initialized in order to receive a new enrollment certificate; however, this process must occur over a secure communications channel. This may require all devices to return to the dealership or service center in order to have access to the secure communications channel required for the initialization process.

(b) ANPRM Agency Response

In response to the first concern, the agency agrees that the level of complexity of the design does increase the risk associated with the implementation and deployment of this system. To combat that risk, one commenter suggested that the system be implemented through a phased development approach where components of the system are developed, tested, and deployed incrementally. This approach would ensure that the deployed components are secure and reliable for additional components are deployed into the system. The agency agrees with this recommendation and is employing it in the development of the SCMS Proof-of-Concept. This system is being developed using an incremental approach that focuses on first implementing and testing the core components of the system, followed by the non-core components. After the system is developed and tested, it will be operated for a significant period of time by DOT. During this operational period, existing V2V and V2I test beds will be integrated with the SCMS POC, and it will provide the necessary security credential materials to these test beds. The knowledge gained from the operation of the SCMS POC will inform the development of the National SCMS that will be required to support an eventual FMVSS.

The agency also concurs that it would be a catastrophic event for the root CA to be compromised, and as such we are exploring various approaches for disaster recovery that can be implemented to mitigate this risk. The SCMS Proof-of-Concept will implement and test root management and disaster recovery solutions that will allow a root CA to be revoked without requiring the recall and re-initialization of all the V2V and V2I devices in a secure environment. One of the solutions to be tested in the SCMS POC is a distributed root management approach that utilizes root electors to manage the trust relationships in the system. Another solution being evaluated includes the use of redundant root CAs where only a single root is active at any one time. These approaches will be tested and evaluated during the operation of the SCMS POC to ensure that in the event of a compromised root, the system can be recovered without the need to recall every V2V and V2I device.

6. SCMS Industry Governance

(a) The SCMS ‘‘Industry’’

Deployment of an SCMS PKI to secure V2V DSRC communications will require governance of a wide range of complex functions and involve numerous public and private stakeholders, which together we refer to here as the SCMS ‘‘industry’’ or SCMS ‘‘ecosystem.’’ We expect that SCMS stakeholders will include: Manufacturers of OBE, RSU, and aftermarket safety devices (ASD); certification labs that test OBE (and potentially ASDs); organizations supporting V2V communications; auto manufacturers; standards organizations; PKI experts; State and local government users, and others. In Figure V–6, below, the shapes represent different groups of organizations that interact with the SCMS in some way. Some of these organizations will need to be stood up, while others currently exist today and will likely expand their operations to play a role in the SCMS. The overlapping of shapes represents mutual reliance in executing operations, and the arrows represent communication and the need for inter-organizational arrangements. The SCMS is the focal point of the certificate management industry, as it encompasses the CMEs that oversee all PKI functions responsible for establishing the foundation of security in the V2V/V2I/V2X system.


Some of the questions that NHTSA raised in the V2V Readiness Report about industry governance structure for the SCMS include:

• How and by whom are decisions made about various policies, standards, requirements, and practices?
• Who has the authority to mandate and enforce compliance with the policies, standards, and industry requirements?
• Who makes up the overseeing financial, legal, management, and executive operations of the entities in the SCMS?
• Is there a central industry body and, if so, who oversees it? Who is part of this central industry body?
• How do the various entities interact with each other?
• How is risk and liability allocated across the organizations?
• Who will own the intellectual property (data and software) of the system and how will it be licensed (allocated) among responsible entities?

In answering these questions, NHTSA continues to explore a variety of governance models (ranging from public to public-private to private) as potential options for governing the SCMS industry. Due primarily to the absence of Federal funds to support a public SCMS, to date NHTSA has focused primarily on fleshing out a model of private SCMS ownership and governance that assumes costs will be covered by increases in the purchase price of new vehicles and V2V safety devices. As we noted in our V2V Readiness Report, in a private SCMS industry the organizational structure and operation of the SCMS would be determined largely by private owners and operators of CME components, under oversight of an SCMS Manager (ideally an industry-wide coalition of CME owners and other stakeholder representatives who, together, agree on the terms of self-governance and system-wide rules and policies). The SCMS Manager would provide critical system management by enforcing and auditing compliance with uniform technical and policy standards and guidance system-wide. Uniform standards and guidance would establish and ensure consistency, effectiveness, interoperability, sustainability, and appropriate privacy protections across the CMEs to facilitate necessary communications, sharing of information, and operational connections, and would be based in large part on existing technical and policy standards applicable to PKI systems.

The Readiness Report explained NHTSA’s view that, in the context of a privately owned SCMS ‘‘industry,’’ a private model could be a viable mechanism for SCMS governance in which NHTSA would have only a minimal role in ensuring system integrity, largely through its traditional regulatory activities. We also indicated that NHTSA’s existing legal authority would accommodate the use of grants, cooperative agreements, or other agreements to facilitate stakeholder—and even DOT—input into governance of a private SCMS.

(b) ANPRM Governance Comments

Comments to the ANPRM and Readiness Report relating to SCMS ownership and governance came mostly from members of the automotive industry and their trade groups. While agreeing with NHTSA’s assertion that a V2V system is not complete without a robust SCMS, almost without exception, industry commenters vehemently disagreed that a private self-governing industry coalition could be a viable mechanism for SCMS system governance. Commenters believed that a private SCMS could not provide the security, privacy, certainty, stability, long-term functionality, or management of costs and risk required for a nationwide SCMS to support V2V DSRC communications, and lacked the legal authority to address cross-border issues


or require industry-wide participation and compliance with uniform requirements. For these reasons, virtually all industry commenters took the position that a strong leadership role for the Federal government in the SCMS would be required for successful deployment of V2V and V2X DSRC communications.

For example, both the Alliance and Mercedes described the SCMS as a ‘‘core government responsibility.’’ Noting that ‘‘for V2V to work effectively, every vehicle manufacturer will have to participate in the SCMS and abide by its rules,’’ the Alliance explained that:

a private organization, such as a voluntary coalition of manufacturers, cannot compel unwilling manufacturers to join the organization, and cannot enforce deviations from the organization’s rules except by expelling misbehaving members. There is no effective mechanism to ensure the universal participation of all manufacturers and to compel their obedience to the necessary common SCMS requirements. . .

The Alliance also stated that ‘‘resolution of policy issues requires coordination among multiple federal agencies (FHWA, FTC, FCC, EPA),’’ and that ‘‘Congress was best positioned to provide the needed coordination and nationwide-scope for addressing infrastructure, governance of networks and SCMS, consumer privacy, sustainable funding, international cross-border and liability/IP policy issues.’’

Global commented that ‘‘private sector options for operating the Security Credential Management System (SCMS) do not guarantee certainty over the management or the cost of operation the system and its long-term stability.’’ GM, likening the issuance of security certificates to the minting of coinage by the Federal government, argued that ensuring a secure V2V system would require that the Federal government: (i) Operate or support operation of a central root CA that all V2V certificates must use, or mandate that all V2V certificates use a central root CA; and (ii) review and approve minimum levels of security for the keys and cryptography used by the root CA and subordinate CAs authorized by the root CA. Mercedes described the SCMS as a ‘‘backbone infrastructure, which must be set up and controlled with the leadership of state and federal authorities’’ and echoed the comments of the Alliance that only Federal government oversight would ensure industry-wide participation in an SCMS and compliance with its requirements. Similarly, Honda commented that the federal government should be responsible to ensure the safe and efficient operation of the V2V security framework, and should consider a public-private partnership as an option for the operation and management of the SCMS, with federal oversight, supervision and funding.

The agency agrees with commenters that, for a variety of policy reasons, ideally the Federal government should play a more central leadership role in the establishment and governance of a V2V SCMS. For this reason, as detailed above, DOT now has taken the lead in working with SCMS stakeholders to develop the policies and standards that should form the basis for governance of a National V2V SCMS, as well as to model and prototype organizational options for a governance entity to manage SCMS operations.

(c) A Comparative Industry Example: ICANN

In analyzing SCMS governance options, NHTSA and its research partners have investigated a variety of industries with characteristics similar to those seen as critical for a V2V SCMS governance model, including security, privacy protection, stability, sustainability, multi-stakeholder representation and technical complexity.223 We investigated an array of public, public-private and private governance models, with particular emphasis on safety-critical and privacy-sensitive systems. We also examined how risk was managed in the context of these models. Some of the industries researched included:

• Internet Corporation for Assigned Names and Numbers (ICANN)
• DTE Energy Company
• Aeronautical Radio Incorporated (ARINC)
• End of Life Vehicle Solutions Corporation (ELVS)
• The FAA’s Next Gen Air Transportation System
• The FRA’s Positive Train Control
• Smart Grid
• The Rail/Transit Train Control Systems (ATC and CBTC)
• FMCSA’s EOBR
• Coast Guard’s MSSIS
• Army Corp of Engineer’s MRGO
• Medical Devices failure and liability
• Security in nuclear industry and liability
• Warning/Signal Failures
• UAVs
• HIPAA/Health Care industry/Electronic Health Records (EHRs)/CONNECT system
• Credit Card Payment industry and PCI standards
• Hospital/Health care industry

Of the governance models we examined, governance of the internet naming protocol systems (DNS) by the Internet Assigned Numbers Authority (ICANN) possessed numerous characteristics that seem to translate most directly to a private or public-private governance model for the V2V SCMS. ICANN is a private, not-for-profit corporation created by private sector entities in direct response to efforts by the Federal government to privatize certain Internet-related tasks in a manner that permits robust competition and international participation in its management. ICANN is managed by a multi-stakeholder Board of Directors (representative of the functional and geographic diversity of the Internet) that oversees a number of Internet-related functions previously performed directly on behalf of the Federal government by other organizations, notably the Internet Assigned Numbers Authority (IANA) (formerly located within the Department of Commerce but now operated by ICANN). Pursuant to various Memoranda of Understanding with ICANN (ICANN MOUs), the Department of Commerce agreed gradually to transfer to ICANN certain Internet-related functions, with the goal of having ICANN carry out operational responsibility for these functions in a financially self-sustaining manner after a limited transition period. At the same time, the Department of Commerce also entered into a series of funded project agreements with ICANN, on a sole source basis, to perform technical and policy activities required to facilitate the transition of authority for those functions to ICANN.224

The ICANN MOUs and project agreements called for the Federal government to exercise significant oversight of ICANN’s activities until such time as ICANN was stable and could provide certain stability, sustainability and policy assurances to the Federal government. After 11 years, the Department of Commerce gave up its oversight of ICANN with respect to the operation and governance of specific Internet naming protocol functions, but committed to ongoing participation in ICANN’s Governmental Advisory Committee (GAC). ICANN continues to perform certain technical maintenance tasks under contract to Commerce, as do other Commerce contractors. In 2014,

223 VIIC Assessment of Key Governance Policy Considerations for a Connected Vehicle Cooperative Safety Communications System,’’ dated March 12, 2013, at page 11 http://www.regulations.gov/#!documentDetail;D=NHTSA-2014-0022-0046 (last accessed Dec. 8, 2016).

224 ICANN background information, contract and agreement content can be found at http://www.ntia.doc.gov/page/docicann-agreements (last accessed Dec. 8, 2016).


Commerce announced its intention to work with ICANN to privatize key Internet domain name functions still remaining under its control.

How is ICANN relevant to governance of the V2V SCMS? ICANN provides NHTSA with a potential road map for how it can work with public and private stakeholders to develop a successful governance structure for a multi-stakeholder, geographically and functionally diverse technology-intense system not unlike V2V. Like the V2V SCMS, successful deployment of an Internet naming protocol required uniform and consistent application of technical and policy standards enabling interoperability and system-wide confidence. As would be required for enforcement in a privately governed SCMS, ICANN uses a binding Registry Agreement as the enforcement mechanism through which it ensures that its policy and technical standards are applied Internet-wide. Like the SCMS ecosystem or ‘‘industry,’’ the Internet ‘‘industry’’ involves numerous commercial, academic, geopolitical, and other private and public stakeholders involved in a broad range of Internet-related functions, the success of which requires system-wide, coordinated governance. As would be likely in the SCMS context, ICANN was developed and operates on a foundation of the fundamental principles of security, stability, resiliency, multi-stakeholder participation, openness, fairness and robust competition. Additionally, as detailed in the ICANN MOUs, after a period of direct government oversight and funding, the privatized functions governed and coordinated by ICANN were designed to be financially self-sufficient (i.e. financed by fees paid for services).

We agree with Dura and the VIIC that ICANN’s organizational structure could translate well to a potential V2V SCMS governance model. The details of ICANN’s mission, core values, powers, responsibilities, governing principles and procedures are set forth in its Articles of Incorporation, Bylaws, Charter, and other publicly available documents. In accordance with those documents, ICANN is governed by the binding decisions of a Board of Directors, consisting of both voting Directors and non-voting liaisons. The voting Directors consist of members selected by a functionally and regionally diverse nominating committee that reflects the diversity of the Internet ecosystem, as a whole: the Address-Supporting Organization (ASO), the Country-Code Names Supporting Organization (CCNSO), the Generic Names Supporting Organization (GNSO), the At-Large Community and the President ex officio. Directors may not be officials of countries or multinational geo-political entities. Only ICANN’s President can be both a Director and ICANN employee. Non-voting liaisons are a means for the Board to obtain input from world-wide governments, through the Government Advisory Committee (GAC), and three function-specific expert committees, the Internet Engineering Task Force (IETF), Security and Stability Advisory Committee (SSAC) and Root Server System Advisory Committee (RSSAC). The organization has an Ombudsman appointed by the Board to act as a neutral dispute resolution practitioner and provide an independent internal evaluation of complaints by members of the ICANN community who believe that the ICANN staff, Board or an ICANN constituent body has treated them unfairly.

NHTSA also found quite instructive the procedures used by the Department of Commerce to effectuate the process of successfully privatizing certain Internet-related functions. In July 1997, the Department of Commerce first published a Request for Comments on behalf of an interagency working group examining the appropriate future role of the Federal government in the DNS and other issues related to the administration of the DNS. The following year, in early 1998, based on the 1400 pages of comments it received to its Request for Comments, it issued a rulemaking notice proposing certain actions designed to privatize the management of Internet names and addresses in a manner that allowed for the development of robust competition and facilitates global participation in Internet management.225 The proposed rulemaking addressed a variety of issues relating to DNS management including private sector creation of a new not-for-profit corporation (the ‘‘new corporation’’) managed by a globally and functionally representative Board of Directors. The rulemaking proposed, among other things, the new corporation’s authorities, detailed the role of the federal government in policy oversight during the transition, identified funding, and contained a detailed proposed governance structure (specific to the number of seats on the Board of Directors) with substantive stakeholder participation and openness requirements. The rulemaking explained that, the new corporation would:

Act much like a standard-setting body. To the extent that the new corporation operates in an open and pro-competitive manner, its actions will withstand antitrust scrutiny. Its standards should be reasonably based on, and no broader than necessary to promote its legitimate coordinating objectives. Under U.S. law, a standard-setting body can face antitrust liability if it is dominated by an economically interested entity, or if standards are set in secret by a few leading competitors. But appropriate processes and structure will minimize the possibility that the body’s actions will be, or will appear to a court to be, anti-competitive.226

225 http://www.gpo.gov/fdsys/pkg/FR-1998-02-20/html/98-4200.htm (last accessed Dec. 8, 2016).
226 http://www.ntia.doc.gov/files/ntia/publications/022098fedreg.txt, at page 8818 (last accessed Dec. 8, 2016).

Later the same year, in July 1998, the Department of Commerce opted to proceed with privatizing management of the internet DNS not through rulemaking but by issuing a Statement of Policy expressing the Government’s intent to ‘‘recognize, by entering into agreement with, and to seek international support for, a new, not-for-profit corporation formed by private sector Internet stakeholders to administer policy for the Internet name and address system.’’ 227 In a July 7, 2000 report,228 the GAO confirmed the appropriateness of the Department of Commerce’s actions. The GAO determined, among other things, that:
• Department of Commerce had the authority to support privatization of the DNS on the basis of its general authority 229 to foster, promote, and develop foreign and domestic commerce and NTIA’s more specific authority to coordinate the telecommunications activities of the executive branch; 230
• The APA notice and comment requirements did not apply to the Department of Commerce’s general statement of policy, as it contained not substantive regulatory requirements but a general framework for privatizing the DNS;
• Establishment of ICANN by the private sector was not subject to the Government Corporation Control Act or various other legal requirements applicable to entities that are part of or controlled by the Federal Government;
• Department of Commerce had authority to enter into the MOUs,

227 See https://www.ntia.doc.gov/federal-register-notice/1998/statement-policy-management-internet-names-and-addresses (last accessed Dec. 8, 2016).
228 See Department of Commerce: Relationship with the Internet Corporation for Assigned Names and Numbers, July 7, 2000 (B–284206) http://www.gao.gov/new.items/og00033r.pdf (last accessed Dec. 8, 2016).
229 In so doing, GAO noted that ‘‘there is no explicit legislation requiring the government to exercise oversight over the domain name system.’’ Id at 3.
230 47 U.S.C. 902(b)(2)(H).


cooperative agreements and sole source contracts with ICANN based on its general legal authority to work with and enter into these types of agreements with non-profit entities.

It must be noted that the circumstances that led to creation of ICANN are different, in significant respects, than those that now necessitate the creation of an SCMS to support V2V DSRC communications. When it issued its Policy Statement, Department of Commerce had funds dedicated to administration of the DNS it sought to privatize and already had taken on responsibility for performing that function, in accordance with Federal law. For this reason, the Department of Commerce had a legal obligation closely to oversee ICANN’s assumption of responsibility for the DNS during a transition period. It also continued to fund ICANN in the performance of certain additional functions previously performed by IANA, even after it ceased to oversee ICANN’s policies and operation of the DNS in 2009. By contrast, to date, NHTSA has not assumed responsibility for carrying out any security functions relative to mandated automobile equipment, so no infrastructure or funding for this purpose now exists. Additionally, NHTSA seeks not to privatize existing federal security functions or infrastructure, but to work closely with public and private V2V stakeholders to take the technical design, intellectual property and body of policy developed through DOT’s SCMS research and facilitate the creation of a new operational entity—a National SCMS to support V2V, V2I, and V2X DSRC communications.

Despite these differences, NHTSA believes that ICANN serves as a strong comparative industry model of how NHTSA can work with stakeholders in the SCMS ecosystem to facilitate creation and support of a multi-stakeholder private sector entity to govern and coordinate operation of the V2V SCMS.

(d) Potential SCMS Implementation Model

It is clear that there are numerous different paths that government and private stakeholders theoretically could follow in implementing a National SCMS to support the V2V ecosystem—paths the organization, governance and financial viability of which DOT expects its expanded policy research to develop and assess. There may even be other viable security models that could provide sufficient confidence and consumer privacy protection to V2V messages. However, if NHTSA mandates V2V communications equipment in light motor vehicles and moves forward with implementing the SCMS technical design described above, the agency believes that one promising path was that pursued by Department of Commerce when it spurred private sector establishment of ICANN. Specifically, DOT could facilitate the creation of a multi-stakeholder entity capable of governing and coordinating operation of a National SCMS. DOT’s expanded policy research, including stakeholder input, modeling, and prototyping of potential governance models, as well as comments on the NPRM, will help determine whether such an SCMS should be a purely private entity in which DOT plays an advisory role—or whether the Federal government should assume control over some critical SCMS functions (for example, ownership of the definitive root).

The process followed by the Department of Commerce as it privatized certain DNS functions could be a useful roadmap for how NHTSA might work with the private sector to establish a new, multi-stakeholder entity to take on governance and coordinate operation of a V2V SCMS. NHTSA’s 2014 ANPRM, V2V Readiness Report and SCMS RFI could be viewed as the first steps in this process. NHTSA used the input the agency received in response to these public documents, in meetings with RFI respondents, and through SCMS policy research performed by the VIIC and others, to expand the scope of its planned SCMS governance and policy research discussed in Section V.B.6. This critical SCMS policy research is intended to give DOT a central role in, and direct control over, development of draft policies, procedures and standards that could be the basis for governance of a National SCMS, including a draft Certificate Policy, Certificate Practice Statement, Registration Agreements, and Privacy Policy. Another central aspect of DOT’s planned SCMS policy research will be working with PKI and organizational consultants and stakeholders to prototype a multi-stakeholder governance structure (much like ICANN’s Board of Directors) capable of satisfying the needs of the broad range of diverse participants in the SCMS ecosystem. If successful, this prototype could serve as a model for a private sector entity that could establish and oversee a deployed National SCMS.

If appropriate based on the Department’s planned research, DOT then could issue a draft V2V SCMS Policy Statement describing a process (similar to that followed by DOC and ICANN) by which the Department could, if it chooses to, work collaboratively with a new multi-stakeholder private entity to develop the binding policies and technical standards required for stable and sustained operation of a V2V SCMS. After an initial period of joint policy development and direct DOT oversight under contract, prior to full SCMS deployment, DOT gradually could terminate some or all its oversight of the new entity’s activities, completing the transition of authority prior to full SCMS deployment. Thereafter, representatives of NHTSA and other Federal government agencies, both within DOT (DOT–R, FHWA, FMCSA, and the others) and elsewhere in the Federal Government (FCC, FTC), could serve in an advisory capacity on a Government Advisory Committee or as nonvoting SCMS Manager Board Members.

(e) SCMS Proof-of-Concept Operational Model Development Plan

As a result of a better understanding obtained from operating the prototype security system during Model Deployment, as well as feedback from the SCMS Request for Information, ITS–JPO and NHTSA realized that expanding to a National level SCMS would require an intermediate step. Specifically, that additional research was required to prove the concept and develop a SCMS working model that allows for investigating the full range of technical, policy, and organizational elements involved in deploying and operating the SCMS. Investigating these components includes providing security certificate management services to continuing vehicle communications research activities and early deployments.

As part of developing a working SCMS model, DOT will:
• Develop and implement a proof of concept SCMS (the SCMS PoC) that is fully representative of the Final SCMS design, and which will provide certificate management services to early deployments and demonstrations, including but not limited to CV pilots,
• Act as the overall SCMS PoC Manager, including developing policy and procedures that will govern the interactions between the various entities involved in the V2X eco-system, and
• Based on stakeholder input, advance and adapt SCMS PoC policies and protocols such that they would represent possible policies and protocols suitable for the establishment and operations of a SCMS that could support a national deployment of vehicle communication technology.


The SCMS proof-of-concept (PoC) will be fully representative of a production SCMS in terms of functionality, features, and capabilities. It will support all certificate management ‘‘use-cases’’ envisioned for a production system, and incorporates all elements of the final design developed by DOT and its industry partners. While not intended to be ‘‘full-scale’’, the SCMS PoC will be capable of servicing up to 17 million vehicles annually. The SCMS PoC is being developed to:
1. Support end-to-end testing of the certificate management use-cases thus demonstrating feasibility and practicality of the system;
2. Demonstrate the extensibility of the SCMS design (multiple non-central components);
3. Support scalability testing through modeling, simulation, and real-world deployments;
4. Support integrity, robustness and system vulnerability testing;
5. Will be used in actual connected vehicle operations by servicing a variety of early deployments and demonstrations including the Connected Vehicle pilots (Tampa, NYC, Wyoming), the Smart City Challenge program recipient, as well as other government sponsored (state & local) and private sector deployments that we anticipate emerging over the next several years; and
6. Will be able to support future connected vehicle application demonstration programs for FMCSA, FTA, and FRA (e.g., wireless roadside inspections; electronic credentialing; grade-crossing safety; transit-pedestrian safety; and other applications).

NHTSA and its industry partners (CAMP) are currently in the process of prototyping an SCMS system that is capable of executing all the core use-cases associated with the security certificate management life cycle including enrollment, certificate generation, certificate request and fulfillment, and revocation. This proof-of-concept SCMS (the SCMS PoC) is being developed to support real-world operations of early V2V deployments at connected vehicles pilots sponsored by DOT (in Florida, New York City, and Wyoming and elsewhere). NHTSA and its industry partners will continue to refine, test and mature the design of the SCMS—including addressing the functions and features listed above—by leveraging this prototype environment. To support these refinement efforts, we are establishing multiple instantiations of the SCMS including Production, Quality Assurance and Development environments. Further, we are in the process of retaining an additional (in addition to MITRE) independent cyber-security testing and evaluation Team to conduct a thorough design review on the Final SCMS design, and to complete focused penetration testing and vulnerability discovery on the actual SCMS prototype by leveraging the Development environment platform.

DOT will develop, operate, and manage the SCMS PoC through multiple contract/agreements with multiple entities, illustrated via Figure 1. Figure 1 identifies five research activities including the SCMS PoC Governmental Management that represent the SCMS PoC Manager Environment. This environment depicts the boundaries of the SCMS PoC Governmental Management activities. DOT has already established an agreement that is currently developing an initial prototype of the SCMS PoC that will be the basis for the operational environment and support ongoing functional (refinement) development. SCMS PoC Governmental Management includes the development of policies that support the technical processes and procedures and the organizational protocols that establish interfaces (communications) between entities that support policy and operational execution. DOT, with the support provided by the Governmental Management contractor, will be the SCMS Manager and set policies and protocols that will address threats in relation to access and change authority. The SCMS Manager will develop and establish a Certificate Policy and Certificate Practice Statement that sets the policies and protocols that must be accepted and followed to be approved to participate in the SCMS environment.

A separate agreement will establish the operational SCMS PoC (provides the technical functions that enable generation, distribution and monitoring of SCMS security materials). Related to the separate agreement that establishes PoC operations is an agreement that provides for the technical management that encompasses the development and documentation of technical process and procedures end entities will use to initialize devices and obtain security materials. Another contract will provide Connected Vehicle Support Service that supports the initial interactions regarding end entity applications for device initiations, technical support questions, and questions about policies and procedures. The Connected Vehicle Support contractor will establish and operate the initial interface with end users.

Beyond the SCMS PoC manager environment, the SCMS PoC Governmental Manager will in most cases indirectly interface with other research activities such as the CV Pilots, and other support entities that include Certification Service entities, and Device Suppliers. The most direct outside relationship will be with the National SCMS Prototype Policy Development research. The SCMS Governmental Management effort will need to interface with the National SCMS Prototype Policy Development research to support national level SCMS prototype policy development.

The SCMS PoC environment, together with the connected vehicle pilot sites sponsored by DOT, will provide an opportunity to refine the SCMS Manager concept and other non-technology related policies and procedures needed to address security threats.

(f) SCMS Request for Comment

NHTSA has invested considerable resources and effort in refining and maturing the Security Credential Management System Design. The Agency has enlisted the assistance of leading PKI experts in developing the design, and the design has been formerly reviewed by MITRE Corporation (see Section V.B.3 for summary of MITRE review) and other Federal Agencies including DARPA and NIST have also reviewed the design. NHTSA believes that the SCMS concept and design offers a practical, efficient and effective means for addressing the need for confidence in V2V and V2I communications—while simultaneously addressing privacy concerns arising from potential vehicle tracking using V2V communications. Nevertheless, a fully representative prototype of the SCMS system has not yet been developed and tested, although NHTSA and the JPO are in the process of doing just that (see Section V.B.6.e for details).

In addition, the SCMS concept calls for periodic (or routine) communications between the vehicle and various certificate management entities (which reside in the ‘‘infrastructure’’ on the internet) to execute a variety of certificate management life-cycle services including: re-provisioning of on-board pseudonym certificates; distribution of certificate revocation lists; and potential component for sending misbehavior detection reports from vehicles to the Misbehavior Authority of the SCMS as described in the Proposal. While NHTSA believes that such periodic vehicle to infrastructure communications can readily be accommodated thru either V2V DSRC communications (using roadside units, or RSUs), or through the rapidly


increasing connectivity of vehicles using commercial wireless services (cellular or satellite services that are either integrated into the vehicle or made available through links with an operator’s cell phone), NHTSA nevertheless recognizes that security certificate management concepts that inherently minimize the need for such periodic V2I communications may offer advantages relative to maintaining proper on-board certificate credentials.

To manage the normal risk associated with any new and complex information security system, and to address a means for potentially reducing the need for V2I security communications, NHTSA has been, and continues, investigating alternatives to the SCMS concept.

NHTSA seeks comments on all aspects of the SCMS. In technical design, development, and potential deployment, including DOT’s proposal to expand its governance role in development of a viable organizational model and policies and procedures applicable to a National SCMS, and the use of ICANN as a possible roadmap for how to facilitate establishment of a private, multi-stakeholder entity to manage and oversee operation of the National SCMS.

C. Vehicle Based Security System (VBSS)

In late 2012 NHTSA began investigating a certificate management concept termed the ‘‘vehicle based security system’’ (VBSS). VBSS is based on principles associated with Group Manager concepts for managing cryptographic materials—and adapted for vehicular application by NHTSA engineers.

The major difference between SCMS and VBSS is in generating short-term certificates. The SCMS approach relies on individual vehicles to periodically request pseudonym certificates from infrastructure-based entities, (most notably a Pseudonym Certificate Authority, or PCA) which in turn generates and signs short-term certificates. Vehicles then download batches of certificates which are used to digitally sign BSM messages. In contrast, the VBSS concept calls for delegating this authority to individual vehicles, and as a result the communications with the infrastructure are reduced.

DOT funded a Feasibility Study of the VBSS concept in 2014 (completed by Oakridge National Laboratory, ORNL) and the first phase of study was completed in December, 2015.231 Figure X depicts a high level comparison of the VBSS and SCMS architectures.

Under the VBSS concept, the Pseudonym Certificate Authority (PCA), Registration Authority (RA), Linkage Authorities (LAs) and Request Coordination, that are fundamental components in SCMS, are eliminated. VBSS establishes a Group Manager/Group Managers (GM) to provide credentials that make it possible for each vehicle to act as a certificate authority—an entity that can generate short-term certificates.

Each vehicle is a member of a group and is assigned a unique membership secret, a signing key. All member signing keys for a particular group are associated with a single group certificate. A vehicle generates its own ephemeral pseudonym certificates by signing the public key from a self-generated key pair with its group signing key; vehicles act as subordinate Certificate Authorities and pseudonyms are generated on demand based on travel requirements. Pseudonym verifiers use the group certificate to authenticate the pseudonym certificate,

231 ‘‘Vehicle Based Safety Systems: A Feasibility Study: December 23, 2015, ORNL.


and then the pseudonym certificate to verify safety messages. The pseudonym generator remains anonymous, since the receiver uses a single group certificate to authenticate signatures made by all members from a particular group.

Groups are managed by one or more infrastructure-based authorities. Members may be removed from groups by distributing information that allows participants to update their group credentials; this provides a means to revoke misbehaving vehicles since the pseudonyms they create will no longer be authenticated by vehicles that have updated their group credentials.

Use of pseudonyms (short-lived identifiers) and separation of distributed identifiers are the primary means of achieving an acceptable level of privacy. Within a VBSS, how groups are designed will also affect the preservation of individual privacy. As the number of distinct groups increases within a geographical area, privacy protection decreases; if every vehicle within a geographic area were in its own group (the extreme case), the group identifier becomes a unique vehicle identifier. This situation can be mitigated by ensuring group diversity is minimized regionally.

Misbehavior detection and reporting, and revocation are maintenance operations that are common to both SCMS and VBSS. There are misbehavior reporting alternatives discussed in SCMS security section of this proposal. In relation to misbehavior and revocation, VBSS may offer some advantages relative to managing communications associated with revoked vehicles. With SCMS, as the number of revoked vehicles grows—including those vehicles revoked because they are at the end of their useful life, the CRL list must also grow. NHTSA and its industry partners are investigating mechanisms for managing the size of the CRL but it nevertheless remains a challenge. With VBSS, instead of sending out CRLs to revoke vehicles, a Group Broadcast (GB) distributes group credential updates to participating vehicles; this occurs when a sufficient number of vehicle misbehavior reports have been validated resulting in one or more revocations; otherwise, group credentials do not change. Compared with the SCMS, which uses a CRL to remove compromised devices from the V2V communication system and whose CRL grows with the number of compromised devices, the advantage of the VBSS revocation mechanism is that the size of group credential updates will not increase with the number of compromised devices.

The Phase I study of VBSS and comparisons with other approaches suggests VBSS is feasible because group-based credentials provide a means to delegate infrastructure-based operations to vehicles in an effective way while facilitating the basic requirements of authentication, privacy, and maintenance of confidence. However, while Group-based signature schemes are an active area of research they are evolving and much less mature than other cryptographic systems. For this reason, VBSS remains in its preliminary stages.

NHTSA is continuing its research of the VBSS concept and is beginning a Phase II research Study in 2016. This work will focus on modeling a Group Manager and enhancing our understanding of the Group Manager software engineering requirements. NHTSA seeks comment on the viability of the VBSS certificate management approach including potential advantages and disadvantages relative to the SCMS approach. Specifically, we seek comment on the following:
—Could requirements to update an entire group’s credentials (to enable revocation of selected vehicles) actually increase V2I communications during early deployment (versus distribution of a CRL)?
—Are there CRL distribution schemes that could limit, or otherwise manage, the growth of the CRL—particularly as vehicles reach the end of their life and are placed on the CRL?
—How will the requirement to self-generate short-term certificates onboard the vehicle impact processing and memory requirements onboard the vehicle—as well as the need to provide high integrity hardware security modules to support such operations?

D. Multiple Root Authority Credential Management

U.S. DOT research, performed in partnership with European, Australian, and Japanese partners, has recognized that the world will evolve into a multi-root world and that crypto-agility will be a required capability as a response to increasing cybersecurity attacks.232 While these capabilities are not required at the initiation of a connected, cooperative environment, they are useful technical and policy constructs to incorporate as the threat profile shifts and as the operational environment grows.

232 This work and its outcomes are described at: https://ec.europa.eu/digital-single-market/news/harmonized-security-policies-cooperative-intelligent-transport-systems-create-international.

There are three potential paths to consider, all with advantages and disadvantages (we further note that these paths are not exclusive and that as the technologies evolve, they may converge):

(1) There is the path of establishing a single chain to the Root Authority that allows for devices/equipment or operational entities to become enrolled and implicitly trusted by the system. In such a system:

a. The Root Authority requires a significant level of security to ensure that it is not compromised.

b. The root authority can authorize intermediate certificate authorities which can support a diversity of operational parameters. However, all intermediate certificate authorities under a single root authority must operate with the allowable policies of the root authority.

c. There is a requirement for a mechanism to manage root authorities which is capable of transitioning the fundamental cryptographic elements if the Root Authority is compromised. This mechanism must be similarly as highly secured as the root authority and has the ability to revoke the compromised root and add a new root in a controlled and efficient way for all participants in the security system.233 While allowing for some diversity of operational usage within the policies of the root, there is a minimum of interfaces between the root and other nodes, consequently, the threat surface remains smaller.

d. The mechanism for managing the root, although requiring (and incurring costs for) a high level of security, allows for orderly migration of the security system to incorporate root replacements and cryptographic improvements (as long as the devices within the system are capable of adopting such new cryptographic processes), thus future-proofing the overall system to the extent possible within known parameters.

This is the path that the US is taking to establish initial operations to support emerging connected vehicle environments.

233 See Root Elector System Design at http://www.mycreativeregistry.net/IPCOM/000245336 (last accessed Dec 4, 2016).

(2) There is the path of establishing multiple, co-existing roots in which each Root Authority must have an agreement with other root authorities that describe an appropriate level of trust. Based on the trust level, a host of interfaces have to be enacted for data transfer that assures one operational root that the other operational root remains trusted. See the report titled,

‘‘Cooperative-ITS Credential Management System Functional Analysis and Recommendations for Harmonization Document HTG6–4 Version: 2015–09’’ 234 for greater details on the trust levels and how to enact the trust levels from both a policy perspective as well as a data flow perspective.

A benefit to this path is that with multiple operational roots, if one is compromised, another root could potentially take over operations (although this is highly dependent upon the trust levels—if the other operating root that has to take over does not trust the credentials of the compromised root (even if the credentials in use are still valid and not compromised), then all actors enrolled in the compromised root will have to cease operations of the cooperative applications until they can be proven to be trusted actors and enrolled in the uncompromised root authority).

Understanding the different trust levels is the key to understanding whether there are benefits to a multiple root world. A key conclusion to the analysis on how to enact different trust levels is that adding even one additional root to the system increases the number of interfaces among entities, which exponentially increases the attack surface of the inter-related systems. This model also increases costs of running different organizations, increases the costs associated with data analysis, and increases the costs of auditing and updating policies. In addition, it seems that agreement of common security policies under the initialization of parallel operational roots, operated by different organizations with different priorities, is likely to be very difficult, adversely affecting the level of trust that may be established among various root authorities.

Furthermore, the Government will have no authority to compel one Root Authority to interface with another Root Authority. This would adversely affect interoperability given that the equipment under the different roots would not interact in crash avoidance situations, reducing the effectiveness of V2V. For example, a group of OEMs could be covered under one Root Authority whereas a group of aftermarket suppliers could be covered under a different Root Authority. If the OEM group decides that the aftermarket devices do not meet the OEM level of performance, then no agreement would be implemented and equipment in the OEM group would not interact with equipment in the aftermarket group. This could create market disparity and reduce consumer choice.

(3) There is one additional path that is very similar to path #2, but also incorporates the use of different types of security credentials (or security certificates). The use of the NIST elliptical curve SHA–256 offers a significant advantage over other types of credentials in that it includes the lowest amount of overhead for an appropriate level of trust and authentication among vehicles moving at very high speeds.

This version of the model would allow for different credentials (such as ‘‘brainpool’’ or other curves) to also be used in operations. This version of the model significantly increases the complexity of the system. While it offers greater crypto-flexibility, having the ability to recognize and use different credentials will require that ALL equipment/devices/applications will have to be able to recognize and trust messages created with either type of credential in order to ensure continued interoperability. This path may increase the cost and complexity of equipment on the vehicle and/or change the nature of the equipment, as the receivers will have to recognize the different cryptographic technologies and perform additional/different validity checks for the different cryptographic technologies. Also, this capability/path is not yet proven and would need to be demonstrated under a number of conditions to ensure that the transactions and timing can still meet the safety applications requirements for latency of the exchange and scalability of the dedicated spectrum available for low-latency communications, such as the V2V Basic Safety Message.

This is the path that is under consideration within the European Union at this time.

All of these paths are, in some sense, multi-root in that it is necessary to have at least a back-up root as part of an internal system. The analysis of the different paths highlights some of the key issues that will need to be addressed as the future evolves:

• Security credentials: At some point, we can expect that the security credentials based upon the current cryptographic level will be broken due to quantum computing and that new security approaches and/or new cryptographic curves will be needed. Research is needed into new curves to ensure that new security approaches do not significantly increase the communications overhead in order to support the latency requirements for V2V communications.

• Governance/Certificate Policies: New root management and recovery solutions will need to be developed as the initial, smaller connected vehicle environments evolve into more complicated, region-wide, overlapping environments that may operate at different levels of security. This has been addressed in the first path through the innovative creation of Root Electors that provide the ability to revoke a compromised Root and establish a new Root without having to re-initialize devices.235

VI. What is the agency’s legal authority to regulate V2V devices, and how is this proposal consistent with that authority?

A. What can NHTSA regulate under the Vehicle Safety Act?

NHTSA has broad statutory authority to regulate motor vehicles and items of motor vehicle equipment under the National Traffic and Motor Vehicle Safety Act (the ‘‘Safety Act’’).236 As applied in this context, the agency’s authority includes all or nearly all aspects of a V2V system. Congress enacted the Safety Act in 1966 with the purpose of reducing motor vehicle crashes and deaths and injuries that occur as a result of motor vehicle crashes and non-operational safety hazards attributable to motor vehicles.237 The Safety Act, as amended, is now codified at 49 U.S.C. 30101 et seq.

The vehicle technologies that enable vehicles to send messages to and receive messages from each other are vastly different from those that existed when the Safety Act was enacted. Then, the vehicle operating systems were largely mechanical and controlled by the driver via mechanical inputs and linkages. Components and systems were either designed into the vehicle at the time of original manufacture or were later

234 http://ec.europa.eu/newsroom/dae/document.cfm?action=display&doc_id=11398.
235 See Root Elector System Design at http://www.mycreativeregistry.net/IPCOM/000245336 (last accessed Dec. 4, 2016).
236 For more discussion and analysis of NHTSA’s authority to regulate advanced crash avoidance technologies, including V2V technologies, under the Safety Act, see the Potential Regulatory Challenges of Increasingly Autonomous Vehicles, 52 Santa Clara L. Rev. 1423 (Wood et al., 2012) at http://digitalcommons.law.scu.edu/lawreview/vol52/iss4/9/ (last accessed Dec. 6, 2016). For example, the agency’s authority to address the privacy and security of vehicle data associated with the operation of those technologies is discussed at length. Id., at pp. 1448, 1465–72. Addressing data security is necessary to safeguard the effectiveness of these technologies and promote their acceptance by vehicle users. Addressing privacy is similarly necessary to promote public acceptance. The views expressed in that article fairly encompass the agency’s views of its regulatory authority.
237 H.R. Rep. No. 89–1776, at 10 (1966).

attached to or physically carried into the vehicle. Sensing of a vehicle’s performance and the roadway environment was done solely by the driver.

Today, in contrast, an increasing number of vehicle functions are electronic. These functions can be activated and controlled automatically and do not necessarily require driver involvement, unlike the mechanical functions of previous generations of vehicles. V2V technologies require no driver involvement in order to send and receive information that can be used for vehicle safety functions. Other ways in which V2V technologies differ from the mechanical technologies prevalent when the Safety Act was first enacted include the fact that how they operate can be substantially altered by post-manufacture software updates, and that advances in communications technology make it possible for nomadic devices with vehicle-related applications to be brought into the vehicle.

The language of the Safety Act, however, is broad enough to comfortably accommodate this evolution in vehicle technologies. NHTSA’s statutory authority over motor vehicles and motor vehicle equipment would allow the agency to establish safety standards applicable both to vehicles that are originally manufactured with V2V communications devices, and to those devices added after original manufacture.

In the Safety Act, ‘‘motor vehicle’’ is defined as a ‘‘vehicle driven or drawn by mechanical power and manufactured primarily for use’’ on public roads.238 The definition of ‘‘motor vehicle equipment,’’ as cited below, is broader and thus effectively establishes the limit of the agency’s authority under the Safety Act:

(A) Any system, part, or component of a motor vehicle as originally manufactured;

(B) any similar part or component manufactured or sold for replacement or improvement of a system, part, or component, or as an accessory or addition to a motor vehicle; or

(C) any device or an article or apparel, including a motorcycle helmet and excluding medicine or eyeglasses prescribed by a licensed practitioner, that—

(i) is not a system, part, or component of a motor vehicle; and

(ii) is manufactured, sold, delivered, or offered to be sold for use on public streets, roads, and highways with the apparent purpose of safeguarding users of motor vehicles against risk of accident, injury, or death.239

NHTSA’s authority over these groups of items—(1) systems, parts, and components installed or included in a vehicle, (2) replacements and improvements to those systems, parts, and components, (3) accessories and additions to motor vehicles, and (4) devices or articles with an apparent safety-related purpose—is very broad. The status of these items as motor vehicle equipment does not depend on the type of technology or its mode of control (mechanical or electronic), or whether an item is tangible or intangible. The transition from mechanical to electromechanical systems has thus had no effect on the extent of NHTSA’s authority over motor vehicle performance. NHTSA has regulatory authority under the Safety Act over all the systems, parts, and components installed on new motor vehicles, even as motor vehicle control systems become increasingly electronic, and perhaps increasingly automated, in the future.

Put in the context of V2V-related motor vehicle equipment, NHTSA considers the following items subject to the agency’s regulatory authority:

(1) Any integrated original equipment (OE) used for V2V communications or safety applications reliant on V2V communications.

(2) Any integrated aftermarket equipment used for V2V communications or safety applications reliant on V2V communications, under 30102(a)(7)(B), if the equipment ‘‘improves’’ an already-existing function of the vehicle or is an ‘‘addition’’ to the vehicle.

(3) Some non-integrated aftermarket equipment, depending on its nature and apparent purpose, under 30102(a)(7)(B), if the equipment is a motor vehicle ‘‘accessory’’ (something to be used while the vehicle is in operation, that enhances that operation), or 30102(a)(7)(C), if the equipment is a device used for the apparent purpose of traffic safety (purpose would be clearly observable from the characteristics of the object and the context of its use, rather than necessarily defined by the manufacturer’s intent for the equipment).

(4) Software that provides or aids V2V functions, and software updates to all of this equipment, because, under 30102(a)(7)(B), updates can be considered as replacements or improvements.

(5) Potentially some roadside infrastructure (V2I), under 30102(a)(7)(B) and (C), because if its apparent purpose is safety, it may be an ‘‘accessory’’ or a ‘‘device . . . manufactured . . . with the apparent purpose of safeguarding users of motor vehicles against accident, injury, or death.’’ We currently anticipate that only a small subset of roadside infrastructure may fall within this category.

A number of commenters to the ANPRM and Readiness Report raised issues with the agency’s discussion of the bounds of its authority. While most commenters agreed that the agency has clear authority to require V2V communications devices in new vehicles and to regulate aftermarket V2V devices,240 the Alliance argued that it appeared that the agency sought to regulate ‘‘the relationship between the vehicle manufacturers and their customers,’’ 241 given that NHTSA had discussed the potential need for additional security certificates during a V2V communications device’s lifetime, as well as the possibility of software updates as needed. The Alliance argued that the Safety Act did not authorize a ‘‘lifetime maintenance mandate’’ to cover the potential need to provide additional certificates or software updates.242 Moreover, the Alliance argued, NHTSA could not require consumers to renew security certificates or accept downloaded certificates pushed directly to the vehicle, or to ensure that DSRC remained operable over the lifetime of the vehicle, and therefore a FMVSS would not be publicly accepted, and therefore inconsistent with the agency’s authority

238 49 U.S.C. 30102(a)(6).
239 Section 30102(a)(7)(C); MAP–21, Public Law 112–141, sec. 31201, 126 Stat. 405. Congress added subparagraph (C) to the statutory definition of ‘‘motor vehicle equipment’’ in 1970 when it amended the definition in order to clarify the Department’s authority over additional objects such as motorcycle helmets. See S. Rep. No. 91–559, at 5 (1970). However, Congress did not seek to limit the extension of the Department’s authority only to motorcycle helmets and instead utilized the broad terms ‘‘device, article, and apparel’’ to describe the universe of objects that are within the agency’s authority. See id. Acknowledging the concerns of those who authored the House version of the amendatory language that utilizing the terms ‘‘device, article, and apparel’’ might unduly extend the Department’s authority to objects that have only a tangential relation to motor vehicle safety, the conference committee added a use restriction. See id. Congress relaxed this use restriction in the statutory definition of ‘‘motor vehicle equipment’’ as part of the amendments to the Safety Act in MAP–21. See MAP–21, Public Law 112–141, sec. 31201, 126 Stat. 405. Thus, the Department’s regulatory authority under subparagraph (C) is limited to those devices, articles, or apparel that are used for ‘‘the apparent purpose of safeguarding users of motor vehicles against risk of accident, injury, or death.’’ See id. (Emphasis added.)
240 Alliance, at 13, 15.
241 Alliance, at 7.
242 Alliance, at 15.

under the Safety Act, because consumers might not be confident that DSRC would continue to work properly over the vehicle’s lifetime.243 The Alliance even suggested that it could violate the Computer Fraud and Abuse Act (18 U.S.C. 1030) to push new certificates to consumers without their consent.244

In response, NHTSA agrees that we have authority under the Safety Act to require V2V communications devices in new vehicles and mandate specific aspects of their performance, and to require similar performance from aftermarket V2V devices designed to participate in the V2V system, as long as those standards are consistent with Safety Act requirements.

We disagree, however, with the points raised by the Alliance regarding V2V certificate and software updates. At this time, NHTSA is not requiring that certificate and software updates be pushed to vehicles without consumers’ consent—we are simply requiring that manufacturers alert consumers, via a telltale or message center indicator, to the fact that V2V will not work if they are out of certificates or in need of some other kind of update, and that devices be capable of receiving such updates.245 Consumers will need to know what action the telltale or message center indicator is telling them to take in order to continue to obtain the safety benefits of V2V, so vehicle or device manufacturers will need to ensure either that the message center indicator is clear about the needed action and the consequences of not taking that action, or that the explanation for the message or telltale is contained somewhere (like the owner’s information) where the consumer can easily find it and understand what to do. Alternatively, vehicle manufacturers could obtain consumer consent for automatic certificate and software updates at the time of first sale, although that consent would not cover subsequent vehicle owners. Even if manufacturers make it necessary for consumers to consent to each new download, NHTSA expects that the need to do so would be sufficiently infrequent and well-explained by vehicle manufacturers in order to ensure that consumers recognize the significant safety risk of failing to accept the download. We assume that, at this point in time, nearly all consumers are already well-accustomed to the need for software updates on their electronic devices, like computers and , and regularly accept and initiate such updates. We seek comment from manufacturers on how they plan to develop succinct and compelling explanations to accompany these consent requests that would encourage consumers to accept the updates in a timely manner. We also seek additional comment regarding all aspects of consumer consent.

Alternatively, if manufacturers are concerned that consumers would not accept new certificate downloads and would thereby lose the safety benefits of V2V communications, manufacturers could install V2V devices that are pre-loaded with all the certificates that the device would need over its lifetime. This approach would presumably necessitate more storage capacity on the device (and thus more cost), and could also present a potentially bigger security risk if the device were somehow compromised. We seek comment on whether requiring devices to come pre-loaded with a lifetime’s worth of certificates could be a better approach than requiring consumers to consent to (and obtain) new downloads, and if so, why.

Besides certificates, however, we expect that software associated with both the V2V communications device itself, and with any accompanying applications that rely on V2V communications for information, would likely need updating during the vehicle’s lifetime. As explained above, as for certificate updates, we are proposing to require that manufacturers include a means to communicate to the driver if and when a software update is needed. If the driver then chooses not to accept the update, the system must continue to warn them that V2V functionality is not available. If manufacturers choose not to update software when issues with it are discovered, and safety problems result, NHTSA may choose to pursue those problems under its enforcement authority.

Some commenters disagreed with the agency’s statements in the Readiness Report that our Safety Act authority extended to cover RSE.246 The Alliance argued that RSE only indirectly served a safety purpose, because they would perform non-safety functions as well, and therefore could not be motor vehicle equipment. CTIA and others presented a similar argument regarding the agency’s authority to regulate mobile devices and applications for mobile devices, as it has elsewhere.247

With regard to the agency’s authority under the Safety Act over RSE, although we are not proposing in this NPRM to regulate any RSEs, we disagree that a device that performs non-safety functions in addition to safety functions is necessarily not motor vehicle equipment. Tires, for example, perform the non-safety function of helping a vehicle travel down the road by creating friction between the wheel and the road, but that friction also plays a safety role by helping the vehicle stop rapidly when the driver hits the brakes. Brakes and steering wheels, for that matter, help drivers execute turns which may be necessary to reach their intended destination, but they also help drivers avoid crashing their vehicles. Many items of motor vehicle equipment that NHTSA regulates perform safety functions in addition to being generally necessary for the driving task. NHTSA can regulate those items insofar as they affect vehicle safety. By providing a link between the SCMS and the vehicle, and potentially being the mechanism by which the vehicle’s V2V communications device is able to obtain new security certificates and information about which other vehicles to trust and not to trust, the RSE may play a vital role in creating the environment needed for safety. A BSM cannot be sent without a certificate, and a V2V communications device must not trust an untrustworthy partner vehicle, or safety applications may not function properly.

That said, NHTSA does not currently anticipate the need to specify requirements for the RSE that may participate in the overall V2V system. We note that FHWA has already issued specifications for roadside units that are publicly available,248 and at this point, we would expect the ones participating in the overall V2V system and interacting with V2V-equipped vehicles to conform to these specifications, or to updated specifications if and when they exist. We seek comment on whether additional regulation of RSE/RSU by NHTSA might be important to ensure that, among other things, they do not collect information that could be unnecessarily harmful to privacy; pose no cybersecurity threat to the overall V2V system; or perform (or risk failing to perform) any other task that could be harmful to vehicles or the V2V system

243 Id, and at 15, 47–48.
244 Alliance, at 15.
245 See Section III.E.13, above.
246 Alliance, at 7, 16.
247 CTIA in general; TIA at 6; CEA at 2–9; Wi-Fi Alliance at 7.
248 U.S. DOT Federal Highway Administration, ‘‘DSRC Roadside Unit (RSU) Specifications Document, Version 4.0, April 15, 2014.’’ Available at http://docplayer.net/11087167-Dsrc-roadside-unit-rsu-specifications-document.html (last accessed Dec. 6, 2016).

or in any way negatively impact safety benefits associated with V2V.

Thus, the agency believes that our existing Safety Act authority comfortably allows us to require V2V communications devices in new motor vehicles and aftermarket equipment. The following section examines what the Safety Act requires NHTSA to consider in developing an FMVSS, and how the proposal in this NPRM may meet those requirements.

B. What does the Vehicle Safety Act allow and require of NHTSA in issuing a new FMVSS, and how is the proposal consistent with those requirements?

Under the Safety Act, NHTSA’s motor vehicle safety standards are generally performance-oriented.249 Further, the standards are required to be practicable and objective, and to meet the need for safety.250 The following paragraphs will discuss briefly the meaning of each of these requirements, and then explore how the agency believes that the proposal may meet those requirements.

1. ‘‘Performance-Oriented’’

In the Safety Act, the Secretary is directed to issue motor vehicle safety standards. ‘‘Motor vehicle safety standards’’ are defined as ‘‘minimum standard[s] for motor vehicle or motor vehicle equipment performance.’’ 251 One point to note at the outset is the party of whom performance is required: NHTSA’s safety standards apply to manufacturers of new motor vehicles and motor vehicle equipment. It therefore falls to those ‘‘manufacturers’’—from vehicle OEMs to OE suppliers to aftermarket device manufacturers to creators of V2V safety applications—to certify compliance with any safety standards established by NHTSA, and to conduct recalls and remedy defects if NHTSA finds them.252 Vehicle owners are not required to comply with NHTSA’s safety standards, which means that for vehicles already on the roads, participation in the V2V system would be entirely voluntary: NHTSA can regulate how aftermarket devices function, but it cannot require manufacturers or drivers to add them to used vehicles. The one exception to this rule against retrofit is that NHTSA has authority to require retrofit of commercial heavy-duty vehicles,253 but that is not part of this proposal on light-duty vehicles.

While NHTSA is directed to establish performance standards, the case law and the legislative history indicate that when necessary to promote safety, NHTSA can be quite specific in drafting its performance standards and may require or preclude the installation of certain equipment. The cases have reinforced this concept by determining that NHTSA is ‘‘generally charged’’ 254 with setting performance standards, instead of becoming directly involved in questions of design.255 The legislative history further illustrates that NHTSA’s standards are to ‘‘[specify] the required minimum safe performance of vehicles but not the manner in which the manufacturer is to achieve the specified performance.’’ 256 An example cited in the legislative history points to ‘‘a building code which specifies the minimum load-carrying characteristics of the structural members of a building wall, but leaves the builder free to choose his own materials and design.’’ 257 In that example, the agency could require the wall to be built (analogous to requiring certain equipment in vehicles) but would be expected to measure the wall’s regulatory compliance by its performance rather than its design.

Although the Safety Act directs NHTSA to issue performance standards, however, Congress understood that the agency may preclude certain designs through these performance standards. ‘‘Motor vehicle safety’’ is defined in the Safety Act as the performance of a motor vehicle in a way that protects the public from unreasonable risks of accident due to (among other things) the design of a motor vehicle.258 The legislative history indicates that this language is not intended to afford the agency the authority to promulgate design standards, ‘‘but merely to clarify that the public is to be protected from inherently dangerous designs which conflict with the concept of motor vehicle safety.’’ 259 This clarification is evidence that Congress recognized that performance standards inevitably have an impact on the design of a motor vehicle.260

The courts have further elaborated on the framework established by Congress and have recognized that, when necessary to achieve a safety purpose, NHTSA can be quite specific in establishing performance standards even if certain designs will be precluded. For example, the Sixth Circuit found that an agency provision permitting rectangular headlamps, but only if they were of certain specified dimensions, was not an invalid design restriction and ‘‘serve[d] to ensure proper headlamp performance,’’ reasoning that ‘‘the overall safety and reliability of a headlamp system depends to a certain extent upon the wide availability of replacement lamps, which in turn depends upon standardization.’’ 261 Thus, the court found it permissible for the agency to establish very specific requirements for headlamps even though it would restrict design flexibility.262

Further, the cases indicate that NHTSA can establish standards to require the installation of certain specific equipment on vehicles and establish performance standards for that equipment. For example, the Tenth Circuit found in Washington v. DOT that ‘‘NHTSA’s regulatory authority extends beyond the performance of motor vehicles per se, to particular items of equipment.’’ 263 In that case, the validity of NHTSA’s FMVSS No. 121 requiring ABS systems on air-braked vehicles was challenged as ‘‘imposing design specifications rather than

249 49 U.S.C. 30102(a)(8) (defining ‘‘motor vehicle safety’’ as ‘‘the performance of a motor vehicle . . . in a way that protects the public against unreasonable risk of accidents occurring because of the design, construction, or performance of a motor vehicle’’); and sec. 30102(a)(9) (defining ‘‘motor vehicle safety standard’’ as ‘‘a minimum standard for motor vehicle or motor vehicle equipment performance’’). See also: S. Rep. No. 89–1301, at 2713–14 (1966) (stating that motor vehicle standards issued by NHTSA should specify a minimum level of safety performance).
250 49 U.S.C. 30111(a) (establishing requirements for NHTSA to follow when issuing motor vehicle safety standards).
251 Id.; See also: Sec. 30102(a)(9) (emphasis added).
252 49 U.S.C. 30115(a), ‘‘Certification of compliance; In general’’; sec. 30116, ‘‘Defects and noncompliance found before sale to purchaser’’; sec. 30117(a), ‘‘Providing information to, and maintaining records on, purchasers; Providing information and notice’’; sec. 30118, ‘‘Notification of defects and noncompliance’’; sec. 30119, ‘‘Notification procedures’’; sec. 30120, ‘‘Remedies for defects and noncompliance.’’
253 Per 49 CFR 1.95, which delegates to NHTSA the Secretary’s authority under Sec. 101(f) of the Motor Carrier Safety Improvement Act of 1999 (Pub. L. 106–159; Dec. 9, 1999) to promulgate safety standards for ‘‘commercial motor vehicles and equipment subsequent to initial manufacture.’’ NHTSA’s retrofit authority is coextensive with FMCSA’s.
254 Washington v. Dept. of Transp., 84 F.3d 1222, 1224 (10th Cir. 1996) (citations omitted).
255 Id. at 1224 (citations omitted).
256 S. Rep. No. 89–1301, at 2713–14 (1966).
257 Id.
258 Sec. 30102(a)(9).
259 H.R. Rep. No. 89–1919, at 2732 (1966).
260 Courts have also recognized this fact. See Chrysler Corp. v. Dept. of Transp., 515 F.2d 1053, 1058–59 (6th Cir. 1975); see also: Washington, 84 F.3d at 1224 (stating ‘‘the performance-design distinction is much easier to state in the abstract than to apply definitively-so. . . . This is particularly true when, due to contingent relationships between performance requirements and design options, specification of the former effectively entails, or severely constrains, the latter.’’).
261 Chrysler Corp., 515 F.2d at 1058–59.
262 Id.
263 Washington, 84 F.3d at 1222, 1225 (citations omitted).


performance criteria.’’ 264 The court’s conclusion was based not only on the fact that prior courts had upheld NHTSA’s standards requiring particular equipment,265 but also on the fact that Congress had recognized NHTSA’s former rulemakings and left NHTSA’s authority unchanged when it codified the Safety Act in 1994.

Thus, in summary, NHTSA is required to issue performance standards when regulating motor vehicles and motor vehicle equipment. However, NHTSA is able to be quite specific in establishing performance standards and may preclude certain designs that are contrary to the interests of safety. Further, NHTSA may require the installation of certain equipment and establish performance standards for that equipment.

As Section III.E discusses at length and as the regulatory text at the end of this preamble discusses at length, NHTSA has developed a set of proposed performance requirements for DSRC performance. These sections explain: (1) What information needs to be sent to the surrounding vehicles; (2) how the vehicle needs to send that information; (3) how a vehicle shows that it is a valid source of information; and (4) how a vehicle makes sure the prior three functions work in various operational conditions (i.e., broadcast under congested conditions, detect/report misbehavior, and obtain new security materials). The proposal draws from existing voluntary standards while also explaining why a particular threshold or requirements from a voluntary standard is appropriate. The proposal contains a mandatory Privacy Statement, set forth in Appendix A. Finally, the proposal includes a test method for evaluating many of these aspects of performance. Having a clear test method helps inform the public as to how the agency would evaluate compliance with any final FMVSS. While research is ongoing in a few areas (namely message congestion mitigation, explicit details for misbehavior detection, SCMS policies and procedures), we have described for the public the potential requirements that we are considering for an NPRM and the potential test methods for evaluating compliance with those requirements. We believe that the public comments that we will receive in response (coupled with the agency’s ongoing research) will produce a robust record upon which the agency can make a final decision.

The provisions allowing alternative technologies to satisfy the mandate are performance-oriented, but do not specify a particular way of communicating. The goal of this is to maximize industry’s ability to innovate and potentially employ future communication technologies that may be able to meet the performance requirements (like, for example, latency) for V2V-based safety warning applications. While alternative technologies would be subject to several aspects of the test procedures set forth for DSRC-based devices, it leaves open for industry to develop a number of aspects of performance, including interoperability with all other V2V communications technologies that transmit BSMs. We believe that the inclusion of some performance tests makes these provisions consistent with the Safety Act requirement of standards being ‘‘performance-oriented.’’ We seek comment on this tentative conclusion.

2. Standards ‘‘Meeting the Need for Motor Vehicle Safety’’

As required by the Safety Act, standards issued by the agency must ‘‘meet the need for motor vehicle safety.’’ 266 As ‘‘motor vehicle safety’’ is defined in the statute as protecting the public against ‘‘unreasonable risk’’ of accidents, death, or injury,267 the case law indicates that there must be a nexus between the safety problem and the standard.268

However, a standard need not address safety by direct means. In upholding NHTSA’s authority to issue a safety standard requiring standardized vehicle identification numbers, the Fourth Circuit Court of Appeals found that an FMVSS requiring VINs met the need for motor vehicle safety by such indirect means as reducing errors in compiling statistical data on motor vehicle crashes (in order to aid research to understand current safety problems and support future standards, to increase the efficiency of vehicle recall campaigns, and to assist in tracing stolen vehicles).269

We believe that there is a clear nexus between the safety problem and the proposals in this document. In the case of DSRC-based devices, DSRC can enable all of the safety applications under consideration by the agency, such as Intersection Movement Assist, Left Turn Assist, and Electronic Emergency Brake Light, which means that DSRC can help to address the safety problems of, e.g., intersection collisions, collisions with forward stopped or slowing vehicles, collisions that occur because a driver chose to pass a forward vehicle without enough room to do so safely, etc. For some of the other safety applications, which can also be enabled by other technologies besides DSRC, such as on-board sensors, radar, or cameras, DSRC can add robustness to an on-board system. DSRC will either be the sole enabler of some safety applications or present a possible enhancement to on-board systems with regard to other applications. In either case, DSRC will address safety needs. Moreover, case law supports that DSRC need not directly create more safety itself, as long as it is enabling other safety applications. If VINs could be upheld as meeting the need for motor vehicle safety simply by virtue of the fact that they aid research in understanding safety problems and supporting future standards, as well as aiding recall campaigns and tracking of stolen vehicles, then DSRC, which would directly enable half a dozen safety applications at its inception and perhaps many more eventually, seems even more clearly to meet the need for safety in that respect.

Non-DSRC devices should have a similar nexus to the safety problem.

3. ‘‘Objective’’ Standards

A standard is objective if it specifies test procedures that are ‘‘capable of producing identical results when test conditions are exactly duplicated’’ and performance requirements whose satisfaction is ‘‘based upon the readings obtained from measuring instruments as opposed to subjective opinions.’’ 270 The requirement that standards be stated in

264 Id. at 1223.
265 Id. at 1225 (citing Chrysler Corp. v. Rhodes, 416 F.2d 319, 322, 322 n. 4) (1st Cir. 1969) (‘‘motor vehicles are required to have specific items of equipment . . . These enumerated items of equipment are subject to specific performance standards,’’ including lamps and reflective devices requiring ‘‘specific items of equipment’’)); Wood v. Gen. Motors Corp., 865 F.2d 395, 417 (1st Cir. 1988) (‘‘requiring seat belts or passive restraints . . . has elements of a design standard’’); Automotive Parts & Accessories Ass’n v. Boyd, 407 F.2d 330, 332 (D.C. Cir. 1968) (‘‘factor equipped . . . head restraints which meet specific Federal standards’’).
266 49 U.S.C. 30111(a).
267 49 U.S.C. 30102(a)(8).
268 See, e.g., Nat’l Tire Dealers Ass’n v. Brinegar, 491 F.2d 31, 35–37 (D.C. Cir. 1974) (stating that the administrative record did not support a significant nexus between motor vehicle safety and requiring retread tires to have permanent labels because there was no showing that a second-hand owner would be dependent on these labels and no showing as to how often such situations would arise); see also H&H Tire Co. v. Dept. of Transp., 471 F.2d 350, 354–55 (7th Cir. 1972) (expressing doubt that the standard met the need for safety because there was little evidence that the required compliance tests would ensure that retreaded tires would be capable of performing safely under modern driving conditions).
269 Vehicle Equip. Safety Comm’n v. NHTSA, 611 F.2d 53, 54 (4th Cir. 1979).
270 Chrysler Corp. v. Dept. of Transp., 472 F.2d 659, 676 (6th Cir. 1972); see also Paccar, Inc., v. Nat’l Highway Traffic Safety Admin., 573 F.2d 632, 644 (9th Cir. 1978).


objective terms matches the overall statutory scheme requiring that manufacturers self-certify that their motor vehicles or motor vehicle equipment comply with the relevant FMVSSs.271 In order for this statutory scheme to work, the agency and the manufacturer must be able to obtain the same result from identical tests in order to objectively determine the validity of the manufacturer’s certification.272

Using those two elements of objectivity (capable of producing identical results and compliance based on measurements rather than subjective opinion), the Sixth Circuit Court of Appeals found that the test procedure in question in an early version of FMVSS No. 208 was not objective because the test dummy specified in the standard for use in compliance testing did not give consistent and repeatable results.273 The court in this case was unconvinced that the standard met the objectivity requirements even though NHTSA based its test procedure on a test dummy in a voluntary automotive industry standard (Society of Automotive Engineers Recommended Practice J963). The court rejected NHTSA’s explanation that, although J963 ‘‘may not provide totally reproducible results,’’ ‘‘dummies conforming to the SAE specifications are the most complete and satisfactory ones presently available.’’ 274 Further, the court rejected NHTSA’s reasoning that, in the event that the agency’s test results were different from those of the manufacturers because of the difference in the test dummies, NHTSA’s test results would not be used to find non-compliance, stating that ‘‘there is no room for an [ ] agency investigation [ ] in this procedure’’ that enable the agency to compare results of differing tests.275

Other courts have also reached similar conclusions. The Ninth Circuit Court of Appeals, relying on the same reasoning adopted by the Sixth Circuit, found that a compliance road test specifying the use of surfaces specifically rated with quantifiable numbers (defining the ‘‘slickness’’ of the surfaces) was objective despite ‘‘[t]he fact that it is difficult to create and thereafter maintain a road surface with a particular coefficient of friction,’’ which the court held ‘‘does not render the specified coefficient any less objective.’’ 276 In this case, both NHTSA and the manufacturer would perform road tests on surfaces with identically rated friction coefficients.277 In a later case, the Sixth Circuit upheld NHTSA’s decision not to incorporate a test suggested by a commenter for wheelchair crashworthiness performed with a ‘‘test seat’’ that ‘‘shall be capable of resisting significant deformation’’ during a test as not sufficiently objective.278 In the absence of language quantifying how much deformation is significant, terms such as ‘‘significant deformation’’ do not provide enough specificity to remove the subjective element from the compliance determination process.

As discussed above, under the proposal, we have developed and are proposing performance requirements, including compliance test procedures, for DSRC. We will continue evaluating the compliance test procedures further and receiving public input during the comment period that can assist us in fine-tuning the procedures and ensuring that they meet our statutory requirements. For alternative technologies, given that the testing to this point that led to the development of the test procedures for interoperability did not evaluate the use of non-DSRC communication technologies, we seek comment on how the regulatory text alternative technologies can achieve interoperability in an objective manner.

4. ‘‘Practicable’’ Standards

In general, the practicability of a given standard involves a number of considerations. The majority of issues concerning the practicability of a standard arise out of whether the standard is technologically and economically feasible. An additional issue is whether the means used to comply with a standard will be accepted and correctly used by the public.

First, significant technical uncertainties in meeting a standard might lead a court to find that a standard is not practicable. For example, the Sixth Circuit Court of Appeals upheld NHTSA’s decision to amend FMVSS No. 222 to include requirements for wheelchair securement and occupant restraint on school buses with a static 279 compliance test instead of a dynamic test,280 noting that the administrative record showed that this particular dynamic test was underdeveloped and had many unresolved technical problems.281 The court noted that it is not practicable ‘‘[t]o attempt to fashion rules in an area in which many technical problems have been identified and no consensus exists for their resolution ....’’282 In another example, the Ninth Circuit Court of Appeals found a compliance test procedure using a specified friction (slickness) coefficient to be impracticable due to technical difficulties in maintaining the specific slickness test condition. As mentioned

271 49 U.S.C. 30115(a).
272 Chrysler Corp., 472 F.2d at 675.
273 As the court stated, The record supports the conclusions that the test procedures and the test device specified . . . are not objective in at least the following respects: (1) The absence of an adequate flexibility criteria for the dummy’s neck; the existing specifications permit the neck to be very stiff, or very flexible, or somewhere in between, significantly affecting the resultant forces measured on the dummy’s head. (2) Permissible variations in the test procedure for determining thorax dynamic spring rate (force deflection characteristics on the dummy’s chest) permit considerable latitude in chest construction which could produce wide variations in maximum chest deceleration between two different dummies, each of which meets the literal requirements of SAE J963. (3) The absence of specific, objective specifications for construction of the dummy’s head permits significant variation in forces imparted to the by which performance is to be measured. Id. at 676–78.
274 Id. at 677.
275 Id. at 677–79.
276 Paccar, Inc. v. Nat’l Highway Traffic Safety Admin., 573 F.2d 632, 644 (9th Cir. 1978), cert. denied, 439 U.S. 862 (1978).
277 Id. (stating that the ‘‘skid number method of testing braking capacity meets the [objectivity] definition. Identical results will ensue when test conditions are exactly duplicated. The procedure is rational and decisively demonstrable. Compliance is based on objective measures of stopping distances rather than on the subjective opinions of human beings.’’).
278 Simms v. Nat’l Highway Traffic Safety Admin., 45 F.3d 999, 1007–08 (6th Cir. 1995).
279 Static testing tests the strength of individual components of the wheelchair separately, while dynamic testing subjects the entire wheelchair to simulated real-world crash conditions. See Simms, 45 F.3d at 1001.
280 Id. at 1006–08. Petitioners argued that NHTSA had acted unlawfully in promulgating standards for the securement of wheelchairs on school buses based only on ‘‘static’’ instead of ‘‘dynamic’’ testing. Id. Static testing tests the strength of the individual components of a securement device. Id. Dynamic testing is a full systems approach that measures the forces experienced by a human surrogate (test dummy) in a simulated crash that replicates real-world conditions and assesses the combined performance of the vehicle and the securement device. Id.
281 Id. at 1005–07. NHTSA agreed that dynamic testing is the preferred approach (because it more fully and accurately represents the real-world conditions in which the desired safety performance is to be provided), but explained that it was not practicable at that time to adopt dynamic testing because there was: (1) [N]eed to develop an appropriate test dummy; (2) need to identify human tolerance levels for a handicapped child; (3) need to establish test conditions; (4) need to select a ‘‘standard’’ or surrogate wheelchair; (5) need to establish procedures for placing the wheelchair and test dummy in an effective test condition; and (6) need to develop an appropriate test buck to represent a portion of the school bus body for securement and anchorages. Id. at 1005.
282 Id. at 1010–11.


above, the Ninth Circuit found the specified coefficient test condition to be objective.283 However, simply being objective did not also make the test condition practicable. Thus, the cases show that when significant technical uncertainties and difficulties exist in a standard promulgated by NHTSA, those portions of the standard can be considered impracticable under the Safety Act.

However, the requirement that a standard be technologically feasible does not include the additional requirement that the agency show that the technology to be used to comply with the standard is already fully developed and tested at the time that the standard is promulgated. The Sixth Circuit upheld a NHTSA standard requiring ‘‘Complete Passive Protection,’’ that required the installation of as standard equipment by a future date, rejecting petitioner’s contention that NHTSA may only establish performance requirements which can be met with devices which, at the time of the rulemaking, are developed to the point that they may be readily installed.284 Relying on the legislative history of the Safety Act, the court found that the agency ‘‘is empowered to issue safety standards which require improvements in existing technology or which require the development of new technology, and is not limited to issuing standards based fully on devices already developed.’’ 285 Thus, the requirement that standards be technologically feasible is sufficiently broad that it can be satisfied by showing that new technology can be developed in time to comply with the effective date of the standard.286

Second, a standard can be considered impracticable by the courts due to economic infeasibility. This consideration primarily involves the costs imposed by a standard.287 In the instances in which a court has been called upon to assess whether a standard is economically feasible, typically with respect to an industry composed largely of relatively small businesses, the courts have asked whether or not the cost would be so prohibitive that it could cause significant harm to a well-established industry. In essence, this consideration generally establishes a non-quantified outer limit of the costs that can be reasonably imposed on regulated entities. If compliance with the standard is so burdensome, i.e., costly, so as to create a significant harm to a well-established industry, courts have generally found that the standard is impracticable in its application to that industry.

Finally, a standard might not be considered practicable if the public were not expected to accept and correctly use the technologies installed in compliance with the standard. When considering passive restraints such as automatic seatbelts, the D.C. Circuit stated that ‘‘the agency cannot fulfill its statutory responsibility [in regard to practicability] unless it considers popular reaction.’’ 288 While the agency argued in that case that public acceptance is not one of the statutory criteria that the agency must apply, the court disagreed. The court reasoned that ‘‘without public cooperation there can be no assurance that a safety system can ‘meet the need for motor vehicle safety.’ ’’ 289 Thus, as a part of the agency’s considerations, a standard issued by the agency will not be considered practicable if the technologies installed pursuant to the standard are so unpopular that there is no assurance of sufficient public cooperation to meet the safety need that the standard seeks to address.290

We believe that the proposal is consistent with these requirements. Technologically, DSRC has existed for over a decade, and is currently being used in Japan to support V2I applications and electronic toll collection. The performance requirements and test procedures being proposed to help ensure interoperability should also ensure the technological practicability of the proposal. In terms of economic practicability, NHTSA currently assumes that the cost of a DSRC standard would include costs for device hardware and software, as well as costs for the security and communications system that would be necessary in order for DSRC to function properly. As discussed in Section VII below, we estimate the likely total cost for a V2V system to the consumer (vehicle equipment costs, fuel economy impact, SCMS costs, and communication costs) at approximately $350 per new vehicle in 2020. Economic practicability requires that compliance with the standard should not be so burdensome as to create a significant harm to a well-established industry. It does not seem likely that a court would find the standards economically impracticable either for the auto industry, or for any small business interests potentially implicated, since those would more likely be in the context of aftermarket devices (phone apps and so forth), which are entirely voluntary and do not represent a mandate.

For the question of public acceptance, the main concerns with regard to the proposal likely relate to security and privacy. To address such concerns, the requirements in the proposal include tests to ensure tamper-resistance of the DSRC unit; security requirements for the messages themselves; express requirements that certain identifying information not be included in the BSMs, and so forth. We are also proposing that manufacturers alert drivers when software upgrades and patches and certificate updates are needed, and we are hopeful that such updates would be as seamless as possible.

283 Paccar, Inc. v. Nat’l Highway Traffic Safety Admin., 573 F.2d 632, 644 (9th Cir. 1978).
284 See Chrysler Corp. v. Dept. of Transp., 472 F.2d at 671–75. Stages one and two required vehicle manufacturers to provide ‘‘Complete Passive Protection’’ or one of two other options on vehicles manufactured between January 1, 1972 and August 14, 1973 (for stage one) and after August 15, 1973 (stage two). See id. at 666–67. Stage three, requiring solely ‘‘Complete Passive Protection,’’ was required by August 15, 1975. Id. at 667.
285 Id. at 673. In making its decision, the court stated [I]t is clear from the Act and its legislative history that the Agency may issue standards requiring future levels of motor vehicle performance which manufacturers could not meet unless they diverted more of their resources to producing additional safety technology than they might otherwise do. This distinction is one committed to the Agency’s discretion, and any hardships which might result from the adoption of a standard requiring . . . a great degree of developmental research, can be ameliorated by the Agency under . . . The section [that] allows the Secretary to extend the effective date beyond the usual statutory maximum of one year from the date of issuance, as he has done [here]. Id. at 673.
286 A corollary of the agency’s authority to issue technology-driving standards is that the agency can rely on data other than real-world crash data in justifying those standards. Technology that is not yet either fully developed or being installed on production vehicles cannot generate real-world performance data. Thus, in justifying the issuance of technology-driving standards, it is permissible, even necessary, for the agency to rely on analyses using experimental test data or other types of non-real world performance information in determining whether such standards ‘‘meet the need for vehicle safety.’’
287 E.g., Nat’l Truck Equip. Ass’n v. Nat’l Highway Traffic Safety Admin., 919 F.2d 1148, 1153–54 (6th Cir. 1990); Ctr. for Auto Safety v. Peck, 751 F.2d 1336, 1343 (D.C. Cir. 1985) (panel opinion by Circuit Judge Scalia).
288 Pac. Legal Found. v. Dept. of Transp., 593 F.2d 1338, 1345–46 (D.C. Cir.), cert. denied, 444 U.S. 830 (1979).
289 Id.
290 Pursuant to concerns about public acceptance of various designs, NHTSA issued a final rule in 1981 adding seat belt comfort and convenience requirements to Standard No. 208, Occupant Crash Protection. Federal Motor Vehicle Safety Standards; Improvement of Seat Belt Assemblies, 46 FR 2064 (Jan. 8, 1981) (codified at 49 CFR part 571).


With respect to comments on the agency’s authority received to the ANPRM and Readiness Report, commenters tended to support generally the agency’s authority to establish an FMVSS for V2V communications, while some commenters offered their own interpretations of what would be necessary for a standard to be consistent with the Safety Act. The Alliance, for example, argued that a proposal to mandate DSRC in new vehicles and set standards for DSRC aftermarket devices would not meet the Safety Act criteria if (1) NHTSA could not prove that the standard would improve safety as compared with not adopting a new FMVSS; (2) NHTSA did not present how a security system would be ‘‘established, funded, governed and operated’’: and (3) FCC opened the 5.9 GHz spectrum to unlicensed wireless devices and the operation of those devices resulted in harmful interference to V2X communications.291 Additionally, the Alliance underscored the importance of addressing public perception issues in order to ensure that consumers are willing to accept DSRC technology, because otherwise a mandate would not be practicable and the market failure would not be cured.292 The Alliance suggested that the agency consider working with other federal agencies with more direct experience in addressing health and privacy concerns to address potential public acceptance issues.293 Global Automakers agreed that it was important to a DSRC mandate that NHTSA work carefully with other Federal agencies (i.e., FCC and NTIA) to ensure that DSRC communications can be effective and interoperable without harmful interference.294 Toyota stated that a necessary pre-condition for a DSRC mandate was a limited deployment of a production-ready, DSRC-equipped fleet to confirm product design.295 TIA commented that any FMVSS for V2V communications should be entirely technology agnostic and focus on performance requirements (data latency, size, interoperability) that could be met by any technology, not only DSRC, and allow technologies to evolve over time.296

As discussed above, NHTSA continues to believe that the proposal is consistent with the Safety Act. As Section III.E discusses at length and as the proposed regulatory text for the proposal at the end of this preamble discuss at length, NHTSA has developed proposed requirements for DSRC performance. These sections explain: (1) What information needs to be sent to the surrounding vehicles; (2) how the vehicle needs to send that information; (3) how a vehicle shows that it is a valid source of information; and (4) how a vehicle makes sure the prior three functions work in various operational conditions (i.e., broadcast under congested conditions, detect/report misbehavior, and obtain new security materials). The proposal draws from existing voluntary standards while also explaining why a particular threshold or requirements from a voluntary standard is appropriate. Finally, the proposal includes a test method for evaluating many of these aspects of performance. Having a clear test method helps inform the public as to how the agency would evaluate compliance with any final FMVSS based on the proposal. While research is ongoing in a few areas (namely message congestion mitigation, explicit details for misbehavior detection, SCMS policies and procedures), we have described for the public the potential requirements in the proposal and the potential test methods for evaluating compliance with those requirements. We believe that the public comments that we will receive in response (coupled with the agency’s ongoing research) will produce a robust record upon which the agency can make a final decision.

We do not agree with commenters that the proposed standard must be perfectly neutral regarding technology, nor that all possible issues associated with ensuring the long-term success of V2V must be resolved prior to issuing a proposal. As explained above, case law supports the principle that an FMVSS may restrict design flexibility if certain designs would be contrary to the interests of safety. Additionally, we do not believe that waiting to issue a proposal until, for example, DSRC is more thoroughly tested in the fleet, or an SCMS is fully funded and operational, or every potential consumer concern is resolved, would be in the best interest of safety. S9 of the regulatory text, however, is directly responsive to the TIA comment requesting that the agency consider a technology agnostic approach. As covered in the discussion concerning why we are proposing to require V2V communications, for a technology like V2V, where a critical mass of equipped vehicles is needed to create the environment for safety benefits to be possible, the agency does not believe that sufficient quantities of V2V-equipped vehicles will be introduced in the market absent a mandate. By proposing this FMVSS, we aim to create an information environment which, we believe, will then enable the market to bring forth the safety, mobility, and environmental benefits that we anticipate V2V can provide. We intend to continue working closely with other Federal agencies and industry stakeholders on spectrum issues, with industry stakeholders and consumer groups and others on consumer-related concerns, and with all relevant parties on developing an SCMS to support a V2V network. We will also continue our research to improve and refine potential performance requirements and test procedures, as discussed above. Again, public comment on the proposal will facilitate our careful consideration of these issues, and we look forward to hearing from commenters on how to resolve them to best serve the interests of safety.

C. How are the regulatory alternatives consistent with our Safety Act authority?

Besides the proposal, the agency is considering two regulatory alternatives—the first, a ‘‘mandate V2V communications and safety applications’’ alternative, under which the agency also requires new vehicles to have IMA and LTA capabilities; and the second, an ‘‘if-equipped’’ alternative, that would set baseline requirements for V2V communications, but not require new vehicles to have this technology on any specific schedule. Under both the ‘‘mandate V2V communications’’ proposal and the ‘‘and safety applications’’ alternative, the phase-in rate for V2V communications for new vehicles would be 50 percent in the first required year, 75 percent in the second year, and 100 percent in the third year and beyond. We have evaluated the ‘‘and safety applications’’ alternative in terms of two different phase-in scenarios—in the first scenario, safety applications would be required for new vehicles at a phase-in rate of 0 percent—50 percent—75 percent—100 percent over four years; while in the second scenario, safety applications would be required for all new vehicles in the first year that V2V communications are required. The ‘‘if-equipped’’ alternative, on the other hand, faces much greater uncertainty regarding the technology adoption. Based on the estimated costs of V2V radios and the SCMS, and the ‘‘network’’ nature of V2V communication, the agency believes that Alternative 2 is unlikely to lead to

291 Alliance at 6–7, 13–14.
292 Alliance at 9, 14.
293 Alliance at 10.
294 Global at 11.
295 Toyota at 1.
296 TIA at 4, 5.


meaningful deployment of V2V communications. Consequently, Alternative 2 would delay, potentially for a significant period of time, the anticipated benefits of V2V communications. Furthermore, there is a high probability that the designated spectrum for V2V safety applications would be lost if a mandate was not pursued. For these reasons, the “if-equipped” alternative is not a viable alternative. Due to this, as well as to the significant uncertainty surrounding the technology adoption, the PRIA does not examine the costs and benefits for this alternative.

The “if-equipped” alternative is consistent with the agency’s Safety Act authority, which does not require NHTSA to require technology for new vehicles. It is therefore not discussed further in this section.

The agency evaluated our authority to mandate specific safety applications in the Readiness Report 297 and sought comment on that evaluation in the ANPRM.298

As discussed in the Readiness Report, an FMVSS for a safety application must include minimum requirements for its performance. This first requires a determination of what tasks the safety applications need to perform, which would vary based on the types of safety risks/crash scenarios that the application is intended to address. The agency explained in the Readiness Report that it is examining the currently-available (research-stage) performance and test metrics associated with each safety application, and analyzing these metrics against the available safety data to determine whether these metrics cover the relevant safety problem.

The Readiness Report explained that the agency envisioned that an FMVSS for one of the analyzed safety applications would set performance requirements that could be met by any technology, but that if V2V communications performance requirements made it reasonable to require more robust performance, we could require that performance if V2V communications were mandated. The agency recognized for some applications, like IMA and LTA, performance requirements can likely be met only with V2V communications-based technologies due to their ability to detect crossing-path vehicles, but for others, a variety of technologies could potentially be used.

With regard to other Safety Act requirements for an FMVSS, the Readiness Report concluded as follows:

• Meet the need for safety: FMVSSs for the V2V-based safety applications would be issued to address safety problems that continue to cause crashes in the absence of regulation or market forces driving their adoption, and would address those problems by warning drivers of dangerous conditions and triggering a response to avoid the danger. However, given that research continues at this point to develop driver-vehicle interfaces for each of the safety applications, and given that the agency was not yet able to demonstrate how effective the DVIs we may eventually mandate are at warning the drivers and inducing them to avoid the dangerous situation, our evidence could be stronger that the V2V safety applications will meet the need for safety.

• Objective test procedures and performance requirements: Test procedures and performance requirements for the V2V safety applications are still being developed, but NHTSA would ensure that any test procedures it may require would meet the criteria of being objective.

• Technological practicability: Because test procedures and requirements (including those for DVIs) are still being developed for the V2V safety applications, additional lead time could be helpful to meet eventual standards in order to ensure that manufacturers have the opportunity to work out how to comply.299 More research will be helpful in informing future assessments of technological practicability.

• Economic practicability: NHTSA currently assumes using preliminary cost estimates that the cost of standards for the V2V-based safety applications would primarily include costs for software that would be used by the vehicle to interpret V2V signals and make decisions about whether to warn the driver, as well as costs for any hardware that would be necessary to make those warnings happen via the DVI. While it seems unlikely that economic practicability would be an issue for potential safety application FMVSSs, more research to determine costs more precisely would be beneficial to this assessment.

• Public acceptance: Based on the research we have so far from the Safety Pilot, driver enthusiasm for individual V2V safety applications varies. Given that DVI requirements remain under development, and given the need for continued research to avoid a high false positive rate, more work needs to be done before we can be confident that eventual FMVSSs for V2V safety applications will not have public acceptance risks.

Commenters generally agreed with the agency’s authority to issue FMVSSs for V2V-based safety applications (both in terms of mandating their installation and regulating their performance), and also agreed that more work was likely needed before such FMVSSs would be consistent with Safety Act requirements. The Alliance, for example, agreed that NHTSA could specify levels of performance for safety applications that “indirectly eliminate[d] some forms of delivering the safety application within the motor vehicle,” but stated that much work was needed before it would be clear that an FMVSS for any safety application met Safety Act criteria.300 Global commented that DSRC should be widespread in the fleet and manufacturers should already have experience with applications before the agency should mandate them; 301 Honda provided similar comments.302 Ford commented that NHTSA should not mandate applications.303 Toyota, in contrast, stated that NHTSA should require IMA and LTA at the same time as it mandates DSRC capability, in order to speed introduction of safety benefits,304 although it also stated that any FMVSS for a safety application must meet Safety Act criteria.305 Advocates for Highway and Auto Safety provided similar comments.306 Hyundai, TIA, and Delphi commented that if the agency decided to mandate safety applications like IMA and LTA, it should ensure that standards were entirely performance-based and technology-neutral.307 A number of commenters raised concerns about the need for additional research with regard to DVIs and false positive alerts.308

297 See Readiness Report at Section IV.B.3.
298 79 FR at 49271 (Aug. 20, 2014).
299 See discussion above regarding the Sixth Circuit’s finding in Chrysler, 472 F.2d at 659, 666, and 671–75 (6th Cir. 1972).
300 Alliance at 17.
301 Global at 3.
302 Honda at 6.
303 Ford at 3–4.
304 Toyota at 1.
305 Toyota at 4.
306 Advocates at 1–2.
307 Hyundai at 2; TIA at 4; Delphi at 1.
308 Bendix at 10–11.

NHTSA agrees with some commenters that earlier introduction of safety applications would guarantee earlier achievement of safety benefits associated with V2V capability, and we also agree with other commenters that additional work would likely be necessary in order for the agency to ensure that potential FMVSSs for safety


applications were objective and practicable. Developing minimum standards for safety application performance requires a determination of what tasks the safety applications need to perform, which varies based on the types of safety risks/crash scenarios that the application is intended to address. The agency is examining the currently-available (research-stage) performance and test metrics associated with a variety of safety applications, including IMA and LTA, and analyzing these metrics against the available safety data to determine whether these metrics cover the applicable safety problem(s). Although this research is currently underway, we request comment now on whether and, if so, how the agency could design requirements to mandate certain safety applications.

In response to comments that FMVSSs should be performance-oriented and technologically neutral, we envision that each FMVSS for one of these safety applications would set performance requirements that could be met by any technology. However, if V2V communication performance requirements made it reasonable to require more robust performance, we could require that performance when V2V communication is mandated.

We continue to believe that any FMVSSs for the V2V safety applications would meet the need for safety, insofar as we would issue them to address safety problems that continue to cause crashes in the absence of regulation or market forces driving the adoption of these technologies. The safety applications are clearly intended to relate to safety—they warn drivers of dangerous conditions and are intended to promote safety by triggering a response to avoid the danger.

There are several things that the agency could do to help solidify the nexus of safety application warning and driver response. For example, and as raised by commenters, research continues at this point to develop the driver-vehicle interfaces for each of the safety applications. We will want to be able to demonstrate how effective the DVIs we may eventually mandate are at warning the drivers and inducing them to avoid the dangerous situation. We currently have reason to believe that the V2V safety applications will meet the need for safety, but additional information and analysis will make that case stronger and we request comment on this.

FMVSSs for V2V safety applications also need to be objective, meaning that they specify test procedures that are “capable of producing identical results when test conditions are exactly duplicated” (meaning that the agency and the manufacturer must be able to obtain the same result from identical tests) and performance requirements whose satisfaction is “based upon the readings obtained from measuring instruments as opposed to subjective opinions.” As discussed above, test procedures and performance requirements for the V2V safety applications are still being developed, but NHTSA would ensure that any test procedures it may require would meet the criteria of being objective, and also technologically practicable. NHTSA would provide appropriate lead time for any FMVSSs to ensure these criteria are met, as well.309 More research and additional public comment will be helpful in informing future assessments of technological practicability.

In terms of economic practicability, NHTSA currently assumes using preliminary cost estimates that the cost of standards for the V2V-based safety applications would primarily include costs for software that would be used by the vehicle to interpret V2V communications signals and make decisions about whether to warn the driver, as well as costs for any hardware that would be necessary to make those warnings happen via the DVI. As discussed above, it seems unlikely that economic practicability would be an issue for potential safety application FMVSSs, but more research to determine costs more precisely would be beneficial to this assessment.

While the Safety Pilot Model Deployment provided participating manufacturers with useful real-world experience in tuning prototype applications to maximize effectiveness and minimize false positives, DVI requirements remain under development, and more work needs to be done before we can be confident that eventual FMVSSs for V2V safety applications will not have public acceptance risks.

D. What else needs to happen in order for a V2V system to be successful?

1. SCMS

Under both the Vehicle Safety Act and the Highway Safety Act, NHTSA has other ways of affecting the parts of the V2V system that cannot be regulated directly. For example, 49 U.S.C. 30182 provides NHTSA authority to enter into contracts, grants, and cooperative agreements with a wide range of outside entities to conduct motor vehicle safety research and development activities, including activities related to new and emerging technologies. Separately, the Highway Safety Act (23 U.S.C. 401 et seq.) authorizes NHTSA to enter into contracts, grants, cooperative agreements, and other transactions for research and development activities with a similarly wide range of outside entities in “all aspects of highway and traffic safety systems . . . relating to [ ] vehicle, highway, [and] driver . . . characteristics” (sec. 403(b)), as well as collaborative research and development, on a cost-shared basis, to “encourage innovative solutions to highway safety problems” and “stimulate the marketing of new highway safety related technology by private industry” (sec. 403(c)). Because issues related to V2V are cross-cutting, spanning both the Vehicle Safety Act and the Highway Safety Act, these separate authorities provide the agency with sufficient flexibility to enter into a variety of agreements related to the development of a V2V security system (although the agency currently lacks sufficient appropriations to incur any significant Federal expenditures for these purposes).

309 See discussion above regarding the Sixth Circuit’s finding in Chrysler, 472 F.2d at 659, 666, and 671–75.
310 Under the necessary expense doctrine, an expenditure is justified if it meets a three-part test: (1) The expenditure must bear a logical relationship to the appropriation sought to be charged (i.e., it must make a direct contribution to carrying out either a specific appropriation or an authorized agency function for which more general appropriations are available); (2) the expenditure must not be prohibited by law; and (3) the expenditure must not be otherwise provided for (i.e., it must not be an item that falls within the scope of some other appropriation or statutory funding scheme. See U.S. Gen. Accounting Office, Principles of Federal Appropriations Law 4–22 (3d ed. 2004) (the “GAO Redbook”), available at http://www.gao.gov/special.pubs/3rdeditionvol1.pdf (last accessed Dec. 6, 2016).

A principle of appropriations law known as the “necessary expense doctrine” allows NHTSA to take the next step of entering into contracts or agreements to ensure the existence of sufficient communications and security systems to support deployment of V2V technologies, if V2V communications are mandated or otherwise regulated by a Federal Motor Vehicle Safety Standard or other NHTSA regulation. According to that principle, when an appropriation is made for a particular purpose, it confers on the receiving agency the authority to incur expenses necessary to carry out the purpose of the appropriation.310 Under the necessary expense doctrine, the spending agency has reasonable discretion to determine what actions are necessary to carry out the authorized agency function. Here, the agency assumes that the deployment and operation of the SCMS is necessary in order for V2V technology and on-


board equipment to function in a safe, secure and privacy-protective manner.311 As designed, V2V technology cannot operate without a sufficient security system, and absent such a security system, misbehavior by hackers or others could compromise V2V functionality and participant privacy. If the problem of “misbehavior” were sufficiently widespread, it might even cause widespread disregard of or delayed response to V2V warnings. Hence, a robust SCMS is imperative in the V2V regulatory environment.

For these reasons, in addition to NHTSA’s research, development, and collaboration authority under the Vehicle Safety Act and the Highway Safety Act, the necessary expense doctrine provides sufficient authority under the Vehicle Safety Act to take the next step of entering into agreements or contracts, either for cost or no-cost, with the goal of ensuring the existence (i.e., the development and operation) of sufficient communications and security systems to support the reliability and trustworthiness of V2V communications. As is the case under the agency’s research and development authority, discussed above, the current limiting factor is the absence of sufficient appropriations to incur any significant expenses in this regard.

NHTSA received comments to the ANPRM and Readiness Report from some stakeholders suggesting that NHTSA itself must obtain funding for and develop at least parts of the SCMS as a Federal project.312 While NHTSA agrees that we would have authority, as discussed directly above, to facilitate the development of an SCMS if we had the appropriations to do so, conditions have not changed since our issuance of the ANPRM and Readiness Report that would allow us to do so.

2. Liability

The Readiness Report discussed the issue of legal liability in the context of V2V,313 and the ANPRM sought comment on that discussion.314 For purposes of that discussion, the agency separated potential liability issues for V2V into two categories: (1) Liability associated with equipment on the vehicle, particularly warning systems that rely on V2V systems, and (2) liability associated with the SCMS.

For the first category, NHTSA stated that from a products liability standpoint, V2V safety warning technologies, analytically, are quite similar to on-board safety warnings systems found in today’s motor vehicles, and that therefore, V2V warning technologies do not create new or unbounded liability exposure for industry, because the driver remains responsible for failing to avoid a crash when the technology only warns and does not intervene. Consequently, NHTSA stated that it is not necessary, nor would it be appropriate to advocate the liability limiting agenda sought by industry in connection with potential deployment of V2V safety warning technologies via government regulation—and that, in any event, only Congress has the authority to provide the V2V-based liability relief sought by industry.

For the second category, NHTSA indicated that it was premature to take a position on the need for liability limiting mechanisms applicable to operators and owners of the SCMS, and that the appropriateness of such liability limiting/risk sharing measures will turn on: (1) The constitution and governance of the SCMS; and (2) the extent to which the primary and secondary insurance markets make insurance coverage available to SCMS entities and other owners and operators of V2V infrastructure.

NHTSA received a number of comments in response. Generally, commenters felt that NHTSA should conduct additional research on liability before proceeding with a V2V mandate, including with respect to the liability of automobile manufacturers, owners and operators of the SCMS and V2V communications and security infrastructure, and vehicle owners. While NHTSA will continue to research and analyze potential liability issues stemming from a mandated V2V System, the Agency does not believe that additional research or work with stakeholder and consultants on this issue should delay the rulemaking process or the deployment of this important new safety technology.

Bendix and Cohda agreed with the agency’s assessment of liability issues,315 while other commenters expressed less certainty on the topic and requested that the agency consider liability issues further.

Several commenters stated that additional mechanisms to limit liability are necessary before V2V can be deployed. The National Motorists Association stated that Congress needed to define liability for individual motorists and expressly distribute liability among OEMs, operators, drivers, and other public and private stakeholders.316 Infineon and Harley-Davidson similarly commented that Federal and/or state liability limitations were necessary prior to V2V rollout.317 Automotive Safety Council stated that liability should be based on “well-defined performance standards, and should align with other global standards for vehicle safety systems,” 318 while Texas DOT commented more specifically that laws will have to be enacted allowing OEMs to ‘mandate’ specific operational standards of the cars they sell.319 Meritor WABCO argued that in order to reduce liability, all involved parties needed to understand that “the V2V system is not a failsafe method to prevent crashes, the V2V system will never be in 100 percent of the motor vehicle population, and that there is a big difference between active safety systems and V2V safety applications.”

311 Potentially, under some alternatives of this proposal, the agency would not assume the future presence of an SCMS, and would leave security requirements more open. In this instance, presumably the agency would not need to ensure the existence of communications and security systems to support V2V, so the invocation of the necessary expense doctrine would not be necessary.
312 GM, at 4; Alliance, at 19.
313 See Section X of the Readiness Report.
314 79 FR at 49273 (Aug. 20, 2014).
315 Bendix at 3, Cohda at 12.
316 National Motorists Association at 1.
317 Infineon at 5, Harley-Davidson at 2–3.
318 ASC at 7.
319 TX DOT at 2.
320 Alliance at 13, 18–20; CEI at 5; Mr. Dennis at 16; Global at 23; Harley-Davidson at 2; Mercedes-Benz at 9–10.
321 Alliance at 18.
322 Mr. Dennis at 16.
323 Mercedes-Benz at 10.

A number of commenters disagreed with the agency’s assessment that V2V-based safety warnings created no additional liability than what already exists for current on-board safety warnings systems.320 The Alliance argued that V2V-based warnings are different from existing on-board-sensor-based warnings, because their operation depends on input from another manufacturer’s vehicle, because V2V is a cooperative technology, and that this changes the nature of “failure to warn” claims.321 Mr. Dennis provided similar comments.322 Mercedes-Benz stated more specifically that because V2V systems depend on the “functionality, quality, and timing of signals from surrounding vehicles,” failure to warn is no longer solely traceable to onboard sensors of the manufacturer, which will significantly increase the complexity of liability claims.323 The National Motorists Association offered several specific research topics previously cited also by the VIIC, including (1) whether, and if so, how V2V warning applications increase the risk of liability for OEMs, operators, and drivers; (2) whether owners may be legally


accountable for shutting off or failing properly to maintain V2V warning systems; and (3) whether the DVI required for V2V warnings systems will increase driver distraction in a way that could affect liability.324 The Alliance argued, in summary, that “the traditional paradigm of automotive product liability, in which driver error is presumed to be at fault most of the time, will not apply after V2V and other autonomous technologies become more prevalent.” 325 The Alliance also took the position that NHTSA’s reliance on a Risk Assessment Report prepared by the Dykema law firm was misplaced because that report assumed that a public or quasi-public entity would run V2V infrastructure when NHTSA itself had assumed that the SCMS would be private.

With regard to the agency’s assessment of liability mitigation through insurance, the Alliance argued that it did not believe insurance would necessarily be available to cover entities involved in the SCMS since no data existed yet on which to base underwriting estimates, citing cybersecurity insurance as an example of another area where the insurance industry is unwilling or hesitant to provide insurance.326 The Alliance and FCA both commented that costs associated with defending against SCMS-related lawsuits could be significant.327 On whether terms of use could limit liability for V2V, the Alliance further argued that the agency had overlooked “the strong disapproval of liability-limiting clauses in contracts with consumers,” and that while such clauses might help in “allocating risk among businesses,” they would not work for “limiting liability for negligence that allegedly causes personal injury to a consumer.” 328

Other liability issues raised by commenters included concerns about liability associated with infrastructure. Michigan DOT requested more discussion of liability issues for owners/operators of public RSE infrastructure.329 Additional potential liability sources cited by commenters included false or inaccurate sensing data,330 in-vehicle network hacking,331 and certificate revocation.332

It is clear that potential liability stemming from V2V communications is a policy issue of great concern to the automotive industry and certain other stakeholders. It also is true that V2V safety warnings rely on cooperative technology that is different than the technologies deployed in existing on-board safety warnings systems, which do not rely on data received from devices and infrastructure outside of a motor vehicle. The primary policy issues in the OEM context are whether liability related to the V2V System can be addressed by the existing product liability paradigm (i.e., statutory or common law tort principles)—and, if not, whether Congress is willing to change the existing statutory scheme for V2V-related claims in order to support deployment of V2V technology.

The agency has researched, analyzed and continues to grapple with this difficult and potentially quite broad question. We do not, as suggested by some commenters, dismiss the critical importance of potential legal liability to V2V stakeholders. We recognize fully that liability is a potential impediment to deployment of V2V technology. Nevertheless, from a policy perspective, the agency continues to believe that V2V safety warnings should not create liability risks for automobile manufacturers that differ in any meaningful way from risks posed by existing vehicle-based safety warnings systems—and that it is premature to propose or advocate the liability-limiting agendas sought by some stakeholders.

We first address some primary V2V liability risks to automotive manufacturers raised by commenters. We then discuss potential liability risks to owners and operators of SCMS entities, and the extent to which it is appropriate for NHTSA to develop or advocate liability-limiting mechanisms applicable to such providers.

(a) Potential Liability Risks to Automobile Manufacturers

Product liability law, which varies from State-to-State, generally concerns the liability of designers, manufacturers and distributors for harm caused to consumers and bystanders by “defective” or “unreasonably dangerous” products.333 The purpose of these laws is:

. . . to ensure that the costs of injuries resulting from defective products are borne by those who placed the defective products in the market, rather than the injured person. Thus, in an effort to encourage the development of safer products, the responsibility for the injuries caused by defective products is placed on those who are in the best position to guard against defects and warn of their potential dangers.334

There is a broad range of product liability theories and defenses that could be applicable to liability litigation involving the V2V System. For purposes of this discussion, we focus on the product liability theory of “failure to warn,” which the Alliance, Mr. Dennis, and Mercedes Benz raised in their respective comments. A “failure to warn” claim is based on the theory that even a properly designed and manufactured product may be defective as a result of its manufacturer’s failure to warn consumers of any dangerous characteristics in its product about which it knows or should know and which the user of the product would not ordinarily discover.335 There are four basic elements of a “failure to warn” claim:

1. The manufacturer knew or should have known of the risks inherent in the product;
2. There was no warning, or the warning provided was inadequate;
3. The absence of a warning made the product unreasonably dangerous; and
4. The failure to warn was the cause-in-fact or proximate cause of the plaintiff’s injury.336

To avoid liability for failure to warn, a product’s instructions or warnings must sufficiently alert the user to the possibility of danger.337

324 National Motorists Association at 1.
325 Alliance at 21.
326 Alliance at 20–21.
327 Alliance at 31; FCA at 2.
328 Alliance at 20.
329 Alliance at 19; MI DOT at 3.
330 Rene Struik at 2.
331 Systems Research Associates at 9.
332 Alliance at 56.
333 Dykema at 9–10.
334 Dykema at 9–10.
335 Dykema at 13.
336 Dykema at 13.
337 Dykema at 13.
338 Alliance at 18.

The Alliance, Mr. Dennis, and Mercedes-Benz all took the position that the cooperative nature of V2V safety warnings and the external data sources on which V2V warnings are based change the fundamental nature of “failure to warn” claims and make them more complex.338 It is possible—perhaps even likely—that the factual inquiry underlying a failure to warn claim will be more complex in the context of a V2V System than it would be in the context of a vehicle-based warning system. Additionally, not just message quality and timing (as noted by Mercedes-Benz), but a vehicle’s operating environment (roadway, topographic and environmental factors) may adversely affect the performance of a consumer’s V2V System. For these reasons, manufacturers’ consumer warnings and instructions will be particularly critical to the successful defense of V2V failure claims. As they have done in the context of new safety technologies such as lane-departure


warning, backover-detection warnings and forward vehicle detection systems, manufacturers will need to carefully describe the operation and limitations of V2V and V2I Systems in the safety context and in the foreseeable operating environment.339 NHTSA expects that, by appropriately warning consumers of the uses and limitations of their V2V System, automobile manufacturers can sufficiently limit their liability for failure to warn claims, despite operational differences between on-board and V2V safety warning technologies.

In the context of V2V OBE failure claims, it also may be quite difficult for consumers to prove that a vehicle’s V2V equipment caused or contributed to an accident. However, to the extent that the V2V communications proposed in this rule are used as a warning system, not a control system, then, as with existing vehicle-based warning systems, the V2V System is an aid to help drivers safely operate their vehicles. As discussed in varying places in this NPRM and the accompanying PRIA, at this time, NHTSA does not assume that V2V communications will be used as the sole basis for any safety system that exercises actual control of the vehicle. Thus, we assume that any liability concerns related to safety systems that do take control of the vehicle will not be affected by the presence of V2V.

In its comment, the Alliance stated that ‘‘conclusions about the applicability of the state of the law with respect to traditional failure to warn claims involving on-board warning technologies grossly oversimplifies the way such claims are likely to evolve in the V2X litigation.’’ 340 We agree that it is difficult for NHTSA (or anyone) to know exactly how products liability litigation will evolve in the context of V2V, V2I and V2X communications. However, NHTSA’s assessment of potential V2V liability to date has been based, in part, on risk analyses conducted by Dykema PLLC. Dykema is a -based law firm that specializes in automotive-related legal issues and provides legal services to many major automobile manufacturers. It is also the firm that the VIIC selected as its subcontractor to analyze and report on, among other legal policy topics, potential V2V-related liability risks to automobile manufacturers and public sector entities under a cooperative agreement with DOT. That said, the agency welcomes and will carefully consider the content of submissions of other legally substantive risk analyses in response to its proposal. NHTSA received no such analyses in response to the Readiness Report and ANPRM, including from the Alliance or any foreign or domestic automobile manufacturers.

On a related note, the Alliance commented that NHTSA’s reliance on Dykema’s OEM Risk Assessment Report is misplaced, as that report assumes that a public or quasi-public entity will run V2V infrastructure when NHTSA assumes that the SCMS will be private. NHTSA respectfully disagrees with the Alliance on this point. Dykema’s OEM Report contains no assumptions, explicit or implied, that would limit the utility or applicability of its analysis of OEM risk for V2V-related product liability claims. Additionally, with respect to infrastructure-based liability claims, the report specifically notes, without limitation and without referencing public ownership of such infrastructure, that ‘‘[a]lthough the structure of VII described herein focuses on a hypothetical DSRC-enabled system, the analysis and conclusions in this deliverable generally will apply to any VII network that communicates information V2V or V2I.’’ 341

Dykema’s OEM Report also notes that a lawsuit might allege that a crash was caused, in whole or in part, by a failure in the communications infrastructure supporting V2V (e.g., an RSE). However, as evidenced by the numerous lawsuits claiming that failure of a traffic light contributed to an accident, such cases typically are brought against public or quasi-public entities and not against vehicle manufacturers.342 For this reason, Dykema concluded (and NHTSA agrees) that ‘‘we would not expect alleged failures in V2V infrastructure to impact OEM liability in a significant way.’’ 343

(b) Potential Liability Risks to SCMS Owners and Operators

From NHTSA’s perspective, the critical policy issues in the SCMS context are whether concerns about liability will be a stumbling block to creation and operation of a private SCMS—and, if so, whether a need exists for DOT to work with stakeholders to develop Federal liability-limiting options that would incentivize private participation in a National SCMS.

In the Readiness Report (as in Proposal A in this document), NHTSA focused on a private model of SCMS governance that did not involve Federal funds or liability protections—but instead functioned through industry self-governance by an SCMS Manager that would work with SCMS entities to determine the appropriate distribution of liability for harm and establish minimum insurance requirements. In response, commenters such as the Alliance took the position that private insurance would not necessarily be available to cover entities involved in the SCMS since no claims data existed yet on which to base underwriting estimates, citing cybersecurity insurance as an example of another area where the insurance industry has been unwilling or hesitant to provide insurance.

The agency acknowledges that SCMS entities may not be able to obtain adequate liability insurance without Federal intervention of some sort—but it is simply too early to tell. As we noted in the Readiness Report, the extent to which the primary and secondary insurance markets will make insurance coverage available to SCMS entities will be a factor in whether DOT supports development of liability-limiting mechanism to incentivize private SCMS participants. To this end, the agency expects that the issue of liability as a potential impediment to the establishment of a National SCMS will be among the issues that NHTSA and V2V stakeholders continue to grapple with going forward—and one that DOT’s planned PKI and organizational policy research will explore fully (including through consultations with the insurance and reinsurance industries). However, due to the lack of substantive evidence that the private insurance market is unwilling to underwrite SCMS risks, NHTSA continues to believe that it is premature to take a position on the need to develop and advocate for Federal liability-limiting mechanisms for a National SCMS.

The agency also is of the view that potential liability based on failures in the SCMS may be limited substantially by lack of causation due to drivers’ roles in failing to avoid crashes. However, NHTSA wishes to clarify a comment in the Readiness Report relating to limitations on consumer liability—specifically, the statement that:

It also is not clear to the agency why an SCMS Manager could not require that individuals and entities participating in an SCMS to agree to terms of use that would limit the liability of the SCMS and its component entities, either explicitly or via the same type of instructions and explanations of system limitations that the OEMs would use to limit liability.344

339 Dykema at 35.
340 Alliance at 8.
341 Dykema at 4.
342 Dykema at 33.
343 Dykema at 33.
344 Readiness Report at 214.

In its comment, the Alliance noted that NHTSA appeared to be promoting


the use of liability limitations in terms of use agreements with consumers, which can be legally problematic and, generally, are disfavored by courts.345 To clarify, NHTSA does not sanction the use of coercive liability limitation provisions in agreements between SCMS entities and consumers. As the Alliance noted ‘‘such clauses can be effective in allocating risk among businesses’’ and the application of such clauses should be limited to entities doing business with SCMS components, not consumers.

345 Alliance, Attachment B at 3.

VII. Estimated Costs and Benefits

A. General Approach to Costs and Benefits Estimates

In this NPRM, the agency proposes that all light vehicles be equipped with technology that allows for V2V communications. The agency believes that this technology will facilitate the ‘‘free-market’’ development of various applications, both safety and non-safety related, that would not be possible without a network of devices ‘‘talking’’ to each other.

However, at this time, the agency has decided to mandate V2V technology, but not mandate any specific applications. The agency believes this is the appropriate course for several reasons. First and foremost being that the agency believes V2V communication’s cooperative nature needs a government mandate as the ‘‘spark’’ to establish a shared ‘‘open’’ platform that can be utilized to move this technology into the mainstream while not stifling potential, unforeseen innovations. In addition, the agency does not currently possess sufficient information to mandate particular safety applications, although, throughout this NPRM, we request additional information that could inform a potential decision to mandate certain applications.

This free-market approach to app development and deployment, though, makes estimating the potential benefits of V2V quite difficult. In a traditional NHTSA analysis of a safety technology, the agency would determine benefits by looking to the target population for the type of crash it is trying to avoid or mitigate and the effectiveness of the mandated performance requirement or safety technology in addressing those crashes. However, here, the technology being mandated by the agency, V2V communication, would only indirectly create safety benefits. Widespread adoption of V2V would facilitate the development of new safety applications that would not be possible otherwise, as well as help improve the performance of safety applications that already exist based on cameras or sensors. Further, V2V technology is expected to speed-up the deployment of various V2I technologies, which could have significant safety and congestion-relief applications.

The agency is confident that these technologies will be developed and deployed once V2V communications are mandated. The difficulty, though, is that the agency does not currently have sufficient information to definitively predict how or when this will occur. Thus, the agency has projected an adoption period based upon research conducted on the deployment of other advanced technologies as well as other information obtained during the development of this proposed rule. In addition, the agency demonstrates the potential safety benefits by analyzing two safety applications, IMA and LTA, both of which the agency believes are likely to lead to significant safety benefits that are likely only possible using V2V technology. The agency has therefore not quantified any benefits attributable to the range of other potential uses of V2V, although we acknowledge that such uses are likely to exist. The agency believes that, by focusing on only two of the many potential uses of V2V technology and given our experience with other technologies, we have taken a reasonable approach in estimating the potential benefits of the proposed rule and have likely understated the. The agency, though, requests comments on these assumptions to better inform the analysis that would support a final rule. Is there more detailed information concerning manufacturer’s plans to reduce safety impacts associated with widespread adoption of V2V technology applications? If so, what applications and on what timeline?

B. Quantified Costs

The agency was able to use information obtained from the V2V Readiness Report in developing the cost estimates in this proposal. Where appropriate, the V2V Readiness Report cost estimates were adjusted to align with any new information obtained by the agency such as: That provided through comments to the V2V ANPRM, experience from the SCMS RFI activity, and by developing the proposed performance requirements.

The costs and benefits are presented in two measures: Annual and by model year (MY) vehicles (MY costs). The annual costs represent the yearly financial commitment while the MY costs represent the total investment borne by the indicated MY vehicle, plus the lifetime fuel economy impact from those vehicles. In either accounting measure, the vehicle equipment, communication, and SCMS costs are assumed to be paid by new vehicle owners when their vehicles were purchased. The only difference between the two cost measures is the calculation of any potential fuel economy impact. The annual fuel economy impact measures the collective fuel impact from all V2V-equipped vehicles for a specific calendar year. In contrast, the lifetime fuel economy impact measures the fuel impact specifically for a MY vehicle through its operational life. All cost estimates are adjusted for 2014 dollars.

For this analysis, the agency is considering two potential technology implementation approaches that could meet the safety, security, and privacy specifications of the proposed rule. These two approaches are (1) utilizing one DSRC radio dedicated to V2V safety communications paired with secondary cellular, Wi-Fi, or Satellite communications (‘‘one-radio’’ approach) and (2) utilizing two DSRC radios, one dedicated to V2V safety communications and one used for secondary communications such as SCMS or other ‘‘back office’’ type communications (two-radio approach). As a result, both the annual and MY costs are presented as a range which covers the costs from these two approaches.

The following sections describe the four parts of quantified costs, followed by the summary of the total quantified costs and non-quantified costs, and estimated cost per vehicle. This normalized per vehicle cost allows a straightforward comparison between various technology approaches and regulatory alternatives. All costs were estimated under the DSRC and app sales scenario specified in the Estimated Benefits portion of this chapter—Section VII.D.

1. Component Costs

(a) Unit Costs to OEMs

As shown in Table VII–1, the total direct component costs to OEMs were estimated to be $162.77 for one DSRC radio and $229.91 for two radios. The total weight of one DSRC radio is approximately 2.91 lbs. whereas the weight of two radios is slightly heavier, about 3.23 lbs. For the two-radio approach, as previously discussed, two DSRC antennas are necessary: The first DSRC radio sends and receives the BSM, and the second radio handles security aspects of receiving certificates,


the certificate revocation list, etc. We estimated that the second radio will be $10.33 346 cheaper than the first radio since these two radios would most likely be packaged together, thereby resulting in lower labor costs in assembling the combined package at the supplier, as well as lower hardware costs in packaging them together rather than individually. Therefore, the cost for two radios would be $134.29 (= $72.31 * 2 − $10.33) instead of $144.64 (= $72.32 * 2), as shown in Table VII–1. No such assumption was made for the antenna, since the antennas have to remain physically separate in order to avoid interfering with each other.

TABLE VII–1—ESTIMATED COMPONENT UNIT WEIGHT AND COSTS TO OEMS

| Component | Costs (2012 $) | One radio: Weight (lbs) | One radio: Costs (2014 $) | Two radios: Weight (lbs) | Two radios: Costs (2014 $) |
|---|---|---|---|---|---|
| DSRC Transmitter/Receiver | 70 | 0.55 | 72.31 | 0.65 | 134.29 |
| DSRC Antenna | 5 | 0.22 | 5.17 | 0.44 | 10.33 |
| Electronic Control Unit | 45 | 0.55 | 46.49 | 0.55 | 46.49 |
| GPS | 14 | | 14.46 | | 14.46 |
| GPS Antenna | 4 | 0.22 | 4.13 | 0.22 | 4.13 |
| Wiring | 9 | 1.20 | 9.30 | 1.20 | 9.30 |
| Displays | 4.79 | 0.17 | 4.95 | 0.17 | 4.95 |
| HSM | | 0.00 | 4.65 | 0.00 | 4.65 |
| For 2 Apps | | 0.00 | 1.32 | 0.00 | 1.32 |
| Total | 151.79 | 2.91 | 162.77 | 3.23 | 229.91 |

Overall, for this analysis the vehicle equipment costs are based on an OEM integrated device built into vehicles during their manufacture. This example device includes the costs of DSRC radios, DSRC antenna, GPS, HSM, and installation of relevant equipment (DSRC radios in short) and loaded with two safety applications. With specific regard to the safety applications, the app costs include software engineering and development costs since the agency is not assuming any additional interface beyond the DVI or equipment costs for the apps. The software engineering and development costs will be shared by millions of vehicles, and thus are expected to be minimal across the fleet. The OEM integrated device is used as a basis for cost estimation as this device type provides a more accurate cost expectation associated with finalizing this proposal.

The agency also estimated potential costs for aftermarket devices that could enter the marketplace as a result of finalizing this proposal and enabling more consumers to benefit from V2V technology. As described elsewhere, aftermarket devices could be available in three distinct varieties: Retrofit, standalone, and a simple awareness device. The agency estimates that the three aftermarket device types would cost $400.28 for a retrofit device; $278.33 for a standalone device, and $101.74 for a simple awareness device.

(b) Consumer Costs

The costs in Table VII–2 reflect the costs that OEMs pay to a component (Tier 1) supplier to purchase these components for the vehicles they manufacture, not the projected cost of these systems to consumers. To obtain the consumer costs, each variable cost is multiplied by 1.51 (i.e., 51 percent markup) to estimate a retail price equivalent (RPE; i.e., consumer cost). The 51 percent markup represents fixed costs (research and development, selling and administrative costs, etc.), as well as OEM profits, transportation costs, and dealer costs and profits. Table VII–2 presents the component consumer costs. As shown, the total component costs to consumers were estimated to be $245.79 for one radio and $347.18 for two radios.

TABLE VII–2—ESTIMATED COMPONENT CONSUMER UNIT COSTS [2014 $]

| Component | One radio | Two radios |
|---|---|---|
| DSRC Transmitter/Receiver | $109.19 | $202.78 |
| DSRC Antenna | 7.80 | 15.60 |
| Electronic Control Unit | 70.19 | 70.19 |
| GPS | 21.84 | 21.84 |
| GPS Antenna | 6.24 | 6.24 |
| Wiring | 14.04 | 14.04 |
| Displays | 7.47 | 7.47 |
| HSM | 7.02 | 7.02 |
| Two Safety Applications | 2.00 | 2.00 |
| Total | 245.79 | 347.18 |

(c) Installation Costs

Component installation costs are primarily attributable to the labor needed to perform the installation, but the agency also accounts for potential, additional costs associated with materials used in the installation such as minor attachments brackets, or plastic tie downs to secure wires, etc. In Table VII–3, the installation costs are separated into ‘‘Material Costs’’ (for the minor attachments), ‘‘Labor Costs,’’ and ‘‘Variable Burden’’ (i.e., other costs that are not direct labor or direct material used in the part, but are costs that vary with the level of production, such as set-up costs, in-bound freight, perishable production tools, and electricity). Overall, the agency estimates the variable cost to OEMs to install the V2V equipment is $11.79 per vehicle and the cost to consumers will be $17.80 using a 1.51 retail price equivalent factor (e.g. markup).

346 Adjusted from the $10 in 2011 dollars that was estimated in the ANPRM.


TABLE VII–3—CONSUMER INSTALLATION COST ESTIMATES [2014 dollars]

| Part | Material | Labor | Variable | Total | Total consumer |
|---|---|---|---|---|---|
| DSRC Transmitter/Receiver | 0.04 | 1.61 | 1.04 | 2.69 | 4.06 |
| DSRC Antenna | 0.04 | 0.10 | 0.07 | 0.21 | 0.31 |
| Electronic Control Unit | 0.02 | 1.84 | 1.19 | 3.05 | 4.60 |
| GPS | 0.04 | 0.10 | 0.07 | 0.21 | 0.31 |
| GPS Antenna | 0.04 | 0.10 | 0.07 | 0.21 | 0.31 |
| Wiring | 0.19 | 0.93 | 0.60 | 1.72 | 2.59 |
| LEDs (5) Displays + Malfunction Disp. | 0.00 | 0.63 | 0.40 | 1.03 | 1.56 |
| Light Bar | 0.04 | 1.61 | 1.04 | 2.69 | 4.06 |
| HSM | 0.00 | 0.00 | 0.00 | 0.00 | 0.00 |
| Total | 0.38 | 6.92 | 4.48 | 11.79 | 17.80 |

(d) Adjustment for GPS Installation

When researching installation costs, the agency identified the need to make adjustments for GPS installation. Today, many vehicles are already equipped with GPS receivers and the percentage equipped as standard installation is likely to increase going forward. The agency estimates approximately 43 percent of MY 2013 light vehicles were equipped with GPS receivers.347 This percentage increases to approximately 50 percent when combined with the number of vehicles equipped with automatic collision notification (ACN). Current information available to the agency indicates that navigation-grade GPS units are sufficient for the V2V safety applications. In these cases, the GPS component is not a cost that is directly attributable to V2V. Overall, 50 percent of applicable vehicles would not incur costs to add GPS for V2V technology. Thus, the total cost associated with vehicles equipped with GPS (i.e., 50%) was subtracted from the total costs of equipping all applicable vehicles with V2V safety applications.

(e) Summary of Component Costs

Table VII–4 summarizes consumer costs for original equipment manufacturers (OEMs) for the first year of equipping a vehicle with V2V components. The consumer unit cost is estimated to be $249.19 for one radio and $350.57 for two radios in 2014 dollars.

TABLE VII–4—SUMMARY OF V2V COMPONENT CONSUMER COSTS PER AFFECTED VEHICLE

| Cost Items | One radio: Weight (lb.) | One radio: Consumer costs | Two-radios: Weight (lb.) | Two-radios: Consumer costs |
|---|---|---|---|---|
| Parts * | 2.91 | $245.79 | 3.23 | $347.18 |
| Installation | 0.26 | 17.74 | 0.26 | 17.74 |
| Subtotal | 3.17 | 263.53 | 3.49 | 364.92 |
| Minus Current GPS Installation ** | 0.11 | 14.35 | 0.11 | 14.35 |
| Total | 3.06 | 249.18 | 3.38 | 350.57 |

* including app software costs.
** taking into account the 50 percent GPS installation rate.

347 Ward’s Automotive Yearbook 2014, based on vehicles with factory-installed navigation systems or concierge systems.

(f) Learning Curve Effect

As manufacturers gain experience through production of the same product, they refine production techniques, better manage raw material and component sources, and assembly methods to maximize efficiency and thus reduce production unit costs. Learning curves reflect the impact of experience and volume on the cost of production and are especially evident when a completely new product is introduced to the marketplace. V2V systems are expected to be installed on a growing portion of the vehicle fleet as manufacturers ramp up to meet the proposed rule which would require 100% new vehicle installation by 2023, which is projected to be over 16 million units annually. This large scale production provides manufacturers with opportunities to reduce system costs through the learning process. Additional information on the agency’s learning curve development and the derivation for learning curves related to V2V are detailed in Chapter 7 of the PRIA that accompanies this proposed rule.

NHTSA routinely performs evaluations of the costs and benefits of safety standards that were previously issued in an effort to estimate learning curve impacts, among other economic impacts, and provide the most accurate possible information at the time a rule is proposed and finalized. To estimate costs, the agency conducts a teardown study of the technologies used to meet the standards. In some cases, the agency has performed multiple evaluations over a span of years. For example, a teardown study may be performed to support the agency’s initial estimates of costs that will result from the regulation, and again five years later to evaluate the impacts of the regulation after it has been in effect. These data, together with actual production data,


supply the necessary information required to develop a learning curve for the technology.

For V2V, the agency estimates that learning would reduce the unit cost for two radio implementations, including two safety applications, from approximately $350.57 in 2021 to $218.85 in 2060, which is about 62.5 percent. Applying the same learning pattern, the unit cost for a one radio system would decrease from $249.18 in 2021 to $155.47 in 2060. Details of how learning would affect unit costs for both one and two radio implementations can be found in Table VII–5.

TABLE VII–5—ANNUAL PROGRESS RATES AND COMPONENT UNIT COSTS AFTER LEARNING

| Year | Calendar year | Progress rates: Radio | Progress rates: Apps | Unit costs: 1 Radio | Unit costs: 2 Radio | Unit costs: Apps | Total unit costs: 1 Radio | Total unit costs: 2 Radios |
|---|---|---|---|---|---|---|---|---|
| 1 | 2021 | 1.000 | 1.000 | $247.18 | $348.57 | $2.00 | $249.18 | $350.57 |
| 2 | 2022 | 0.908 | 1.000 | 224.44 | 316.50 | 2.00 | 226.44 | 318.50 |
| 3 | 2023 | 0.853 | 0.872 | 210.95 | 297.47 | 1.74 | 212.69 | 299.22 |
| 4 | 2024 | 0.821 | 0.782 | 202.91 | 286.14 | 1.56 | 204.47 | 287.70 |
| 5 | 2025 | 0.798 | 0.726 | 197.21 | 278.10 | 1.45 | 198.66 | 279.56 |
| 6 | 2026 | 0.780 | 0.681 | 192.83 | 271.93 | 1.36 | 194.19 | 273.29 |
| 7 | 2027 | 0.766 | 0.647 | 189.27 | 266.91 | 1.29 | 190.57 | 268.21 |
| 8 | 2028 | 0.754 | 0.623 | 186.28 | 262.69 | 1.25 | 187.53 | 263.94 |
| 9 | 2029 | 0.743 | 0.606 | 183.71 | 259.07 | 1.21 | 184.92 | 260.28 |
| 10 | 2030 | 0.734 | 0.593 | 181.45 | 255.88 | 1.19 | 182.63 | 257.06 |
| 11 | 2031 | 0.726 | 0.582 | 179.44 | 253.04 | 1.16 | 180.60 | 254.20 |
| 12 | 2032 | 0.719 | 0.573 | 177.62 | 250.48 | 1.15 | 178.77 | 251.63 |
| 13 | 2033 | 0.712 | 0.565 | 175.98 | 248.16 | 1.13 | 177.11 | 249.29 |
| 14 | 2034 | 0.706 | 0.558 | 174.47 | 246.03 | 1.12 | 175.58 | 247.15 |
| 15 | 2035 | 0.700 | 0.552 | 173.07 | 244.06 | 1.10 | 174.17 | 245.17 |
| 16 | 2036 | 0.695 | 0.546 | 171.77 | 242.23 | 1.09 | 172.87 | 243.32 |
| 17 | 2037 | 0.690 | 0.541 | 170.56 | 240.52 | 1.08 | 171.64 | 241.60 |
| 18 | 2038 | 0.685 | 0.537 | 169.42 | 238.92 | 1.07 | 170.49 | 239.99 |
| 19 | 2039 | 0.681 | 0.532 | 168.35 | 237.40 | 1.06 | 169.41 | 238.47 |
| 20 | 2040 | 0.677 | 0.528 | 167.33 | 235.97 | 1.06 | 168.39 | 237.03 |
| 21 | 2041 | 0.673 | 0.525 | 166.37 | 234.61 | 1.05 | 167.42 | 235.66 |
| 22 | 2042 | 0.669 | 0.521 | 165.48 | 233.36 | 1.04 | 166.52 | 234.40 |
| 23 | 2043 | 0.666 | 0.518 | 164.64 | 232.17 | 1.04 | 165.68 | 233.21 |
| 24 | 2044 | 0.663 | 0.515 | 163.84 | 231.04 | 1.03 | 164.87 | 232.07 |
| 25 | 2045 | 0.660 | 0.512 | 163.07 | 229.96 | 1.02 | 164.09 | 230.98 |
| 26 | 2046 | 0.657 | 0.509 | 162.33 | 228.92 | 1.02 | 163.35 | 229.94 |
| 27 | 2047 | 0.654 | 0.507 | 161.63 | 227.93 | 1.01 | 162.64 | 228.94 |
| 28 | 2048 | 0.651 | 0.504 | 160.95 | 226.97 | 1.01 | 161.96 | 227.98 |
| 29 | 2049 | 0.649 | 0.502 | 160.30 | 226.05 | 1.00 | 161.30 | 227.05 |
| 30 | 2050 | 0.646 | 0.500 | 159.67 | 225.16 | 1.00 | 160.67 | 226.16 |
| 31 | 2051 | 0.644 | 0.498 | 159.07 | 224.31 | 1.00 | 160.06 | 225.31 |
| 32 | 2052 | 0.641 | 0.496 | 158.48 | 223.49 | 0.99 | 159.48 | 224.48 |
| 33 | 2053 | 0.639 | 0.494 | 157.93 | 222.70 | 0.99 | 158.91 | 223.69 |
| 34 | 2054 | 0.637 | 0.492 | 157.39 | 221.94 | 0.98 | 158.37 | 222.93 |
| 35 | 2055 | 0.635 | 0.490 | 156.87 | 221.21 | 0.98 | 157.85 | 222.19 |
| 36 | 2056 | 0.633 | 0.488 | 156.36 | 220.50 | 0.98 | 157.34 | 221.48 |
| 37 | 2057 | 0.631 | 0.486 | 155.88 | 219.82 | 0.97 | 156.85 | 220.79 |
| 38 | 2058 | 0.629 | 0.485 | 155.41 | 219.15 | 0.97 | 156.38 | 220.12 |
| 39 | 2059 | 0.627 | 0.483 | 154.95 | 218.51 | 0.97 | 155.92 | 219.48 |
| 40 | 2060 | 0.625 | 0.482 | 154.51 | 217.89 | 0.96 | 155.47 | 218.85 |

Table VII–6 summarizes the total annual vehicle component costs. As shown, total annual vehicle component costs would range from $2.0 billion to $4.9 billion. The cost per vehicle would range from $123.59 to $297.65. The lower bound is for one radio at year 2021 and the higher bound is the cost for two radios in 2023. In 2023, 100 percent of vehicles would be required to be equipped with the DSRC radios and more vehicles would be expected to have apps. Although the projected number of new vehicles that would have DSRC radios and safety applications continues to increase after 2023, the additional costs are offset by the falling component costs.

(g) Annual Component Costs

In Table VII–6, presented below, the cost per vehicle is the average cost spread across all new vehicles, not just affected vehicles. Due to the proposed phase-in schedule, the cost per vehicle in 2021 and 2022 is significantly lower than the unit cost shown in Table VII–5. Furthermore, the agency predicts complete safety application deployment would not be achieved until 2028, resulting in a slightly lower cost per vehicle for 2023 to 2027 than that shown in Table VII–2.


TABLE VII–6—TOTAL ANNUAL VEHICLE COMPONENT COSTS [2014 $ and vehicles in millions]

| Year | Calendar year | Vehicles with Radios | Vehicles with Apps | Total costs (Radios + Apps): 1 Radio | Total costs (Radios + Apps): 2 Radios | Cost per vehicle: 1 Radio | Cost per vehicle: 2 Radios |
|---|---|---|---|---|---|---|---|
| 1 | 2021 | 8.10 | 0.00 | $2,000.92 | $2,821.67 | $123.59 | $174.29 |
| 2 | 2022 | 12.26 | 0.61 | 2,751.72 | 3,879.94 | 168.40 | 237.45 |
| 3 | 2023 | 16.44 | 1.64 | 3,470.84 | 4,893.35 | 211.12 | 297.65 |
| 4 | 2024 | 16.53 | 4.13 | 3,360.54 | 4,736.34 | 203.30 | 286.53 |
| 5 | 2025 | 16.67 | 6.67 | 3,297.19 | 4,645.68 | 197.79 | 278.68 |
| 6 | 2026 | 16.75 | 10.89 | 3,244.74 | 4,569.60 | 193.72 | 272.81 |
| 7 | 2027 | 16.88 | 15.19 | 3,214.60 | 4,525.12 | 190.44 | 268.08 |
| 8 | 2028 | 17.03 | 17.03 | 3,193.60 | 4,494.87 | 187.53 | 263.94 |
| 9 | 2029 | 17.13 | 17.13 | 3,167.72 | 4,458.56 | 184.92 | 260.28 |
| 10 | 2030 | 17.30 | 17.30 | 3,159.58 | 4,447.19 | 182.63 | 257.06 |
| 11 | 2031 | 17.44 | 17.44 | 3,149.66 | 4,433.29 | 180.60 | 254.20 |
| 12 | 2032 | 17.56 | 17.56 | 3,139.20 | 4,418.61 | 178.77 | 251.63 |
| 13 | 2033 | 17.67 | 17.67 | 3,129.51 | 4,405.01 | 177.11 | 249.29 |
| 14 | 2034 | 17.84 | 17.84 | 3,132.41 | 4,409.12 | 175.58 | 247.15 |
| 15 | 2035 | 18.00 | 18.00 | 3,135.14 | 4,412.99 | 174.17 | 245.17 |
| 16 | 2036 | 18.16 | 18.16 | 3,139.24 | 4,418.78 | 172.87 | 243.32 |
| 17 | 2037 | 18.34 | 18.34 | 3,147.91 | 4,431.00 | 171.64 | 241.60 |
| 18 | 2038 | 18.49 | 18.49 | 3,152.45 | 4,437.40 | 170.49 | 239.99 |
| 19 | 2039 | 18.66 | 18.66 | 3,161.27 | 4,449.84 | 169.41 | 238.47 |
| 20 | 2040 | 18.87 | 18.87 | 3,177.54 | 4,472.75 | 168.39 | 237.03 |
| 21 | 2041 | 19.14 | 19.14 | 3,204.34 | 4,510.49 | 167.42 | 235.66 |
| 22 | 2042 | 18.56 | 18.56 | 3,090.70 | 4,350.52 | 166.52 | 234.40 |
| 23 | 2043 | 18.66 | 18.66 | 3,091.52 | 4,351.69 | 165.68 | 233.21 |
| 24 | 2044 | 18.76 | 18.76 | 3,092.91 | 4,353.66 | 164.87 | 232.07 |
| 25 | 2045 | 18.87 | 18.87 | 3,096.45 | 4,358.65 | 164.09 | 230.98 |
| 26 | 2046 | 18.97 | 18.97 | 3,098.81 | 4,361.98 | 163.35 | 229.94 |
| 27 | 2047 | 19.08 | 19.08 | 3,103.22 | 4,368.19 | 162.64 | 228.94 |
| 28 | 2048 | 19.18 | 19.18 | 3,106.39 | 4,372.65 | 161.96 | 227.98 |
| 29 | 2049 | 19.28 | 19.28 | 3,109.91 | 4,377.61 | 161.30 | 227.05 |
| 30 | 2050 | 19.39 | 19.39 | 3,115.37 | 4,385.30 | 160.67 | 226.16 |
| 31 | 2051 | 19.39 | 19.39 | 3,103.57 | 4,368.70 | 160.06 | 225.31 |
| 32 | 2052 | 19.39 | 19.39 | 3,092.23 | 4,352.74 | 159.48 | 224.48 |
| 33 | 2053 | 19.39 | 19.39 | 3,081.32 | 4,337.38 | 158.91 | 223.69 |
| 34 | 2054 | 19.39 | 19.39 | 3,070.79 | 4,322.57 | 158.37 | 222.93 |
| 35 | 2055 | 19.39 | 19.39 | 3,060.63 | 4,308.27 | 157.85 | 222.19 |
| 36 | 2056 | 19.39 | 19.39 | 3,050.82 | 4,294.46 | 157.34 | 221.48 |
| 37 | 2057 | 19.39 | 19.39 | 3,041.33 | 4,281.11 | 156.85 | 220.79 |
| 38 | 2058 | 19.39 | 19.39 | 3,032.14 | 4,268.17 | 156.38 | 220.12 |
| 39 | 2059 | 19.39 | 19.39 | 3,023.24 | 4,255.64 | 155.92 | 219.48 |
| 40 | 2060 | 19.39 | 19.39 | 3,014.60 | 4,243.49 | 155.47 | 218.85 |

2. Communication Costs

(a) Methodology

The communication cost estimates are based on the same model created by Booz Allen Hamilton under the contract with the DOT’s Intelligent Transportation Systems Joint Program and used for the V2V Readiness Report. The model, Cost Model for Communications Data Delivery System (CDDS), is a Microsoft Excel-based model.348

The communication cost estimates include the cost of in-vehicle communication components and any service fee that would be required with a specific communication network. For system design, four communication network technologies were evaluated for the CDDS: cellular, Wi-Fi, Satellite, and DSRC. The four technologies can be combined in various ways to form the communication system to support the vehicle to SCMS communication activities. The CDDS report and various cost estimates were published in the V2V Readiness Report and referenced specifically in the ANPRM in an effort to gather feedback on the estimated costs.

In response to the V2V ANPRM, and the Request for Interest (RFI) regarding the SCMS, the agency received information and feedback on cellular and satellite and how these technologies can support national V2V deployment.349 These new findings led the agency to conclude that two systems can meet the proposed security requirements:

• Hybrid—This system would use cellular, Wi-Fi, and satellite for vehicles to SCMS communication.
• DSRC—This protocol would use DSRC exclusively for V2V communications and for vehicles to SCMS communications through Roadside Equipment (RSE).

348 Docket No. NHTSA–2014–0022.
349 Docket No. NHTSA–2014–0023.

The hybrid system allows for the potential use of the three communication mediums cellular, Wi-Fi, and satellite. Each serves as a complement system to the other. In an effort to address potential security concerns, the agency added the cost of an in-vehicle hardware security module (HSM). The HSM, based on agency conversations with security experts, can potentially address the over-the-air communication security issues. Furthermore, the agency also recognized that satellite communication will not be

VerDate Sep<11>2014 23:49 Jan 11, 2017 Jkt 241001 PO 00000 Frm 00121 Fmt 4701 Sfmt 4702 E:\FR\FM\12JAP2.SGM 12JAP2 srobinson on DSK5SPTVN1PROD with PROPOSALS2 3974 Federal Register / Vol. 82, No. 8 / Thursday, January 12, 2017 / Proposed Rules

as expensive as detailed in the BAH two DSRC radios would be required for strategic highways, major network estimates since 70 percent of light this DSRC-exclusive communication connectors, and intermodal connectors. vehicles are currently equipped satellite system. BAH then used spatial optimization radio receivers. Since only 30 percent of BAH estimated the potential number and information from the 2009 National vehicles will need satellite radio of RSUs needed to support a national Household Transportation Survey receivers reduces the overall component deployment. First, RSU deployment was (NHTS) to estimate the required number cost for satellite communication in considered on three different road types: of RSE to achieve the desired amount of reduced increasing its viability. secondary roads, interstate highways, coverage. The usage of NHS roads (with A DSRC-exclusive system would and National Highway System roads 19,749 sites) was deemed the most communicate with SCMS through RSUs, (NHS). Each type is defined by BAH as logical because it achieves greater small ‘‘base stations’’ that allow vehicles the following: 350 coverage than the interstate option (with to ‘‘phone home’’ using DSRC. A • Secondary roads refer to collector 8,880 sites) while also requiring fewer separate DSRC antenna will be used roads, State highways, and county RSE than secondary roads (with 149,434 exclusively for communicating updates highways that connect smaller towns, sites) to achieve the same coverage, as ensuring continual ‘‘listening’’ for safety subdivisions, and neighborhoods. shown below in Figure VII–1. As component update related • Interstate highways are the network shown, NHS roads are the most realistic communications,. This dedicated DSRC of freeways that make up Dwight D. 
scenario, though secondary roads could communication channel would exist in Eisenhower National System of achieve more coverage given more addition to the dedicated V2V safety Interstate and Defense Highways. resources. Ultimately, the NHS road communications channel used for V2V • The NHS roads are the collection of deployment method was deemed to be safety communications, and, therefore, interstate highways, principal arteries, the most realistic.

350 BAH CDDS Final Report, at 27. See Docket No. NHTSA–2014–0022.

(b) Assumptions

The agency applied the assumptions used in the CDDS model to estimate communication costs. These comprehensive assumptions included the length of initial new certificate deployment period, the certificate download size and frequency at the full system deployment, the potential device misbehavior rate, and the potential size of a certificate revocation list. The cost model also considered the costs that relate to the three communication technologies used in the Hybrid approach: Cellular data rate, cellular component cost in the vehicles, Wi-Fi component costs, satellite data rate, and satellite radio cost. It is also necessary to consider the cost of road side units for the DSRC-exclusive approach system. The agency notes that while not included in these estimates, there is potential for road side unit costs to not be borne solely by a V2V system. Road side units may also be deployed in accordance with guidance from the Federal Highway Administration (FHWA) as signaling and related traffic control equipment undergoes normal upgrades. Overall, unless otherwise stated, all cost calculations have been made with the assumptions found in Table VII–7 and are estimated over a 40-year timeframe. Additional details on the communication cost assumptions can be found in Chapter VII of the PRIA. The agency requests comment on these assumptions.

TABLE VII–7—COST ASSUMPTIONS BY COMMUNICATION OPTIONS

Cost factors | Component | Hybrid | DSRC

Certificate
 | Certificate Option | 3,000 per bundle | 3,000 per bundle
 | Certificate Phase-In Period | 3 years | 3 years
 | Certificate Download Frequency at Full Deployment | Every 3 years | Every 3 years

Misbehavior
 | Misbehavior Rate | 0.10% | 0.10%
 | CRL Type | Satellite/Incremental | Incremental

Communication Technology
Cellular | Cellular Data Price | $4.00/GB | NA
 | Cellular Component Cost Per Vehicle | $10.00 | NA
 | Fraction of Data Shifted from Cellular | 67% | NA
Wi-Fi | Wi-Fi Component Cost per Vehicle | $2.00 | NA
Satellite | Satellite Data Price | $1.60/GB | NA
 | Satellite Component Cost per Vehicle | $6.00 | NA
Three Above Combined | Annual Technology Component Replacement Rate | 2% | NA
RSE | RSE Component per Vehicle | NA | Included in the DSRC radios
 | # Nationwide RSEs | NA | 19,750
 | RSE Structure Supporting Cost | NA | $8,839
 | RSE Replacement Cost | NA | $22,719
 | RSE Installation Phase-in | 16 years | NA
 | RSE Life | NA | 15 years

(c) Hybrid Option Costs

The agency estimates the annual overall costs for the Hybrid communication option would range from approximately $148 million in Year 1 to approximately $490 million at Year 40. On a per vehicle basis, this equates to $9.18 in Year 1 to $25.47 after 40 years. The detailed estimated annual communication costs are shown in Table VII–8. The cost increase over time represents the increases in certificate distributions and SCMS communications as fleet penetration increases.

It is important to note the table reflects zero satellite and cellular data costs for the first three years. This zero cost results from the assumption that vehicles will be pre-loaded with three years of security certificates, reflecting that communication between vehicles and SCMS will be very limited during this time period. In addition, the acknowledged certificate revocations lists would be transmitted to vehicles during this time but, overall, the estimated misbehavior rate of 0.1 percent, combined with an anticipated, small revocation list size, would not have a substantive impact on communication costs.

TABLE VII–8—ESTIMATED ANNUAL COMMUNICATION COSTS AND PER VEHICLE COSTS—HYBRID

Year | Calendar year | RSE | OBE | Data cost: Satellite | Data cost: Cellular | Total | Cost per vehicle
1 | 2021 | $0 | $148,624,200 | $0 | $0 | $148,624,200 | $9.18
2 | 2022 | 0 | 213,159,926 | 0 | 0 | 213,159,926 | 13.05
3 | 2023 | 0 | 309,000,919 | 0 | 0 | 309,000,919 | 18.80
4 | 2024 | 0 | 316,361,705 | 14,502 | 5,964,604 | 322,340,811 | 19.50
5 | 2025 | 0 | 324,585,446 | 20,225 | 7,771,778 | 332,377,450 | 19.94
6 | 2026 | 0 | 331,663,749 | 26,516 | 9,558,220 | 341,248,485 | 20.37
7 | 2027 | 0 | 339,583,781 | 33,316 | 11,326,199 | 350,943,297 | 20.79
8 | 2028 | 0 | 347,798,557 | 41,044 | 13,073,502 | 360,913,103 | 21.19
9 | 2029 | 0 | 355,008,739 | 49,204 | 14,787,665 | 369,845,609 | 21.59
10 | 2030 | 0 | 363,357,905 | 57,691 | 16,463,486 | 379,879,082 | 21.96
11 | 2031 | 0 | 370,982,194 | 66,319 | 18,080,731 | 389,129,243 | 22.31
12 | 2032 | 0 | 378,019,671 | 74,932 | 19,626,112 | 397,720,714 | 22.65
13 | 2033 | 0 | 384,620,645 | 83,389 | 21,090,223 | 405,794,257 | 22.97
14 | 2034 | 0 | 392,045,404 | 91,615 | 22,473,154 | 414,610,174 | 23.24
15 | 2035 | 0 | 399,021,900 | 99,529 | 23,771,089 | 422,892,517 | 23.49
16 | 2036 | 0 | 405,714,525 | 107,044 | 24,979,082 | 430,800,651 | 23.72
17 | 2037 | 0 | 412,479,551 | 114,107 | 26,095,952 | 438,689,610 | 23.92
18 | 2038 | 0 | 418,390,535 | 120,627 | 27,113,321 | 445,624,483 | 24.10
19 | 2039 | 0 | 424,344,445 | 126,553 | 28,030,229 | 452,501,226 | 24.25
20 | 2040 | 0 | 430,726,546 | 131,916 | 28,854,679 | 459,713,141 | 24.36
21 | 2041 | 0 | 437,935,982 | 136,760 | 29,599,075 | 467,671,817 | 24.43
22 | 2042 | 0 | 429,324,211 | 140,688 | 30,178,332 | 459,643,231 | 24.77
23 | 2043 | 0 | 432,732,888 | 144,189 | 30,688,025 | 463,565,102 | 24.84
24 | 2044 | 0 | 435,960,956 | 147,346 | 31,140,495 | 467,248,797 | 24.91
25 | 2045 | 0 | 439,237,664 | 150,263 | 31,551,344 | 470,939,271 | 24.96
26 | 2046 | 0 | 442,230,479 | 153,002 | 31,929,276 | 474,312,757 | 25.00
27 | 2047 | 0 | 445,334,157 | 155,668 | 32,285,302 | 477,775,127 | 25.04
28 | 2048 | 0 | 448,190,015 | 158,253 | 32,619,841 | 480,968,109 | 25.08
29 | 2049 | 0 | 450,983,531 | 160,763 | 32,934,626 | 484,078,920 | 25.11
30 | 2050 | 0 | 453,904,155 | 163,206 | 33,232,654 | 487,300,015 | 25.13
31 | 2051 | 0 | 454,730,556 | 165,503 | 33,494,491 | 488,390,550 | 25.19
32 | 2052 | 0 | 455,469,747 | 167,722 | 33,728,697 | 489,366,166 | 25.24
33 | 2053 | 0 | 456,124,543 | 169,851 | 33,936,162 | 490,230,556 | 25.28
34 | 2054 | 0 | 456,712,926 | 171,880 | 34,122,586 | 491,007,391 | 25.32
35 | 2055 | 0 | 457,234,600 | 173,792 | 34,287,873 | 491,696,266 | 25.36
36 | 2056 | 0 | 457,690,833 | 175,587 | 34,432,426 | 492,298,846 | 25.39
37 | 2057 | 0 | 458,084,204 | 177,260 | 34,557,062 | 492,818,527 | 25.42
38 | 2058 | 0 | 458,395,516 | 178,752 | 34,655,698 | 493,229,966 | 25.44
39 | 2059 | 0 | 458,655,327 | 180,143 | 34,738,017 | 493,573,487 | 25.46
40 | 2060 | 0 | 458,874,218 | 181,461 | 34,807,370 | 493,863,049 | 25.47

(d) DSRC Option Costs

Table VII–9 summarizes the estimated annual communication costs for the DSRC exclusive approach. Estimates for this option show a range of $0 at Year 1 increasing to an approximate $177 million annual average by Year 40. When viewed from a per vehicle basis, the costs range from $0 in the first year to approximately $9 annual average in the out years. An important note with this communication option is the need to include road side unit replacement based on the assumed 15-year life span of this equipment; Years 19 and 34 reflect the annual cost of replacing this equipment.

TABLE VII–9—ESTIMATED ANNUAL COMMUNICATION COSTS AND PER VEHICLE COSTS—DSRC

Year | Calendar year | RSE | OBE | Data cost: Satellite | Data cost: Cellular | Total | Cost per vehicle
1 | 2021 | $0 | $0 | $0 | $0 | $0 | $0.00
2 | 2022 | 0 | 0 | 0 | 0 | 0 | 0.00
3 | 2023 | 0 | 0 | 0 | 0 | 0 | 0.00
4 | 2024 | 186,090,367 | 0 | 0 | 0 | 186,090,367 | 11.26
5 | 2025 | 85,882,056 | 0 | 0 | 0 | 85,882,056 | 5.15
6 | 2026 | 95,733,225 | 0 | 0 | 0 | 95,733,225 | 5.72
7 | 2027 | 105,584,395 | 0 | 0 | 0 | 105,584,395 | 6.25
8 | 2028 | 115,435,565 | 0 | 0 | 0 | 115,435,565 | 6.78
9 | 2029 | 125,286,734 | 0 | 0 | 0 | 125,286,734 | 7.31
10 | 2030 | 135,137,904 | 0 | 0 | 0 | 135,137,904 | 7.81
11 | 2031 | 144,989,074 | 0 | 0 | 0 | 144,989,074 | 8.31
12 | 2032 | 154,840,243 | 0 | 0 | 0 | 154,840,243 | 8.82
13 | 2033 | 164,691,413 | 0 | 0 | 0 | 164,691,413 | 9.32
14 | 2034 | 174,542,583 | 0 | 0 | 0 | 174,542,583 | 9.78
15 | 2035 | 184,393,752 | 0 | 0 | 0 | 184,393,752 | 10.24
16 | 2036 | 168,543,441 | 0 | 0 | 0 | 168,543,441 | 9.28
17 | 2037 | 147,767,545 | 0 | 0 | 0 | 147,767,545 | 8.06
18 | 2038 | 147,767,545 | 0 | 0 | 0 | 147,767,545 | 7.99
19 | 2039 | 252,465,284 | 0 | 0 | 0 | 252,465,284 | 13.53
20 | 2040 | 177,681,184 | 0 | 0 | 0 | 177,681,184 | 9.42
21 | 2041 | 177,681,184 | 0 | 0 | 0 | 177,681,184 | 9.28
22 | 2042 | 177,681,184 | 0 | 0 | 0 | 177,681,184 | 9.57
23 | 2043 | 177,681,184 | 0 | 0 | 0 | 177,681,184 | 9.52
24 | 2044 | 177,681,184 | 0 | 0 | 0 | 177,681,184 | 9.47
25 | 2045 | 177,681,184 | 0 | 0 | 0 | 177,681,184 | 9.42
26 | 2046 | 177,681,184 | 0 | 0 | 0 | 177,681,184 | 9.37
27 | 2047 | 177,681,184 | 0 | 0 | 0 | 177,681,184 | 9.31
28 | 2048 | 177,681,184 | 0 | 0 | 0 | 177,681,184 | 9.26
29 | 2049 | 177,681,184 | 0 | 0 | 0 | 177,681,184 | 9.22
30 | 2050 | 177,681,184 | 0 | 0 | 0 | 177,681,184 | 9.16
31 | 2051 | 162,724,365 | 0 | 0 | 0 | 162,724,365 | 8.39
32 | 2052 | 147,767,545 | 0 | 0 | 0 | 147,767,545 | 7.62
33 | 2053 | 147,767,545 | 0 | 0 | 0 | 147,767,545 | 7.62
34 | 2054 | 252,465,284 | 0 | 0 | 0 | 252,465,284 | 13.02
35 | 2055 | 177,681,184 | 0 | 0 | 0 | 177,681,184 | 9.16
36 | 2056 | 177,681,184 | 0 | 0 | 0 | 177,681,184 | 9.16
37 | 2057 | 177,681,184 | 0 | 0 | 0 | 177,681,184 | 9.16
38 | 2058 | 177,681,184 | 0 | 0 | 0 | 177,681,184 | 9.16
39 | 2059 | 177,681,184 | 0 | 0 | 0 | 177,681,184 | 9.16
40 | 2060 | 177,681,184 | 0 | 0 | 0 | 177,681,184 | 9.16

(e) Communication Cost Summary

Comparing the two communication options evaluated in this proposal yields a sharp cost difference between the Hybrid and DSRC option, a difference of approximately $325 million annually at full deployment. Exploiting the “free” usage of the allocated DSRC spectrum appears to provide clear advantages to consumers and the overall system sustainability. Challenges deploying the approach, however, are in the physical placement of the road side units across the nation in a timely manner. Leveraging the existing cellular and satellite network poses a clear advantage to accelerating deployment in the fleet.

(f) Included SCMS Costs

The agency developed cost estimates for a potential SCMS based on additional research and modeling conducted by BAH, like the CDDS model used for communication cost estimation. The agency determined that it was appropriate to make some minor adjustments to the cost model based on updated information obtained between development of the original model and in preparation for this proposal. More specifically, the agency updated the model with changes to project salaries, compensation costs, and by including costs needed for establishing the SCMS (Year 0).

Salaries were revised using the most current data from Occupational Employment Statistics (OES) 351 published by the Bureau of Labor Statistics (BLS) May 2014. In addition, the agency mapped new/revised BLS job categories to those originally used by BAH. Compensation costs in the BAH model were revised to align with newer information indicating that the average hourly wages for all workers in private industry is $21.94 and the average total benefit is $9.71, where the total benefits are 44.3 percent of the wages.352 The 44.3 percentage is significantly higher than the 25 percent used in the SCMS cost model and the agency believed it was appropriate to revise these values to accurately reflect compensation values. Finally, including Year 0 costs for the SCMS added $20.8 million as a one-time cost. The Year 0 costs include the design of the SCMS facilities, land preparation, power source redundancy, power line installation, and other facility characteristics that are necessary, and in some cases unique, for a successful SCMS operation. This new, added cost was amortized over 20 years which the agency believes is reasonable considering the long term commitment associated with SCMS development and operation.

To estimate the annual total costs for the entire SCMS, the agency first examined the costs for each of the 10 component functions of the SCMS. For each function, the costs comprised five expenditure categories: Hardware Purchase, Software Purchase, Software Operation and Maintenance (O&M), Initial Facility Costs, Annual Facility Costs, and Full Time Equivalent (FTE) Costs. The SCMS model identified several locations that could be used to establish an SCMS as a way to develop facility cost averages. The averages are based on six geographically and demographically varying areas: Metro DC, Richland, WA, Denver, CO, Chicago, IL, San Antonio, TX, and Gastonia, NC. The key cost components evaluated are labor costs, energy costs, land cost, and monthly rent.

Table VII–10 and Table VII–11 show the estimated SCMS costs by specific SCMS function, the total costs, and the per vehicle cost. Any equipment related costs are adjusted for learning. As shown, the total estimated SCMS costs range from $39.1 million in the first year to $160.1 million in year 40 with per vehicle cost ranging from $2.42 to $8.29.

The agency requests comment on its assumptions concerning potential SCMS costs. In particular, how would different approaches to the design of the SCMS affect the costs of operating the system? In addition, how would the costs of the SCMS be passed along to consumers?

351 MSA_M2014 File as May 2014, www.bls.gov/oes.
352 Based on the News Release on, EMPLOYER COSTS FOR EMPLOYEE COMPENSATION, March 2015 (2015 USDL–15–1132) Table 5 (page 10), released June 10, 2015, http://www.bls.gov/news.release/pdf/ecec.pdf.

TABLE VII–10—SCMS COSTS BY FUNCTION

Year | Calendar year | PCA | RA | LA | MA | LOP | ECA
1 | 2021 | $4,708,025 | $10,358,634 | $987,277 | $3,679,694 | $2,332,410 | $4,381,260
2 | 2022 | 4,672,050 | 10,270,907 | 988,020 | 3,658,706 | 2,311,587 | 4,343,622
3 | 2023 | 4,677,281 | 10,274,580 | 990,346 | 3,658,847 | 2,312,044 | 4,343,622
4 | 2024 | 4,687,633 | 10,281,935 | 995,076 | 3,659,125 | 2,312,536 | 4,343,622
5 | 2025 | 6,728,645 | 13,103,893 | 1,740,502 | 3,889,204 | 2,771,798 | 4,781,464
6 | 2026 | 4,724,254 | 10,308,046 | 1,011,781 | 3,660,108 | 2,313,639 | 4,343,622
7 | 2027 | 4,744,931 | 10,322,789 | 1,021,213 | 3,660,663 | 2,314,203 | 4,343,622
8 | 2028 | 4,765,448 | 10,337,418 | 1,030,571 | 3,661,213 | 2,314,761 | 4,343,622
9 | 2029 | 4,785,584 | 10,351,775 | 1,039,756 | 3,661,753 | 2,315,308 | 4,343,622
10 | 2030 | 10,510,180 | 16,401,748 | 4,799,128 | 4,179,494 | 3,682,299 | 4,781,464
11 | 2031 | 9,308,218 | 14,856,461 | 9,073,569 | 5,441,652 | 4,543,859 | 4,343,622
12 | 2032 | 9,327,079 | 14,869,909 | 9,082,173 | 5,442,159 | 4,544,359 | 4,343,622
13 | 2033 | 9,345,391 | 14,882,966 | 9,090,526 | 5,442,650 | 4,544,835 | 4,343,622
14 | 2034 | 9,363,032 | 14,895,544 | 9,098,573 | 5,443,123 | 4,545,288 | 4,343,622
15 | 2035 | 14,419,003 | 20,996,845 | 12,930,027 | 5,772,704 | 5,912,422 | 4,781,464
16 | 2036 | 9,395,586 | 14,918,755 | 9,113,422 | 5,443,997 | 4,546,114 | 4,343,622
17 | 2037 | 9,410,421 | 14,929,333 | 9,120,189 | 5,444,395 | 4,546,484 | 4,343,622
18 | 2038 | 9,424,185 | 14,939,146 | 9,126,467 | 5,444,764 | 4,546,824 | 4,343,622
19 | 2039 | 9,436,904 | 14,948,215 | 9,132,269 | 5,445,106 | 4,547,132 | 4,343,622
20 | 2040 | 18,633,720 | 24,737,954 | 15,746,265 | 6,126,542 | 7,214,409 | 4,781,464
21 | 2041 | 13,918,676 | 19,420,803 | 13,587,376 | 7,223,691 | 6,773,241 | 4,343,622
22 | 2042 | 13,927,310 | 19,426,959 | 13,591,314 | 7,223,922 | 6,773,441 | 4,343,622
23 | 2043 | 13,935,979 | 19,433,140 | 13,595,268 | 7,224,155 | 6,773,625 | 4,343,622
24 | 2044 | 13,943,871 | 19,438,767 | 13,598,868 | 7,224,367 | 6,773,790 | 4,343,622
25 | 2045 | 22,174,444 | 29,152,824 | 20,355,009 | 7,633,697 | 9,489,116 | 4,781,464
26 | 2046 | 13,955,521 | 19,447,074 | 13,604,182 | 7,224,679 | 6,774,061 | 4,343,622
27 | 2047 | 13,960,466 | 19,450,599 | 13,606,438 | 7,224,812 | 6,774,181 | 4,343,622
28 | 2048 | 13,964,937 | 19,453,788 | 13,608,477 | 7,224,932 | 6,774,292 | 4,343,622
29 | 2049 | 13,969,051 | 19,456,721 | 13,610,354 | 7,225,042 | 6,774,396 | 4,343,622
30 | 2050 | 26,815,885 | 33,350,158 | 23,655,970 | 8,045,813 | 11,171,981 | 4,781,464
31 | 2051 | 18,425,034 | 23,909,622 | 18,057,646 | 9,002,835 | 8,999,434 | 4,343,622
32 | 2052 | 18,428,332 | 23,911,973 | 18,059,151 | 9,002,923 | 8,999,513 | 4,343,622
33 | 2053 | 18,431,447 | 23,914,194 | 18,060,572 | 9,003,007 | 8,999,585 | 4,343,622
34 | 2054 | 18,434,213 | 23,916,166 | 18,061,833 | 9,003,081 | 8,999,649 | 4,343,622
35 | 2055 | 28,781,702 | 35,756,214 | 26,844,673 | 9,423,600 | 12,687,495 | 4,781,464
36 | 2056 | 18,438,804 | 23,919,440 | 18,063,928 | 9,003,204 | 8,999,755 | 4,343,622
37 | 2057 | 18,440,716 | 23,920,803 | 18,064,800 | 9,003,256 | 8,999,799 | 4,343,622
38 | 2058 | 18,442,316 | 23,921,944 | 18,065,529 | 9,003,299 | 8,999,834 | 4,343,622
39 | 2059 | 18,443,789 | 23,922,994 | 18,066,201 | 9,003,338 | 8,999,864 | 4,343,622
40 | 2060 | 31,518,164 | 38,029,601 | 28,307,710 | 9,825,764 | 13,480,752 | 4,781,464

TABLE VII–11 CONTINUED SCMS COSTS BY FUNCTION

Year | Calendar year | Intermediate CA | Root CA | DCM | Manager | Total costs | Total per vehicle
1 | 2021 | $4,317,570 | $1,723,817 | $4,378,553 | $2,233,628 | $39,100,867 | $2.42
2 | 2022 | 4,279,932 | 1,717,795 | 4,340,915 | 2,231,119 | 38,814,652 | 2.38
3 | 2023 | 4,279,932 | 1,717,795 | 4,340,915 | 2,231,119 | 38,826,479 | 2.36
4 | 2024 | 4,279,932 | 1,717,795 | 4,340,915 | 2,231,119 | 38,849,687 | 2.35
5 | 2025 | 4,718,684 | 1,808,090 | 4,760,710 | 2,292,279 | 46,595,268 | 2.80
6 | 2026 | 4,279,932 | 1,717,795 | 4,340,915 | 2,231,119 | 38,931,210 | 2.32
7 | 2027 | 4,279,932 | 1,717,795 | 4,340,915 | 2,231,119 | 38,977,180 | 2.31
8 | 2028 | 4,279,932 | 1,717,795 | 4,340,915 | 2,231,119 | 39,022,793 | 2.29
9 | 2029 | 4,279,932 | 1,717,795 | 4,340,915 | 2,231,119 | 39,067,558 | 2.28
10 | 2030 | 5,968,049 | 1,808,090 | 4,760,710 | 2,557,780 | 59,448,941 | 3.44
11 | 2031 | 8,455,524 | 1,717,795 | 4,340,915 | 3,382,829 | 65,464,444 | 3.75
12 | 2032 | 8,455,524 | 1,717,795 | 4,340,915 | 3,382,829 | 65,506,362 | 3.73
13 | 2033 | 8,455,524 | 1,717,795 | 4,340,915 | 3,382,829 | 65,547,052 | 3.71
14 | 2034 | 8,455,524 | 1,717,795 | 4,340,915 | 3,382,829 | 65,586,244 | 3.68
15 | 2035 | 10,890,222 | 1,808,090 | 4,760,710 | 3,511,964 | 85,783,450 | 4.77
16 | 2036 | 8,455,524 | 1,717,795 | 4,340,915 | 3,382,829 | 65,658,556 | 3.62
17 | 2037 | 8,455,524 | 1,717,795 | 4,340,915 | 3,382,829 | 65,691,506 | 3.58
18 | 2038 | 8,455,524 | 1,717,795 | 4,340,915 | 3,382,829 | 65,722,070 | 3.55
19 | 2039 | 8,455,524 | 1,717,795 | 4,340,915 | 3,382,829 | 65,750,310 | 3.52
20 | 2040 | 12,177,224 | 1,808,090 | 4,760,710 | 3,774,067 | 99,760,445 | 5.29
21 | 2041 | 12,631,117 | 1,717,795 | 4,340,915 | 4,517,339 | 88,474,574 | 4.62
22 | 2042 | 12,631,117 | 1,717,795 | 4,340,915 | 4,517,339 | 88,493,733 | 4.77
23 | 2043 | 12,631,117 | 1,717,795 | 4,340,915 | 4,517,339 | 88,512,955 | 4.74
24 | 2044 | 12,631,117 | 1,717,795 | 4,340,915 | 4,517,339 | 88,530,450 | 4.72
25 | 2045 | 17,513,413 | 1,808,090 | 4,760,710 | 4,691,868 | 122,360,635 | 6.48
26 | 2046 | 12,631,117 | 1,717,795 | 4,340,915 | 4,517,339 | 88,556,305 | 4.67
27 | 2047 | 12,631,117 | 1,717,795 | 4,340,915 | 4,517,339 | 88,567,283 | 4.64
28 | 2048 | 12,631,117 | 1,717,795 | 4,340,915 | 4,517,339 | 88,577,214 | 4.62
29 | 2049 | 12,631,117 | 1,717,795 | 4,340,915 | 4,517,339 | 88,586,351 | 4.59
30 | 2050 | 19,214,431 | 1,808,090 | 4,760,710 | 4,691,868 | 138,296,371 | 7.13
31 | 2051 | 16,806,710 | 1,717,795 | 4,340,915 | 4,517,339 | 110,120,950 | 5.68
32 | 2052 | 16,806,710 | 1,717,795 | 4,340,915 | 4,517,339 | 110,128,271 | 5.68
33 | 2053 | 16,806,710 | 1,717,795 | 4,340,915 | 4,517,339 | 110,135,185 | 5.68
34 | 2054 | 16,806,710 | 1,717,795 | 4,340,915 | 4,517,339 | 110,141,322 | 5.68
35 | 2055 | 23,459,123 | 1,808,090 | 4,760,710 | 4,692,002 | 152,995,074 | 7.89
36 | 2056 | 16,806,710 | 1,717,795 | 4,340,915 | 4,517,339 | 110,151,511 | 5.68
37 | 2057 | 16,806,710 | 1,717,795 | 4,340,915 | 4,517,339 | 110,155,754 | 5.68
38 | 2058 | 16,806,710 | 1,717,795 | 4,340,915 | 4,517,339 | 110,159,302 | 5.68
39 | 2059 | 16,806,710 | 1,717,795 | 4,340,915 | 4,517,339 | 110,162,566 | 5.68
40 | 2060 | 23,459,123 | 1,808,090 | 4,760,710 | 4,692,026 | 160,663,404 | 8.29

3. Fuel Economy Impact

In addition to the cost of V2V equipment itself, other potential costs include the potential for new equipment on vehicles to increase vehicle weight. The agency expects increased weight of V2V equipment will have a small impact on the fuel economy of the individual vehicles. Over the lifetime of these vehicles, this impact on fuel economy will create a cost for society.

Potential fuel economy impacts can be evaluated in terms of annual impacts and the lifetime fuel economy impacts for a specified MY vehicle (MY fuel impact). The annual fuel impact represents the additional fuel costs from all V2V-equipped vehicles for that year. The MY fuel impact represents the additional fuel costs for a life of a MY vehicle and should be discounted.

As described in previous sections, V2V components include DSRC radios and relevant parts/materials (e.g., antenna, installation material, HSM etc.) and OBE for cellular, Wi-Fi and satellite. A variance depending on the potential implementation is related to the one or two DSRC radio communication approach. Therefore, for the Hybrid option, the total additional weight would be 3.21 pounds which came from one-radio and relevant parts/materials (3.06 pounds) and satellite radios (0.15 pounds). Weight from cellular and Wi-Fi is negligible. For the DSRC option, the total additional weight would be 3.38 pounds based on the use of two DSRC radios and relevant parts/materials.

The impact of added weight on both annual and MY fuel economy is a function of vehicle volumes, vehicle miles traveled, survival probability (i.e., the percentage of the vehicle fleet that will not be scrapped due to an accident), the price of gasoline, and the change in vehicle fuel economy (i.e., change in miles per gallon) due to the added weight. Details on estimating vehicle volumes, miles traveled, and survivability can be found in Chapter VII of the PRIA.

(a) Annual Fuel Economy Impact

Table VII–12 shows the annual fuel economy impact for both one-radio with the Hybrid option and two radios with the DSRC option. Note that the weight difference between the two-radio system and the one-radio system is 0.17 pound. This small weight difference resulted in no discernable difference between these two technology approaches. To be consistent with the measure used for other cost items, the “per vehicle” cost was estimated to be the cost per new vehicle. As shown, the proposed rule would increase the current total annual fuel consumption by 1.10 million gallons in 2021 to 30.51 million gallons in 2060. The corresponding annual cost for these additional fuels was estimated to be $3.08 to $135.16 million, annually. These amounts were translated into $0.19 to $6.97 per new vehicle sold.

TABLE VII–12—ANNUAL FUEL ECONOMY IMPACT *

Year | Calendar year | Fuel price | Additional gallons (million) | Total fuel economy (million $) | Per vehicle cost ($)
1 | 2021 | $2.80 | 1.10 | $3.08 | $0.19
2 | 2022 | 2.86 | 2.69 | 7.69 | 0.47
3 | 2023 | 2.91 | 4.70 | 13.68 | 0.83
4 | 2024 | 2.95 | 6.58 | 19.41 | 1.17
5 | 2025 | 2.99 | 8.34 | 24.94 | 1.50
6 | 2026 | 3.02 | 10.02 | 30.26 | 1.81
7 | 2027 | 3.06 | 11.66 | 35.68 | 2.11
8 | 2028 | 3.08 | 13.19 | 40.63 | 2.39
9 | 2029 | 3.11 | 14.62 | 45.47 | 2.65
10 | 2030 | 3.14 | 16.01 | 50.27 | 2.91
11 | 2031 | 3.18 | 17.32 | 55.08 | 3.16
12 | 2032 | 3.22 | 18.52 | 59.63 | 3.40
13 | 2033 | 3.26 | 19.69 | 64.19 | 3.63
14 | 2034 | 3.35 | 20.73 | 69.45 | 3.89
15 | 2035 | 3.38 | 21.76 | 73.55 | 4.09
16 | 2036 | 3.43 | 22.68 | 77.79 | 4.28
17 | 2037 | 3.47 | 23.50 | 81.55 | 4.45
18 | 2038 | 3.51 | 24.28 | 85.22 | 4.61
19 | 2039 | 3.58 | 24.99 | 89.46 | 4.79
20 | 2040 | 3.66 | 25.64 | 93.84 | 4.97
21 | 2041 | 3.64 | 26.27 | 95.62 | 5.00
22 | 2042 | 3.68 | 26.70 | 98.26 | 5.29
23 | 2043 | 3.72 | 27.11 | 100.85 | 5.40
24 | 2044 | 3.76 | 27.46 | 103.25 | 5.50
25 | 2045 | 3.80 | 27.83 | 105.75 | 5.60
26 | 2046 | 3.84 | 28.11 | 107.94 | 5.69
27 | 2047 | 3.88 | 28.44 | 110.35 | 5.78
28 | 2048 | 3.93 | 28.71 | 112.83 | 5.88
29 | 2049 | 3.97 | 28.91 | 114.77 | 5.95
30 | 2050 | 4.01 | 29.21 | 117.13 | 6.04
31 | 2051 | 4.06 | 29.43 | 119.49 | 6.16
32 | 2052 | 4.10 | 29.65 | 121.57 | 6.27
33 | 2053 | 4.14 | 29.82 | 123.45 | 6.37
34 | 2054 | 4.18 | 29.97 | 125.27 | 6.46
35 | 2055 | 4.22 | 30.10 | 127.02 | 6.55
36 | 2056 | 4.27 | 30.20 | 128.95 | 6.65
37 | 2057 | 4.31 | 30.33 | 130.72 | 6.74
38 | 2058 | 4.35 | 30.41 | 132.28 | 6.82
39 | 2059 | 4.39 | 30.47 | 133.76 | 6.90
40 | 2060 | 4.43 | 30.51 | 135.16 | 6.97

* For both one-radio and two-radios approaches.

(b) MY Fuel Economy Impact

MY fuel cost (i.e., lifetime fuel economy cost) is the cost of additional gasoline used over the vehicle’s life and is estimated on a per vehicle basis. The fuel economy cost for a specific MY vehicle is derived by applying the specific MY fuel economy cost per vehicle to every vehicle. The cost is accrued throughout the vehicle’s life and is discounted to reflect its present value (in 2014 dollars) using 3% and 7% discount rates. The MY fuel economy impact also is a function of mileage, survival probability (i.e., the percentage of the vehicle fleet that will not be scrapped due to an accident), the price of gasoline, the change in vehicle fuel economy due to the added weight, and the discount rate chosen to express lifetime impacts in their present value. Additional details on deriving the MY fuel economy impact can be found in Chapter 7 of the PRIA.

Table VII–13 shows the MY fuel economy impacts at both 3 and 7 percent discount rates. As shown, at a 3 percent discount rate, the MY fuel economy impact of V2V related equipment is estimated to be $32.75 million at MY 2021 and gradually increasing to $104.73 million for MY 2050 vehicles. The cost per vehicle is estimated to be $2.02 for MY 2021 and $5.40 for MY 2050 vehicles. The increase in fuel cost in the future, especially after the third year when the full adoption of DSRC radios starts, is primarily due to projected higher fuel prices and vehicle sales, both of which can vary. The cost per vehicle for a particular MY vehicle is calculated by dividing the total fuel cost for that MY by the total vehicle sales of that MY vehicle. For the first two years, due to the proposed phased in implementation, the cost per vehicle is smaller than the cost per affected vehicle since cost per vehicle as defined is the average cost over all new vehicles.

At a 7 percent discount rate, the MY fuel economy impact is estimated to be $25.03 million for MY 2021 and $80.52 million for MY 2050 vehicles. The cost per vehicle for these two MY vehicles would be $1.55 and $4.15 for MY 2021 and MY 2050 vehicles, respectively.

TABLE VII–13—MY FUEL ECONOMY IMPACT * BY DISCOUNT RATE

Year | Model year | Gallons per vehicle | Total gallons (million) | MY fuel economy impact (million $) @3% | MY fuel economy impact (million $) @7% | Per vehicle cost @3% | Per vehicle cost @7%
1 | 2021 | 0.83 | 13.38 | $32.75 | $25.03 | $2.02 | $1.55
2 | 2022 | 1.22 | 19.88 | 49.33 | 37.71 | 3.02 | 2.31
3 | 2023 | 1.58 | 26.01 | 65.34 | 49.96 | 3.97 | 3.04
4 | 2024 | 1.54 | 25.52 | 64.90 | 49.62 | 3.93 | 3.00
5 | 2025 | 1.49 | 24.80 | 63.85 | 48.81 | 3.83 | 2.93
6 | 2026 | 1.50 | 25.07 | 65.31 | 49.92 | 3.90 | 2.98
7 | 2027 | 1.50 | 25.39 | 66.95 | 51.17 | 3.97 | 3.03
8 | 2028 | 1.51 | 25.74 | 68.69 | 52.50 | 4.03 | 3.08
9 | 2029 | 1.52 | 26.03 | 70.32 | 53.74 | 4.11 | 3.14
10 | 2030 | 1.53 | 26.42 | 72.30 | 55.27 | 4.18 | 3.19
11 | 2031 | 1.53 | 26.77 | 74.21 | 56.74 | 4.26 | 3.25
12 | 2032 | 1.54 | 27.06 | 76.00 | 58.14 | 4.33 | 3.31
13 | 2033 | 1.55 | 27.34 | 77.77 | 59.52 | 4.40 | 3.37
14 | 2034 | 1.55 | 27.71 | 79.86 | 61.15 | 4.48 | 3.43
15 | 2035 | 1.56 | 28.07 | 81.82 | 62.67 | 4.55 | 3.48
16 | 2036 | 1.56 | 28.40 | 83.76 | 64.18 | 4.61 | 3.53
17 | 2037 | 1.57 | 28.77 | 85.80 | 65.76 | 4.68 | 3.59
18 | 2038 | 1.57 | 29.09 | 87.73 | 67.25 | 4.74 | 3.64
19 | 2039 | 1.58 | 29.45 | 89.80 | 68.86 | 4.81 | 3.69
20 | 2040 | 1.58 | 29.87 | 92.00 | 70.56 | 4.88 | 3.74
21 | 2041 | 1.58 | 30.30 | 94.14 | 72.18 | 4.92 | 3.77
22 | 2042 | 1.59 | 29.53 | 92.69 | 71.07 | 4.99 | 3.83
23 | 2043 | 1.59 | 29.69 | 94.15 | 72.20 | 5.05 | 3.87
24 | 2044 | 1.59 | 29.85 | 95.63 | 73.36 | 5.10 | 3.91
25 | 2045 | 1.59 | 30.03 | 97.17 | 74.56 | 5.15 | 3.95
26 | 2046 | 1.59 | 30.19 | 98.66 | 75.72 | 5.20 | 3.99
27 | 2047 | 1.59 | 30.37 | 100.21 | 76.94 | 5.25 | 4.03
28 | 2048 | 1.59 | 30.53 | 101.73 | 78.14 | 5.30 | 4.07
29 | 2049 | 1.59 | 30.69 | 103.20 | 79.30 | 5.35 | 4.11
30 | 2050 | 1.59 | 30.87 | 104.73 | 80.52 | 5.40 | 4.15

4. Overall Annual Costs

(a) Total Annual Costs

The annual costs represent the total annual capital investment and fuel economy impact from all V2V-equipped vehicles per year. The costs comprise four major categories: (1) Vehicle technology (i.e., DSRC radios and app), (2) SCMS, (3) equipment and communication network in support of vehicles-to-SCMS communication (i.e., Communication), and (4) fuel economy impact due to the increased weight from the in-vehicle equipment in (1) and (3).

Table VII–14 presents the total annual costs and cost per vehicle. The total annual costs would range from $2.2 (the lower bound for 2021) to $5.0 billion (not shown, upper bound for 2024). The cost per new vehicle would range from $135 to $301 (lower bound for 2021 and upper bound for 2024). The lower and upper bounds represent the two technology implementation approaches (one-radio and two-radios) that the agency believes can meet the proposed rule and the security and privacy specifications.

TABLE VII–14—TOTAL ANNUAL COSTS AND COST PER VEHICLE [2014 $]

                  Annual cost           Annual cost per
      Calendar    (million $)           vehicle
Year  year        Low       High        Low        High

1     2021        $2,192    $2,864      $135.38    $176.89
5     2025         3,701     4,803       222.02     288.13
10    2030         3,649     4,692       210.94     271.22
15    2035         3,717     4,757       206.52     264.26
20    2040         3,831     4,844       203.01     256.71
25    2045         3,796     4,764       201.14     252.49
30    2050         3,858     4,818       198.97     248.50
35    2055         3,832     4,766       197.65     245.80
40    2060         3,804     4,717       196.20     243.27

(b) Total Annual Costs by Cost Category

Table VII–15 to Table VII–18 list the total annual costs separately for the four cost categories. As shown, the majority of costs came from vehicle technology costs. The annual vehicle technology costs ranged from $2.0 to $4.9 billion (in 2023, not shown) and the per vehicle cost ranged from $124 to $298.

The SCMS costs included the costs for the establishment, operation, and maintenance of the system that covered the expenditure on human resources, equipment, facilities, energy, etc. The total annual SCMS costs would range from $39 to $161 million. This is equivalent to $2 to $8 per vehicle.

The communication costs included the costs for equipment and communication network that are needed in support of the vehicle-to-SCMS communication. The annual communication costs would range up to $494 million. The communication cost per vehicle would be up to $26 per vehicle.

The fuel economy impact was based on the added weight of 3.38 pounds for the two-radio technology approach and 3.21 pounds for the one-radio approach. Due to the insignificant weight difference between these two approaches, the estimated fuel economy impacts are identical for these approaches when factoring rounding errors. Therefore, the fuel economy impact as shown applies to both approaches. The annual fuel economy impact would range from $3 to $135 million. This equates to up to $7 per vehicle.

TABLE VII–15—TOTAL ANNUAL VEHICLE TECHNOLOGY COSTS [2014 $ and vehicles in millions]

                  Total costs           Cost per
      Calendar    (million $)           vehicle
Year  year        Low       High        Low        High

1     2021        $2,001    $2,822      $123.59    $174.29
5     2025         3,297     4,646       197.79     278.68
10    2030         3,160     4,447       182.63     257.06
15    2035         3,135     4,413       174.17     245.17
20    2040         3,178     4,473       168.39     237.03
25    2045         3,096     4,359       164.09     230.98
30    2050         3,115     4,385       160.67     226.16
35    2055         3,061     4,308       157.85     222.19
40    2060         3,015     4,243       155.47     218.85

TABLE VII–16—TOTAL ANNUAL SCMS COSTS * [2014 $ and vehicles in millions]

      Calendar    Total costs    Cost per
Year  year        (million $)    vehicle

1     2021        $39            $2.42
5     2025         47             2.80
10    2030         59             3.44
15    2035         86             4.77
20    2040        100             5.29
25    2045        122             6.48
30    2050        138             7.13
35    2055        153             7.89
40    2060        161             8.29

* Not impacted by technology approach.

TABLE VII–17—TOTAL ANNUAL COMMUNICATION COSTS [2014 $ and vehicles in millions]

                  Total costs           Cost per
      Calendar    (million $)           vehicle
Year  year        Low       High        Low        High

1     2021        $0        $1,486      $0.00      $9.18
5     2025        85         3,324       5.15      19.94
10    2030        135        3,799       7.81      21.96
15    2035        185        4,229      10.24      23.49
20    2040        178        4,597       9.42      24.36
25    2045        178        4,709       9.42      24.96
30    2050        178        4,873       9.16      25.13
35    2055        178        4,917       9.16      25.36
40    2060        178        4,939       9.16      25.47

TABLE VII–18—TOTAL ANNUAL FUEL ECONOMY IMPACT * COSTS [2014 $ and vehicles in millions]

                  Fuel consumption
      Calendar    (million            Fuel costs     Cost per
Year  year        gallons)            (million $)    vehicle

1     2021         1.10                 $3.08        $0.19
5     2025         8.34                 24.94         1.50
10    2030        16.01                 50.27         2.91
15    2035        21.76                 73.55         4.09
20    2040        25.64                 93.84         4.97
25    2045        27.83                105.75         5.60
30    2050        29.21                117.13         6.04
35    2055        30.10                127.02         6.55
40    2060        30.51                135.16         6.97

* Cost equal for both technology implementation approaches due to insignificant weight difference.

5. Overall Model Year (MY) Costs

The primary difference between the annual and MY costs is the fuel economy impact. The PRIA assumes that vehicle technology, SCMS, and communication costs would be paid by vehicle owners when their vehicles were purchased. Thus, these three costs are identical between the annual and MY costs. In annual costs, the fuel economy impact measures the additional fuel costs for all V2V-equipped MY vehicles in a specific calendar year. For estimating the MY costs, the fuel economy impact measures the incremental lifetime fuel impact for a specific MY’s vehicles and is discounted at a 3 and 7 percent rate to reflect its present value.

Table VII–19 and Table VII–20 show the MY costs at a 3 percent and 7 percent discount rate, respectively. At a 3 percent discount rate, the MY costs would range from $2.22 (lower bound at Year 1) to $5.03 billion (upper bound at Year 4, not shown). The cost per vehicle would range from $137.21 to $304.06. The lower bound of the costs represents the MY costs for the one-radio approach and the higher bound represents the cost for the two-radio approach.

At a 7 percent discount rate, the MY costs would range from $2.21 (lower bound at Year 1) to $5.01 billion (upper bound at Year 4, not shown). The MY cost per vehicle would range from $136.73 to $303.14.

TABLE VII–19—TOTAL MY COSTS AND COST PER VEHICLE AT 3 PERCENT

                  Total MY costs        MY cost per
      Model       (million $)           vehicle
Year  year        Low       High        Low        High

1     2021        $2,221    $2,894      $137.21    $178.72
5     2025         3,740     4,842       224.36     290.46
10    2030         3,671     4,714       212.21     272.49
15    2035         3,726     4,765       206.98     264.72
20    2040         3,829     4,842       202.92     256.61
25    2045         3,787     4,756       200.68     252.03
30    2050         3,846     4,806       198.33     247.86

TABLE VII–20—TOTAL MY COSTS AND COST PER VEHICLE AT 7 PERCENT

                  Total MY costs        MY cost per
      Calendar    (million $)           vehicle
Year  year        Low       High        Low        High

1     2021        $2,214    $2,886      $136.73    $178.25
5     2025         3,725     4,827       223.45     289.56
10    2030         3,654     4,697       211.22     271.51
15    2035         3,706     4,746       205.92     263.66
20    2040         3,808     4,821       201.78     255.47
25    2045         3,764     4,733       199.49     250.83
30    2050         3,821     4,782       197.09     246.61

The agency seeks comment on all aspects of the cost estimates developed for this proposal. This includes all cost assumptions, estimated component costs, communication costs including other potential options the agency did not evaluate, and views on potential SCMS costs. Please provide any supporting data for the comments. If necessary, the agency has processes and procedures for submitting confidential business information.

C. Non-Quantified Costs

The agency identified four major non-quantified costs that could be related to the deployment of V2V devices. These include the potential health costs due to a potential increase in electromagnetic hypersensitivity (EHS, i.e., human radiation exposure to wireless communications discussed in Section IV.E), potential loss of perceived privacy, the opportunity costs of alternative uses for the spectrum, and possibly increased litigation costs. The agency requests comment on these costs, particularly whether there exist ways to quantify any of these costs.

1. Health Insurance Costs Relating to EHS

Many commenters (mostly individual citizens) commented on the potential relationship of DSRC radio technology and electromagnetic field exposure hypersensitivity, raising concerns regarding the potential for a V2V mandate to increase electromagnetic beyond today’s levels. The agency takes these concerns very seriously. The agency since has conducted a literature review and other research (on-going) to better understand electromagnetic radiation and its relationship to the symptoms of EHS. As we understand that the expertise of our sister agencies such as the Federal Communications Commission (FCC) and the Food and Drug Administration (FDA), among others, have been involved with electromagnetic fields, in parallel with the pervasiveness of cellular phone deployment in the United States and globally.

The FDA found that most studies conducted to date show no connection between certain health problems and exposure to radiofrequency fields via cell phone use and that attempts to replicate and confirm the few studies that did show a connection have failed.[353] Furthermore, V2V devices would operate at distances significantly further than the distance between a portable cellular phone to its operator, where the device is generally carried on a person or pressed directly to the ear. Therefore, the EHS effects are expected to be lower for V2V than cell phones; the agency does not quantify the health costs relating to EHS. Nevertheless, the agency acknowledges that research is still ongoing and, as technology evolves, wireless communications will most likely continue to increase. We will continue to monitor the progress of this issue and closely follow the efforts of the Radiofrequency Interagency Work Group (RFIAWG) which may yield any potential future guidance for wireless device deployment and usage.

353 Radiation-Emitting Products, "Current Research Results," http://www.fda.gov/Radiation-EmittingProducts/RadiationEmittingProductsandProcedures/HomeBusinessandEntertainment/CellPhones/ucm116335.htm, last accessed: June 3, 2015.

2. Perceived Privacy Loss

One intangible outcome of the proposed rule is a perceived potential for loss of privacy. Individuals may perceive the V2V system as eroding their personal privacy and view this as a considerable negative consequence. Also, several surveys showed that individual attitudes towards information security seem inconsistent with their behavior on protection of their information.[354][355] Acquisti, et al. stated that identifying the consequence of a privacy incident is difficult enough, and quantifying these consequences is remarkably complex.[356] Furthermore, there are few studies on the economic costs for privacy and even fewer for quantifying the economic costs for perceived privacy loss. Given the great uncertainties for valuing the perceived loss of privacy, this analysis does not quantify this cost.

To ease the privacy concerns and mitigate possible privacy loss, the agency is committed to regulating V2V communications in a manner that both protects individuals and promotes this important safety technology. NHTSA has worked closely with experts and our industry research partners (CAMP and the VIIC) to build privacy protections into the design and deployment of V2V communications that help guard against risks to individual privacy.

The agency has conducted a thorough privacy impact assessment as required by the Consolidated Appropriations Act, 2005, Public Law 108–447. This Act requires that Federal agencies conduct privacy impact assessments (PIAs) of proposed regulatory activities involving collections or systems of information in electronic form with the potential to impact individual privacy. A PIA documents the flow of information and information requirements within a system by detailing how and why information is transmitted, collected, stored and shared to: (i) Ensure compliance with applicable legal, regulatory, and policy requirements regarding privacy; (ii) determine the risks and effects of the proposed data transactions; and (iii) examine and evaluate protections and alternative processes for handling data to mitigate potential privacy risks.

354 Acquisti, Alessandro (2004), Privacy Attitudes and Privacy Behavior, Losses, Gains, and Hyperbolic Discounting (Preliminary draft).
355 Acquisti, Alessandro (2002). Protecting privacy with economics: Economic incentives for preventing technologies in ubiquitous computing environments. In workshop on Socially-informed Design of Privacy-enhancing Solutions, 4th International Conference on Ubiquitous Computing—UBICOMP’02.
356 Acquisti, A., Friedman, A., Telang, R., "Is there a Cost to Privacy Breaches? An Event Study", Twenty Seventh International Conference on Information System, Milwaukee 2006 (pre-proceeding draft version).

3. Opportunity Costs of Spectrum for Other Uses

(a) Overview

Our analysis shows that this rule will generate significant net benefits due to improved safety, decreased loss of life, reduced property damage, and other impacts. While requiring this technology has costs, the analysis here shows that the benefits of this rule well justify those costs.

As discussed in greater detail elsewhere in this notice, the FCC designated the 5.9 GHz band (i.e., 5850–5925 MHz) for ITS radio services and adopted open license to both public safety and non-public safety use of this band with the priority for public safety communications in 2003. Within the 5.9 GHz band, the FCC has designated Channel 172 (i.e., 5.855–5.865 GHz, a 10 MHz band) exclusively for "vehicle-to-vehicle communication for crash avoidance and mitigation, and safety of life and property applications."

Given the FCC’s decision about how to allocate Channel 172, this rule results in the use of that particular radio spectrum for vehicle-to-vehicle communication even though that resource could potentially have alternative uses for society, including alternative safety applications. The FCC, not NHTSA or DOT, has the authority to determine the commercial use of spectrum. However, NHTSA understands the scarcity of spectrum and in the interests of providing a complete analysis of the costs and benefits of this rule seeks comment on the potential costs associated with the lost opportunity to exploit the spectrum at issue for other uses.

The FCC, as part of its own ongoing rulemaking proceeding, is considering whether to allow "Unlicensed National Information Infrastructure" (UNII) devices (that provide short-range, high-speed, unlicensed wireless connections for, among other applications, Wi-Fi-enabled radio local area networks, cordless telephones, and fixed outdoor broadband transceivers used by wireless Internet service providers) to operate in the same frequencies of the spectrum as V2V.

Opening any spectrum band to sharing could result in many more devices transmitting and receiving information on the same or similar frequencies. Depending on the technology, band, and uses at issue, such sharing can work well or can lead to harmful interference among those devices. Recognizing the scarcity of spectrum, in December 2015 and January 2016, the DOT, FCC, and the Department of Commerce sent joint letters to members of the U.S. Senate Committee on Commerce, Science, and Transportation, stating a shared "commitment to finding the best method to develop, successfully test, and deploy advanced automotive safety systems while working to meet existing and future spectrum demands," and announcing an interagency, multi-phased testing regime that will be used to "provide reliable, real-world data on the performance of unlicensed devices that are designed to avoid interfering with DSRC operation in the 5.9 GHz band."[357] The results of this test will inform FCC on potential sharing solutions, if any, between proposed Unlicensed National Information Infrastructure (U–NII) devices and DSRC operations in the 5.850–5.925 GHz (U–NII–4) band.

The results of the interagency tests will also be utilized to inform NHTSA’s proceeding as it progresses towards a proceeding prior to any final rulemaking on V2V. As noted in the joint DOT-FCC-Commerce letter that responds to a Congressional letter dated September 9, 2015, it is "imperative—to ensure the future automotive safety and efficiency of the traveling public—that all three phases of the FCC test plan be completed before reaching any conclusions as to whether [non-DSRC] unlicensed devices can safely operate in the 5.9 GHz band" without interfering with DSRC operation.

DOT believes that any estimate of the opportunity cost of this NPRM should be made in the context of the FCC’s existing policies and authorities. Put another way, in identifying and valuing other opportunities that might be precluded or degraded by this NPRM, DOT is considering those opportunities consistent with the FCC’s designation of spectrum. However, in assessing the benefits in the context of the current FCC designation on which this rule focuses, we invite and will consider comments on opportunity costs associated with broader uses of spectrum beyond the current FCC designation.

In addition, we provide a further discussion of other potential benefits of DSRC beyond the two safety applications quantified in the economic analysis for this NPRM. Those additional benefits include potential safety, congestion, environmental, UAS and Smart City benefits.

357 See letter in NHTSA Docket No. NHTSA–2016–0126.

(b) Benefits of DSRC

We first provide a further explanation of the potential additional safety benefits of DSRC beyond the two intersection safety applications quantified in the economic analysis for this NPRM.

The primary benefit of the proposed rule is improved automobile safety. Section VII.D discusses this benefit at length. DOT also wishes to present a broader discussion of the benefits not measured in the Primary Regulatory Impact Analysis and seek comment on the resulting estimate. To arrive at this estimate, we have taken existing research that quantified motor vehicle crashes as costing society over $242 billion in economic impacts in 2010 and caused societal harm of over $836 billion through fatalities, injuries and property damage. Adjusting the societal harm estimate to reflect the increase in traffic fatalities and CPI in 2015, we arrive at a value of $966 billion. Recognizing previous research has indicated that V2V could potentially avoid or mitigate 80% of unimpaired crashes, we have conservatively calculated scenarios where V2V is phased in linearly, reaching maximum crash reduction benefits of 5, 10, and 15% by 2035.

TABLE VII–21—SUMMARY OF ESTIMATED PRESENT VALUE OF BENEFITS OF V2V COMMUNICATION FOR THIS NPRM

                 Percentage of    2018 PV at 3%    2018 PV at 7%
Societal Harm    crashes          discount rate    discount rate
($M)             prevented        ($M)             ($M)

$966,000          5.0             $603,620         $288,480
$966,000         10.0             1,207,230         576,950
$966,000         15.0             1,810,850         865,430

A more conservative approach to calculating total benefit of the rule could be considering a function of the number of lives that would be saved by V2V communication, multiplied by the economic value of a life. A number of values have been used for the economic value of a life; we compute our sensitivity analysis using values of $5–$13.4M. Table VII–22 below presents different estimates for the 2018 value of the benefit of the rule through 2050.

TABLE VII–22—SUMMARY OF ESTIMATED PRESENT VALUE OF BENEFITS OF V2V COMMUNICATION FOR THIS NPRM

                   Percentage of                  2018 PV at 3%    2018 PV at 7%
Value of a life    fatalities     Fatalities      discount rate    discount rate
($M)               prevented      prevented       ($M)             ($M)

$5.4                1.0            350.92         $38,636          $23,965
$13.4               1.0            350.92          95,874           59,468
$5.4                5.0           1754.6          193,181          119,824
$13.4               5.0           1754.6          479,373          297,341
$5.4               10.0           3509.2          386,360          239,648
$13.4              10.0           3509.2          958,747          594,683

(c) Other Benefits of DSRC Communication

The benefits shown above offset the costs, including opportunity costs, of this proposed rule. Moreover, the beneficial uses of spectrum for vehicle-to-vehicle communications could well increase in the future. Over the last five years, the USDOT has sponsored the Connected Vehicle Program under Intelligent Transportation Systems Research. This program has identified more than fifty potential connected vehicle applications concepts, many of which have already been prototyped and demonstrated. As a part of this process, the component application development programs have also conducted assessments to measure safety, mobility, and environmental impacts. Field demonstrations have been supplemented by estimation of difficult-to-observe impacts and potential future impacts from broader application deployment using a range of analytical methods. The USDOT has published documentation from the more advanced application development efforts, including concepts of operations, system requirements, design documents, algorithms, functional descriptions, characterization test results, field test evaluation results and estimation of benefits associated with these prototypes. In total, the USDOT has identified fifty-three connected vehicle applications that will depend on effective vehicle communication. These fifty-three applications include thirteen safety applications that address vehicle occupant and pedestrian safety through communication with other vehicles as well as roadside infrastructure. They also include fifteen applications that address environmental quality and resource consumption, and many more that address congestion, mobility, and data gathering.

(d) Opportunity Costs of Precluding Alternative Uses

Decisions regarding whether to allow additional uses of spectrum than those currently authorized by the FCC for the ITS band are not within the scope of DOT’s or NHTSA’s authority. Comments on the value of these uses will, however, be accepted. Such comments should consider that the interagency spectrum sharing tests are not yet complete, and it will be impossible to fully measure such benefits until the feasibility of sharing is determined. If such sharing is possible, those benefits will likely decrease opportunity costs associated with mandating V2V communications. Nothing in this rulemaking would preclude the FCC, in conjunction with DOT and NTIA, from authorizing appropriate sharing at some future date.

The chart below is a generic calculation of the spectrum opportunity cost, based on preclusion of alternative uses for the spectrum. This estimate might overstate the value of opportunity cost if sharing is determined to be possible. We use estimated Wi-Fi values from 2013 and earlier reports to estimate the economic value of one MHz of spectrum. To do this, we begin by extracting data from the largest and most recent study of spectrum values from TAS, making several adjustments based on our analysis.[358] To calculate a net present value as of 2016, we treat the annual economic value of the spectrum beginning in 2018 and until 2050, meaning that it will generate the same value for each year in the future. There are two assumptions implicit in this approach: (1) The spectrum continues to generate value into the future and (2) the value of the spectrum does not change from year to year (i.e., the growth rate is zero).[359]

The estimated present value of each additional MHz up to 2050 ranges between $1.9B and $3.4B based on whether a 7 or a 3 percent discount rate is used, respectively.[360]

We seek comment on whether these per-MHz figures are reasonable, including comment on the detailed analysis in footnote 3, as well as any alternative methodologies.

TABLE VII–23—SUMMARY OF ESTIMATED PRESENT VALUE OF SPECTRUM

                                                               PV to 2050, 2018      PV to 2050, 2018
                                                               implementation,       implementation,
                             Value                Billions of  3% discount rate      7% discount rate
Approach                     (billions of $)  MHz $/MHz        (billions of $/MHz)   (billions of $/MHz)

Estimated Value of Wi-Fi     110              638 0.2          3.4                   1.9

Other ways to estimate the opportunity cost of spectrum may be feasible, including using auction values for spectrum licenses. A method like this would require estimates of the ratio between auction value and annual consumer surplus. A method like that would generate far higher values than the table above because it uses licensed rather than unlicensed spectrum as a benchmark—making it yield an estimate that cannot be directly used to assess the value of unlicensed spectrum. Other considerations when using the estimates above to value the spectrum in question include:

The value of spectrum is highly situational and the historic spectrum value might not be a valid indication of the spectrum of the future. Spectrum value differs with respect to variables including, but not limited to, frequencies, size of the block or segment, international harmonization, geographic location, the timing of the release of new batches of spectrum, and the extent to which use is shared or exclusive. Frequencies might be the most significant factor to determine the value since different frequencies have different characteristics that make useful for different applications. The most useful bands of frequencies may be auctioned out and developed early. The spectrum values for these frequencies may have very different characteristics from the 5.9 GHz band and their value may exceed the value of the 5.9 GHz.

The cost of delivering information over spectrum varies and is a function of the range in which it operates. Higher frequency spectrums like 5.9 GHz broadcast over much shorter distances than lower frequency spectrums and thus require the interaction of interoperable devices over these short distances to transmit and receive messages in order for applications to activate.

Existing market values do not reflect the progressive increase of the economic value of spectrum over time (i.e., time-dependent value).

The above estimates yield per-MHz figures for the gross opportunity cost that would result if spectrum in these bands were monopolized. However, the actual opportunity cost associated with spectrum that would result from mandating V2V in the way prescribed in this NPRM is represented by foregone alternative uses of that spectrum, which would be more limited.

It is possible that all spectrum within the relevant 75 MHz will ultimately be used for vehicle-to-vehicle communications given the substantial safety benefits of that technology. It is, however, likely that not all spectrum within the relevant 75 MHz will be de facto or de jure used exclusively for the specific safety applications envisioned by this rule, i.e., those based on transmission of the Basic Safety Message. In particular, we propose to require BSM transmissions on a single 10 MHz channel. Multiplying this 10 MHz by the per-MHz values derived above yields an opportunity cost of $19–$34 billion. We seek comment on the best framework to appropriately consider the opportunity costs of this proposed rule across the band, taking into account varying assumptions about spectrum usage. DOT expects to include an estimate of the opportunity cost of spectrum as part of its RIA in a final rule.

4. Increased Litigation Costs

The agency recognizes the possibility of higher litigation costs due to the cooperative nature of the V2V environment. However, the agency reiterates that driving tasks are drivers’ responsibilities. The at-fault driver in a crash will bear the economic burden and this will not be altered in the V2V environment. Furthermore, V2V technology is expected to help avoid crashes and thus reduce the overall burden imposed on legal systems and traffic courts.

358 Assessment of the Economic Value of Unlicensed Spectrum in the United States, Final Report, February 2014, Telecom Advisory Services, LLC http://www.wififorward.org/wp-content/uploads/2014/01/Value-of-Unlicensed-Spectrum-to-the-US-Economy-Full-Report.pdf (last accessed Dec 8, 2016). We first remove RFID retail because it is a very different technology from Wi-Fi and it operates at very low frequency bands (13.56, 4.33, and 902–928 MHz (i.e., all operate at less than 1 GHz)). Second, Table C includes $34.885B of producer surplus associated with Wi-Fi only tablets estimated as the difference between the retail price and manufacturing costs for a weighted average of tablet suppliers. In practice, consumers pay above manufacturing costs for marketing, brand, and other amenities, making this an overestimate. As a rough adjustment, we cut this number in half to $17.44B. Adding all spectrum values from Table C of the TAS report except for RFID retail yields a total value for unlicensed Wi-Fi spectrum of $110 billion. Based on the CEA report, there are a total of 638 MHz of spectrum available for unlicensed Wi-Fi use. This includes 83 MHz in the 2.4 GHz band and 555 MHz in the 5.1–5.8 GHz band. Dividing the TAS estimate of Wi-Fi value by the total bandwidth gives an estimate of $172.4 million per each MHz of spectrum.

359 Other researchers including Bazelon and McHenry (2015) use a similar approach. Bazelon and McHenry (2015) paper is available here: http://www.brattle.com/system/publications/pdfs/000/005/168/original/Mobile_Broadband_Spectrum_-_A_Valuable_Resource_for_the_American_Economy_Bazelon_McHenry_051115.pdf (last accessed Dec 8, 2016).

360 We use 3 and 7 percent discount rates to be consistent with OMB guidelines, available here (Step 7, p. 11): https://www.whitehouse.gov/sites/default/files/omb/inforeg/regpol/circular-a-4_regulatory-impact-analysis-a-primer.pdf (last accessed Dec 8, 2016).


D. Estimated Benefits

1. Assumptions and Overview

In order to estimate the benefits of this rule, the agency made several key assumptions. The agency applied the same assumptions for adoption and vehicle fleet penetration rates as for estimating both the costs and benefits of this proposed rule, as shown in Table VII–24 and Table VII–25.

TABLE VII–24—V2V TECHNOLOGY ADOPTION RATES IN PERCENT

Model year  2021  2022  2023  2024  2025  2026  2027  2028
DSRC %  50  75  100  100  100  100  100  100
Applications % *  0  5  10  25  40  65  90  100

* As percent of DSRC-equipped vehicles.

TABLE VII–25—V2V TECHNOLOGY FLEET PENETRATION

Year  Calendar year  With DSRC radios: number of vehicles (million)  With DSRC radios: percent  With apps: number of vehicles (million)  With apps: percent
1  2021  8.1  3.3  0.0  0.0
5  2025  68.13  27.4  6.3  5.2
10  2030  144.3  55.8  87.2  33.7
15  2035  208.4  77.6  163.7  61.0
20  2040  253.0  90.8  226.1  81.2
25  2045  276.6  96.2  265.3  92.3
30  2050  291.3  98.6  286.9  96.8
35  2055  300.6  99.7  298.1  98.9
40  2060  305.2  100.0  304.6  99.8

The agency estimated the potential benefits of the proposed rule based upon a scenario where two safety applications, IMA and LTA, are voluntarily adopted by industry following a DSRC-mandate. The agency focused on these potential safety applications because we have sufficient data and because they can be effectively enabled only by V2V. IMA warns drivers of vehicles approaching from a lateral direction at an intersection, while LTA warns drivers of vehicles approaching from the opposite direction when attempting a left turn at an intersection. The agency notes that this may not be the scenario that actually occurs following a DSRC-mandate; manufacturers may choose to offer other safety applications that use V2V technology beyond these two and may offer those technologies or IMA and LTA in a time frame different from what is considered for purposes of analysis. In addition, manufacturers may also offer various other technologies that use DSRC, such as V2I or V2P technologies. These other technologies may offer benefits of a different amount than those calculated for IMA and LTA and they may accrue over a different timeframe. The agency requests comment on these assumptions.

Overall, three major factors influence the potential benefits of a V2V implementation: The size of the crash population, the safety application effectiveness, and vehicle communication rates. The undiscounted annual benefits thus are the product of these three factors and can be expressed mathematically by the following generic formula:

Bi = P * E * Ci

Where,
Bi = Annual benefits (or MY benefits) of the proposed rule at year i,
P = Target population (crashes, fatalities, injuries, or PDOVs),
E = Effectiveness of apps (i.e., IMA or LTA), and
Ci = communication rate at year i.

(a) Target Population (P)

The target population (P) includes crashes, fatalities, injuries, and PDOVs. As described in Section II.A, the Safety Need, this proposed rule is estimated to affect potentially 3.4 million light-vehicle-to-light-vehicle crashes. This potential population excludes other crash scenarios. More specifically, single-vehicle crashes were excluded based on the V2V’s inherent cooperative operation, with two vehicles communicating with each other to potentially issue a warning before a crash. Crashes with four or more vehicles were not included because the agency does not have data to estimate how effective the safety warning applications would be as these crashes might involve complex interactions among vehicles. Crashes involving pedestrians and pedal-cyclists were also excluded since these crashes might need the communication between vehicles and persons. Crashes involving motorcycles were excluded because the agency has not conducted any V2V research on motorcycles. Finally, crashes involving at least one heavy vehicle 361 are excluded since the agency is only evaluating light vehicle crashes at this time.

361 Heavy vehicles include trucks and buses with a GVWR greater than 10,000 pounds.

Figure VII–2 depicts how the agency determined the potential target population for both the IMA and LTA safety warning applications. In addition, the figure also includes the corresponding monetized values at each ‘‘stage’’ of filtering for the potential target population. As indicated, the end result is an estimated 1.06 million crashes that could be addressed by the IMA and LTA safety warning applications, making up approximately 19 percent of the total police-reported crashes. These crashes resulted in 2,372 fatalities and 0.69 million MAIS 1–5 injuries and damaged 1.29 million vehicles. Together, these crashes cost society $121 billion, annually. Separately, IMA crashes resulted in 1,824 fatalities and 0.47 million MAIS 1–5 injuries and damaged 0.97 million vehicles. The IMA crashes cost society $84 billion, annually. When compared to IMA, LTA has a smaller number of target crashes. LTA crashes resulted in 548 fatalities and 0.22 million injuries (MAIS 1–5) and damaged 0.32 million vehicles. The IMA crashes cost society $36 billion, annually.

The target populations used for this analysis were retrieved from the 2010–2013 FARS and GES. FARS is a census of fatalities that occurred in fatal crashes on public roadways. FARS was used to derive the incidence of fatal target crashes and associated fatalities. GES is a sampling system of all police-reported crashes. GES was used to derive the MAIS 1+ injuries in non-fatal target crashes and PDOVs. The agency utilized multiple years of crash data to limit variations of crashes and provide the best possible estimate for projecting potential benefits.

The variables used to define the target crashes include vehicle forms submitted, vehicle body type, crash type, the first harmful event, relation to roadway, roadway alignment, roadway condition, rollover type, jackknife status, driver contributing factor, and vehicle contributing factor. Of these variables, the driver contributing and vehicle contributing factors were used to refine the target population. The driver contribution factor specifies whether the driver’s alertness contributed to the crashes. The vehicle contributing factor identifies whether a vehicle’s component failure or defect contributed to the crashes. Crashes where incapacitated or drowsy drivers were involved and where vehicle mechanical failures such as brake systems, tires, steering, and transmissions were cited as contributing factors were excluded.

(b) Effectiveness (E)

The agency applied effectiveness rates for IMA and LTA. The effectiveness rate estimates are derived using the Safety Impact Methodology (SIM) tool developed by the Department of Transportation’s Volpe Center, specifically for estimating the effectiveness of V2V technology. In order to obtain a crash warning using V2V technology, two V2V-equipped vehicles need to interact during a potential crash situation—if a V2V-equipped vehicle interacts with a non-V2V-equipped vehicle in a potential crash situation, no warning is to be expected, because the non-equipped vehicle would produce no BSM for the equipped vehicle to recognize and respond to. To be able to estimate the effectiveness of advanced crash avoidance technology such as V2V, NHTSA developed a methodology that uses available data and computer simulation,362 extending current estimation capabilities and enabling V2V technology to be ‘‘exposed’’ to more conflict situations to make up for any potential lack of crashes in the real-world crash databases. The methodology and simulation tool allows the agency to better comprehend the crash avoidance potential and the performance criteria of the V2V technology prior to the technology’s actual deployment. Extensive details on how the agency estimates effectiveness of potential V2V safety applications can be found in Chapter 4 of the PRIA and Chapter XII.B.1 of the V2V Readiness Report.

362 For an overview of this methodology, see ‘‘Implementation of the Safety Impact Methodology Tool’’ DRAFT located in Docket NHTSA–2016–0126.

Table VII–26 shows the effectiveness of IMA and LTA used for the benefit estimates in this proposal. As shown, IMA is estimated to prevent 43–56 percent of intersection related crashes and LTA would prevent 37–63 percent of crashes where a left turn is being attempted across oncoming traffic.

TABLE VII–26—EFFECTIVENESS OF IMA AND LTA SAFETY APPLICATIONS

Apps  Low (%)  High (%)
IMA  43  56
LTA  37  63

These estimates are adjusted slightly from the effectiveness estimates used in the V2V Readiness Report to reflect the latest crash data available to the agency. There are no changes in methodology for developing the effectiveness estimate from that used in the V2V Readiness Report. In the Readiness Report, the agency estimated values of 41–55 percent for IMA and 36–62 percent for LTA, differences of only one to two percent at either end of the ranges. The differences originate in the minor adjustment in the injury probability curves for IMA and overall the newer crash data yielded a different crash scenario distribution. In order to account for potential uncertainty in these effectiveness rates, the agency included lower effectiveness rates in the uncertainty analysis for this rule. The agency requests additional information concerning the potential effectiveness of these two applications.

(c) Communication Rate (Ci)

The communication rate (Ci) used in the generic benefit formula above represents the potential probability of a crash in which the vehicles involved are both DSRC-equipped light vehicles utilizing the safety applications IMA and LTA. To derive this probability, the agency first developed a projection of the number of vehicles that would be equipped by leveraging the technology adoption rates used for estimating the proposed rule costs. As discussed in the estimated cost section, the proposed rule would require that all applicable vehicles are equipped allowing for a market-driven adoption for safety applications. The proposed requirement for DSRC radio adoption schedule is a three year phase-in: 50 percent of the first MY vehicles, 75 percent of the second MY vehicles and 100 percent of the third MY vehicles. For benefits estimation, the agency applied these proposed, required adoption rates to estimated, future vehicle sales yielding the potential vehicles that could be equipped with DSRC devices in the overall vehicle fleet.

The agency believes a similar, market-driven approach could take hold for V2V technology once the equipment becomes widely available and consumers recognize the potential benefits.

The agency believes that IMA and LTA could be adopted as standard equipment on a schedule similar to the ‘‘combined’’ schedules for the FCW and LDW displayed in the NCAP data. Based on broad collection of implementation information such as the ITS study, NCAP data, agency meetings with manufacturers, announcements on V2V implementation from vehicle industry, and the cost consideration, the agency established a safety application adoption trend of 0% for the first MY vehicles that have DSRC radios, 5%, 10%, 25%, 40%, 65%, 90%, and 100% for each following MY vehicles, respectively.

The agency believes that this adoption rate is reasonable. We note that the pattern is similar to those shown in the NCAP data; with slow initial rate spanning approximately two years and then increasing year over year at a rate that would reach full adoption in the eighth year of the implementation of the DSRC technology. Under this adoption scenario, the benefits estimates assume IMA and LTA would not be deployed in the first year. In the second year, with the required 75 percent DSRC installation rate and the five percent safety application adoption among the DSRC-equipped vehicles, five percent of the total new vehicles (= 0.05 * 0.75) are expected to have the two safety applications. In the third year, 10 percent of the new vehicles (= 0.1 * 1.00) would have the apps, and so on and so forth. Overall, the benefits (and costs) of the proposed rule were estimated based on this specific technology adoption scenario, as shown in Table VII–27.

TABLE VII–27—V2V TECHNOLOGY ADOPTION SCENARIO FOR COST AND BENEFIT ESTIMATES

Year  1  2  3  4  5  6  7  8
(MY)  (2021)  (2022)  (2023)  (2024)  (2025)  (2026)  (2027)  (2028)
DSRC (%)  50  75  100  100  100  100  100  100
Apps * (%)  0  5  10  25  40  65  90  100
Apps Actual ** (%)  0  4  10  25  40  65  90  100

* IMA and LTA of DSRC-equipped new vehicles.
** of all new vehicles.

Table VII–28 shows the communication rates from 2021 to 2060 by vehicle type (i.e., PCs, LTVs, and PCs and LTVs combined) separately for IMA and LTA. As expected, the communication rates would be relatively small in the first few years and accelerate faster when time progresses.

The overall communication with vehicles that had the apps would be rare in the first three years as measured by those rates for IMA. The rate would reach over 50 percent (51.41%) in 2034, the 14th year of the implementation of the proposed rule. In 2039, 5 years later, the rate would reach 75 percent. In 2044, the communication rate would reach over 90 percent.

For LTA, the communication rates would be smaller than the general communication rates. In 2022, for example, the contributable rate for LTA with vehicles equipped with the apps is about 0.02 percent, 50 percent of the overall communication rate. However, the ratio would increase over time and narrow the difference between these two rates. In 2034, the rate for LTA would be 41.36 percent, 80.5 percent of the overall communicating rate.

TABLE VII–28—LIGHT VEHICLE FLEET COMMUNICATION RATES

Year  Calendar year  IMA PCs (%)  IMA LTVs (%)  IMA Combined (%)  LTA PCs (%)  LTA LTVs (%)  LTA Combined (%)
1  2021  0.00  0.00  0.00  0.00  0.00  0.00
2  2022  0.02  0.02  0.04  0.01  0.01  0.02
3  2023  0.13  0.13  0.26  0.07  0.07  0.14
4  2024  0.52  0.50  1.02  0.28  0.27  0.55
5  2025  1.32  1.26  2.58  0.73  0.70  1.43
6  2026  2.77  2.64  5.41  1.61  1.54  3.15
7  2027  4.94  4.71  9.65  3.06  2.92  5.98
8  2028  7.55  7.19  14.74  4.96  4.72  9.68
9  2029  10.40  9.88  20.28  7.17  6.81  13.98
10  2030  13.45  12.76  26.21  9.63  9.14  18.77
11  2031  16.63  15.77  32.40  12.33  11.69  24.02
12  2032  19.90  18.84  38.74  15.20  14.39  29.59
13  2033  23.19  21.92  45.11  18.20  17.20  35.40
14  2034  26.46  24.95  51.41  21.29  20.07  41.36
15  2035  29.65  27.87  57.52  24.41  22.95  47.36
16  2036  32.69  30.62  63.31  27.50  25.75  53.25
17  2037  35.53  33.16  68.69  30.48  28.45  58.93
18  2038  38.12  35.46  73.58  33.31  30.98  64.29
19  2039  40.40  37.47  77.87  35.92  33.32  69.24
20  2040  42.36  39.21  81.57  38.29  35.45  73.74
21  2041  43.99  40.69  84.68  40.38  37.36  77.74
22  2042  45.18  42.03  87.21  42.06  39.12  81.18
23  2043  46.11  43.17  89.28  43.46  40.69  84.15
24  2044  46.81  44.17  90.98  44.59  42.07  86.66
25  2045  47.33  45.04  92.37  45.47  43.27  88.74
26  2046  47.72  45.83  93.55  46.16  44.33  90.49
27  2047  48.04  46.56  94.60  46.71  45.28  91.99
28  2048  48.29  47.25  95.54  47.14  46.13  93.27
29  2049  48.49  47.90  96.39  47.49  46.91  94.40
30  2050  48.65  48.50  97.15  47.77  47.61  95.38
31  2051  48.75  49.02  97.77  47.97  48.24  96.21
32  2052  48.81  49.50  98.31  48.14  48.82  96.96
33  2053  48.82  49.93  98.75  48.25  49.34  97.59
34  2054  48.81  50.31  99.12  48.33  49.81  98.14
35  2055  48.78  50.65  99.43  48.37  50.23  98.60
36  2056  48.73  50.96  99.69  48.39  50.60  98.99
37  2057  48.65  51.22  99.87  48.37  50.93  99.30
38  2058  48.54  51.41  99.95  48.33  51.19  99.52
39  2059  48.43  51.56  99.99  48.29  51.41  99.70
40  2060  48.33  51.67  100.00  48.25  51.57  99.82

(d) Adoption Rate of IMA and LTA

Since the agency is not mandating any applications, we next made an assumption concerning at what rate IMA and LTA could be adopted voluntarily by industry. We contracted with the Intelligent Transportation Society of America (ITS America, or ITS) to conduct a study to better understand the utilization of DSRC among stakeholders and to investigate potential safety application deployment and product development.363 As part of the effort, ITS identified an array of V2V and vehicle-to-infrastructure (V2I) apps and interviewed 42 stakeholders specifically about these apps’ development and deployment. The stakeholders interviewed included chipset manufacturers, mobile device manufacturers, infrastructure industrial equipment makers, vehicle original equipment manufacturers (OEMs), and academia. Based on the interview results, ITS America concluded that about 91 apps (including both V2V and V2I) would likely be deployed within 5 years of a DSRC mandate. IMA and LTA were rated among the highest priority apps among all the interviewees.

363 Impact of Light Vehicle Rule on Consumer/Aftermarket Adoption—Dedicated Short Range Communications Market Study, Intelligent Transportation Society of America, FHWA–JPO–17–487, available at http://ntl.bts.gov/lib/60000/60500/60535/FHWA-JPO-17-487_Final_.pdf (last accessed Dec 12, 2016).

The ITS study confirmed many aspects of the agency’s proposed requirements and assumptions regarding potential V2V deployment including the proposed implementation timing. However, the study was not able to predict clearly a safety application adoption trend after an initial deployment. To fill this gap and establish a potential trend, the agency examined the adoption patterns of the three crash avoiding warning systems reported as part of regular data submissions associated with the agency’s New Car Assessment Program (NCAP). The crash avoiding warning systems are blind spot detection (BSD), forward collision warning (FCW), and Lane Departure Warning (LDW). We note that only FCW and LDW are currently reported on NHTSA’s Safer Car technologies as being ‘‘Recommended Technologies,’’ while BSD is reported to NHTSA for research purposes but not, at this time, presented to the public.

Table VII–29 lists the adoption rates for these systems that were offered as standard equipment and the combined adoption rates for the technologies offered as standard or optional. As shown, the rate of the standard equipment is relatively low, although it increases gradually. In contrast, the rate for the optional equipment (based on the combined rates) was much higher and the pace of offering these features increased faster. These warning technologies are projected to reach the full combined deployment around 2021 based on a curve linear regression model resulting in an estimated full deployment spanning ten years. This projected rate is absent any sort of formal regulation beyond the inclusion in the agency’s NCAP ratings program.

TABLE VII–29—REPORTED ADOPTION RATES BY VEHICLE MANUFACTURERS [Percent]

Year  BSD Standard  BSD Combined *  FCW Standard  FCW Combined *  LDW Standard  LDW Combined *
2011  0.3  11.9  0.0  11.4  0.0  2.5
2012  1.0  30.0  0.0  11.4  0.0  5.9
2013  1.3  30.4  0.8  21.0  0.0  17.4
2014  0.1  27.0  2.6  22.1  0.2  15.8
2015  0.6  45.7  5.6  57.3  2.5  52.7

* standard equipment and optional equipment combined.

The agency believes a similar, market-driven approach could take hold for V2V technology once the equipment becomes widely available and consumers recognize the potential benefits. The agency believes that IMA and LTA could be adopted as standard equipment on a schedule similar to the ‘‘combined’’ schedules for the FCW and LDW displayed in the NCAP data. Based on broad collection of implementation information such as the ITS study, NCAP data, agency meetings with manufacturers, announcements on V2V implementation from vehicle industry, and the cost consideration, the agency established a safety application adoption trend of 0% for the first MY vehicles that have DSRC radios, 5%, 10%, 25%, 40%, 65%, 90%, and 100% for each following MY vehicles, respectively. The agency notes that the pattern is similar to those shown in the NCAP data; with slow initial rate spanning approximately two years and then increasing year over year at a rate that would reach full adoption in the eighth year of the implementation of the DSRC technology. Under this adoption scenario, IMA and LTA would not be deployed in the first year. In the second year, with the required 75 percent DSRC installation rate and the five percent safety application adoption among the DSRC-equipped vehicles, five percent of the total new vehicles (= 0.05 * 0.75) are expected to have the two safety applications. In the third year, 10 percent of the new vehicles (= 0.1 * 1.00) would have the apps, and so on and so forth. Overall, the benefits (and costs) of the proposed rule were estimated based on this specific technology adoption scenario, as shown in Table VII–27. However, in order to test the significant uncertainty in this assumption, we included adoption rate as one of the variables in our uncertainty analysis.

The agency, though, requests comment on these assumptions. Do commenters have more concrete data concerning the potential or likely adoption rate of these applications? Are there any other technologies that have been voluntarily introduced into the fleet that the agency should consider when projecting the potential adoption rate of IMA and LTA?

2. Injury and Property Damage Benefits

(a) Annual Injury and Property Damage Benefits

(1) Maximum Annual Benefits

The maximum annual benefits represent the crashes, fatalities, injuries, and property damage vehicles (PDOVs) that can be reduced annually after the full adoption of DSRC and safety related applications.364 Once fully deployed, the agency estimates the proposed rule would:

• Prevent 439,000 to 615,000 crashes annually
• equivalent to 13 to 18 percent of multiple light-vehicle crashes
• Save 987 to 1,366 lives
• Reduce 305,000 to 418,000 MAIS 1–5 injuries,365 and
• Eliminate 537,000 to 746,000 property damage only vehicles (PDOVs)

364 Would occur 43 years after the first implementation.

365 MAIS (Maximum Abbreviated Injury Scale) represents the maximum injury severity of an occupant at an Abbreviated Injury Scale (AIS) level. AIS ranks individual injuries by body region on a scale of 1 to 6: 1=minor, 2=moderate, 3=serious, 4=severe, 5=critical, and 6=maximum (untreatable).

(2) Annual Benefits

The annual benefits are summarized every five years from 2021 to 2060 in Table VII–30. As shown, the proposed rule would not yield benefits in Year 1 due to the zero percent safety application adoption rates for new vehicles in that year. However, the agency estimates that five years after a final rule is issued, Year 5 (2025), 10,094 to 13,763 annual vehicle crashes would potentially be prevented, saving 23 to 31 lives and preventing 6,946 to 9,197 MAIS 1–5 injuries. Moreover, the agency estimates this proposed rule has the potential to prevent 12,496 to 16,949 damaged vehicles.

As the fleet penetration increases, the proposed rule could prevent 107,120 to 147,615 crashes, save 244 to 332 lives, and reduce 73,983 to 99,254 MAIS 1–5 injuries by Year 10, a more than ten-fold increase from Year 5.

After 20 years, the agency estimates about 80 percent of the maximum benefits will be achievable. This yields an estimated 349,914 to 487,561 crashes prevented, 789 to 1,089 lives saved, and the reduction of 242,589 to 329,909 MAIS 1–5 injuries.

TABLE VII–30—SUMMARY OF ANNUAL BENEFITS OF THE PROPOSED RULE [Undiscounted]

Year  Calendar year  Crashes (low)  Crashes (high)  Fatalities (low)  Fatalities (high)  MAIS 1–5 injuries (low)  MAIS 1–5 injuries (high)  PDOVs (low)  PDOVs (high)
1  2021  0  0  0  0  0  0  0  0
5  2025  10,094  13,763  23  31  6,946  9,197  12,496  16,949
10  2030  107,120  147,615  244  332  73,983  99,254  131,946  180,693
15  2035  241,740  335,287  547  751  167,329  226,278  296,835  408,920
20  2040  349,914  487,561  789  1,087  242,589  329,909  428,697  593,093
25  2045  401,894  561,737  904  1,249  278,926  380,771  491,628  682,127
30  2050  424,901  594,569  955  1,321  295,009  403,284  519,483  721,535
35  2055  435,932  610,326  980  1,355  302,723  414,094  532,831  740,437
40  2060  439,138  615,028  987  1,365  304,986  417,366  536,657  745,996
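
The following is an added worked example, not part of the Federal Register notice: it applies the generic formula Bi = P * E * Ci to the fatality figures stated in the text (1,824 for IMA, 548 for LTA), the effectiveness ranges in Table VII–26 and the ‘‘Combined’’ communication rates in Table VII–28, then compares the result with the fatality columns of Table VII–30. It also recomputes the share of all new vehicles with the apps from the Table VII–24 rates. Summing one P * E * Ci term per application is an assumption of the example, and all function and variable names are hypothetical.

```python
"""Added example: re-deriving the fatality columns of Table VII-30 from
B_i = P * E * C_i. Not part of the Federal Register notice."""

# P: annual fatalities in the target population, from section (a) of the text.
FATALITIES = {"IMA": 1824, "LTA": 548}

# E: effectiveness as (low, high) fractions, from Table VII-26.
EFFECTIVENESS = {"IMA": (0.43, 0.56), "LTA": (0.37, 0.63)}

# C_i: "Combined" communication rates in percent, from Table VII-28,
# as calendar year -> (IMA, LTA).
COMM_RATE_PCT = {
    2021: (0.00, 0.00),
    2025: (2.58, 1.43),
    2030: (26.21, 18.77),
    2035: (57.52, 47.36),
    2040: (81.57, 73.74),
    2045: (92.37, 88.74),
    2050: (97.15, 95.38),
    2055: (99.43, 98.60),
    2060: (100.00, 99.82),
}

# Published fatalities prevented (low, high), from Table VII-30.
TABLE_VII_30_FATALITIES = {
    2021: (0, 0), 2025: (23, 31), 2030: (244, 332), 2035: (547, 751),
    2040: (789, 1087), 2045: (904, 1249), 2050: (955, 1321),
    2055: (980, 1355), 2060: (987, 1365),
}

# New-vehicle adoption for model years 2021-2028, from Table VII-24.
DSRC_PCT = [50, 75, 100, 100, 100, 100, 100, 100]
APPS_PCT_OF_DSRC = [0, 5, 10, 25, 40, 65, 90, 100]


def apps_share_of_new_vehicles():
    """Percent of all new vehicles with IMA/LTA: DSRC share x app share."""
    return [round(d * a / 100) for d, a in zip(DSRC_PCT, APPS_PCT_OF_DSRC)]


def fatalities_prevented(year):
    """Return (low, high) fatalities prevented in a calendar year.

    Assumption: the total is the sum of one P * E * C_i term per application.
    """
    rates = dict(zip(("IMA", "LTA"), COMM_RATE_PCT[year]))
    totals = []
    for bound in (0, 1):  # 0 = low effectiveness, 1 = high effectiveness
        totals.append(sum(
            FATALITIES[app] * EFFECTIVENESS[app][bound] * rates[app] / 100
            for app in ("IMA", "LTA")
        ))
    return tuple(totals)


def largest_gap_vs_table():
    """Largest absolute difference, in lives, from Table VII-30."""
    return max(
        abs(calc - published)
        for year, row in TABLE_VII_30_FATALITIES.items()
        for calc, published in zip(fatalities_prevented(year), row)
    )


if __name__ == "__main__":
    print("Apps share of new vehicles (%):", apps_share_of_new_vehicles())
    for year in COMM_RATE_PCT:
        low, high = fatalities_prevented(year)
        print(year, round(low, 1), round(high, 1), TABLE_VII_30_FATALITIES[year])
    print("Largest gap (lives):", round(largest_gap_vs_table(), 2))
```

The recomputed values land within about one life of the published fatality columns in every listed year; the notice does not give the unrounded inputs behind the remaining difference.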

(b) Lifetime Injury and Property Damage Benefits by Vehicle Model Year

The lifetime benefits for a MY vehicle (also MY Benefits), as described earlier, represent the total benefits that would be accrued through the life of a vehicle. The MY benefits represent the total benefits that would be accrued through the life of a vehicle. The lifetime benefits can occur at any time during the in-use life of a vehicle and are required to be discounted to reflect their present values (2014 dollars). The discounting procedures for future benefits and costs in regulatory analyses are based on the guidelines published in OMB Circular A–4 and OMB Circular A–94 Revised.

The agency’s analysis for determining lifetime benefits uses two approaches. One approach is a so-called ‘‘free rider’’ approach and the other is the ‘‘no free-rider’’ approach, where the primary difference is the treatment on the distribution of benefits from crashes involving different MY vehicles.

The ‘‘free-rider approach’’ is based on the notion that the lifetime benefits of a specific MY vehicle should correspond to the investment up to that specific MY of vehicles and that benefits should be credited to the later MY vehicles. For example, if benefits are from a crash that involved a MY 2021 vehicle and a MY 2030 vehicle, under this approach, all benefits would be credited to the MY 2030 vehicle. The MY 2021 vehicle would not receive any benefits because the benefits would not be realized until the investment on the MY 2030 vehicles is made. In contrast, the ‘‘no free-rider’’ approach is based on the notion that benefits should be shared among all vehicles since the future investment will continue because of the proposed rule. With the same case above, the no free-rider approach allows both MY 2021 and MY 2030 vehicles to share a portion of the benefits. Additional details on the methodology and derivation of benefits of these two approaches can be found in Chapter V of the PRIA prepared in support of this proposal.

(1) Injury and Property Damage Benefits by Model Year and Approach

Table VII–31 and Table VII–32 show the MY specific injury and property damage benefits (i.e., the lifetime benefits for a specific MY vehicle) for the ‘‘free rider approach’’ for the 3 and 7 percent discount, respectively. In parallel, Table VII–33 and Table VII–34 show the benefits for the ‘‘no free-rider’’ approach also at a 3 and 7 percent discount rate, respectively.

The analysis estimates the lifetime benefits only for MYs 2021 to 2050 vehicles. For 2050 MY vehicles, their lifetime benefits would be realized from year 2040 to year 2086. As described in the annual benefit section, the annual benefits would be stabilized at the maximum level around year 2062. Furthermore, after MY 2050, vehicle sales were assumed to be at the MY 2050 level. Therefore, the lifetime benefits for vehicles newer than MY 2050 would be stabilized at the MY 2050 level.

TABLE VII–31—MY BENEFITS FOR LIGHT VEHICLES FREE-RIDER APPROACH AT 3 PERCENT DISCOUNT

Year  Model year  Crashes prevented (low)  Crashes prevented (high)  Fatalities eliminated (low)  Fatalities eliminated (high)  MAIS 1–5 injuries (low)  MAIS 1–5 injuries (high)  PDOVs (low)  PDOVs (high)
1  2021  0  0  0  0  0  0  0  0
2  2022  271  369  1  1  187  246  336  455
3  2023  1,821  2,484  4  6  1,254  1,660  2,255  3,059
4  2024  8,138  11,116  19  25  5,604  7,436  10,066  13,675
5  2025  20,094  27,510  46  62  13,847  18,427  24,828  33,799
6  2026  45,766  62,828  104  142  31,567  42,151  56,477  77,072
7  2027  86,774  119,428  198  269  59,905  80,243  106,948  146,292
8  2028  125,283  172,790  285  389  86,552  116,237  154,257  211,408
9  2029  151,801  209,713  345  471  104,932  141,211  186,755  256,340
10  2030  175,685  243,053  398  545  121,501  163,794  215,991  296,855
11  2031  196,823  272,641  446  611  136,178  183,866  241,830  332,755
12  2032  215,458  298,792  488  669  149,129  201,633  264,580  364,439
13  2033  231,828  321,830  524  720  160,518  217,309  284,539  392,308
14  2034  247,041  343,282  558  767  171,108  231,922  303,068  418,229
15  2035  260,349  362,101  588  809  180,382  244,762  319,252  440,931
16  2036  271,907  378,496  614  845  188,445  255,966  333,289  460,676
17  2037  282,112  393,009  636  877  195,570  265,900  345,664  478,129
18  2038  290,458  404,930  655  903  201,406  274,078  355,763  492,430
19  2039  297,903  415,591  671  926  206,617  281,402  364,761  505,202
20  2040  305,087  425,875  687  948  211,645  288,466  373,446  517,525
21  2041  312,804  436,885  704  972  217,039  296,015  382,788  530,741
22  2042  305,604  427,030  688  950  212,077  289,414  373,891  518,632
23  2043  308,426  431,146  694  959  214,065  292,270  377,270  523,513
24  2044  310,949  434,815  699  967  215,841  294,812  380,294  527,871
25  2045  313,325  438,253  705  974  217,510  297,187  383,150  531,965
26  2046  315,443  441,309  709  981  218,996  299,295  385,700  535,611
27  2047  317,611  444,417  714  987  220,514  301,432  388,318  539,332
28  2048  319,665  447,353  719  994  221,951  303,447  390,802  542,853
29  2049  321,616  450,138  723  1,000  223,315  305,356  393,165  546,196
30  2050  323,726  453,138  728  1,006  224,788  307,409  395,724  549,803

TABLE VII–32—MY BENEFITS FOR LIGHT VEHICLES FREE-RIDER APPROACH AT 7 PERCENT DISCOUNT

Year  Model year  Crashes prevented (low)  Crashes prevented (high)  Fatalities eliminated (low)  Fatalities eliminated (high)  MAIS 1–5 injuries (low)  MAIS 1–5 injuries (high)  PDOVs (low)  PDOVs (high)
1  2021  0  0  0  0  0  0  0  0
2  2022  256  348  1  1  176  232  317  429
3  2023  1,703  2,322  4  5  1,172  1,552  2,109  2,860
4  2024  7,517  10,264  17  23  5,175  6,865  9,300  12,630
5  2025  18,321  25,071  42  57  12,623  16,789  22,643  30,811
6  2026  41,157  56,470  94  128  28,383  37,874  50,801  69,294
7  2027  77,149  106,128  176  239  53,251  71,286  95,110  130,038
8  2028  110,525  152,362  251  343  76,343  102,466  136,116  186,464
9  2029  133,399  184,211  303  414  92,198  124,008  164,150  225,223
10  2030  154,035  213,015  349  478  106,513  143,518  189,411  260,228
11  2031  172,397  238,716  391  535  119,263  160,954  211,857  291,412
12  2032  188,544  261,378  427  585  130,486  176,350  231,570  318,868
13  2033  202,920  281,609  459  630  140,486  190,116  249,097  343,341
14  2034  216,257  300,416  489  672  149,771  202,927  265,341  366,065
15  2035  227,911  316,898  515  708  157,892  214,173  279,513  385,947
16  2036  238,068  331,308  537  740  164,978  224,022  291,846  403,300
17  2037  247,120  344,183  558  768  171,299  232,835  302,824  418,783
18  2038  254,424  354,622  574  791  176,407  239,999  311,659  431,301
19  2039  260,956  363,981  588  811  180,980  246,431  319,551  442,510
20  2040  267,247  372,995  602  831  185,384  252,625  327,152  453,305
21  2041  273,843  382,418  617  851  189,997  259,091  335,132  464,608
22  2042  267,553  373,820  602  832  185,665  253,336  327,356  454,035
23  2043  270,054  377,472  608  839  187,427  255,872  330,347  458,363
24  2044  272,178  380,572  612  846  188,924  258,023  332,888  462,038
25  2045  274,288  383,630  617  853  190,407  260,137  335,424  465,677
26  2046  276,078  386,219  621  858  191,664  261,926  337,576  468,762
27  2047  278,074  389,079  625  864  193,061  263,891  339,986  472,186
28  2048  279,772  391,511  629  870  194,250  265,562  342,038  475,099
29  2049  281,380  393,809  633  875  195,374  267,140  343,983  477,855
30  2050  283,192  396,388  637  880  196,640  268,906  346,180  480,956

TABLE VII–33—MY BENEFITS FOR LIGHT VEHICLES NO FREE-RIDER APPROACH AT 3 PERCENT DISCOUNT

Year  Model year  Crash prevented (Low, High)  Fatalities eliminated (Low, High)  MAIS 1–5 injuries (Low, High)  PDOVs (Low, High)

1  2021  0  0  0  0  0  0  0  0
2  2022  4,006  5,506  9  12  2,764  3,697  4,941  6,750
3  2023  12,297  16,917  28  38  8,488  11,363  15,159  20,727
4  2024  34,161  47,041  78  106  23,588  31,616  42,093  57,606
5  2025  59,813  82,461  136  186  41,316  55,459  73,659  100,913
6  2026  104,216  143,863  237  323  72,020  96,827  128,262  175,926
7  2027  153,676  212,415  349  477  106,247  143,074  189,014  259,566
8  2028  180,917  250,375  410  562  125,133  168,761  222,387  305,740
9  2029  190,032  263,281  430  590  131,488  177,573  233,465  321,299
10  2030  199,389  276,526  451  619  138,010  186,614  244,840  337,269
11  2031  207,808  288,476  470  645  143,885  194,784  255,061  351,656
12  2032  215,391  299,268  487  669  149,181  202,173  264,254  364,628
13  2033  222,098  308,843  502  690  153,870  208,741  272,371  376,118
14  2034  228,851  318,485  517  711  158,591  215,353  280,546  387,688
15  2035  234,712  326,883  530  729  162,695  221,125  287,627  397,746
16  2036  239,796  334,194  541  745  166,258  226,159  293,758  406,483
17  2037  244,444  340,890  551  760  169,518  230,774  299,356  414,478
18  2038  248,150  346,265  559  771  172,124  234,492  303,807  420,872
19  2039  251,493  351,122  566  782  174,475  237,855  307,817  426,644
20  2040  254,958  356,134  574  792  176,909  241,317  311,982  432,615
21  2041  258,973  361,900  583  805  179,722  245,284  316,828  439,511
22  2042  251,474  351,552  566  782  174,540  238,321  307,596  426,854
23  2043  252,797  353,515  569  786  175,478  239,695  309,167  429,160
24  2044  254,138  355,482  572  790  176,425  241,064  310,767  431,486
25  2045  255,409  357,336  574  794  177,320  242,350  312,289  433,684
26  2046  256,606  359,072  577  798  178,162  243,551  313,725  435,749
27  2047  257,844  360,856  580  802  179,030  244,781  315,217  437,879
28  2048  258,876  362,342  582  805  179,754  245,805  316,460  439,653
29  2049  259,929  363,853  584  808  180,492  246,844  317,732  441,462
30  2050  261,241  365,723  587  812  181,408  248,125  319,322  443,708

TABLE VII–34—MY BENEFITS FOR LIGHT VEHICLES NO FREE-RIDER APPROACH AT 7 PERCENT DISCOUNT

Year  Model year  Crash prevented (Low, High)  Fatalities eliminated (Low, High)  MAIS 1–5 injuries (Low, High)  PDOVs (Low, High)

1  2021  0  0  0  0  0  0  0  0
2  2022  3,026  4,154  7  9  2,087  2,787  3,735  5,096
3  2023  9,423  12,946  21  29  6,501  8,689  11,624  15,874
4  2024  26,555  36,520  60  82  18,328  24,527  32,742  44,755
5  2025  46,855  64,517  107  145  32,352  43,361  57,736  79,010
6  2026  82,119  113,231  187  255  56,727  76,161  101,122  138,557
7  2027  121,940  168,381  277  378  84,277  113,350  150,052  205,873
8  2028  144,104  199,249  327  447  99,640  134,231  177,213  243,433
9  2029  152,069  210,514  345  472  105,191  141,918  186,899  257,022
10  2030  160,196  222,006  363  497  110,854  149,758  196,784  270,886
11  2031  167,621  232,533  379  521  116,033  156,950  205,804  283,568
12  2032  174,185  241,865  394  541  120,615  163,337  213,764  294,792
13  2033  180,128  250,340  407  559  124,769  169,145  220,962  304,969
14  2034  186,049  258,785  420  578  128,907  174,934  228,133  315,108
15  2035  191,219  266,186  432  594  132,525  180,018  234,382  323,976
16  2036  195,680  272,596  441  608  135,651  184,430  239,763  331,640
17  2037  199,807  278,538  450  621  138,545  188,523  244,737  338,737
18  2038  202,975  283,135  457  631  140,773  191,705  248,540  344,204
19  2039  205,888  287,369  464  640  142,823  194,636  252,034  349,234
20  2040  208,845  291,652  470  649  144,901  197,597  255,587  354,333
21  2041  212,188  296,460  478  660  147,244  200,908  259,617  360,079
22  2042  205,999  287,930  464  640  142,969  195,173  251,993  349,638
23  2043  207,175  289,675  466  644  143,803  196,394  253,389  351,688
24  2044  208,251  291,263  468  647  144,564  197,502  254,669  353,558
25  2045  209,421  292,967  471  651  145,388  198,684  256,071  355,582
26  2046  210,280  294,224  473  654  145,994  199,557  257,098  357,069
27  2047  211,429  295,876  475  657  146,799  200,694  258,483  359,043
28  2048  212,258  297,073  477  660  147,381  201,521  259,481  360,471
29  2049  213,224  298,458  479  663  148,057  202,472  260,648  362,129
30  2050  214,216  299,875  481  666  148,751  203,445  261,848  363,829

(2) Summary of Injury and Property Damage Benefits by Model Year

Under both approaches, the MY benefits were derived by dividing the annual benefits among all involved MY vehicles according to their survived volume and vehicle miles traveled. Afterwards, the annual benefits for that specific MY's vehicles were discounted by multiplying them by an appropriate discounting factor. Finally, we summed the annual discounted benefits of that MY's vehicles over their operational lifespan to derive the MY benefits. These benefits were discounted at a 3 percent and 7 percent discount rate to represent their present value. Table VII–35 and Table VII–36 present the discounted MY benefits from MY 2021 to MY 2050 vehicles for every five MYs. As shown, the first MY vehicles (i.e., MY 2021) would not accrue benefits due to the adoption scenario used in the PRIA. At a three percent discount rate, the 5th applicable MY vehicles (MY 2025) would prevent 20,094 to 82,481 crashes, save 46 to 186 lives, and reduce 13,847 to 55,459 MAIS 1–5 injuries. At this discount, the MY 2025 vehicles would also eliminate 24,828 to 100,913 PDOVs. The 30th MY vehicles (MY 2050) would prevent 261,241 to 453,138 crashes, save 587 to 1,006 lives, reduce 181,408 to 307,409 injuries, and eliminate up to 549,803 PDOVs.


At a seven percent discount rate, MY 2025 vehicles would prevent 18,321 to 65,517 crashes, save 42 to 145 lives, reduce 12,623 to 43,361 MAIS 1–5 injuries and eliminate 22,643 to 79,010 PDOVs. The MY 2050 vehicles would prevent 214,216 to 396,388 crashes, save 481 to 880 lives, reduce 148,741 to 268,906 MAIS 1–5 injuries, and eliminate up to 480,956 PDOVs.

TABLE VII–35—SUMMARY OF MY INJURY AND PROPERTY DAMAGE BENEFITS (AT 3% DISCOUNT)

Year  Model year  Crashes (Low, High)  Fatalities (Low, High)  MAIS 1–5 Injuries (Low, High)  PDOVs (Low, High)

1  2021  0  0  0  0  0  0  0  0
5  2025  20,094  82,461  46  186  13,847  55,459  24,828  100,913
10  2030  175,685  276,526  398  619  121,501  186,614  215,991  337,269
15  2035  234,712  362,101  530  809  162,695  244,762  287,627  440,931
20  2040  254,958  425,875  574  948  176,909  288,466  311,982  517,525
25  2045  255,409  438,253  574  974  177,320  297,187  312,289  531,965
30  2050  261,241  453,138  587  1,006  181,408  307,409  319,322  549,803

TABLE VII–36—SUMMARY OF MY INJURY AND PROPERTY DAMAGE BENEFITS (AT 7% DISCOUNT)

Year  Model year  Crashes (Low, High)  Fatalities (Low, High)  MAIS 1–5 Injuries (Low, High)  PDOVs (Low, High)

1  2021  0  0  0  0  0  0  0  0
5  2025  18,321  64,517  42  145  12,623  43,361  22,643  79,010
10  2030  154,035  222,006  349  497  106,513  149,758  189,411  270,886
15  2035  191,219  316,898  432  708  132,525  214,173  234,382  385,947
20  2040  208,845  372,995  470  831  144,901  252,625  255,587  453,305
25  2045  209,421  383,630  471  853  145,388  260,137  256,071  465,677
30  2050  214,216  396,388  481  880  148,751  268,906  261,848  480,956

Note that the range of benefits is due to the use of a range of effectiveness rates and the two MY benefit estimating approaches. The two benefit approaches, labeled as ‘‘free-rider’’ and ‘‘no free-rider’’ approaches, deployed a different treatment on the distribution of benefits from crashes involving different MY vehicles.

3. Monetized Benefits

The agency developed the monetized benefits by applying the comprehensive cost for a fatality to the total equivalent lives saved (i.e., fatal equivalents) in accordance with Department of Transportation 2015 guidance.366 The guidance requires the identified nonfatal MAIS injuries and PDOVs to be expressed in terms of fatalities. This is done by comparing the comprehensive cost of preventing nonfatal injuries to that of preventing a fatality. Comprehensive costs include economic costs and the value of quality life (QALYs). Economic costs reflect the tangible costs of reducing fatalities and injuries, which include savings from medical care, emergency services, insurance administration, workplace costs, legal costs, congestion and property damage, as well as lost productivity. The QALY captures the intangible value of lost quality-of-life that results from potential fatalities and injuries.

Table VII–37 shows the comprehensive values and the relative fatality ratios for MAIS injuries and PDOVs that were used to derive the fatal equivalents.367 As shown, the comprehensive cost of preventing a fatality is currently valued at $9.7 million. A MAIS 5 injury, for example, is 0.6136 fatal equivalents. Thus, monetized benefits can be derived by multiplying $9.7 million by the derived fatal equivalents.

Table VII–37 also shows the unit costs for congestion and property damage. These two costs are considered to be part of the comprehensive costs. The congestion and property damage costs are provided now for later use when calculating the net costs of the proposed rule. The net costs are defined as the total vehicle costs minus the savings from reducing property damage and crash related congestion.

TABLE VII–37—UNIT CONGESTION, PROPERTY DAMAGE, AND COMPREHENSIVE COST
[2014 $]

Injury category  Congestion  Property damage  Comprehensive cost  Relative fatality ratio

PDOVs  $2,280  $3,908  $6,591  $0.0007
MAIS 0  1,535  2,923  4,753  0.0005
MAIS 1  1,545  8,641  47,144  0.0049
MAIS 2  1,572  9,239  449,239  0.0463
MAIS 3  1,615  17,400  1,065,032  0.1097
MAIS 4  1,638  17,727  2,612,382  0.2690
MAIS 5  1,657  16,385  5,958,375  0.6136
Fatality  6,200  12,172  9,710,659  1.0000

366 ‘‘Guidance on the Treatment of the Economic Value of a Statistical Life (VSL) in U.S. Department of Transportation Analyses’’ February 28, 2013, https://www.transportation.gov/sites/dot.dev/files/docs/DOT%202013%20Signed%20VSL%20Memo.pdf (last accessed Dec 8, 2016).

367 Revise to 2014 $ from the unit costs published in this report, Blincoe, L. J., Miller, T. R., Zaloshnja, E., & Lawrence, B. A. (2015, May). The economic and societal impact of motor vehicle crashes, 2010. (Revised) (Report No. DOT HS 812 013). Washington, DC: National Highway Traffic Safety Administration.

(a) Monetized Annual Benefits

Table VII–38 provides the undiscounted annual fatal equivalents, monetized benefits, and property damage and congestion savings of the proposed rule from the year 2021 to 2060. As shown, by Year 5 the proposed rule is estimated to save 129 to 169 fatal equivalents totaling approximately $1.3 to $1.6 billion annually. Approximately 12 percent of the monetized savings, $176 to $237 million, are from the estimated reduction of property damage and congestion. By the year 2060, with V2V fully deployed, the proposed rule is estimated to save approximately 5,631 to 7,613 fatal equivalents annually. Finally, the total associated monetized annual savings would range from $54.7 to $73.9 billion. Of these savings, $7.7 to $10.6 billion is estimated to be property damage and congestion savings.

(b) Maximum Monetized Annual Benefit

The proposed rule would save a maximum of $54.7 to $74.0 billion annually after the full adoption of DSRC radios and the two safety apps. Of these amounts, $7.7 to $10.6 billion are the potential savings from reducing crash related congestion and vehicle property damage.

TABLE VII–38—ANNUAL MONETIZED BENEFITS
[Undiscounted, 2014 $ in millions]

Year  Calendar year  Fatal equivalents (Low, High)  Total monetized benefits (Low, High)  Property damage and congestion (Low, High)

1  2021  0.00  0.00  $0.00  $0.00  $0.00  $0.00
2  2022  1.98  2.57  19.18  24.99  2.69  3.60
3  2023  12.98  16.97  126.05  164.75  17.67  23.75
4  2024  50.94  66.58  494.62  646.51  69.35  93.20
5  2025  129.38  169.32  1,256.34  1,644.21  176.14  237.00
6  2026  273.40  358.63  2,654.86  3,482.52  372.24  501.88
7  2027  492.69  648.24  4,784.30  6,294.87  670.88  906.96
8  2028  760.14  1,003.08  7,381.47  9,740.54  1,035.15  1,403.08
9  2029  1,055.03  1,395.74  10,245.07  13,553.52  1,436.84  1,951.93
10  2030  1,373.29  1,820.47  13,335.53  17,677.94  1,870.39  2,545.51
11  2031  1,708.97  2,269.74  16,595.21  22,040.63  2,327.71  3,173.24
12  2032  2,055.46  2,734.45  19,959.89  26,553.31  2,799.80  3,822.44
13  2033  2,406.57  3,206.42  23,369.32  31,136.42  3,278.19  4,481.66
14  2034  2,756.78  3,678.26  26,770.14  35,718.29  3,755.42  5,140.59
15  2035  3,099.49  4,141.07  30,098.04  40,212.46  4,222.44  5,786.78
16  2036  3,427.08  4,584.47  33,279.20  44,518.16  4,668.90  6,405.77
17  2037  3,734.36  5,001.37  36,263.04  48,566.54  5,087.70  6,987.66
18  2038  4,016.39  5,384.96  39,001.73  52,291.53  5,472.13  7,522.96
19  2039  4,267.25  5,727.35  41,437.81  55,616.35  5,814.11  8,000.63
20  2040  4,486.82  6,028.11  43,569.99  58,536.92  6,113.46  8,420.10
21  2041  4,674.40  6,286.06  45,391.52  61,041.76  6,369.24  8,779.76
22  2042  4,829.59  6,500.30  46,898.45  63,122.18  6,580.86  9,078.39
23  2043  4,958.71  6,679.27  48,152.35  64,860.05  6,756.97  9,327.77
24  2044  5,065.75  6,827.92  49,191.70  66,303.56  6,902.96  9,534.88
25  2045  5,153.64  6,950.12  50,045.25  67,490.21  7,022.85  9,705.13
26  2046  5,228.04  7,053.49  50,767.72  68,493.96  7,124.33  9,849.14
27  2047  5,293.45  7,144.11  51,402.88  69,373.99  7,213.54  9,975.43
28  2048  5,351.13  7,223.76  51,963.02  70,147.39  7,292.20  10,086.44
29  2049  5,402.91  7,295.12  52,465.83  70,840.43  7,362.81  10,185.94
30  2050  5,448.79  7,358.22  52,911.30  71,453.12  7,425.36  10,273.91
31  2051  5,486.64  7,410.41  53,278.83  71,959.96  7,476.97  10,346.67
32  2052  5,519.98  7,456.51  53,602.60  72,407.63  7,522.44  10,410.92
33  2053  5,547.41  7,494.52  53,868.95  72,776.73  7,559.85  10,463.88
34  2054  5,570.75  7,526.96  54,095.66  73,091.76  7,591.69  10,509.08
35  2055  5,590.30  7,554.13  54,285.50  73,355.51  7,618.36  10,546.93
36  2056  5,606.76  7,577.01  54,445.28  73,577.69  7,640.80  10,578.80
37  2057  5,618.70  7,593.79  54,561.30  73,740.69  7,657.10  10,602.17
38  2058  5,625.16  7,603.20  54,623.95  73,832.03  7,665.92  10,615.22
39  2059  5,629.36  7,609.56  54,664.73  73,893.77  7,671.66  10,624.03
40  2060  5,631.45  7,612.92  54,685.04  73,926.44  7,674.53  10,628.67


(c) Monetized Benefits by Vehicle Model Year

The range of the monetized benefits by vehicle model year (i.e., the lifetime benefits of a MY's vehicles) represents the estimates from both the ‘‘free-rider’’ and ‘‘no free-rider’’ approaches. The lower bound of the range represents the low estimate from the ‘‘free-rider’’ approach and the upper bound represents the high estimate of the ‘‘no free-rider’’ approach. For each approach, the low and high estimates correspond to the low and high app effectiveness, respectively. Table VII–39 and Table VII–40 show the monetized MY benefits at a 3 percent and 7 percent discount rate, respectively.

As shown, at a three percent discount rate, MY 2022 vehicles would save 3 to 68 fatal equivalents and $33.8 to $659.0 million over their lifespan. MY 2050 vehicles would save a total of 3,350 to 5,608 fatal equivalents and $32.5 to $54.5 billion. The property damage and congestion savings would range from $4.7 to $94.9 million for MY 2022 vehicles and $4.6 to $7.8 billion for 2050 MY vehicles.

At a seven percent discount rate, the MY 2022 vehicles would save 3 to 51 fatal equivalents and $31.8 to $497.0 million over their lifespan. MY 2050 vehicles would save a total of 2,747 to 4,906 fatal equivalents and $26.7 to $47.6 billion. Of these monetized savings, the property damage and congestion savings are estimated to be $4.5 to $71.6 million for MY 2022 vehicles and $3.7 to $6.8 billion for 2050 MY vehicles.

TABLE VII–39—MONETIZED MY BENEFITS AT 3 PERCENT DISCOUNT
[2014 $ in millions]

Year  Model year  Fatal equivalents (Low, High)  Total monetized benefits (Low, High)  Property damage and congestion (Low, High)

1  2021  0.00  0.00  $0.00  $0.00  $0.00  $0.00
2  2022  3.48  67.86  33.79  658.99  4.74  94.91
3  2023  23.35  208.55  226.72  2,025.12  31.79  291.65
4  2024  104.31  580.04  1,012.92  5,632.53  142.02  811.11
5  2025  257.57  1,017.05  2,501.20  9,876.22  350.72  1,422.05
6  2026  586.69  1,774.90  5,697.12  17,235.41  798.94  2,481.38
7  2027  1,112.42  2,621.45  10,802.30  25,455.98  1,515.02  3,664.44
8  2028  1,606.16  3,090.78  15,596.91  30,013.55  2,187.63  4,320.00
9  2029  1,946.18  3,250.93  18,898.69  31,568.66  2,650.90  4,543.36
10  2030  2,252.45  3,415.26  21,872.79  33,164.45  3,068.24  4,772.57
11  2031  2,523.52  3,563.63  24,505.02  34,605.22  3,437.64  4,979.46
12  2032  2,761.74  3,697.69  26,818.31  35,906.98  3,762.58  5,166.34
13  2033  2,847.78  3,975.69  27,653.77  38,606.57  3,879.91  5,555.21
14  2034  2,934.41  4,241.63  28,495.06  41,189.00  3,998.06  5,926.26
15  2035  3,009.61  4,475.08  29,225.26  43,456.01  4,100.63  6,251.90
16  2036  3,074.84  4,678.59  29,858.67  45,432.21  4,189.61  6,535.69
17  2037  3,134.46  4,858.86  30,437.71  47,182.69  4,270.96  6,787.01
18  2038  3,182.03  5,007.07  30,899.56  48,621.96  4,335.86  6,993.56
19  2039  3,224.93  5,139.68  31,316.16  49,909.68  4,394.41  7,178.33
20  2040  3,269.38  5,267.60  31,747.87  51,151.88  4,455.07  7,356.56
21  2041  3,320.90  5,404.46  32,248.10  52,480.81  4,525.34  7,547.30
22  2042  3,224.76  5,283.11  31,314.49  51,302.48  4,394.39  7,377.52
23  2043  3,241.75  5,334.51  31,479.52  51,801.61  4,417.60  7,449.02
24  2044  3,258.96  5,380.31  31,646.62  52,246.36  4,441.10  7,512.74
25  2045  3,275.27  5,423.17  31,805.05  52,662.57  4,463.36  7,572.40
26  2046  3,290.63  5,461.25  31,954.16  53,032.36  4,484.32  7,625.42
27  2047  3,306.52  5,499.93  32,108.44  53,407.94  4,505.99  7,679.31
28  2048  3,319.75  5,536.44  32,236.99  53,762.45  4,524.05  7,730.18
29  2049  3,333.27  5,571.05  32,368.22  54,098.58  4,542.49  7,778.42
30  2050  3,350.10  5,608.31  32,531.65  54,460.39  4,565.44  7,830.37

TABLE VII–40—MONETIZED MY BENEFITS AT 7 PERCENT DISCOUNT
[2014 $ in millions]

Year  Model year  Fatal equivalents (Low, High)  Total monetized benefits (Low, High)  Property damage and congestion (Low, High)

1  2021  0.00  0.00  $0.00  $0.00  $0.00  $0.00
2  2022  3.28  51.18  31.80  497.03  4.46  71.59
3  2023  21.83  159.55  212.00  1,549.29  29.72  223.15
4  2024  96.35  450.18  935.65  4,371.50  131.19  629.59
5  2025  234.85  795.52  2,280.53  7,725.00  319.78  1,112.43
6  2026  527.59  1,396.62  5,123.26  13,562.13  718.45  1,952.75
7  2027  989.03  2,077.54  9,604.09  20,174.30  1,346.94  2,904.40
8  2028  1,416.94  2,459.15  13,759.41  23,879.93  1,929.87  3,437.45
9  2029  1,710.25  2,598.90  16,607.61  25,236.98  2,329.50  3,632.38
10  2030  1,974.86  2,741.45  19,177.23  26,621.24  2,690.07  3,831.23
11  2031  2,149.18  2,947.24  20,869.91  28,619.59  2,927.85  4,119.15
12  2032  2,233.37  3,227.88  21,687.48  31,344.84  3,042.66  4,510.89
13  2033  2,309.61  3,478.57  22,427.83  33,779.21  3,146.63  4,860.73
14  2034  2,385.57  3,711.72  23,165.40  36,043.23  3,250.21  5,186.03
15  2035  2,451.89  3,916.19  23,809.50  38,028.75  3,340.68  5,471.24
16  2036  2,509.12  4,095.07  24,365.23  39,765.77  3,418.75  5,720.68
17  2037  2,562.08  4,254.99  24,879.46  41,318.79  3,490.99  5,943.64
18  2038  2,602.73  4,384.79  25,274.25  42,579.22  3,546.47  6,124.52
19  2039  2,640.12  4,501.23  25,637.28  43,709.92  3,597.49  6,286.75
20  2040  2,678.06  4,613.37  26,005.75  44,798.85  3,649.27  6,442.98
21  2041  2,720.95  4,730.53  26,422.20  45,936.55  3,707.77  6,606.25
22  2042  2,641.60  4,624.69  25,651.68  44,908.74  3,599.70  6,458.14
23  2043  2,656.70  4,670.32  25,798.30  45,351.86  3,620.32  6,521.61
24  2044  2,670.51  4,709.04  25,932.43  45,727.85  3,639.18  6,575.46
25  2045  2,685.53  4,747.17  26,078.29  46,098.16  3,659.68  6,628.54
26  2046  2,696.56  4,779.45  26,185.33  46,411.61  3,674.73  6,673.47
27  2047  2,711.29  4,815.03  26,328.44  46,757.14  3,694.84  6,723.04
28  2048  2,721.94  4,845.29  26,431.78  47,050.95  3,709.36  6,765.20
29  2049  2,734.33  4,873.87  26,552.13  47,328.48  3,726.26  6,805.02
30  2050  2,747.06  4,905.91  26,675.71  47,639.58  3,743.62  6,849.69

The agency seeks comment on all aspects of the monetized benefits developed for this proposal, more specifically, the assumptions used for the benefits calculations, which are the basis of the estimates. Please provide any supporting data for the comments. If necessary, the agency has processes and procedures for submitting confidential business information.

4. Non-Quantified Benefits

As discussed above, the agency has only quantified potential benefits of this rule derived from the assumed adoption of IMA and LTA. Although this assumption allows the agency to provide a reasonable quantification of the potential benefits of this rulemaking, it does not account for many other potential benefits of V2V. The non-quantified benefits of the proposed rule can come from several sources: (1) The effects of enhancing vehicle-resident safety systems, (2) the incremental benefits over the current vehicle-resident safety systems, (3) the potential impact of the next generation V2V apps that would actively assist drivers to avoid crashes rather than simply issuing warnings, (4) the impact of enabling wide range deployment of V2P and V2I apps, and (5) the effects of adding V2V sensor input to other sensors utilized for automation. The agency does not quantify the potential impacts of these sources primarily due to lack of data (e.g., effectiveness of the apps, incremental effective rate of the V2V apps over the vehicle-resident systems, etc.) that can be used to discern these benefits.

(a) The Effect for Enhancing Vehicle-Resident Safety Systems

For vehicles equipped with current on-board sensors, V2V can offer a fundamentally different, but complementary, source of information that can significantly enhance the reliability and accuracy of the information available. Instead of relying on each vehicle to sense its surroundings on its own, V2V enables surrounding vehicles to help each other by reporting safety information to each other. V2V communication can also detect threat vehicles that are not in the sensors’ field of view, and can use a V2V signal to validate a return from a vehicle-based sensor. This added capability can potentially lead to improved warning timing and a reduction in the number of false warnings, thereby adding confidence to the overall safety system, and increasing consumer satisfaction and acceptance. The vehicle-resident FCW, LCM/BSW systems can be improved by BSMs. However, the agency could not quantify the benefit due to the lack of a measurement of how BSM can improve the vehicle-resident systems.

(b) Incremental Benefits of the V2V Apps

Due to the sensing advantage of the V2V apps, the agency believes that these apps also have some incremental benefits over the vehicle-resident version of the systems. For example, V2V-based FCW and LCM might perform better than the vehicle-resident systems. However, benefits from these apps could accrue if they add a marginal effectiveness to the existing in-vehicle systems, or if they enable the installation of these apps in vehicles that do not voluntarily have these systems. This latter effect would occur due to the significant marginal cost reduction for these apps that would result from V2V. However, we do not have sufficient data to determine the marginal effectiveness of V2V for these apps and the added installation rates. Therefore, we did not quantify this type of benefits.

(c) Potential Impact of Next Generation V2V Apps

The agency believes that the V2V apps will evolve as did the vehicle-resident systems. The next generation V2V apps, we envision, can also actively assist drivers to avoid crashes as did the vehicle-resident crash avoidance systems (such as advance brake assist). Furthermore, the new apps might be applicable to motorcycle crashes. V2V could increase the adoption of these apps to lower incremental cost.

(d) The Impact of Enabling V2P and V2I Apps

The V2V also is the foundation for the deployment of V2P and V2I apps. For V2P, pedestrians can carry devices (such as mobile phones) with a V2V chip that can send out a safety signal to V2V devices in the vehicles and vice versa. Both the driver and the pedestrian could be warned if a possible conflict arises. Specifically, V2P can protect pedestrians in crosswalks and improve mobility. However, there are many issues to be resolved concerning V2P apps. The agency is developing a research plan that will investigate issues relating to V2P communication, safety applications, and human factors, among other things.

The same communications technology that supports V2V apps could also enable a broader set of safety and mobility applications when combined with compatible roadway infrastructure. The potential V2I apps that have been identified include: Red Light Violation Warning, Curve Speed Warning, Stop Sign Gap Assist, Reduced Speed Zone Warning, Spot Weather Information Warning, Stop Sign Violation Warning, Railroad Crossing Violation Warning, and Oversize Vehicle Warning.368 These V2I apps can mitigate congestion and facilitate green transportation choices, thus reducing the energy consumption and environmental impacts.

(e) The Effects of Paving the Way for Automation

We believe that V2X technology may be necessary to realize the full potential of vehicle automation (e.g., self-driving vehicles), as such communication would provide a vehicle with the highest level of awareness of its surroundings, which is likely necessary in situations where the driver cedes all control of safety-critical functions and relies on the vehicle to monitor roadway and driving conditions.

E. Breakeven Analysis

The agency conducted a breakeven analysis of the proposed rule’s estimated costs and benefits. The analysis is used to determine when the cumulative estimated benefits will recoup the investment made up to that year. In essence, this analysis determines the year that the total investment of the proposed rule will be paid back through the total realized benefits of the proposed rule. The total investment of the proposed rule for a year is the cumulative annual costs from the first year of implementation up to that year. Similarly, the total realized benefits would be the cumulative monetized annual benefits from the first year of implementation up to that year. All annual costs and monetized benefits used in this analysis are discounted back to 2021, the projected first year of implementation of the proposed rule. In determining the potential breakeven point, the agency needed to develop the undiscounted annual net benefits yielding the values shown in Table VII–41. As shown, undiscounted, the proposed rule would accrue a positive annual benefit around 2026 and 2027.

TABLE VII–41—ANNUAL NET BENEFITS
[Undiscounted, 2014$ in millions]

Year  Calendar year  Total monetized benefits (Low, High)  Annual costs (Low, High)  Annual net benefits (Low, High)

1  2021  $0  $0  $2,192  $2,864  −$2,864  −$2,192
2  2022  19  25  3,011  3,926  −3,907  −2,986
3  2023  126  165  3,832  4,946  −4,820  −3,668
4  2024  495  647  3,741  4,981  −4,486  −3,095
5  2025  1,256  1,644  3,701  4,803  −3,547  −2,057
6  2026  2,655  3,483  3,655  4,735  −2,080  −173
7  2027  4,784  6,295  3,640  4,705  79  2,655
8  2028  7,381  9,741  3,634  4,690  2,692  6,106
9  2029  10,245  13,554  3,622  4,668  5,577  9,931
10  2030  13,336  17,678  3,649  4,692  8,643  14,029
11  2031  16,595  22,041  3,659  4,699  11,896  18,381
12  2032  19,960  26,553  3,662  4,699  15,261  22,891
13  2033  23,369  31,136  3,665  4,699  18,670  27,471
14  2034  26,770  35,718  3,682  4,719  22,051  32,036
15  2035  30,098  40,212  3,717  4,757  25,341  36,495
16  2036  33,279  44,518  3,713  4,731  28,548  40,805
17  2037  36,263  48,567  3,734  4,726  31,537  44,833
18  2038  39,002  52,292  3,749  4,736  34,266  48,543
19  2039  41,438  55,616  3,769  4,858  36,580  51,847
20  2040  43,570  58,537  3,831  4,844  38,726  54,706
21  2041  45,392  61,042  3,856  4,872  40,519  57,186
22  2042  46,898  63,122  3,737  4,715  42,183  59,385
23  2043  48,152  64,860  3,744  4,719  43,434  61,116
24  2044  49,192  66,304  3,752  4,723  44,469  62,552
25  2045  50,045  67,490  3,796  4,764  45,281  63,695
26  2046  50,768  68,494  3,770  4,736  46,032  64,724
27  2047  51,403  69,374  3,780  4,745  46,658  65,594
28  2048  51,963  70,147  3,789  4,752  47,211  66,359
29  2049  52,466  70,840  3,797  4,759  47,707  67,043
30  2050  52,911  71,453  3,858  4,818  48,093  67,595
31  2051  53,279  71,960  3,822  4,761  48,518  68,138
32  2052  53,603  72,408  3,813  4,732  48,870  68,594
33  2053  53,869  72,777  3,805  4,719  49,150  68,972
34  2054  54,096  73,092  3,797  4,810  49,285  69,295
35  2055  54,285  73,356  3,832  4,766  49,520  69,523
36  2056  54,445  73,578  3,782  4,711  49,734  69,795
37  2057  54,561  73,741  3,775  4,700  49,862  69,966
38  2058  54,624  73,832  3,768  4,688  49,936  70,064
39  2059  54,665  73,894  3,761  4,677  49,987  70,133
40  2060  54,685  73,926  3,804  4,717  49,968  70,122

368 The Connected Vehicle Core System Architecture, See www.its.dot.gov/research/systems_engineering.htm (last accessed Jan. 9, 2014).


Table VII–42 and Table VII–43 show the discounted cumulative annual benefits, cumulative annual costs, cumulative annual net benefits, and breakeven year at a 3 and 7 percent rate, respectively. As shown, the proposed rule would be expected to break even between 2029 and 2031 for a 3 percent discount rate and 2030 to 2032 for a 7 percent discount rate.

TABLE VII–42—BREAKEVEN ANALYSIS [at 3 Percent, 2014 $ in millions]

| Year | Calendar year | Cumulative monetized benefits, Low | Cumulative monetized benefits, High | Total cumulative annual costs, Low | Total cumulative annual costs, High | Cumulative net benefits, Low | Cumulative net benefits, High | Breakeven year, Low | Breakeven year, High |
|---|---|---|---|---|---|---|---|---|---|
| 1 | 2021 | $0 | $0 | $2,160 | $2,822 | -$2,822 | -$2,160 | (*) | (*) |
| 2 | 2022 | 18 | 24 | 5,040 | 6,578 | -6,559 | -5,016 | (*) | (*) |
| 3 | 2023 | 135 | 177 | 8,600 | 11,172 | -11,036 | -8,423 | (*) | (*) |
| 4 | 2024 | 581 | 760 | 11,973 | 15,663 | -15,081 | -11,213 | (*) | (*) |
| 5 | 2025 | 1,681 | 2,199 | 15,213 | 19,868 | -18,186 | -13,014 | (*) | (*) |
| 6 | 2026 | 3,938 | 5,160 | 18,320 | 23,892 | -19,954 | -13,161 | (*) | (*) |
| 7 | 2027 | 7,886 | 10,354 | 21,324 | 27,775 | -19,889 | -10,970 | (*) | (*) |
| 8 | 2028 | 13,800 | 18,158 | 24,236 | 31,533 | -17,732 | -6,078 | (*) | (*) |
| 9 | 2029 | 21,769 | 28,700 | 27,053 | 35,164 | -13,395 | 1,647 | (*) | 2029 |
| 10 | 2030 | 31,840 | 42,050 | 29,809 | 38,707 | -6,867 | 12,241 | (*) | 2030 |
| 11 | 2031 | 44,007 | 58,211 | 32,492 | 42,152 | 1,855 | 25,719 | 2031 | 2031 |
| 12 | 2032 | 58,215 | 77,111 | 35,099 | 45,497 | 12,718 | 42,013 | 2032 | 2032 |
| 13 | 2033 | 74,365 | 98,630 | 37,632 | 48,744 | 25,621 | 60,998 | 2033 | 2033 |
| 14 | 2034 | 92,328 | 122,597 | 40,102 | 51,911 | 40,417 | 82,494 | 2034 | 2034 |
| 15 | 2035 | 111,934 | 148,791 | 42,524 | 55,009 | 56,925 | 106,267 | 2035 | 2035 |
| 16 | 2036 | 132,980 | 176,944 | 44,872 | 58,001 | 74,979 | 132,072 | 2036 | 2036 |
| 17 | 2037 | 155,245 | 206,764 | 47,165 | 60,903 | 94,342 | 159,599 | 2037 | 2037 |
| 18 | 2038 | 178,494 | 237,935 | 49,400 | 63,726 | 114,768 | 188,536 | 2038 | 2038 |
| 19 | 2039 | 202,478 | 270,126 | 51,581 | 66,537 | 135,941 | 218,545 | 2039 | 2039 |
| 20 | 2040 | 226,960 | 303,018 | 53,734 | 69,259 | 157,701 | 249,284 | 2040 | 2040 |
| 21 | 2041 | 251,726 | 336,322 | 55,837 | 71,918 | 179,808 | 280,485 | 2041 | 2041 |
| 22 | 2042 | 276,568 | 369,758 | 57,817 | 74,415 | 202,153 | 311,941 | 2042 | 2042 |
| 23 | 2043 | 301,328 | 403,109 | 59,742 | 76,841 | 224,486 | 343,367 | 2043 | 2043 |
| 24 | 2044 | 325,889 | 436,214 | 61,616 | 79,200 | 246,690 | 374,599 | 2044 | 2044 |
| 25 | 2045 | 350,146 | 468,927 | 63,455 | 81,509 | 268,637 | 405,472 | 2045 | 2045 |
| 26 | 2046 | 374,038 | 501,160 | 65,229 | 83,738 | 290,300 | 435,931 | 2046 | 2046 |
| 27 | 2047 | 397,524 | 532,857 | 66,956 | 85,906 | 311,618 | 465,901 | 2047 | 2047 |
| 28 | 2048 | 420,574 | 563,975 | 68,637 | 88,014 | 332,561 | 495,337 | 2048 | 2048 |
| 29 | 2049 | 443,171 | 594,486 | 70,273 | 90,063 | 353,108 | 524,213 | 2049 | 2049 |
| 30 | 2050 | 465,294 | 624,360 | 71,886 | 92,078 | 373,216 | 552,474 | 2050 | 2050 |
| 31 | 2051 | 486,919 | 653,569 | 73,437 | 94,010 | 392,909 | 580,132 | 2051 | 2051 |
| 32 | 2052 | 508,044 | 682,104 | 74,940 | 95,875 | 412,169 | 607,165 | 2052 | 2052 |
| 33 | 2053 | 528,654 | 709,949 | 76,396 | 97,681 | 430,974 | 633,553 | 2053 | 2053 |
| 34 | 2054 | 548,751 | 737,102 | 77,806 | 99,468 | 449,283 | 659,296 | 2054 | 2054 |
| 35 | 2055 | 568,332 | 763,562 | 79,189 | 101,187 | 467,145 | 684,373 | 2055 | 2055 |
| 36 | 2056 | 587,399 | 789,329 | 80,513 | 102,837 | 484,562 | 708,816 | 2056 | 2056 |
| 37 | 2057 | 605,949 | 814,401 | 81,797 | 104,435 | 501,515 | 732,604 | 2057 | 2057 |
| 38 | 2058 | 623,981 | 838,772 | 83,040 | 105,982 | 517,999 | 755,732 | 2058 | 2058 |
| 39 | 2059 | 641,501 | 862,455 | 84,246 | 107,481 | 534,020 | 778,210 | 2059 | 2059 |
| 40 | 2060 | 658,513 | 885,454 | 85,429 | 108,949 | 549,565 | 800,025 | 2060 | 2060 |

* Not breakeven.

TABLE VII–43—BREAKEVEN ANALYSIS [at 7 Percent, 2014 $ in Millions]

| Year | Calendar year | Cumulative monetized benefits, Low | Cumulative monetized benefits, High | Total cumulative annual costs, Low | Total cumulative annual costs, High | Cumulative net benefits, Low | Cumulative net benefits, High | Breakeven year, Low | Breakeven year, High |
|---|---|---|---|---|---|---|---|---|---|
| 1 | 2021 | $0 | $0 | $2,119 | $2,768 | -$2,768 | -$2,119 | (*) | (*) |
| 2 | 2022 | 17 | 23 | 4,840 | 6,316 | -6,299 | -4,817 | (*) | (*) |
| 3 | 2023 | 124 | 162 | 8,076 | 10,492 | -10,369 | -7,914 | (*) | (*) |
| 4 | 2024 | 514 | 672 | 11,028 | 14,423 | -13,909 | -10,356 | (*) | (*) |
| 5 | 2025 | 1,441 | 1,884 | 13,757 | 17,965 | -16,524 | -11,873 | (*) | (*) |
| 6 | 2026 | 3,271 | 4,285 | 16,277 | 21,228 | -17,958 | -11,992 | (*) | (*) |
| 7 | 2027 | 6,353 | 8,340 | 18,622 | 24,260 | -17,907 | -10,282 | (*) | (*) |
| 8 | 2028 | 10,796 | 14,204 | 20,810 | 27,083 | -16,287 | -6,606 | (*) | (*) |
| 9 | 2029 | 16,560 | 21,829 | 22,847 | 29,709 | -13,149 | -1,018 | (*) | (*) |
| 10 | 2030 | 23,572 | 31,124 | 24,766 | 32,176 | -8,604 | 6,358 | (*) | 2030 |
| 11 | 2031 | 31,727 | 41,955 | 26,564 | 34,485 | -2,759 | 15,391 | (*) | 2031 |
| 12 | 2032 | 40,894 | 54,151 | 28,246 | 36,643 | 4,251 | 25,905 | 2032 | 2032 |
| 13 | 2033 | 50,925 | 67,515 | 29,819 | 38,660 | 12,264 | 37,695 | 2033 | 2033 |
| 14 | 2034 | 61,665 | 81,845 | 31,297 | 40,554 | 21,111 | 50,548 | 2034 | 2034 |
| 15 | 2035 | 72,949 | 96,920 | 32,690 | 42,337 | 30,612 | 64,230 | 2035 | 2035 |
| 16 | 2036 | 84,610 | 112,520 | 33,991 | 43,995 | 40,615 | 78,528 | 2036 | 2036 |
| 17 | 2037 | 96,486 | 128,425 | 35,214 | 45,542 | 50,943 | 93,211 | 2037 | 2037 |
| 18 | 2038 | 108,420 | 144,426 | 36,361 | 46,992 | 61,429 | 108,065 | 2038 | 2038 |
| 19 | 2039 | 120,271 | 160,333 | 37,439 | 48,381 | 71,891 | 122,893 | 2039 | 2039 |
| 20 | 2040 | 131,918 | 175,980 | 38,463 | 49,676 | 82,242 | 137,516 | 2040 | 2040 |
| 21 | 2041 | 143,257 | 191,228 | 39,427 | 50,893 | 92,364 | 151,801 | 2041 | 2041 |
| 22 | 2042 | 154,207 | 205,967 | 40,299 | 51,994 | 102,214 | 165,668 | 2042 | 2042 |
| 23 | 2043 | 164,714 | 220,119 | 41,116 | 53,023 | 111,691 | 179,003 | 2043 | 2043 |
| 24 | 2044 | 174,744 | 233,639 | 41,881 | 53,986 | 120,758 | 191,757 | 2044 | 2044 |
| 25 | 2045 | 184,283 | 246,502 | 42,605 | 54,894 | 129,388 | 203,898 | 2045 | 2045 |
| 26 | 2046 | 193,325 | 258,701 | 43,276 | 55,738 | 137,587 | 215,425 | 2046 | 2046 |
| 27 | 2047 | 201,883 | 270,252 | 43,905 | 56,528 | 145,355 | 226,346 | 2047 | 2047 |
| 28 | 2048 | 209,969 | 281,167 | 44,495 | 57,267 | 152,701 | 236,672 | 2048 | 2048 |
| 29 | 2049 | 217,597 | 291,467 | 45,047 | 57,959 | 159,638 | 246,420 | 2049 | 2049 |
| 30 | 2050 | 224,788 | 301,177 | 45,571 | 58,614 | 166,174 | 255,606 | 2050 | 2050 |
| 31 | 2051 | 231,554 | 310,316 | 46,057 | 59,219 | 172,336 | 264,260 | 2051 | 2051 |
| 32 | 2052 | 237,917 | 318,911 | 46,509 | 59,780 | 178,136 | 272,402 | 2052 | 2052 |
| 33 | 2053 | 243,891 | 326,982 | 46,931 | 60,304 | 183,587 | 280,051 | 2053 | 2053 |
| 34 | 2054 | 249,501 | 334,562 | 47,325 | 60,803 | 188,698 | 287,236 | 2054 | 2054 |
| 35 | 2055 | 254,761 | 341,670 | 47,697 | 61,264 | 193,497 | 293,973 | 2055 | 2055 |
| 36 | 2056 | 259,688 | 348,329 | 48,039 | 61,691 | 197,997 | 300,290 | 2056 | 2056 |
| 37 | 2057 | 264,304 | 354,567 | 48,358 | 62,088 | 202,216 | 306,209 | 2057 | 2057 |
| 38 | 2058 | 268,625 | 360,407 | 48,656 | 62,459 | 206,166 | 311,751 | 2058 | 2058 |
| 39 | 2059 | 272,665 | 365,868 | 48,934 | 62,805 | 209,860 | 316,934 | 2059 | 2059 |
| 40 | 2060 | 276,443 | 370,976 | 49,197 | 63,131 | 213,313 | 321,779 | 2060 | 2060 |

* Not breakeven.

Table VII–44 summarizes the breakeven year for the proposed rule based on the estimated costs and monetized benefits.

TABLE VII–44—SUMMARY OF THE BREAKEVEN YEAR OF THE PROPOSED RULE

| Discount rate | Year |
|---|---|
| At 3 Percent | 2029 to 2031. |
| At 7 Percent | 2030 to 2032. |

F. Cost Effectiveness and Positive Net Benefits Analysis

1. Cost Effectiveness

The cost-effectiveness analysis identifies the model year in which the agency estimates the net cost per fatal equivalent is no greater than the $9.7 million comprehensive cost of a fatality, indicating the point at which the cost of the proposed rule is lower than a fatal equivalent. For this analysis, the agency defines the net cost as the difference between a given MY cost and the MY congestion benefits and PDO savings (i.e., the lifetime savings of these two categories for a given vehicle MY).

For each discount rate, the range of fatal equivalents covers those from the two benefits estimating approaches discussed previously in Section VII.D: Free-rider and no free-rider. The low fatal equivalent numbers represent the low benefit estimates from the free-rider approach and the high estimates represent the higher benefit estimates from the no free-rider approach. Additionally, the cost-related low and high values represent the two potential cost estimates that result from utilizing a one-radio or two-radio approach to DSRC implementation.369

The agency utilizes the net cost per equivalent life saved to determine the cost-effectiveness for a given vehicle MY. The net cost defined in this analysis is the difference between the MY costs and the savings from reducing property damage and congestion. As described in Section VII.D.3, fatal equivalents are derived by translating the MAIS 1–5 injuries saved and the PDOVs prevented into fatalities using the calculated relative fatality ratios found in Table VII–37.

Table VII–45 and Table VII–46 present the factors used when determining cost-effectiveness, the net cost per fatal equivalent discounted at 3 percent and 7 percent, respectively, and when the agency estimates the proposed rule would become cost-effective. As shown in the tables, the agency estimates the proposed rule would become cost effective in MY 2024 to MY 2026 regardless of the discount rate. Note that the negative MY net cost shown in the tables means that the MY benefits outweigh its costs.

369 The one-DSRC radio consists of one DSRC radio in vehicle pairing with a hybrid (WiFi/Cellular/Satellite) vehicle-to-SCMS communication. The two DSRC radios in vehicle are pairing with DSRC vehicle-to-SCMS communication.


TABLE VII–45—COST-EFFECTIVENESS ANALYSIS [at 3 Percent, 2014 $ in millions]

| Year | Model year | Fatal equivalents, Low | Fatal equivalents, High | MY net costs, Low | MY net costs, High | Net cost per fatal equivalent, Low | Net cost per fatal equivalent, High | Cost-effective, Low | Cost-effective, High |
|---|---|---|---|---|---|---|---|---|---|
| 1 | 2021 | 0.00 | 0.00 | $2,221.39 | $2,893.52 | $2,221.39 | $2,893.52 | * | * |
| 2 | 2022 | 3.48 | 67.86 | 2,958.11 | 3,963.34 | 43.59 | 1,138.99 | * | * |
| 3 | 2023 | 23.35 | 208.55 | 3,592.36 | 4,965.74 | 17.23 | 212.68 | * | * |
| 4 | 2024 | 104.31 | 580.04 | 2,975.53 | 4,884.16 | 5.13 | 46.82 | 2024 | * |
| 5 | 2025 | 257.57 | 1,017.05 | 2,317.96 | 4,491.28 | 2.28 | 17.44 | 2025 | * |
| 6 | 2026 | 586.69 | 1,774.90 | 1,208.85 | 3,970.64 | 0.68 | 6.77 | 2026 | 2026 |
| 7 | 2027 | 1,112.42 | 2,621.45 | 7.03 | 3,221.61 | 0.00 | 2.90 | 2027 | 2027 |
| 8 | 2028 | 1,606.16 | 3,090.78 | -657.77 | 2,530.40 | -0.21 | 1.58 | 2028 | 2028 |
| 9 | 2029 | 1,946.18 | 3,250.93 | -896.40 | 2,042.34 | -0.28 | 1.05 | 2029 | 2029 |
| 10 | 2030 | 2,252.45 | 3,415.26 | -1,101.36 | 1,645.84 | -0.32 | 0.73 | 2030 | 2030 |
| 11 | 2031 | 2,523.52 | 3,563.63 | -1,301.00 | 1,280.31 | -0.37 | 0.51 | 2031 | 2031 |
| 12 | 2032 | 2,761.74 | 3,697.69 | -1,487.91 | 952.38 | -0.40 | 0.34 | 2032 | 2032 |
| 13 | 2033 | 2,847.78 | 3,975.69 | -1,876.58 | 833.11 | -0.47 | 0.29 | 2033 | 2033 |
| 14 | 2034 | 2,934.41 | 4,241.63 | -2,233.79 | 731.05 | -0.53 | 0.25 | 2034 | 2034 |
| 15 | 2035 | 3,009.61 | 4,475.08 | -2,526.26 | 664.36 | -0.56 | 0.22 | 2035 | 2035 |
| 16 | 2036 | 3,074.84 | 4,678.59 | -2,816.23 | 547.13 | -0.60 | 0.18 | 2036 | 2036 |
| 17 | 2037 | 3,134.46 | 4,858.86 | -3,048.91 | 459.30 | -0.63 | 0.15 | 2037 | 2037 |
| 18 | 2038 | 3,182.03 | 5,007.07 | -3,242.04 | 402.76 | -0.65 | 0.13 | 2038 | 2038 |
| 19 | 2039 | 3,224.93 | 5,139.68 | -3,409.01 | 463.44 | -0.66 | 0.14 | 2039 | 2039 |
| 20 | 2040 | 3,269.38 | 5,267.60 | -3,527.55 | 387.12 | -0.67 | 0.12 | 2040 | 2040 |
| 21 | 2041 | 3,320.90 | 5,404.46 | -3,692.67 | 345.44 | -0.68 | 0.10 | 2041 | 2041 |
| 22 | 2042 | 3,224.76 | 5,283.11 | -3,646.00 | 315.00 | -0.69 | 0.10 | 2042 | 2042 |
| 23 | 2043 | 3,241.75 | 5,334.51 | -3,711.27 | 294.44 | -0.70 | 0.09 | 2043 | 2043 |
| 24 | 2044 | 3,258.96 | 5,380.31 | -3,768.41 | 274.41 | -0.70 | 0.08 | 2044 | 2044 |
| 25 | 2045 | 3,275.27 | 5,423.17 | -3,785.48 | 292.50 | -0.70 | 0.09 | 2045 | 2045 |
| 26 | 2046 | 3,290.63 | 5,461.25 | -3,865.08 | 242.56 | -0.71 | 0.07 | 2046 | 2046 |
| 27 | 2047 | 3,306.52 | 5,499.93 | -3,909.53 | 228.66 | -0.71 | 0.07 | 2047 | 2047 |
| 28 | 2048 | 3,319.75 | 5,536.44 | -3,952.52 | 216.58 | -0.71 | 0.07 | 2048 | 2048 |
| 29 | 2049 | 3,333.27 | 5,571.05 | -3,992.64 | 204.60 | -0.72 | 0.06 | 2049 | 2049 |
| 30 | 2050 | 3,350.10 | 5,608.31 | -3,984.67 | 240.58 | -0.71 | 0.07 | 2050 | 2050 |

* The proposed rule would not be cost effective for the MY vehicles since the net cost per fatal equivalent is greater than $9.7M in 2014 dollars.

TABLE VII–46—COST-EFFECTIVENESS ANALYSIS [at 7 Percent, 2014 $ in millions]

| Year | Model year | Fatal equivalents, Low | Fatal equivalents, High | MY net costs, Low | MY net costs, High | Net cost per fatal equivalent, Low | Net cost per fatal equivalent, High | Cost-effective, Low | Cost-effective, High |
|---|---|---|---|---|---|---|---|---|---|
| 1 | 2021 | 0.00 | 0.00 | $2,213.68 | $2,885.80 | $2,213.68 | $2,885.80 | * | * |
| 2 | 2022 | 3.28 | 51.18 | 2,969.81 | 3,952.00 | 58.02 | 1,206.56 | * | * |
| 3 | 2023 | 21.83 | 159.55 | 3,645.47 | 4,952.42 | 22.85 | 226.83 | * | * |
| 4 | 2024 | 96.35 | 450.18 | 3,141.76 | 4,879.71 | 6.98 | 50.64 | 2024 | * |
| 5 | 2025 | 234.85 | 795.52 | 2,612.54 | 4,507.19 | 3.28 | 19.19 | 2025 | * |
| 6 | 2026 | 527.59 | 1,396.62 | 1,722.09 | 4,035.73 | 1.23 | 7.65 | 2026 | 2026 |
| 7 | 2027 | 989.03 | 2,077.54 | 751.28 | 3,373.91 | 0.36 | 3.41 | 2027 | 2027 |
| 8 | 2028 | 1,416.94 | 2,459.15 | 208.58 | 2,771.96 | 0.08 | 1.96 | 2028 | 2028 |
| 9 | 2029 | 1,710.25 | 2,598.90 | -2.00 | 2,347.17 | 0.00 | 1.37 | 2029 | 2029 |
| 10 | 2030 | 1,974.86 | 2,741.45 | -177.05 | 2,006.97 | -0.06 | 1.02 | 2030 | 2030 |
| 11 | 2031 | 2,149.18 | 2,947.24 | -458.15 | 1,772.63 | -0.16 | 0.82 | 2031 | 2031 |
| 12 | 2032 | 2,233.37 | 3,227.88 | -850.33 | 1,654.44 | -0.26 | 0.74 | 2032 | 2032 |
| 13 | 2033 | 2,309.61 | 3,478.57 | -1,200.35 | 1,548.14 | -0.35 | 0.67 | 2033 | 2033 |
| 14 | 2034 | 2,385.57 | 3,711.72 | -1,512.27 | 1,460.19 | -0.41 | 0.61 | 2034 | 2034 |
| 15 | 2035 | 2,451.89 | 3,916.19 | -1,764.75 | 1,405.16 | -0.45 | 0.57 | 2035 | 2035 |
| 16 | 2036 | 2,509.12 | 4,095.07 | -2,020.80 | 1,298.41 | -0.49 | 0.52 | 2036 | 2036 |
| 17 | 2037 | 2,562.08 | 4,254.99 | -2,225.59 | 1,219.23 | -0.52 | 0.48 | 2037 | 2037 |
| 18 | 2038 | 2,602.73 | 4,384.79 | -2,393.47 | 1,171.68 | -0.55 | 0.45 | 2038 | 2038 |
| 19 | 2039 | 2,640.12 | 4,501.23 | -2,538.36 | 1,239.43 | -0.56 | 0.47 | 2039 | 2039 |
| 20 | 2040 | 2,678.06 | 4,613.37 | -2,635.41 | 1,171.48 | -0.57 | 0.44 | 2040 | 2040 |
| 21 | 2041 | 2,720.95 | 4,730.53 | -2,773.58 | 1,141.05 | -0.59 | 0.42 | 2041 | 2041 |
| 22 | 2042 | 2,641.60 | 4,624.69 | -2,748.24 | 1,088.07 | -0.59 | 0.41 | 2042 | 2042 |
| 23 | 2043 | 2,656.70 | 4,670.32 | -2,805.80 | 1,069.77 | -0.60 | 0.40 | 2043 | 2043 |
| 24 | 2044 | 2,670.51 | 4,709.04 | -2,853.41 | 1,054.05 | -0.61 | 0.39 | 2044 | 2044 |
| 25 | 2045 | 2,685.53 | 4,747.17 | -2,864.22 | 1,073.57 | -0.60 | 0.40 | 2045 | 2045 |
| 26 | 2046 | 2,696.56 | 4,779.45 | -2,936.06 | 1,029.21 | -0.61 | 0.38 | 2046 | 2046 |
| 27 | 2047 | 2,711.29 | 4,815.03 | -2,976.53 | 1,016.55 | -0.62 | 0.37 | 2047 | 2047 |
| 28 | 2048 | 2,721.94 | 4,845.29 | -3,011.12 | 1,007.69 | -0.62 | 0.37 | 2048 | 2048 |
| 29 | 2049 | 2,734.33 | 4,873.87 | -3,043.14 | 996.93 | -0.62 | 0.36 | 2049 | 2049 |
| 30 | 2050 | 2,747.06 | 4,905.91 | -3,028.20 | 1,038.18 | -0.62 | 0.38 | 2050 | 2050 |

* The proposed rule would not be cost effective for the MY vehicles since the net cost per fatal equivalent is greater than $9.7M in 2014 dollars.

2. Lifetime Net Benefits for a Specified Model Year

The lifetime net benefits for a specified MY vehicle (i.e., MY net benefits) is the difference between the monetized MY benefits and the corresponding MY costs. Table VII–47 and Table VII–48 show the MY net benefits at a 3 and 7 percent discount rate, respectively. As shown, for both discount rates, MY 2024 to MY 2026 vehicles would accrue positive lifetime net benefits. (Due to rounding errors, a discrepancy exists between the monetized MY benefits that were derived directly by multiplying $9.7 million by fatal equivalents and those reported in the tables below.)

TABLE VII–47—MY NET BENEFITS [at 3 Percent, 2014 $ in millions]

| Year | Model year | Monetized MY benefits, Low | Monetized MY benefits, High | MY costs, Low | MY costs, High | MY net benefits, Low | MY net benefits, High |
|---|---|---|---|---|---|---|---|
| 1 | 2021 | $0.00 | $0.00 | $2,221.39 | $2,893.52 | -$2,893.52 | -$2,221.39 |
| 2 | 2022 | 33.79 | 658.99 | 3,053.02 | 3,968.08 | -3,934.29 | -2,394.03 |
| 3 | 2023 | 226.72 | 2,025.12 | 3,884.01 | 4,997.52 | -4,770.80 | -1,858.89 |
| 4 | 2024 | 1,012.92 | 5,632.53 | 3,786.63 | 5,026.18 | -4,013.26 | 1,845.90 |
| 5 | 2025 | 2,501.20 | 9,876.22 | 3,740.01 | 4,842.01 | -2,340.81 | 6,136.21 |
| 6 | 2026 | 5,697.12 | 17,235.41 | 3,690.23 | 4,769.58 | 927.54 | 13,545.18 |
| 7 | 2027 | 10,802.30 | 25,455.98 | 3,671.47 | 4,736.63 | 6,065.67 | 21,784.52 |
| 8 | 2028 | 15,596.91 | 30,013.55 | 3,662.23 | 4,718.02 | 10,878.89 | 26,351.32 |
| 9 | 2029 | 18,898.69 | 31,568.66 | 3,646.96 | 4,693.24 | 14,205.45 | 27,921.70 |
| 10 | 2030 | 21,872.79 | 33,164.45 | 3,671.21 | 4,714.08 | 17,158.71 | 29,493.24 |
| 11 | 2031 | 24,505.02 | 34,605.22 | 3,678.46 | 4,717.95 | 19,787.07 | 30,926.76 |
| 12 | 2032 | 26,818.31 | 35,906.98 | 3,678.43 | 4,714.96 | 22,103.36 | 32,228.55 |
| 13 | 2033 | 27,653.77 | 38,606.57 | 3,678.63 | 4,713.02 | 22,940.75 | 34,927.94 |
| 14 | 2034 | 28,495.06 | 41,189.00 | 3,692.47 | 4,729.11 | 23,765.95 | 37,496.53 |
| 15 | 2035 | 29,225.26 | 43,456.01 | 3,725.64 | 4,764.99 | 24,460.27 | 39,730.37 |
| 16 | 2036 | 29,858.67 | 45,432.21 | 3,719.46 | 4,736.74 | 25,121.92 | 41,712.75 |
| 17 | 2037 | 30,437.71 | 47,182.69 | 3,738.10 | 4,730.26 | 25,707.44 | 43,444.60 |
| 18 | 2038 | 30,899.56 | 48,621.96 | 3,751.52 | 4,738.62 | 26,160.94 | 44,870.43 |
| 19 | 2039 | 31,316.16 | 49,909.68 | 3,769.32 | 4,857.85 | 26,458.31 | 46,140.36 |
| 20 | 2040 | 31,747.87 | 51,151.88 | 3,829.01 | 4,842.19 | 26,905.68 | 47,322.87 |
| 21 | 2041 | 32,248.10 | 52,480.81 | 3,854.63 | 4,870.78 | 27,377.32 | 48,626.18 |
| 22 | 2042 | 31,314.49 | 51,302.48 | 3,731.52 | 4,709.39 | 26,605.10 | 47,570.96 |
| 23 | 2043 | 31,479.52 | 51,801.61 | 3,737.75 | 4,712.04 | 26,767.49 | 48,063.86 |
| 24 | 2044 | 31,646.62 | 52,246.36 | 3,744.33 | 4,715.51 | 26,931.12 | 48,502.03 |
| 25 | 2045 | 31,805.05 | 52,662.57 | 3,786.93 | 4,755.86 | 27,049.18 | 48,875.65 |
| 26 | 2046 | 31,954.16 | 53,032.36 | 3,760.35 | 4,726.88 | 27,227.28 | 49,272.01 |
| 27 | 2047 | 32,108.44 | 53,407.94 | 3,769.78 | 4,734.65 | 27,373.79 | 49,638.16 |
| 28 | 2048 | 32,236.99 | 53,762.45 | 3,777.66 | 4,740.64 | 27,496.35 | 49,984.79 |
| 29 | 2049 | 32,368.22 | 54,098.58 | 3,785.78 | 4,747.09 | 27,621.14 | 50,312.80 |
| 30 | 2050 | 32,531.65 | 54,460.39 | 3,845.70 | 4,806.01 | 27,725.64 | 50,614.69 |

TABLE VII–48—MY NET BENEFITS [at 7 Percent, 2014 $ in millions]

| Year | Model year | Monetized MY benefits, Low | Monetized MY benefits, High | Vehicle costs, Low | Vehicle costs, High | MY net benefits, Low | MY net benefits, High |
|---|---|---|---|---|---|---|---|
| 1 | 2021 | $0.00 | $0.00 | $2,213.68 | $2,885.80 | -$2,885.80 | -$2,213.68 |
| 2 | 2022 | 31.80 | 497.03 | 3,041.41 | 3,956.46 | -3,924.66 | -2,544.37 |
| 3 | 2023 | 212.00 | 1,549.29 | 3,868.62 | 4,982.14 | -4,770.14 | -2,319.34 |
| 4 | 2024 | 935.65 | 4,371.50 | 3,771.35 | 5,010.90 | -4,075.25 | 600.15 |
| 5 | 2025 | 2,280.53 | 7,725.00 | 3,724.97 | 4,826.97 | -2,546.44 | 4,000.03 |
| 6 | 2026 | 5,123.26 | 13,562.13 | 3,674.84 | 4,754.19 | 369.08 | 9,887.29 |
| 7 | 2027 | 9,604.09 | 20,174.30 | 3,655.69 | 4,720.85 | 4,883.24 | 16,518.61 |
| 8 | 2028 | 13,759.41 | 23,879.93 | 3,646.03 | 4,701.83 | 9,057.59 | 20,233.89 |
| 9 | 2029 | 16,607.61 | 25,236.98 | 3,630.38 | 4,676.66 | 11,930.95 | 21,606.59 |
| 10 | 2030 | 19,177.23 | 26,621.24 | 3,654.18 | 4,697.04 | 14,480.18 | 22,967.06 |
| 11 | 2031 | 20,869.91 | 28,619.59 | 3,661.00 | 4,700.48 | 16,169.42 | 24,958.59 |
| 12 | 2032 | 21,687.48 | 31,344.84 | 3,660.57 | 4,697.09 | 16,990.38 | 27,684.27 |
| 13 | 2033 | 22,427.83 | 33,779.21 | 3,660.38 | 4,694.77 | 17,733.06 | 30,118.83 |
| 14 | 2034 | 23,165.40 | 36,043.23 | 3,673.77 | 4,710.41 | 18,455.00 | 32,369.46 |
| 15 | 2035 | 23,809.50 | 38,028.75 | 3,706.49 | 4,745.84 | 19,063.67 | 34,322.26 |
| 16 | 2036 | 24,365.23 | 39,765.77 | 3,699.88 | 4,717.16 | 19,648.07 | 36,065.89 |
| 17 | 2037 | 24,879.46 | 41,318.79 | 3,718.05 | 4,710.22 | 20,169.24 | 37,600.74 |
| 18 | 2038 | 25,274.25 | 42,579.22 | 3,731.05 | 4,718.15 | 20,556.11 | 38,848.18 |
| 19 | 2039 | 25,637.28 | 43,709.92 | 3,748.39 | 4,836.91 | 20,800.36 | 39,961.54 |
| 20 | 2040 | 26,005.75 | 44,798.85 | 3,807.57 | 4,820.75 | 21,185.00 | 40,991.28 |
| 21 | 2041 | 26,422.20 | 45,936.55 | 3,832.67 | 4,848.82 | 21,573.37 | 42,103.88 |
| 22 | 2042 | 25,651.68 | 44,908.74 | 3,709.90 | 4,687.77 | 20,963.91 | 41,198.84 |
| 23 | 2043 | 25,798.30 | 45,351.86 | 3,715.80 | 4,690.09 | 21,108.20 | 41,636.06 |
| 24 | 2044 | 25,932.43 | 45,727.85 | 3,722.05 | 4,693.23 | 21,239.19 | 42,005.80 |
| 25 | 2045 | 26,078.29 | 46,098.16 | 3,764.31 | 4,733.25 | 21,345.04 | 42,333.85 |
| 26 | 2046 | 26,185.33 | 46,411.61 | 3,737.41 | 4,703.94 | 21,481.39 | 42,674.20 |
| 27 | 2047 | 26,328.44 | 46,757.14 | 3,746.51 | 4,711.38 | 21,617.06 | 43,010.63 |
| 28 | 2048 | 26,431.78 | 47,050.95 | 3,754.07 | 4,717.05 | 21,714.73 | 43,296.87 |
| 29 | 2049 | 26,552.13 | 47,328.48 | 3,761.88 | 4,723.19 | 21,828.94 | 43,566.60 |
| 30 | 2050 | 26,675.71 | 47,639.58 | 3,821.49 | 4,781.80 | 21,893.91 | 43,818.10 |

3. Summary

Table VII–49 summarizes the MY vehicles that would be cost-effective.

TABLE VII–49—SUMMARY OF THE MY WOULD BE COST-EFFECTIVE AND HAVE POSITIVE NET BENEFITS

| Discount rate | Cost-effective | Net benefits |
|---|---|---|
| At 3 Percent | 2024 to 2026 | 2024 to 2026. |
| At 7 Percent | 2024 to 2026 | 2024 to 2026. |

G. Uncertainty Analysis

In order to account for the inherent uncertainty in the assumptions underlying this cost-benefit analysis, the agency also conducted extensive uncertainty analysis to illustrate the variation in the rule’s benefits and costs associated with different assumptions about the future number of accidents that could be prevented, the assumed adoption rates and estimated effectiveness of the two safety applications, and our assumptions about the costs of providing V2V communications capability. This analysis showed that the proposed rule would reach its breakeven year between 2030 and 2032 with 90 percent certainty, with even the most conservative scenario showing that the breakeven year would be five to six years later than the previously estimated years (2029–2032). Considering these same sources of uncertainty in the cost-effectiveness and net benefits analyses showed that the proposed rule would become cost-effective and would accrue positive net benefits between MY 2024 and MY 2027 with 90 percent certainty. This indicates that it is very likely to become cost-effective at most one MY later than estimated in the primary analysis, and that even under the most conservative scenario, this would occur two to three model years later than the initial estimate of 2024–2026.

H. Estimated Costs and Benefits of V2V Alternatives

In the interest of ensuring the agency’s proposed approach to regulating V2V technology is both fully informed and backed by a comprehensive regulatory analysis, the agency considered two potential alternative approaches for V2V deployment. The first alternative (Alternative 1) explores the concept of going beyond this proposal’s mandate for only the V2V communications equipment (radio), by also including a mandate for two safety warning applications: Intersection movement assist (IMA) and left turn across path (LTA). Alternative 2 is an “if-equipped” approach that would provide requirements for V2V communication as specified in this proposed rule but only applicable if the equipment is used in the vehicle fleet. These two alternatives represent a significant range of potential agency actions beyond the baseline and the proposal.

Alternative 1 shares the same three-year phase-in schedule (50%–75%–100%) for V2V equipment as the proposed rule but delays the same phase-in rate by one year for safety application implementation (0%–50%–75%–100%). Alternative 2 370 assumes that a V2V implementation would be both slower and most likely stay flat thereafter versus the mandatory implementation of the proposed rule, never reaching all or even a significant percentage of the fleet. The agency believes this is because the cost of installing V2V on any particular vehicle is not dependent on adoption by others, while the benefits are. With these considerations, the agency assumes a 5 percent DSRC adoption for MY 2021 vehicles and a 5 percent increase for the subsequent years until plateauing at 25 percent in MY 2025 and indefinitely thereafter. This assumption is broadly based upon adoption rates of other advanced technologies in the absence of a mandate. Alternative 2 has the same safety application implementation schedule as the proposed rule as implementation would be voluntary for both regulatory options. Table VII–50 and Table VII–51 summarize the DSRC and safety application adoption rates for the proposed rule and these two alternatives.

370 The agency believes that V2V would not occur in the absence of any government action and has, therefore, not estimated a “no action” alternative. We request comment on this assumption.

TABLE VII–50—DSRC ADOPTION RATES IN PERCENT

| Regulation alternatives | MY 2021 | MY 2022 | MY 2023 | MY 2024 | MY 2025 | MY 2026 | MY 2027 | MY 2028+ |
|---|---|---|---|---|---|---|---|---|
| The Proposed Rule Mandating DSRC | 50 | 75 | 100 | 100 | 100 | 100 | 100 | 100 |
| Alternative 1 Mandating DSRC and Apps | 50 | 75 | 100 | 100 | 100 | 100 | 100 | 100 |
| Alternative 2 If-Equipped | 5 | 10 | 15 | 20 | 25 | 25 | 25 | 25 |

TABLE VII–51—APP ADOPTION RATES * IN PERCENT [of DSRC-equipped vehicles]

| Regulation alternatives | MY 2021 | MY 2022 | MY 2023 | MY 2024 | MY 2025 | MY 2026 | MY 2027 | MY 2028+ |
|---|---|---|---|---|---|---|---|---|
| The Proposed Rule Mandating DSRC | 0 | 5 | 10 | 25 | 40 | 65 | 90 | 100 |
| Alternative 1 Mandating DSRC and Apps | 50 | 75 | 100 | 100 | 100 | 100 | 100 | 100 |
| Alternative 2 If-Equipped | 0 | 5 | 10 | 15 | 20 | 25 | 25 | 25 |

Because of the aggressive app adoption, Alternative 1 would be expected to accrue more annual benefits than the proposed rule before the entire on-road fleet has been equipped with V2V (i.e., reaching the maximum benefits). Alternative 1 would also reach the same maximum annual benefits as the proposed rule, but would do so four years earlier. This alternative would achieve these benefits without significant cost increase, since the incremental cost of adding two apps over the DSRC radios is very small (less than 0.1 percent of the vehicle technology cost). The annual costs of this alternative would range from $2.2 to $5.0 billion.

Alternative 2 would accrue up to 6 percent of the maximum annual benefits of the proposed rule due to lower DSRC and app adoption rates. This alternative also has relatively lower annual costs than that of the proposed rule, since far fewer vehicles would be installed with DSRC. The annual cost of this alternative would range from $254 million to $1.3 billion, with an average annual cost about 26 percent of the cost of the proposed rule.

Alternative 1 would break even between 2027 and 2030 (combining 3 and 7 percent discount rates), two years ahead of the proposed rule. The first MY vehicles that would be cost-effective and that would accrue positive net benefits is expected to be between MY 2024 and MY 2026, also two years earlier than the proposed rule. In contrast, Alternative 2 would break even between 2037 and 2055, eight to twenty-three years behind the proposed rule. The first MY vehicles that would be cost-effective under Alternative 2 is expected to be between MY 2026 and MY 2031, two to five years later than the proposed rule. The first MY vehicles that would accrue positive net benefits is between MY 2026 and MY 2033, two to seven years later than the proposed rule. Table VII–52 and Table VII–53 compare these visually at three and seven percent discount rates.

TABLE VII–52—COMPARISON OF BREAKEVEN AND COST-EFFECTIVE MEASURES—3 PERCENT DISCOUNT

| Cost-benefit measures (3 percent discount) | Alternative 1 mandating DSRC radios and apps | The proposed rule mandating DSRC only | Alternative 2 if-equipped |
|---|---|---|---|
| Breakeven (CY) | 2027 to 2029 | 2029 to 2031 | 2037 to 2045. |
| Cost-Effectiveness (MY) | 2022 to 2024 | 2024 to 2026 | 2026 to 2030. |
| Positive Net Benefits (MY) | 2022 to 2024 | 2024 to 2026 | 2026 to 2031. |

TABLE VII–53—COMPARISON OF BREAKEVEN AND COST-EFFECTIVE MEASURES—7 PERCENT DISCOUNT

| Cost-benefit measures (7 percent discount) | Alternative 1 mandating DSRC radios and apps | The proposed rule mandating DSRC only | Alternative 2 if-equipped |
|---|---|---|---|
| Breakeven (CY) | 2027 to 2030 | 2030 to 2032 | 2039 to 2055. |
| Cost-Effectiveness (MY) | 2022 to 2024 | 2024 to 2026 | 2027 to 2031. |
| Positive Net Benefits (MY) | 2022 to 2024 | 2024 to 2026 | 2027 to 2033. |


Although mandating safety applications like IMA and LTA along with the V2V communication capability (i.e., DSRC) would result in significant safety benefits sooner, the agency is not proposing to mandate these applications as part of this proposal, because the agency currently does not have sufficient data to proceed with a mandate at this time. As explained above, further research for establishing practicable and objective test procedures and performance requirements for the applications will likely need to be conducted prior to mandate to avoid potential unintended consequences which could have broader negative effects, such as false warnings causing consumers to dismiss the technology, on the development and deployment of V2V-based applications. Additional details on the analysis of Alternative 1 and Alternative 2 can be found in the PRIA accompanying this proposed rule.

We request comment on the alternative cost and benefits analysis including the approach for the alternative. Do commenters agree with the cost assumptions used for developing and implementing safety applications? Why or why not? Please provide supporting data. Do commenters agree with our assessment that mandating applications would result in accruing benefits sooner? Do commenters have estimates for the potential costs that an earlier mandate (like, consumer rejection of tech, opportunity cost, etc.) that are not quantified or are not quantifiable but hold great importance? Do commenters have any information that could assist the agency in learning more about these and any other applications that may be useful in a potential agency decision to mandate V2V-enabled safety applications?

VIII. Proposed Implementation Timing

This section of the NPRM describes the proposed timing for implementing the requirements for new vehicles and aftermarket devices, and also describes our expectations of the availability of the national SCMS.

A. New Vehicles

The agency proposes the following lead time and phase-in period for all new light vehicles sold in the U.S. to comply with this proposed rule.

1. Lead Time

We are proposing two years of lead time, with the two years starting on Sept. 1 following issuance of a final rule to this proposal. This approach would allow a minimum of two full calendars of lead time. New light vehicles manufactured for sale in the U.S. would not be required to comply until that time. NHTSA believes that a lead time period is necessary to allow for the development and production of automotive-grade V2V communications devices by the automotive supplier industry. While a quantity of DSRC devices were developed for the Safety Pilot Model Deployment in Ann Arbor, MI, these were mostly prototype aftermarket devices that were not designed to directly integrate into the vehicle’s controller area network. Furthermore, the expected lifespan of these devices is only 3 to 5 years instead of the lifespan of a typical vehicle. Those devices, or ones based on their design, would therefore not be appropriate for meeting this proposed standard. At the time of issuance of this NPRM, we have limited information regarding the capability of automotive suppliers to produce the quantities of DSRC devices to equip all new light vehicles sold in the U.S. annually (approximately 15 million 371). However, the agency was able to confirm, confidentially, with at least one supplier while gathering information for this proposal that requests for quotations were being issued by original equipment manufacturers for V2V capable devices. In addition, the ITSA market study commissioned by the agency indicated the industry would need approximately 18 months to two years to “ramp-up” V2V devices for mass production, considering the device itself and the perceived integration as original equipment are less complex than other technologies such as ESC or powertrain components.

Depending on when the final rule establishing DSRC FMVSS is issued, the agency concurs with the ITSA market study and its own regulatory experience that automotive suppliers will need some lead time to generate production-level devices in the quantities that would be required annually by automotive OEMs.

Lead time also allows the automotive OEMs time to integrate V2V communications devices into their product lines, as these devices are not currently part of any production vehicles sold in the U.S. This will minimize costs by allowing OEMs to incorporate the new technology into product cycle planning. Many OEMs conduct “refreshes” (i.e. minor cosmetic changes, new features, quality fixes, etc.) on their product lines in a staggered fashion approximately three to four years after a major redesign.

For these reasons, the agency is proposing a two year lead time after issuance of the final rule before manufacturers are required to begin complying with the requirements. Two years was chosen because it is approximately half the amount of time between average vehicle refreshes, allowing OEMs to integrate V2V technology into their existing product cycles. This will minimize the cost burden on the OEMs by not requiring concurrent redesigns of all production lines at the same time. We seek comment on whether this amount of lead time is necessary and appropriate. If commenters believe that additional lead time is needed, or that less lead time is needed, we ask that they support their comments as best as possible with specific information as to why.

2. Phase-In Period

While the agency understands that design changes may be required in order to integrate V2V communications devices into all light vehicles, since V2V technology is a cooperative system, the potential benefits associated with V2V devices depend on a high penetration rate of equipped vehicles. As such, the agency proposes an aggressive phase-in schedule after the conclusion of the lead time period. In addition to the proposed two years of lead time, NHTSA proposes a three year phase-in period. The three year phase-in schedule, which starts immediately after the conclusion of the lead time, would be as follows:

• End of Year 1—50% of all new light vehicles must comply with the rule
• End of Year 2—75% of all new light vehicles must comply with the rule
• End of Year 3—100% of all new light vehicles must comply with the rule

This proposed schedule allows a total of five years until all new vehicles would be required to comply with the final rule. This is consistent with a DOT-sponsored market study 372 conducted by ITS America, in which interviews were conducted with a wide range of V2V stakeholders including:

• Automotive OEMs
• Tier 1 Suppliers
• Tier 2 Suppliers
• Automotive Insurance Companies
• Component Manufacturers
• System Integrators and Service Providers

371 See the 2015 EIA Annual Energy Outlook, available at http://www.eia.gov/forecasts/aeo/tables_ref.cfm.

372 Impact of Light Vehicle Rule on Consumer/Aftermarket Adoption- Dedicated Short Range Communications Market Study, Intelligent Transportation Society of America, FHWA–JPO–17–487, available at http://ntl.bts.gov/lib/60000/60500/60535/FHWA-JPO-17-487_Final_.pdf. (last accessed Dec 12, 2016).

VerDate Sep<11>2014 23:49 Jan 11, 2017 Jkt 241001 PO 00000 Frm 00154 Fmt 4701 Sfmt 4702 E:\FR\FM\12JAP2.SGM 12JAP2 srobinson on DSK5SPTVN1PROD with PROPOSALS2 Federal Register / Vol. 82, No. 8 / Thursday, January 12, 2017 / Proposed Rules 4007

• Roadside Infrastructure Operators and there will be a market for these times are reasonable? If so, why? If not, Manufacturers aftermarket devices; however, it will be why? What type of adjustments, if any, The consensus from that research was driven by the totality of features offered should agency make? Do commenters that OEMs and suppliers will need by these devices that directly impact the agree with the agency’s perspective on approximately three to five years after consumers’ time spent in their vehicles, a ‘‘window of opportunity’’ for the final rule in order for all new as well as by device cost. aftermarket devices? If so, why? If not, vehicles to comply with the The agency believes aftermarket why? Please provide any supporting regulation.373 Therefore, the agency device suppliers would need to react to data for your response. a newly issued FMVSS to capitalize on believes that this comprehensive input IX. Public Participation from the industry provides a sufficient the large volume of light vehicles that justification for the lead time and phase- will not be equipped with V2V A. How do I prepare and submit in period. See Table VIII–1 for the full communications devices. The prevailing comments? view is the market for such aftermarket schedule. Your comments must be written and Finally, depending on the number of devices will exist only during the in English. To ensure that your product lines and the timing of their transition period between the issuance comments are correctly filed in the redesigns, it may be economically of the final rule and the turnover of the Docket, please include the Docket advantageous for some OEMs to comply entire fleet. NHTSA typically assumes Number NHTSA–2016–0126 in your with the regulation prior to the that the maximum life span of a light comments. Your comments must not be proposed schedule. These OEMs will be vehicle is 39 years. 
We would anticipate more than 15 pages long.375 NHTSA able to capitalize on arriving to market that the vast majority of the light vehicle established this limit to encourage you earlier than their competitors, and the fleet in the U.S. will be completely to write your primary comments in a customers of these OEMs will realize replaced in less than 20 years, and they concise fashion. However, you may safety, mobility, and environmental will be capable of V2V communications. attach necessary additional documents benefits earlier than others. As such, the This gives the aftermarket device to your comments, and there is no limit agency does not envision granting industry a relatively small window of on the length of the attachments. If you credits for early compliance with this time to sell aftermarket devices to light are submitting comments electronically schedule as there are sufficient vehicles without V2V communications as a PDF (Adobe) file, we ask that you incentives already in place for OEMs to capabilities installed by the OEMs. Additionally, based on research from scan the documents submitted using the consider early compliance. the Safety Pilot Model Deployment and Optical Character Recognition (OCR) additional market research, we believe process,376 thus allowing the agency to TABLE VIII–1—PROPOSED LEAD TIME the aftermarket industry is capable of search and copy certain portions of your AND PHASE-IN SCHEDULE producing V2V communications devices submissions in order to better evaluate that can meet the proposed performance them. Please note that pursuant to the Percentage of Time period vehicles requirements and could be installed by Data Quality Act, in order for the a qualified installer, if needed. These substantive data to be relied upon and 1 year after final rule ...... 0 aftermarket devices do not need to be used by the agency, it must meet the 2 years after final rule ...... 
0 connected to the vehicle controller area information quality standards set forth 3 years after final rule ...... 50 network vehicle bus; however, an in the OMB and Department of 4 years after final rule ...... 75 external GPS and V2V antenna will Transportation (DOT) Information 5 years after final rule ...... 100 need to be installed as well as a Dissemination Quality guidelines. connection to the in-vehicle power. Accordingly, we encourage you to B. Aftermarket Therefore, the agency expects that consult the guidelines in preparing your Based on market study research,374 specially-trained installers should be comments. OMB’s guidelines may be the agency believes that the aftermarket able to install these devices in a similar accessed at https:// device industry will move quickly manner to other devices such OnStar www.whitehouse.gov/omb/ (within one year) after the issuance of FMV, which is installed at major fedreg_reproducible (last accessed Dec. the final rule to develop and market electronics retailers as well as at car 7, 2016). DOT’s guidelines may be V2V communications devices that dealerships. Therefore, these devices accessed at http://www.dot.gov/ support safety applications as well as could deploy faster than OEM integrated regulations/dot-information- mobility, environmental, and other as they do not require an OEM to dissemination-quality-guidelines (last applications. While these aftermarket integrate them into their vehicle build accessed Dec. 7, 2016). devices will support V2V, they will also and testing processes. For these reasons, B. Tips for Preparing Your Comments enable more fee-based services such as the agency believes it is technically mobility applications and data and possible that these devices could be When submitting comments, please communications suites to be marketed available on the market within one to remember to: to device owners. 
While safety is two years after this proposed FMVSS is • Identify the rulemaking by docket important to consumers, the other finalized. number and other identifying applications offered by these devices Based on this, the agency anticipates information (subject heading, Federal may be potentially more attractive to the that aftermarket devices will be Register date and page number). available for purchase and installation consumer. The agency believes that • Explain why you agree or disagree, during the lead time period and prior to suggest alternatives, and substitute 373 the start of the first year of the phase- Vehicle to Vehicle Crash Avoidance Safety language for your requested changes. Technology Public Acceptance Final Report— in period (i.e. less than two years after FHWA–JPO–17–491 See Docket No. NHTSA–2016– the final rule is issued). 0126. The agency seeks comment on these 375 See 49 CFR 553.21. 374 ‘‘Impact of Light Vehicle Rule on Consumer/ 376 Optical character recognition (OCR) is the Aftermarket Adoption—Dedicated Short Range lead time projections for both OEM and process of converting an image of text, such as a Communications Market Study’’, ITS America aftermarket devices. Specifically, do scanned paper document or electronic fax file, into Research, 2015, pp 21. commenters believe the proposed lead computer-editable text.

• Describe any assumptions and provide any technical information and/or data that you used.
• If you estimate potential costs or burdens, explain how you arrived at your estimate in sufficient detail to allow for it to be reproduced.
• Provide specific examples to illustrate your concerns, and suggest alternatives.
• Explain your views as clearly as possible, avoiding the use of profanity or personal threats.
• Make sure to submit your comments by the comment period deadline identified in the DATES section above.

C. How can I be sure that my comments were received?

If you submit your comments by mail and wish Docket Management to notify you upon its receipt of your comments, enclose a self-addressed, stamped postcard in the envelope containing your comments. Upon receiving your comments, Docket Management will return the postcard by mail.

If you submit your comments through www.regulations.gov, you can find very useful information about how to confirm that your comments were successfully received and uploaded under the ‘‘Help’’ link on the top right of the home page, under ‘‘FAQs.’’

D. How do I submit confidential business information?

If you wish to submit any information under a claim of confidentiality, you should submit three copies of your complete submission, including the information you claim to be confidential business information, to the Chief Counsel, NHTSA, at the address given above under FOR FURTHER INFORMATION CONTACT. When you send a comment containing confidential business information, you should include a cover letter setting forth the information specified in our confidential business information regulation.377

377 See 49 CFR part 512.

In addition, you should submit a copy from which you have deleted the claimed confidential business information to the Docket by one of the methods set forth above.

E. Will NHTSA consider late comments?

NHTSA will consider all comments received before midnight E.S.T. on the comment closing date indicated above under DATES. To the extent practicable, we will also consider comments received after that date. Additionally, if interested persons believe that any information that NHTSA may place in the docket after the issuance of the NPRM affects their comments, they may submit comments after the closing date concerning how NHTSA should consider that information for the final rule. If a comment is received too late for us to practicably consider in developing a final rule, we will consider that comment as an informal suggestion for future rulemaking action.

F. How can I read the comments submitted by other people?

You may read the materials placed in the docket for this document (e.g., the comments submitted in response to this document by other interested persons) at any time by going to http://www.regulations.gov. Follow the online instructions for accessing the docket. You may also read the materials at the DOT Docket Management Facility by going to the street address given above under ADDRESSES.

X. Regulatory Notices and Analyses

A. Executive Order 12866, Executive Order 13563, and DOT Regulatory Policies and Procedures

Executive Order 12866, ‘‘Regulatory Planning and Review’’ (58 FR 51735, Oct. 4, 1993), as amended by Executive Order 13563, ‘‘Improving Regulation and Regulatory Review’’ (76 FR 3821, Jan. 21, 2011), provides for making determinations whether a regulatory action is ‘‘significant’’ and therefore subject to OMB review and to the requirements of the Executive Order. The Order defines a ‘‘significant regulatory action’’ as one that is likely to result in a rule that may:
• Have an annual effect on the economy of $100 million or more or adversely affect in a material way the economy, a sector of the economy, productivity, competition, jobs, the environment, public health or safety, or State, local, or Tribal governments or communities;
• Create a serious inconsistency or otherwise interfere with an action taken or planned by another agency;
• Materially alter the budgetary impact of entitlements, grants, user fees, or loan programs or the rights and obligations of recipients thereof; or
• Raise novel legal or policy issues arising out of legal mandates, the President’s priorities, or the principles set forth in the Executive Order.

The rulemaking proposed in this NPRM will be economically significant if adopted. Accordingly, OMB reviewed it under Executive Order 12866. The rule, if adopted, would also be significant within the meaning of the Department of Transportation’s Regulatory Policies and Procedures.378 The benefits and costs of this proposal are described above in Section VII of this preamble. Because the proposed rule would, if adopted, be economically significant under both the Department of Transportation’s procedures and OMB guidelines, the agency has prepared a Preliminary Regulatory Impact Analysis (PRIA) and placed it in the docket and on the agency’s Web site.

378 DOT Order 2100.5, ‘‘Regulatory Policies and Procedures,’’ available at http://www.dot.gov/regulations/rulemaking-requirements (last accessed Mar. 16, 2015).

Further, pursuant to Circular A–4, we have prepared a formal probabilistic uncertainty analysis for this proposal.379 The circular requires such an analysis for complex rules where there are large, multiple uncertainties whose analysis raises technical challenges or where effects cascade and where the impacts of the rule exceed $1 billion. This proposal meets these criteria on all counts.

379 See Chapter 12 of the PRIA accompanying this NPRM.

B. Regulatory Flexibility Act

Pursuant to the Regulatory Flexibility Act (5 U.S.C. 601 et seq.), as amended by the Small Business Regulatory Enforcement Fairness Act (SBREFA) of 1996, whenever an agency is required to publish a notice of rulemaking for any proposed or final rule, it must prepare and make available for public comment a regulatory flexibility analysis that describes the effect of the rule on small entities (i.e., small businesses, small organizations, and small governmental jurisdictions). The Small Business Administration’s regulations at 13 CFR part 121 define a small business, in part, as a business entity ‘‘which operates primarily within the United States.’’ (13 CFR 121.105(a)). No regulatory flexibility analysis is required if the head of an agency certifies the rule will not have a significant economic impact on a substantial number of small entities. SBREFA amended the Regulatory Flexibility Act to require Federal agencies to provide a statement of the factual basis for certifying that a rule will not have a significant economic impact on a substantial number of small entities.

NHTSA has considered the effects of this proposed rule under the Regulatory Flexibility Act. I certify that this proposed rule will not have a significant economic impact on a substantial number of small entities. The following is NHTSA’s statement providing the
factual basis for the certification (5 U.S.C. 605(b)).380

380 See also Chapter 13 of the PRIA accompanying this NPRM.

If adopted, the proposal would directly affect twenty large single stage motor vehicle manufacturers.381 None of these would qualify as a small business, however. Based on our preliminary assessment, the proposal would also affect 3 entities that fit the Small Business Administration’s criteria for a small business (Panoz, Saleen, and Shelby). According to the Small Business Administration’s small business size standards (see 13 CFR 121.201), a single stage automobile or light truck manufacturer (NAICS code 336111, Automobile Manufacturing; 336112, Light Truck and Utility Vehicle Manufacturing) must have 1,000 or fewer employees to qualify as a small business. We believe that the rulemaking would not have a significant economic impact on these small vehicle manufacturers because we believe that the market for the products of these several small manufacturers is highly inelastic, and purchasers of these products are enticed by the desire to have an unusual vehicle. Additionally, all vehicle models would incur a similar cost to meet the proposed standard, so raising the price to include the value of V2V technology should not have much, if any, effect on sales of these vehicles, and costs should be able to be passed on to consumers. Based on this analysis, we do not believe that the proposed rule would have a significant economic impact on these three small domestic vehicle manufacturers. Therefore, a regulatory flexibility analysis was not prepared, but we welcome comments on this issue for the final rule.

381 BMW, Daimler (Mercedes), Fiat/Chrysler (which also includes Ferrari and Maserati), Ford, Geely (Volvo), General Motors, Honda (which includes ), Hyundai, Kia, Lotus, Mazda, Mitsubishi, Nissan (which includes Infiniti), , , Suzuki, Tata (Jaguar Land Rover), Toyota, and Volkswagen/.

C. Executive Order 13132 (Federalism)

NHTSA has examined today’s proposal pursuant to Executive Order 13132 (64 FR 43255, August 10, 1999) and concluded that no additional consultation with States, local governments or their representatives is mandated beyond the rulemaking process. The agency has concluded that the rulemaking will not have sufficient federalism implications to warrant consultation with State and local officials or the preparation of a federalism summary impact statement. The proposal will not have ‘‘substantial direct effects on the States, on the relationship between the national government and the States, or on the distribution of power and responsibilities among the various levels of government.’’

NHTSA rules can preempt in two ways. First, the National Traffic and Motor Vehicle Safety Act contains an express preemption provision: When a motor vehicle safety standard is in effect under this chapter, a State or a political subdivision of a State may prescribe or continue in effect a standard applicable to the same aspect of performance of a motor vehicle or motor vehicle equipment only if the standard is identical to the standard prescribed under this chapter. 49 U.S.C. 30103(b)(1). It is this statutory command by Congress that preempts any non-identical State legislative and administrative law addressing the same aspect of performance.

The express preemption provision described above is subject to a savings clause under which ‘‘[c]ompliance with a motor vehicle safety standard prescribed under this chapter does not exempt a person from liability at common law.’’ 49 U.S.C. 30103(e). Pursuant to this provision, State common law tort causes of action against motor vehicle manufacturers that might otherwise be preempted by the express preemption provision are generally preserved. However, the Supreme Court has recognized the possibility, in some instances, of implied preemption of such State common law tort causes of action by virtue of NHTSA’s rules, even if not expressly preempted. This second way that NHTSA rules can preempt is dependent upon there being an actual conflict between an FMVSS and the higher standard that would effectively be imposed on motor vehicle manufacturers if someone obtained a State common law tort judgment against the manufacturer, notwithstanding the manufacturer’s compliance with the NHTSA standard. Because most NHTSA standards established by an FMVSS are minimum standards, a State common law tort cause of action that seeks to impose a higher standard on motor vehicle manufacturers will generally not be preempted. However, if and when such a conflict does exist—for example, when the standard at issue is both a minimum and a maximum standard—the State common law tort cause of action is impliedly preempted. See Geier v. American Honda Motor Co., 529 U.S. 861 (2000).

Pursuant to Executive Order 13132 and 12988, NHTSA has considered whether this proposal could or should preempt State common law causes of action. The agency’s ability to announce its conclusion regarding the preemptive effect of one of its rules reduces the likelihood that preemption will be an issue in any subsequent tort litigation. To this end, the agency has examined the nature (e.g., the language and structure of the regulatory text) and objectives of today’s proposal and finds that this proposal, like many NHTSA rules, would prescribe only a minimum safety standard. As such, NHTSA does not intend that this proposal preempt state tort law that would effectively impose a higher standard on motor vehicle manufacturers than that to be established by today’s proposal. Establishment of a higher standard by means of State tort law would not conflict with the minimum standard announced here. Without any conflict, there could not be any implied preemption of a State common law tort cause of action.

D. Executive Order 12988 (Civil Justice Reform)

With respect to the review of the promulgation of a new regulation, section 3(b) of Executive Order 12988, ‘‘Civil Justice Reform’’ (61 FR 4729; Feb. 7, 1996), requires that Executive agencies make every reasonable effort to ensure that the regulation: (1) Clearly specifies the preemptive effect; (2) clearly specifies the effect on existing Federal law or regulation; (3) provides a clear legal standard for affected conduct, while promoting simplification and burden reduction; (4) clearly specifies the retroactive effect, if any; (5) specifies whether administrative proceedings are to be required before parties file suit in court; (6) adequately defines key terms; and (7) addresses other important issues affecting clarity and general draftsmanship under any guidelines issued by the Attorney General. This document is consistent with that requirement.

Pursuant to this Order, NHTSA notes as follows. The issue of preemption is discussed above. NHTSA notes further that there is no requirement that individuals submit a petition for reconsideration or pursue other administrative proceedings before they may file suit in court.

E. Protection of Children From Environmental Health and Safety Risks

Executive Order 13045, ‘‘Protection of Children from Environmental Health and Safety Risks’’ (62 FR 19855, April 23, 1997), applies to any rule that: (1) Is determined to be ‘‘economically significant’’ as defined under Executive Order 12866, and (2) concerns an environmental, health, or safety risk that
the agency has reason to believe may have a disproportionate effect on children. If the regulatory action meets both criteria, the agency must evaluate the environmental health or safety effects of the planned rule on children, and explain why the planned regulation is preferable to other potentially effective and reasonably feasible alternatives considered by the agency.

This notice is part of a rulemaking that is not expected to have a disproportionate health or safety impact on children. Consequently, no further analysis is required under Executive Order 13045.

F. Paperwork Reduction Act

Under the Paperwork Reduction Act of 1995 (PRA), a person is not required to respond to a collection of information by a Federal agency unless the collection displays a valid OMB control number. There is no information collection requirement associated with this proposal. The proposal would require new vehicles to be capable of V2V communications, which would require a new aspect of performance where the vehicle broadcasts Basic Safety Messages (BSMs) during operation, which other vehicles could then receive and interpret as appropriate. BSMs include information about a vehicle’s current location, heading, and speed, among other things—information that safety applications on other vehicles could interpret to determine whether a warning to the driver is needed for the driver to avoid a potential crash. The agency does not foresee any reporting requirements or PRA related impacts directly attributable to the proposed performance requirements in this proposal.

G. National Technology Transfer and Advancement Act

Section 12(d) of the National Technology Transfer and Advancement Act (NTTAA) requires NHTSA to evaluate and use existing voluntary consensus standards in its regulatory activities unless doing so would be inconsistent with applicable law (e.g., the statutory provisions regarding NHTSA’s vehicle safety authority) or otherwise impractical. Voluntary consensus standards are technical standards developed or adopted by voluntary consensus standards bodies. Technical standards are defined by the NTTAA as ‘‘performance-based or design-specific technical specification and related management systems practices.’’ They pertain to ‘‘products and processes, such as size, strength, or technical performance of a product, process or material.’’

Examples of organizations generally regarded as voluntary consensus standards bodies include ASTM International, SAE International (SAE), and the American National Standards Institute (ANSI). If NHTSA does not use available and potentially applicable voluntary consensus standards, we are required by the Act to provide Congress, through OMB, an explanation of the reasons for not using such standards.

This proposal would require new light vehicles to be capable of V2V communications. Section III.D.10 above discusses how voluntary consensus standards by SAE, IEEE, and ISO interact with the agency’s proposed requirements for V2V communication. In summary, the voluntary consensus standards provide information that support both performance requirements and design specifications, and are the bridge for connecting the requirements to the specifications. In relation to this proposal, NHTSA’s job is to identify and define performance requirements and verification tests that will indicate that V2V devices have been designed and implemented such that they will operate to provide V2V communications and security that will support crash avoidance applications. The voluntary consensus standards are building blocks for those requirements, but as they are not at the vehicle-level, they cannot be incorporated wholesale into the FMVSS. We seek comment on NHTSA’s approach to inclusion of relevant voluntary consensus standards in the development of our proposed requirements.

H. Unfunded Mandates Reform Act

Section 202 of the Unfunded Mandates Reform Act of 1995 (UMRA) requires federal agencies to prepare a written assessment of the costs, benefits, and other effects of proposed or final rules that include a Federal mandate likely to result in the expenditure by State, local, or tribal governments, in the aggregate, or by the private sector, of more than $100 million annually (adjusted for inflation with base year of 1995). Before promulgating a rule for which a written statement is needed, section 205 of the UMRA generally requires the agency to identify and consider a reasonable number of regulatory alternatives and adopt the least costly, most cost-effective, or least burdensome alternative that achieves the objectives of the rule. The provisions of section 205 do not apply when they are inconsistent with applicable law. Moreover, section 205 allows the agency to adopt an alternative other than the least costly, most cost-effective, or least burdensome alternative if the agency publishes with the final rule an explanation of why that alternative was not adopted.

As noted above, NHTSA has prepared a detailed economic assessment of this proposal in the PRIA. In that assessment, the agency analyzes the benefits and costs of requiring new light vehicles to be capable of V2V communications. NHTSA’s preliminary analysis indicates that this proposal could result in private expenditures of between $2 and $5 billion annually.

The PRIA also analyzes the benefits and costs of a range of regulatory alternatives. While the ‘‘No Action’’ alternative would result in no costs, it would also result in no benefits. For the alternative that would include mandates for safety applications, NHTSA’s preliminary analysis indicates that the costs would not be significantly different from the proposal, but that benefits would accrue faster, such that the alternative would be cost-effective and achieve positive net benefits two model years before the proposal would. The agency is proposing not to require applications at this time, however, due to the need for significant additional research to establish performance requirements and test procedures for them, and without which unintended consequences such as high false positive rates could occur.

Since the agency has estimated that this proposal could result in expenditures of over $1 billion annually, NHTSA has performed a probabilistic uncertainty analysis to examine the degree of uncertainty in its cost and benefit estimates and included that analysis in Chapter 12 of the PRIA.

I. National Environmental Policy Act

NHTSA has analyzed this rulemaking action for the purposes of the National Environmental Policy Act. The agency has determined that implementation of this proposed action will not have any significant impact on the quality of the human environment.

J. Plain Language

Executive Order 12866 requires each agency to write all rules in plain language. Application of the principles of plain language includes consideration of the following questions:
• Have we organized the material to suit the public’s needs?
• Are the requirements in the rule clearly stated?
• Does the rule contain technical language or jargon that isn’t clear?
• Would a different format (grouping and order of sections, use of headings,

paragraphing) make the rule easier to understand?
• Would more (but shorter) sections be better?
• Could we improve clarity by adding tables, lists, or diagrams?
• What else could we do to make the rule easier to understand?

If you have any responses to these questions, please include them in your comments on this proposal.

K. Regulatory Identifier Number (RIN)

The Department of Transportation assigns a regulation identifier number (RIN) to each regulatory action listed in the Unified Agenda of Federal Regulations. The Regulatory Information Service Center publishes the Unified Agenda in April and October of each year. You may use the RIN contained in the heading at the beginning of this document to find this action in the Unified Agenda.

L. Privacy Act

Anyone is able to search the electronic form of all comments received into any of our dockets by the name of the individual submitting the comment (or signing the comment, if submitted on behalf of an association, business, labor union, etc.). You may review DOT’s complete Privacy Act Statement in the Federal Register published on April 11, 2000 (65 FR 19477–78).

List of Subjects in 49 CFR Part 571

Motor vehicles, Motor vehicle safety.

Proposed Regulatory Text

In consideration of the foregoing, NHTSA proposes to amend 49 CFR part 571 as follows:

PART 571—FEDERAL MOTOR VEHICLE SAFETY STANDARDS

■ 1. The authority citation for part 571 continues to read as follows:

Authority: 49 U.S.C. 322, 30111, 30115, 30117, and 30166; delegation of authority at 49 CFR 1.95.

■ 2. Add § 571.150 to subpart B to read as follows:

§ 571.150 Standard No. 150; V2V communications.

S1 Scope. This standard specifies performance requirements for vehicle-to-vehicle communications capability.

S2 Purpose. The purpose of this standard is to ensure that new motor vehicles are able to transmit and receive standardized, authenticated Basic Safety Messages (BSMs), in order to create an information environment upon which a variety of safety applications can rely, which in turn can reduce deaths and injuries on the roads.

S3 Application. This standard applies to new passenger cars, multipurpose passenger vehicles, trucks, and buses with a gross vehicle weight rating of 10,000 pounds (4,536 kilograms) or less.

S4 Definitions.

Basic Safety Message (BSM) contains safety data according to specific requirements and is used in a variety of applications to exchange safety data regarding vehicle status. BSM transmission of 10 times per second is typical when congestion control is not active. BSM content, initialization time, transmission requirements, and other characteristics must comply with the requirements of S5, below.

Channel busy ratio is a measure of the amount of time a channel is designated as busy over the total observed time channel is available.

Coordinated Universal Time (UTC) is the international standard of time that is kept by atomic clocks around the world.

Denial of Service (DoS) attack is an attempt to make a machine or network resource unavailable to its intended users, such as to temporarily or indefinitely interrupt or suspend such as disrupting DSRC communications.

DSRC device means a device that uses Dedicated Short Range Communications to transmit and receive a variety of message traffic to and from other DSRC devices that include On-Board Units (integrated into a vehicle), Aftermarket Safety Devices, and Road-Side Units.

Event Flag is part of the Basic Safety Message. An Event Flag conveys the sender’s status with respect to safety-related events such as Antilock Brake System activation, Stability Control Activation, hard braking, and airbag deployment.

GNSS (Global Navigation Satellite System) means a satellite system that is used to pinpoint the geographic location of a user’s receiver anywhere in the world.

Packet Error Rate refers to the unit of data for radio transmission subject to Forward Error Correction (FEC). The number of error packets after FEC divided by the total number of received packets is the Packet Error Rate.

Reasonably Linkable refers to data elements in the BSM or other aspects of V2V transmissions capable of being used to identify a specific individual on a persistent basis without unreasonable cost or effort, in real time or retrospectively, given available data sources. This is intended to have the same meaning as “linkable as a practical matter” as used in this standard.

Roadside Equipment (RSE) means any roadside equipment that prepares and transmits messages to V2V devices and receives messages from V2V devices for the purpose of supporting V2I applications or, potentially, security. This is intended to include the DSRC radio, traffic signal controller where appropriate, interface to the backhaul communications network necessary to support the applications, and support such functions as data security, encryption, buffering, and message processing.

Timestamp means the current time of an event that is recorded by a computer.

Vehicle reference point means the theoretical point projected on the surface of the roadway that is in the center of a rectangle oriented about the vehicle’s axis of symmetry front-to-back, encompassing the farthest forward and rearward points and side-to-side points on the vehicle, including original equipment such as outside side view mirrors.

S5 Requirements. Each vehicle to which this standard applies must transmit and receive messages consistent with the requirements below. To obtain interoperable V2V communications for crash avoidance safety, DSRC devices must be capable of: First, transmitting and receiving an established message (i.e. the BSM that has specified content of information, but also the measuring unit for each information element and the level of precision needed); Second, conforming to DSRC transmission protocols that will support crash avoidance safety (i.e., how far, how often, on what frequency, etc.); Third, implementing a method for a device to add validation context to message transmissions such that a receiver of that message can authenticate certain information about the sender of the message; Fourth, incorporating a uniform method for dealing with possible occurrences of high volumes of DSRC messages (i.e., potentially reducing the frequency or range of messages in high congestion situations) and; Fifth, robustness to incorrect or malicious incoming messages.

S5.1 Content. Each BSM must contain the following elements, except as provided in S5.1.7.:

S5.1.1 Message packaging. As part of each BSM, a DSRC device must transmit a Message ID, a Message Count, and a Temporary ID, as follows:

S5.1.1.1 The Message ID must be the digit “2.”

S5.1.1.2 The Message Count must contain an integer between 0 and 127 that is 1 integer greater than the integer used in the last BSM transmitted by the


same DSRC device. If the last BSM Message Count was 127, then the Message Count for the following BSM is 0.

S5.1.1.3 The Temporary ID must be a randomly generated 4-digit number. The DSRC device must randomly generate a new 4-digit number every five minutes. However, if other temporary identifiers, such as pseudonym certificates, are used, the Temporary ID should be changed every time another identifier (such as a pseudonym certificate) is changed.

S5.1.2 Time. As part of each BSM, a DSRC device must transmit a data element indicating the time, expressed in UTC, and within +/- 1 millisecond of the actual UTC time.

S5.1.3 Location. As part of each BSM, a DSRC device must transmit:

S5.1.3.1 Longitudinal and lateral location within 1.5 meters of the actual position at a Horizontal Dilution of Precision (HDOP) smaller than 5 within the 1 sigma absolute error; and

S5.1.3.2 Elevation location within 3 meters of the actual position at a Horizontal Dilution of Precision (HDOP) smaller than 5 within the 1 sigma absolute error.

S5.1.4 Movement. As part of each BSM, a DSRC device must transmit speed, heading, acceleration, and yaw rate, as follows:

S5.1.4.1 Speed must be reported in increments of 0.02 m/s, within 1 km/h (0.28 m/s) of the vehicle’s actual speed.

S5.1.4.2 Heading must be reported accurately to within 2 degrees when the vehicle speed is greater than 12.5 m/s (~28 mph); and to within 3 degrees when the vehicle speed is less than or equal to 12.5 m/s. Additionally, when the vehicle speed is below 1.11 m/s (~2.5 mph), the DSRC device must latch the current heading and transmit the last heading information prior to the speed dropping below 1.11 m/s. The device is to unlatch the latched heading when the vehicle speed exceeds 1.39 m/s (~3.1 mph) and transmit a heading within 3 degrees of its actual heading until the vehicle reaches a speed of 12.5 m/s where the heading must be transmitted at 2 degrees accuracy of its actual heading.

S5.1.4.3 Acceleration. Horizontal (longitudinal and lateral) acceleration must be reported accurately to 0.3 m/s², and vertical acceleration must be reported accurately to 1 m/s².

S5.1.4.4 Yaw rate. Yaw rate must be reported accurately to 0.5 degrees/second.

S5.1.5 Other event based information.

S5.1.5.1 Path History. The Path History data frame will be transmitted as a required BSM element at the operational frequency of the BSM transmission.

S5.1.5.1.1 Path History data frame requires a history of a vehicle’s past GNSS locations as dictated by GNSS data elements including UTC time, latitude, longitude, heading, elevation sampled at a periodic time interval of 100 ms and interpolated in-between by circular arcs, to represent the vehicle’s recent movement over a limited period of time or distance.

S5.1.5.1.2 Path History points should be incorporated into the Path History data frame such that the perpendicular distance between any point on the vehicle path and the line connecting two consecutive PH points shall be less than 1 m.

S5.1.5.1.3 Minimum number of Path History points vehicles should report the minimum number of points so that the represented Path History distance (i.e., the distance between the first and last Path History point) is at least 300 m and no more than 310 m, unless initially there is less than 300 m of Path History. If the number of Path History points needed to meet both the error and distance requirements stated above exceeds the maximum allowable number of points (23), the Path History data frame shall be populated with only the 23 most recent points from the computed set of points.

S5.1.5.1.3 Path History data frame shall be populated with time-ordered Path History points, with the first Path History point being the closest in time to the current UTC time, and older points following in the order in which they were determined.

S5.1.5.2 Path Prediction. Trajectories in the Path Prediction data frame are represented, at a first order of curvature approximation, as a circle with a radius, R, and an origin located at (0,R), where the x-axis is aligned with the transmitting vehicle’s perspective and normal to the vehicle’s vertical axis. The radius, R, will be positive for curvatures to the right when observed from the transmitting vehicle’s perspective, and radii exceeding a maximum value of 32,767 are to be interpreted as a “straight path” prediction by receiving vehicles.

S5.1.5.2.1 When a device is in steady state conditions over a range from 100 m to 2,500 m in magnitude, the subsystem will populate the Path Prediction data frame with a calculated radius that has less than 2% error from the actual radius. For the purposes of this performance requirement, steady state conditions are defined as those which occur when the vehicle is driving on a curve with a constant radius and where the average of the absolute value of the change of yaw rate over time is smaller than 0.5 deg/s².

S5.1.5.2.2 After a transition from the original constant radius (R1) to the target constant radius (R2), the subsystem shall repopulate the Path Prediction data frame within four seconds under the maximum allowable error bound defined above.

S5.1.5.2.3 Path Prediction trajectories will be transmitted as a required BSM element at the operational frequency of the BSM transmission.

S5.1.5.3 Exterior lights. The subsystem shall set the individual light indications in the data element to be consistent with the vehicle status data that is available. If meaningful values are unavailable, or no light indications will be set to indicate the light is on, the data element should not be transmitted.

S5.1.5.3.1 The Exterior Lights data element, if available, provides the status of all exterior lights on the vehicle, including parking lights, headlights (including low and high beam, and automatic light control), fog lights, daytime running lights, turn signal (right and left), and hazard signals.

S5.1.5.4 Event flags. If a stated criterion is met as indicated for each Event Flag listed, the sender shall set the Event Flag to 1. If, and only if, one or more of the defined Event Flags are set to 1, the subsystem shall transmit a BSM with the corresponding Event Flags within 250 ms of the initial detection of the event at the sender. The Event Flags data element shall be included in the BSM for as long as an event is active.

• ABS Activation: The system is activated for a period of time exceeding 100 ms in length and is currently active.
• Stability Control Activation: The system is activated for a period of time exceeding 100 ms in length and is currently active.
• Hard Braking: The vehicle has decelerated or is decelerating at a rate of greater than 0.4 g.
• Air Bag Deployment: At least one air bag has been deployed.
• Hazard Lights: The hazard lights are currently active.
• Stop Line Violation: The vehicle anticipates that it will pass the line without coming to a full stop before reaching it.
• Traction Control System Activation: The system is activated for a period of time exceeding 100 ms in length and is currently active.
• Flat Tire: The vehicle has determined that at least one tire has run flat.
• Disabled Vehicle: The vehicle considers itself to be disabled.


• Lights Changed: The status of the external lights on the vehicle has changed recently.
• Wipers Changed: The status of the front or rear wipers on the vehicle has changed recently.
• Emergency Response: The vehicle is a properly authorized public safety vehicle, is engaged in a service call, and is currently moving. Lights and/or sirens may not be evident.
• Hazardous Materials: The vehicle is known to be carrying hazardous materials and is labeled as such.

S5.1.6 Vehicle-based motion indicators. As part of each BSM, a DSRC device must transmit transmission state and steering wheel angle.

S5.1.6.1 Transmission state must be reported as either “neutral,” “reverse,” or “forward” for any forward gear.

S5.1.6.2 Steering wheel angle must be reported accurately to 5 degrees.

S5.1.7 Vehicle size. Vehicle size must be reported accurately to 0.2 meters of the vehicle’s length and width.

S5.1.9 Prohibited elements of the BSM. No BSM may contain data linked or reasonably linkable to a specific private vehicle or its driver or owner, including but not limited to VIN, VIN string, vehicle license plate, vehicle registration information, or owner code.

S5.2 Initialization time. A DSRC device must begin transmitting the BSM within 2 seconds after the V2V device power is initiated.

S5.3 Transmitting the BSM. A DSRC device must transmit the BSM with the following power/range, on the following channel, and at the following data rate(s) and times:

S5.3.1 Transmission range. A DSRC device must transmit the BSM in all directions on the same plane as the device (i.e., 360 degrees) and at least 10 degrees above the vehicle and 6 degrees below the vehicle (i.e., along the vertical axis) such that it can be received at any point within at least 300 meters from the transmission antenna, with a Packet Error Rate (PER) of less than 10 percent.

S5.3.2 Transmission channel. A DSRC device must transmit the BSM on Channel 172, as allocated for “public safety applications involving safety of life and property” in 47 CFR part 90, subpart M. All non safety-critical communications will occur on the remaining channels allocated for DSRC in subpart M.

S5.3.3 Transmission data rate. A DSRC device must transmit the BSM at a bit rate of 6 Mbps.

S5.3.4 Transmission staggering timing. A DSRC device must transmit the BSM every 100 ms +/- a random value between 0 and 5 ms.

S5.4 Signing the BSM. [Reserved for message signature requirement if needed]

S5.4.1 Rotating certificates. [Reserved for rotating certificate requirement if needed]

S5.5 Congestion Mitigation.

A DSRC device must transmit the BSM as follows under the following circumstances:

S5.5.1 Calculate Tracking Error. This section specifies the set of steps that calculate the tracking error in the congestion control algorithm for the system. Note that the tracking error is communications-induced and independent of the positioning system tracking error. The system performs the following operations every 100 ms.

• The system estimates the position of the HV at the current time, defined as HV local estimator, per defined below.

1. First find Delta_time, the time since vehicle’s last known position.

(1) Delta_time_ms = T′ − T

2. Do not perform position extrapolation in the following cases:

• If Delta_time_ms < 0, then there is a time-related error.
• If Delta_time_ms > 150 ms, then the vehicle has not received a position update for a very long time and its position is outdated.

3. If 50 ms <= Delta_time_ms <= 150 ms, then perform position extrapolation:

• Calculate the estimated distance traveled by the vehicle in Delta_time_ms.
• Ahead_distance_m = Speed_mps * Delta_time_ms/1000
• Across_distance_m = 0

4. Use ConvertXYtoLatLon function to find the vehicle’s new position at time T′.

ConvertXYtoLatLon(. . .)
INPUT
RefLat = e.g., REF_LATITUDE (rad)
RefLon = e.g., REF_LONGITUDE (rad)
RefHeading = e.g., REF_HEADING (rad)
Y = ACROSS_DISTANCE (m w.r.t. REF LATLON)
X = AHEAD_DISTANCE (m w.r.t. REF LATLON)
a = 6378137; # semi-major axis of earth
f = 0.003353; # flattening
f1 = (f*(2-f))^0.5; # eccentricity


f2 = a*(1-f1^2)/(1-f1^2*(sin(RefLat))^2)^(3/2); # radius of earth in meridian
f3 = a/(1-f1^2*(sin(RefLat))^2)^(1/2); # radius of earth in prime vertical
E = cos(RefHeading)*Y + sin(RefHeading)*X;
N = cos(RefHeading)*X - sin(RefHeading)*Y;
OUTPUT
NEW_LATITUDE (rad) = (1/f2)*N + RefLat;
NEW_LONGITUDE (rad) = (1/(f3*cos(RefLat)))*E + RefLon;

5. For all future calculations, use the calculated New_Latitude and New_Longitude as vehicle’s position, and current time.

• The system makes an assumption of the latest HV state information received by the RVs based on a Bernoulli trial corresponding to the quality of channel indicator as defined below:

Assumption of latest HV State Information at RVs

After each transmission, use a Bernoulli trial with the channel quality indicator P(k) to infer whether this previous transmission is successfully received by RVs.

• Channel Quality Indicator (P): The system calculates P as an average of the PERs observed by the HV from all of the RVs within 100 m of the HV over an interval 5000 ms, and updated at the end of each 1000 ms sub-interval.

Let AVGPER be calculated as:

where
PER_i is for RV ‘i’ and N(k) is the Vehicle Density within 100 m.

Next, P is calculated by smoothening AVGPER to filter out temporal noise or disturbance in the measurement as follows:

where
i is the weight factor 0.9, P(k) is the channel quality indicator for the current interval window. Note that, if P(k) exceeds 0.3, then it is set to 0.3.

1. If the outcome of this Bernoulli trial is positive, assume that the previous transmission by HV is successfully received by RVs. Update the latest information the RVs have about the HV as the state information contained in previous transmission.

2. If, however, the outcome of this Bernoulli trial is negative, treat the previous transmission by HV as a failure and do not update the latest HV state information as that received by RVs.

3. Count the number of Bernoulli trials with successive negative outcomes. If this count is greater than 3, set the previous transmission as successful and update the latest information the RVs have about the HV as the state information contained in the previous transmission.

The state information is defined:

Let q^latest be the HV’s assumed latest state information received by RVs and qPre-tx be the HV’s state information contained in the message of its previous transmission (where t is the time in msec when the longitudinal position x (in degrees), lateral position y (in degrees), speed v (in m/s), and heading q(t) (in degrees) are measured). The HV’s assumed latest state information received by RVs is updated after each transmission as follows:


where
rand () is a uniform random number generator and P(k) is the estimated channel quality indicator.

• Using the latest HV state information assumption at RVs, the system estimates the position of the HV at the current time, defined as HV remote estimator, using the estimator described above. This indicates where the HV believes the RVs “thinks” that the HV is located at the current time.

• The system then calculates the tracking error e(k), between where the HV believes its current position is and where the HV believes RVs think the HV is located at the current time. It is also known as the suspected, expected or estimated tracking error between the HV local estimator and the HV remote estimator.

Where:
the tracking error is defined as the distance between HV local estimator position $(\hat{x}(k), \hat{y}(k))$ and output of the HV remote estimator position, $(\tilde{x}(k), \tilde{y}(k))$ using the great circle formula, i.e.

$$e(k) = R(\hat{x}(k)) \times \cos^{-1}\bigl(\sin(\hat{x}(k)) \times \sin(\tilde{x}(k)) + \cos(\hat{x}(k)) \times \cos(\tilde{x}(k)) \times \cos(\hat{y}(k) - \tilde{y}(k))\bigr)$$

where

$$R(\hat{x}(k)) = a \times (1 - f_1^2)/(1 - f_1^2 \times \sin^2(\hat{x}(k)))^{1.5}$$

is the Meridian Radius of the Earth in meters at latitude $\hat{x}(k)$, $a = 6378137$ is the mean radius of earth in meters, $f_1 = (f \times (2 - f))^{0.5}$ is the Eccentricity, and $f = 0.003353$ is earth’s flattening.

Here $(\hat{x}(k), \hat{y}(k))$ are the latitude and longitude from the HV Local Estimator, converted to radians, and $(\tilde{x}(k), \tilde{y}(k))$ the latitude and longitude from the HV Remote Estimator, converted to radians.
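The position estimator of S5.5.1 (steps 1 to 4 with ConvertXYtoLatLon) and the tracking error e(k) can be run end to end; the following is an added example and not part of the proposed regulatory text. The dictionary layout, the status strings and the handling of a Delta_time_ms below 50 ms (last position used unchanged) are assumptions, and the scenario values are constructed.

```python
import math

A = 6378137.0                   # a: value given in the text, meters
F = 0.003353                    # f: earth's flattening, value given in the text
F1 = math.sqrt(F * (2.0 - F))   # f1: eccentricity

MIN_EXTRAPOLATION_MS = 50       # lower bound of step 3
MAX_EXTRAPOLATION_MS = 150      # upper bound of steps 2 and 3


def meridian_radius(lat):
    """f2 in ConvertXYtoLatLon, R(x) in the e(k) formula; lat in radians."""
    return A * (1.0 - F1 ** 2) / (1.0 - F1 ** 2 * math.sin(lat) ** 2) ** 1.5


def prime_vertical_radius(lat):
    """f3 in ConvertXYtoLatLon; lat in radians."""
    return A / math.sqrt(1.0 - F1 ** 2 * math.sin(lat) ** 2)


def convert_xy_to_lat_lon(ref_lat, ref_lon, ref_heading, x_ahead_m, y_across_m):
    """Offset a reference position by X meters ahead and Y meters across.

    Angles are in radians; the formulas imply heading clockwise from north.
    """
    east = math.cos(ref_heading) * y_across_m + math.sin(ref_heading) * x_ahead_m
    north = math.cos(ref_heading) * x_ahead_m - math.sin(ref_heading) * y_across_m
    new_lat = north / meridian_radius(ref_lat) + ref_lat
    new_lon = east / (prime_vertical_radius(ref_lat) * math.cos(ref_lat)) + ref_lon
    return new_lat, new_lon


def estimate_position(state, now_ms):
    """Steps 1-4 of the estimator: returns (status, (lat, lon) or None)."""
    delta_ms = now_ms - state["t_ms"]                  # step 1
    if delta_ms < 0:
        return "time_error", None                      # step 2, first case
    if delta_ms > MAX_EXTRAPOLATION_MS:
        return "outdated", None                        # step 2, second case
    if delta_ms < MIN_EXTRAPOLATION_MS:
        # Assumption: the text gives no rule for 0 <= delta < 50 ms, so the
        # last known position is used unchanged.
        return "held", (state["lat"], state["lon"])
    ahead_m = state["speed_mps"] * delta_ms / 1000.0   # step 3, across distance 0
    position = convert_xy_to_lat_lon(
        state["lat"], state["lon"], state["heading"], ahead_m, 0.0)  # step 4
    return "extrapolated", position


def tracking_error_m(local, remote):
    """e(k): great-circle distance in meters between (lat, lon) pairs in radians."""
    lat_l, lon_l = local
    lat_r, lon_r = remote
    c = (math.sin(lat_l) * math.sin(lat_r)
         + math.cos(lat_l) * math.cos(lat_r) * math.cos(lon_l - lon_r))
    # Rounding can push c just past 1.0 for near-identical points, which would
    # make acos raise; clamp first. Near c = 1 the arccos form also carries
    # centimeter-level noise in double precision at sub-meter separations.
    c = max(-1.0, min(1.0, c))
    return meridian_radius(lat_l) * math.acos(c)


def lane_change_scenario():
    """Constructed scenario: the last BSM assumed received by RVs was sent at
    t = 0 heading north at 20 m/s; the HV has since drifted 0.5 m to the right
    and turned to 0.2 rad. Returns e(k) at t = 150 ms."""
    sent = {"t_ms": 0, "lat": math.radians(42.0), "lon": math.radians(-83.0),
            "heading": 0.0, "speed_mps": 20.0}
    fix_lat, fix_lon = convert_xy_to_lat_lon(sent["lat"], sent["lon"], 0.0, 2.0, 0.5)
    fix = {"t_ms": 100, "lat": fix_lat, "lon": fix_lon,
           "heading": 0.2, "speed_mps": 20.0}
    _, local = estimate_position(fix, 150)    # HV local estimator
    _, remote = estimate_position(sent, 150)  # HV remote estimator
    return tracking_error_m(local, remote)


if __name__ == "__main__":
    print(f"tracking error e(k) = {lane_change_scenario():.2f} m")
```

Because the remote estimator keeps extrapolating along the last transmitted heading, the lateral drift shows up almost entirely as tracking error even though the along-track positions nearly agree.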


S5.5.2 Transmission power must vary depending on the following:

S5.5.2.1 If there is an Event Flag or a transmission decision is based on p(k), the BSM must be transmitted at maximum power despite the presence of any other conditions;

S5.5.2.2 If the channel busy ratio is below 50% (Umin) and the transmission is based on Max_Trans_Time, then the BSM must be transmitted at maximum power (20 dBm, Pmax);

S5.5.2.3 If the channel busy ratio is above 80% (Umax) and the transmission is based on Max_Trans_Time, then the BSM must be transmitted at minimum power (10 dBm, Pmin);

S5.5.2.4 If the channel busy ratio is between (c) and (b), then the BSM must be transmitted at a power based on a linear function that proportionally reduces the transmission power based on the channel busy ratio value during the previous transmission (U(k-1)) and the previous transmission power (P(k-1)). Where the transmitted power (P(k)) is defined by:

S5.6 Detecting misbehavior. A DSRC device must detect misbehavior in the following ways:

S5.6.1 Internal self-diagnostics. A DSRC device must be able to perform the following self-diagnostic checks:

S5.6.1.1 If a DSRC device detects a malfunctioning sensor which may cause misbehavior, the device must:

(a) Either transmit the BSM with the affected elements set to “Unavailable” if relevant standards allow the element to be set to “Unavailable”; or

(b) Cease BSM transmission if relevant standards do not allow the element to be set to “Unavailable.”

If either (a) or (b) is detected, [Reserved for requirement to report malfunctions if needed]

S5.6.1.2 [Reserved for requirement to report physical tampering]

S5.6.2 Checking and reporting on the plausibility of incoming BSMs. A DSRC device must perform a preliminary plausibility check on all incoming BSMs and respond accordingly, as follows:

S5.6.2.1 The preliminary plausibility check must identify as an implausible message any BSM for which the components of the vehicle dynamic state (position, speed, acceleration, and yaw rate) are outside the following values:

(a) Speed greater than 70 m/s (252 km/h or 156 mph);

(b) Longitudinal acceleration of 0–100 km/h in fewer than 2.3 seconds (greater than 12 m/s²);

(c) Longitudinal deceleration of 100–0 km/h in fewer than 95 feet (greater than 12 m/s²);

(d) Lateral acceleration of greater than 11 m/s² (1.12 G);

(e) Yaw rate of greater than 1.5 radian/s

Additionally, a BSM must be identified as implausible if values within the BSM are not internally consistent given the formula V² = ac/(Y′)².

S5.6.2.2 A DSRC device must be able to perform the plausibility checks described in S5.6.2.1 on at least 5,500 BSMs per second.

S5.6.2.3 [Reserved for requirement to report any failed plausibility check]

S5.6.2.4 A DSRC device must support the detection of other devices which are suspected of misbehaving, and at a minimum detect the following types of misbehavior:

(a) Proximity Plausibility: Instances are detected of two or more vehicles, either partially or wholly, occupying the same physical space based on the reported GPS positions.

(b) Motion Validation: Attempts to validate the reported position of a transmitting vehicle based on the previously-reported velocity and heading values of the vehicle.

(c) Content and Message Verification: Attempts to categorize BSMs as suspicious by checking the data validity of the BSM.

(d) Denial of Service Detection: Attempts to disrupt, limit, or alter the functionality of V2V device to meet the requirements through exhaustions of storage, computation, or other limited resources of the V2V device.

S5.6.3 [Reserved for requirements for sending misbehavior reports]

S5.7 Indicating a malfunction. The DSRC device must be able to indicate to its user the occurrence of one or more malfunctions that affect the performance of the device, its supporting equipment, or the inputs used to form, transmit, or receive a BSM, as follows:

S5.7.1 Malfunctions could include, but are not limited to, the following:

(a) Device components not operating properly;

(b) Input sensor data falling outside tolerance levels;

(c) On-board memory failures;

(d) GPS receiver failures;

(e) An inability to transmit or receive BSMs; or

(f) Any other failure that could prevent normal operation.

S5.7.2 The malfunction indication must be clearly presented to device users in the form of a telltale lamp or message.

S5.7.3 Owners’ information for the device (or vehicle, if the DSRC device is installed as original equipment) must clearly describe the malfunction indication, potential causes, and when the device must be taken in for service (as needed).

S5.7.4 The malfunction indication must remain present and/or illuminated until the malfunction no longer exists and the DSRC device is returned to proper operation.

S5.8 [Reserved for requirement to communicate with the SCMS if needed].

S5.9 Communicating about and obtaining software and security updates. A DSRC device must be able to indicate clearly to users that either device software or security updates are available and that the user must consent to the update before it can occur. If the DSRC device is included in a vehicle as original equipment, the indicator must be present in the vehicle. If the DSRC device is not included in the vehicle as original equipment, the indicator must be present in the device itself.

S5.10 [Reserved for hardware protection requirement].

S5.11 Consumer Privacy Statement.

S5.11.1 Owners information for the device must include the statement set forth in Appendix A below.

S5.11.2 Manufacturers also must make the statement set forth in Appendix A easily accessible to the public, as by publishing it on an easily located Web site indexed by make, model, and year.

S6 Test Conditions.

S6.1 Ambient conditions.

S6.1.1 The ambient temperature is between 0 °C (32 °F) and 40 °C (104 °F).

S6.1.2 The maximum wind speed is no greater than 10 m/s (22 mph) for passenger cars and 5 m/s (11 mph) for multipurpose passenger vehicles, trucks, and buses.

S6.2 Road test surface.

S6.2.1 The tests are conducted on a dry, uniform, solid-paved surface. Surfaces with irregularities and undulations, such as dips and large cracks, are unsuitable.

S6.2.3 The test surface has a consistent slope between level and 1 percent.

S6.3 Vehicle conditions.

S6.3.2 Test weight. The vehicle may be tested at any weight consisting of the test driver and instrumentation only that fall between its lightly loaded vehicle weight (LLVW) and its gross vehicle weight rating (GVWR) without exceeding any of its gross axle weight ratings.

S6.3.3 Tires. The vehicle is tested with the tires installed on the vehicle at the time of initial vehicle sale. The tires are inflated to the vehicle manufacturer’s recommended cold tire inflation pressure(s) specified on the vehicle’s placard or the tire inflation pressure label.

S7 Test Procedures.

S7.1 Pre-test/Inspection.

S7.1.1 Inflate the vehicles’ tires to the cold tire inflation pressure(s) provided on the vehicle’s placard or the tire inflation pressure label.

S7.1.2 Vehicle dimensions.

S7.1.2.1 Measure vehicle length including any equipment installed on the vehicle when first sold.

S7.1.2.2 Measure vehicle width including any equipment installed on the vehicle when first sold.

S7.1.2.3 Measure vehicle height including any equipment installed on vehicle when first sold.
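The preliminary plausibility check of S5.6.2.1 (a) through (e), earlier in this section, written as a receiver-side filter; this is an added example and not part of the proposed regulatory text. The BsmDynamics record, its field names and units, the rejection of non-finite values and the sample messages are assumptions made for the illustration.

```python
import math
from dataclasses import dataclass

# Limits from S5.6.2.1 (a)-(e); every one is a strict "greater than".
MAX_SPEED_MPS = 70.0
MAX_LONG_ACCEL_MPS2 = 12.0
MAX_LONG_DECEL_MPS2 = 12.0
MAX_LAT_ACCEL_MPS2 = 11.0
MAX_YAW_RATE_RAD_S = 1.5


@dataclass(frozen=True)
class BsmDynamics:
    """Hypothetical decoded view of one incoming BSM (names and units assumed)."""
    temporary_id: int
    speed_mps: float
    long_accel_mps2: float   # positive accelerating, negative braking
    lat_accel_mps2: float    # sign gives direction
    yaw_rate_deg_s: float    # S5.1.4.4 states yaw rate in degrees/second


def implausible_reasons(bsm):
    """Return the list of S5.6.2.1 limits the BSM violates (empty if plausible)."""
    values = {
        "speed": bsm.speed_mps,
        "longitudinal acceleration": bsm.long_accel_mps2,
        "lateral acceleration": bsm.lat_accel_mps2,
        "yaw rate": bsm.yaw_rate_deg_s,
    }
    # Added hardening, not in the text: NaN compares False against every
    # limit and would pass the threshold tests below unnoticed.
    bad = [f"{name}: non-finite value" for name, v in values.items()
           if not math.isfinite(v)]
    if bad:
        return bad

    reasons = []
    if bsm.speed_mps > MAX_SPEED_MPS:
        reasons.append("(a) speed above 70 m/s")
    if bsm.long_accel_mps2 > MAX_LONG_ACCEL_MPS2:
        reasons.append("(b) longitudinal acceleration above 12 m/s^2")
    if -bsm.long_accel_mps2 > MAX_LONG_DECEL_MPS2:
        reasons.append("(c) longitudinal deceleration above 12 m/s^2")
    if abs(bsm.lat_accel_mps2) > MAX_LAT_ACCEL_MPS2:
        reasons.append("(d) lateral acceleration above 11 m/s^2")
    # The limit is in radian/s while the field is in degrees/second.
    if abs(math.radians(bsm.yaw_rate_deg_s)) > MAX_YAW_RATE_RAD_S:
        reasons.append("(e) yaw rate above 1.5 radian/s")
    # Not covered here: the text lists no numeric limit for position, and its
    # internal-consistency formula is not implemented.
    return reasons


def triage(bsms):
    """Split a batch into plausible BSMs and (bsm, reasons) pairs."""
    accepted, rejected = [], []
    for bsm in bsms:
        reasons = implausible_reasons(bsm)
        if reasons:
            rejected.append((bsm, reasons))
        else:
            accepted.append(bsm)
    return accepted, rejected


# Constructed sample input.
SAMPLE_BSMS = [
    BsmDynamics(4821, 27.0, 1.2, 0.4, 3.0),
    BsmDynamics(1093, 71.5, 0.0, 0.0, 0.0),
    BsmDynamics(7754, 20.0, -13.0, 0.0, 0.0),
    BsmDynamics(3310, 15.0, 0.0, 0.0, 90.0),      # 90 deg/s = 1.571 rad/s
    BsmDynamics(6602, float("nan"), 0.0, 0.0, 0.0),
    BsmDynamics(2468, 30.0, 12.5, -11.5, 0.0),
]

if __name__ == "__main__":
    ok, flagged = triage(SAMPLE_BSMS)
    print("plausible:", [b.temporary_id for b in ok])
    for bsm, why in flagged:
        print(bsm.temporary_id, "->", "; ".join(why))
```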


S7.1.2.4 Measure the V2V System GNSS Receiver Antenna.
S7.1.2.5 Measure the independent instrumented vehicle sensor coordinates.

S7.2 Static Performance Test Procedure:
S7.2.1 Place the test vehicle on car wheel rollers and position the vehicle on the test track.
S7.2.2 Two dimensional Range: Position a DSRC packet capture device directly in front of the test vehicle with the following characteristics:
S7.2.2.1 The device is 1.5 m above the test surface;
S7.2.2.2 The device is at a nominal distance of 300 m in front of the test vehicle.
S7.2.3 Upward elevation range: Position a DSRC packet capture device at any point along the following line.
S7.2.3.1 The line originates at a point that is directly 1.5 m above the vehicle reference point.
S7.2.3.2 The line rises at a +10 degree angle from the test surface proceeding in the direction directly in front of the test vehicle.
S7.2.3.3 The line terminates at a point that is directly above the point used in S7.2.2.
S7.2.4 Downward elevation range: Position a DSRC packet capture device at any point along the following line.
S7.2.4.1 The line originates at a point that is directly 1.5 m above the vehicle reference point.
S7.2.4.2 The line falls at a -6 degree angle from the test surface proceeding in the direction directly in front of the test vehicle.
S7.2.4.3 The line terminates at any point where it intersects the test surface.
S7.2.5 Configure the DSRC packet capture devices to log BSMs over-the-air (OTA); devices must have a receive sensitivity of -92 dBm.
S7.2.6 Activate the DSRC packet capture devices to log BSMs OTA.
S7.2.7 Activate the test vehicle starting system to initiate BSM transmission.
S7.2.7.1 Run the vehicle for 110 mins.
S7.2.7.2 Rotate the vehicle 90 degrees in the clockwise direction every 15 minutes until the time in S7.2.7.1 expires.
S7.2.8 Deactivate the test vehicle and DSRC packet capture devices.
S7.2.9 Retrieve and process the log files to determine compliance with S.5.
S7.2.10 Positional Accuracy Test.
S7.2.10.1 Using the transmission blocking water filled plastic blanket that will hold one gallon of water with a water width of 1 inch, cover the test vehicle GPS antenna to prevent it from receiving a valid GNSS signal.
S7.2.10.2 Connect GPS signal generator to the test vehicle OBE.
S7.2.10.3 Activate the test vehicle starting system to initiate BSM transmission.
S7.2.10.4 Activate the DSRC packet capture devices to log BSMs OTA.
S7.2.10.5 Using the GPS signal generator, inject a known fake GPS signal into the OBE.
S7.2.10.6 After 5 minutes, deactivate the test vehicle starting system and DSRC capture packet device.
S7.2.10.7 Retrieve and process the log files to determine compliance with the positional accuracy requirements.

S7.3 Simulated Performance Tests.
S7.3.1 Place the test vehicle on the test track.
S7.3.2 Position a DSRC packet capture device directly in front of the test vehicle with the following characteristics:
S7.3.2.1 The device is 1.5 m above the test surface;
S7.3.2.2 The device is at a nominal distance of 300 m in front of the test vehicle.
S7.3.3 Configure the DSRC packet capture device to log BSMs over-the-air (OTA); devices must have a receive sensitivity of -92 dBm.
S7.3.4 Congestion Mitigation.
S7.3.4.1 Position a reference OBE device (i.e. rack of OBE modules) on the test track within a 300 m range of the test vehicle.
S7.3.4.2 Activate the DSRC packet capture device to log BSMs OTA.
S7.3.4.3 Activate the test vehicle starting system to initiate BSM transmission.
S7.3.4.3.1 Run the vehicle for 15 minutes.
S7.3.4.3.2 After 5 minutes, activate the reference OBE device in S7.3.4.1 to simulate a congested DSRC environment.
S7.3.4.3.3 After another 5 minute period, deactivate the reference OBE device in S7.3.4.1.
S7.3.4.3.4 After another 5 minute period, deactivate the test vehicle starting system.
S7.3.4.4 Retrieve and process the log files to determine compliance with the correct congestion mitigation strategy in S5.5.
S7.3.5 Misbehavior Detection.
S7.3.5.1 Position a reference OBE device on the test track within a 300 m range of the test vehicle.
S7.3.5.2 Activate the DSRC packet capture device to log BSMs OTA.
S7.3.5.3 Activate the test vehicle starting system to initiate BSM transmission.
S7.3.5.4 Using the reference OBE device, transmit simulated misbehaving BSMs.
S7.3.5.4.1 After 10 mins, deactivate the reference OBE device.
S7.3.5.7 Retrieve and process the log files to determine compliance with the misbehavior detection requirement in S5.6.

S7.4 Dynamic Performance Test Procedure.
S7.4.1 Configure the test vehicle to send BSMs representing the best estimate of the BSM data parameters.
S7.4.2 Configure the test vehicle to send ground truth data (position, speed, heading, acceleration, yaw rate, and time) from independent sensors mounted on the test vehicle via non-DSRC wireless link.
S7.4.3 Configure the DSRC packet capture device to log BSMs over-the-air (OTA); devices must have a receive sensitivity of -92 dBm.
S7.4.4 Configure an RSE on the test track to receive the test vehicles' ground truth data.
S7.4.5 Dynamic test maneuver.
S7.4.5.1 Activate the test vehicle starting system to initiate BSM transmission.
S7.4.5.2 Activate the DSRC packet capture device to log BSMs OTA.
S7.4.5.3 Put the test vehicle transmission in "Drive" and accelerate the vehicle to 30 mph +/-1 mph.
S7.4.5.4 Apply the service brake to decelerate the vehicle 0.3 g, bring the vehicle to a stop.
S7.4.5.6 Shift the transmission to "Park" and cycle the ignition.
S7.4.5.7 Shift the transmission to "Drive" and accelerate the vehicle to 15 mph +/- mph.
S7.4.5.8 Proceed up an incline with a minimum rise of ? ft.
S7.4.5.9 Drive the test vehicle in a figure eight at 18 mph.
S7.4.5.10 Bring the test vehicle to a stop and shift the transmission to "Reverse".
S7.4.5.11 Accelerate the test vehicle in the reverse direction.
S7.4.5.12 Decelerate the vehicle to a stop and shift the transmission to "Park".
S7.4.5.13 Cycle the ignition.
S7.4.5.14 Deactivate the test vehicle starting system.
S7.4.5.15 Retrieve and process the log files to determine compliance with S5.
S7.4.6 Misbehavior Detection: Plausibility.
S7.4.6.1 Configure a remote test vehicle (RV1) to offset its positional BSM data laterally into the left adjacent lane.
S7.4.6.2 Place RV1 on a two lane test track and position it in the right most lane.
S7.4.6.3 Activate the test vehicle starting system to initiate BSM transmission.
S7.4.6.4 Activate the DSRC packet capture device to log BSMs OTA.
S7.4.6.5 Drive the test vehicle [30 mph +/-1 mph] along the test track in the left lane and proceed past RV1.
S7.4.6.6 Repeat S7.4.6.5 three (3) times.
S7.4.6.7 Retrieve and process the log files to determine compliance with S5.6.
S7.4.6.8 Drive the test vehicle past the RSE at a constant [30 mph +/-1 mph].
S7.4.6.9 Bring the test vehicle to a stop.
S7.4.6.10 [Reserved for requirement to retrieve and process the log files to determine if a Misbehavior Report was sent to the SCMS].
S7.4.7 [Reserved for Misbehavior Detection Signature Failure testing requirement].

S7.5 V2V Malfunction Detection.
S7.5.1 Start-up Self test:
S7.5.2 Position the test vehicle on the test platform.
S7.5.3 Position a DSRC packet capture device at a nominal distance of 300 m from the test device.
S7.5.4 Create a malfunction on the test vehicle.
S7.5.5 Activate the DSRC packet capture device to log BSMs over-the-air (OTA).
S7.5.6 Activate the test vehicle starting system to initiate BSM transmission.
S7.5.7 Retrieve and process the log files to determine compliance with S5.
S7.5.8 Cycle the test vehicle starting system.
S7.5.9 Deactivate the vehicle starting system.
S7.5.10 Correct the system malfunction.
S7.5.11 Reactivate the test vehicle starting system.
S7.5.12 Deactivate the test vehicle starting system.

S8 Phase-in schedule.
S8.1 Vehicles manufactured on or after September 1, [2 years after issuance of a final rule], and before September 1, [3 years after issuance of a final rule]. For vehicles manufactured on or after September 1, [2 years after issuance of a final rule], and


before September 1, [3 years after issuance of a final rule], the number of vehicles complying with this standard must not be less than 50 percent of the manufacturer's production on or after September 1, [2 years after issuance of a final rule], and before September 1, [3 years after issuance of a final rule].
S8.2 Vehicles manufactured on or after September 1, [3 years after issuance of a final rule], and before September 1, [4 years after issuance of a final rule]. For vehicles manufactured on or after September 1, [3 years after issuance of a final rule], and before September 1, [4 years after issuance of a final rule], the number of vehicles complying with this standard must not be less than 75 percent of the manufacturer's production on or after September 1, [3 years after issuance of a final rule], and before September 1, [4 years after issuance of a final rule].
S8.3 Vehicles manufactured on or after September 1, [4 years after issuance of a final rule]. All vehicles manufactured on or after September 1, [4 years after issuance of a final rule] must comply with this standard.
S8.4 Calculation of number of complying vehicles.
(a) For purposes of complying with S8.1, a manufacturer may count a vehicle if it is certified as complying with this standard and is manufactured on or after June 5, [1 year after issuance of a final rule], but before September 1, [3 years after issuance of a final rule].
(b) For purposes of complying with S8.2, a manufacturer may count a vehicle if it.
(1) Is certified as complying with this standard and is manufactured on or after June 5, [1 year after issuance of a final rule], but before September 1, [4 years after issuance of a final rule], and is not counted toward compliance with S8.1; or
(2) Is certified as complying with this standard and is manufactured on or after September 1, [3 years after issuance of a final rule], but before September 1, [4 years after issuance of a final rule].
S8.5 Vehicles produced by more than one manufacturer.
S8.5.1 For the purpose of calculating average annual production of vehicles for each manufacturer and the number of vehicles manufactured by each manufacturer under S8.1 through S8.3, a vehicle produced by more than one manufacturer must be attributed to a single manufacturer as follows, subject to S8.5.2:
(a) A vehicle that is imported must be attributed to the importer.
(b) A vehicle manufactured in the United States by more than one manufacturer, one of which also markets the vehicle, must be attributed to the manufacturer that markets the vehicle.
S8.5.2 A vehicle produced by more than one manufacturer must be attributed to any one of the vehicle's manufacturers specified by an express written contract, reported to the National Highway Traffic Safety Administration under 49 CFR part 585, between the manufacturer so specified and the manufacturer to which the vehicle would otherwise be attributed under S8.5.1.
S8.6 Small volume manufacturers. Vehicles manufactured during any of the two years of the September 1, [2 years after issuance of a final rule] through August 31, [4 years after issuance of a final rule] phase-in by a manufacturer that produces fewer than 5,000 vehicles for sale in the United States during that year are not subject to the phase-in requirements of S8.1 through S8.4. Instead, all vehicles produced by these manufacturers on or after September 1, [4 years after issuance of a final rule] must comply with this standard.
S8.7 Final-stage manufacturers and alterers. Vehicles that are manufactured in two or more stages or that are altered (within the meaning of 49 CFR 567.7) after having previously been certified in accordance with part 567 of this chapter are not subject to the phase-in requirements of S8.1 through S8.4. Instead, all vehicles produced by these manufacturers on or after September 1, [5 years after issuance of a final rule] must comply with this standard.

S9 Interoperable technology.
S9.1 The agency is also recognizing that communications mediums other than DSRC may be capable of providing equal or better performance than DSRC. These alternative technologies would be permissible if and only if it satisfies all of the criteria set forth in this section:
S9.1.1 Interoperable technology testing requirements:
S9.1.1.1 Transmitting and receiving an established message with all other V2V devices, including DSRC devices, including BSM content data as specified in S5.1.2, S5.1.3, S5.1.4, S5.1.5, S5.1.6, and S5.1.7;
S9.1.1.2 Utilizing transmissions protocols that achieve at least the same level of performance as DSRC including S5.2, S5.3.1, S5.3.4, and S5.3.5; and
S9.1.1.3 Ensuring, at the minimum, the same robustness to incorrect or malicious incoming messages as DSRC as specified in the plausibility checks specified in S5.6.2.
S9.1.2 Interoperable technology performance requirements:
S9.1.2.1 A device that enables V2V communication, but does not use DSRC technology must perform at the same level as the requirements found in S5.2, S5.3, S5.4, S5.7–S5.10 for DSRC devices, except that it is not required to meet:
S9.1.2.2 Specific references to DSRC, where the technology meets all other requirements;
S9.1.2.3 The message packaging or protocol suite requirements found in S5.1.1.
S9.1.2.4 The required channel or data rate in S5.3.2 and S5.3.3; and
S9.1.2.5 The requirements associated with message congestion mitigation and misbehavior detection found in S5.5 and S5.6 except as specified in S5.6.2;
S9.1.3 Interoperability technology testing procedures:
S9.1.3.1 The test conditions for testing non-DSRC V2V devices shall be the same as those for DSRC devices in S6.
S9.1.3.2 The test procedures for testing non-DSRC V2V devices to determine whether they can send BSMs that are interoperable with DSRC devices shall be the same as those for DSRC devices in S7, minus any specific references to DSRC in the vehicle being tested, including but not limited to S7.3.4, S7.3.5, and S7.4.6.
S9.1.3.3 [Reserved for test procedures on receiving BSMs from a DSRC test device]
S9.1.3.4 [Reserved for test procedures on ensuring interoperability with other approved non-DSRC V2V devices]

Appendix A to § 571.150: V2V Privacy Statement

(a) V2V Messages
(1) The National Highway Traffic Safety Administration (NHTSA) requires that your vehicle be equipped with a Vehicle-to-Vehicle (V2V) safety system. The V2V system is designed to give your vehicle a 360 degree awareness of the driving environment and warn you in the event of a pending crash, allowing you to take actions to avoid or mitigate the crash, if the manufacturer of your vehicle has installed V2V safety applications.
(2) Your V2V system periodically broadcasts and receives from all nearby vehicles a V2V message that contains important safety information, including vehicle position, speed, and direction. V2V messages are broadcast ten times per second in only the limited geographical range (approximately 300 meters) necessary to enable V2V safety application to warn drivers of pending crash events.
(3) To help protect driver privacy, V2V messages do not directly identify you or your vehicle (as through vehicle identification number or State motor vehicle registration), or contain data that is reasonably or, as a practical matter, linkable to you. For purposes of this statement, V2V data is "reasonably" or "as a practical matter" linkable to you if it can be used to trace V2V messages back to you personally for more than a temporary period of time (in other words, on a persistent basis) without unreasonable expense or effort, in real time or after the fact, given available data sources. Excluding reasonably linkable data from V2V messages helps protect consumer privacy, while still providing your V2V system with sufficient information to enable crash-avoidance safety applications.

(b) Collection, Storage and Use of V2V Information
(1) Your V2V system does not collect or store V2V messages except for a limited time needed to maintain awareness of nearby vehicles for safety purposes or in case of equipment malfunction. In the event of malfunction, the V2V system collects only those messages required, and keeps that information only for long enough to assess a V2V device's misbehavior and, if a product defect seems likely, to provide defect information to your vehicle's manufacturer.
(2) NHTSA does not regulate the collection or use of V2V communications or data beyond the specific use by motor vehicles and motor vehicle equipment for safety-related applications. That means that other individuals and entities may use specialized equipment to collect and aggregate (group together) V2V transmissions and use them for any purpose including applications such as motor vehicle and highway safety, mobility, environmental, governmental and commercial purposes. For example, States and localities may deploy roadside


equipment that enables connectivity between your vehicle, roadways and non-vehicle roadway users (such as cyclists or pedestrians). These technologies may provide direct benefits such as use of V2V data to further increase your vehicle's awareness of its surroundings, work zones, first responders, accidents, cyclists and pedestrians. State and local entities (such as traffic control centers or transportation authorities) may use aggregate V2V safety messages for traffic monitoring, road maintenance, transportation research, transportation planning, truck inspection, emergency and first responder, ride-sharing, and transit maintenance purposes. Commercial entities also may use aggregate V2V messages to provide valuable services to customers, such as traffic flow management and location-based analytics, and for other purposes (some of which might impact consumer privacy in unanticipated ways). NHTSA does not regulate the collection or use of V2V data by commercial entities or other third parties.
(3) While V2V messages do not directly identify vehicles or their drivers, or contain data reasonably linkable to you on a persistent basis, the collection, storage and use of V2V data may have residual privacy impacts on private motor vehicle owners or drivers. Consumers who want additional information about privacy in the V2V system may review NHTSA's V2V Privacy Impact Assessment, published by The U.S. Department of Transportation at http://www.transportation.gov/privacy.
(4) If you have concerns or questions about the privacy practices of vehicle manufacturers or third party service providers or applications, please contact the Federal Trade Commission. https://www.ftc.gov.

Dated: December 12, 2016.
Anthony R. Foxx,
Secretary, Department of Transportation.
[FR Doc. 2016–31059 Filed 1–3–17; 4:15 pm]
BILLING CODE 4910–59–P
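Added example, not part of the proposed rule text: in the S7.4.6 plausibility test, RV1 broadcasts a position shifted into the lane the test vehicle drives in, so during each pass RV1's claimed position coincides with space the test vehicle physically occupies. The Python below applies a position-overlap check to a constructed 10 Hz log of one pass. The lane width, vehicle footprint, track-aligned coordinates and the overlap criterion itself are assumptions made for illustration, since the checks required by S5.6 are defined elsewhere in the standard.

```python
"""Added example: position-overlap plausibility check on a constructed S7.4.6-style log."""
from dataclasses import dataclass

MPH_TO_MPS = 0.44704
LANE_WIDTH_M = 3.7                 # assumed lane width (not taken from the rule text)
VEH_LEN_M, VEH_WID_M = 4.5, 1.8    # assumed footprint, same for both vehicles
BSM_PERIOD_S = 0.1                 # ten BSMs per second


@dataclass(frozen=True)
class Sample:
    t: float        # seconds since the start of the pass
    host_x: float   # test vehicle ground truth, metres along the track
    host_y: float   # metres left of the right-lane centre line
    claim_x: float  # position RV1 claims in its BSM
    claim_y: float


def build_pass(rv_lateral_offset_m, speed_mph=30.0, start_x=-50.0, duration_s=8.0):
    """Constructed log of one pass: host in the left lane, RV1 parked at x=0 in the right lane."""
    v = speed_mph * MPH_TO_MPS
    n = int(round(duration_s / BSM_PERIOD_S))
    return [Sample(k * BSM_PERIOD_S, start_x + v * k * BSM_PERIOD_S, LANE_WIDTH_M,
                   0.0, rv_lateral_offset_m) for k in range(n + 1)]


def footprints_overlap(s):
    """True when RV1's claimed footprint intersects the host's footprint.

    Both vehicles are assumed aligned with the track axis, so this is an
    axis-aligned rectangle intersection: two equal rectangles overlap when
    their centres are closer than one length and one width.
    """
    return (abs(s.host_x - s.claim_x) < VEH_LEN_M and
            abs(s.host_y - s.claim_y) < VEH_WID_M)


def implausible_times(log):
    """Timestamps of BSMs that place RV1 inside space the host occupies."""
    return [round(s.t, 1) for s in log if footprints_overlap(s)]


def summarize(log):
    """(flagged BSM count, first flagged time, last flagged time), or (0, None, None)."""
    flagged = implausible_times(log)
    if not flagged:
        return (0, None, None)
    return (len(flagged), flagged[0], flagged[-1])


if __name__ == "__main__":
    print("offset RV1:", summarize(build_pass(LANE_WIDTH_M)))   # RV1 claims the left lane
    print("honest RV1:", summarize(build_pass(0.0)))            # RV1 reports its true lane
```

An RV1 that reports its true right-lane position produces no flags on the same pass, which gives a log processor a baseline for separating the injected offset from normal passing traffic.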
