By David Browne
This is the second in an INROAD series on the Autonomous Vehicle (AV). Each article will update you with timely news as well as highlight a specific theme or issue within the field. This article is an introduction to the safety implications of the AV, with particular emphasis on the guidelines just introduced by DOT.

For your ongoing reference, Autonomous Vehicles (AVs) may be characterized by 6 levels of SAE’s classification (simplified) relating to their level of automation, i.e., current human roles assumed by automated technologies:

| Level | Name | Automated System Role | Human Role |
|---|---|---|---|
| 0 | No Automation | None | All Driving Functions |
| 1 | Driver Assistance | Driver-assist features including adaptive cruise control, preemptive braking, lane centering, parking assist, driver observation & alerts | Responsible for all core driving functions |
| 2 | Partial Automation | Partial driving automation, e.g., steering, acceleration, deceleration | Responsible for monitoring roadway environment, ready to assume control w/ or w/o system warning |
| 3 | Conditional Automation | Most driving functions and roadway monitoring are automated. System-designated request for human intervention | State of ongoing readiness to assume control and intervene in response to system request |
| 4 | High Automation | All driving and monitoring functions are automated. Operation limited to selective environments, e.g., defined shuttle routes | Human control unnecessary. Steering, pedals, and gear shifting generally unavailable |
| 5 | Full Automation | All driving functions and environments without a human driver | The human input to navigation but without any vehicle control. Possible opt-in / out by human operator |

AV SAFETY – Timely Update:
On September 12th at the MCity vehicle testing facility in Ann Arbor, Michigan, U.S. DOT Secretary Elaine Chao unveiled the Administration’s new efforts to encourage self-driving technology, issuing voluntary testing guidelines for companies to test AVs on public roadways. The new guidance reflects an update of the Federal Automated Vehicles Policy released last year by the Obama Administration. During the September 6 preview for GHSA, NHTSA shared that the updated document will have a new title and structure, will re-emphasize its voluntary nature and will clarify federal and state roles.

The purpose of this Voluntary Guidance is to encourage AV design entities to analyze, identify, and resolve safety considerations prior to deployment using their own, industry, and other best practices.

It outlines the 12 most salient safety elements for developing, testing, and deploying AVs on public roadways:

1. System Safety – Follow a robust design and validation process based on a systems-engineering approach with the goal of designing AVs free of unreasonable safety risks.

2. Operational Design Domain – Define and document the Operational Design Domain (ODD) for each AV available on their vehicle(s) as tested or deployed for use on public roadways, as well as document the processes and procedures for assessment, testing, and validation of AV functionality with the prescribed ODD. The ODD should describe the specific conditions under which a given AV or feature is intended to function. The ODD is the definition of where (i.e., roadway types and speeds) and when (under what conditions, such as day/night, weather, etc.) an AV is designed to operate.

3. Object and Event Detection and Response (OEDR) Functions – Detect and respond to the broadest range of pre-crash scenarios – by either the driver or AV. Have a documented process for assessment, testing, and validation of the AV’s OEDR capabilities. Scenarios include other vehicles in and out of its travel path (including emergency vehicles), pedestrians, bicyclists, animals, and objects, as well as temporary work zones and other unusual conditions (e.g., police manually directing traffic or other first responders or construction workers controlling traffic) that may impact the AV’s safe operation.

4. Fallback (Minimal Risk) Conditions – Document the process for transitioning to a minimal risk condition when a problem is encountered or the AV cannot operate safely. The AV should be capable of detecting malfunctions, operation in a degraded state, and operation outside of the operational design domain (ODD). The AV should be able to notify the human driver of such events in a way that enables the driver to regain proper control of the vehicle or allows the AV to return to a minimal risk condition independently.

5. Validation Methods – Develop validation methods to appropriately mitigate the safety risks associated with the AV approach. Tests should demonstrate competencies during normal operation, crash avoidance situations, and the performance of fallback strategies. Test approaches may include a combination of simulation, test track, and on-road testing, with simulation and track testing precedent strongly encouraged.

6. Human Machine Interface (HMI) – Understanding the interaction between the vehicle and the driver, commonly referred to as “human-machine interface”, has always played an important role in the automotive design process. The vehicle must be capable of accurately conveying information to the human driver regarding intentions and vehicle performance. This is particularly true for AVs in which human drivers may be requested to perform any part of the driving task. For example, in a Level 3 vehicle, the driver must always be receptive to a request by the system to take back driving responsibilities. However, a driver’s ability to do so is a function of their alertness to the driving task and capability to quickly take over control. Entities are encouraged to consider whether it is reasonable and appropriate to incorporate driver engagement monitoring in cases where drivers could be involved in the driving task.

7. Vehicle Cybersecurity – Entities are encouraged to follow a robust product development process based on a systems-engineering approach to minimize risks to safety, including those due to cybersecurity threats and vulnerabilities. This process should include a systematic and ongoing safety risk assessment for each AV, the overall vehicle design into which it is being integrated, and when applicable, the broader transportation ecosystem. Entities are encouraged to consider and incorporate voluntary guidance, best practices, and design principles published by the National Institute of Standards and Technology (NIST), NHTSA, SAE International, the Alliance of Automobile Manufacturers, the Association of Global Automakers, the Automotive Information Sharing and Analysis Center (Auto-ISAC), and other relevant organizations, as appropriate. NHTSA encourages entities to document how they incorporated vehicle cybersecurity considerations into AVs, and industry sharing of information will be essential to avoid vulnerabilities. Entities are encouraged to report to the Auto-ISAC all discovered incidents, exploits, threats and vulnerabilities from internal testing, consumer reporting, or external security research as soon as possible, regardless of membership.

8. Crashworthiness-Occupant Protection – Entities need to consider how to best protect vehicle occupants in the scenario of another vehicle crashing into an AV-equipped vehicle. Regardless of whether the AV is operating the vehicle or the vehicle is human-driven, the occupant protection system should maintain its intended performance level in the event of a crash. Entities should consider incorporating information from the advanced sensing technologies needed for AV operation into new occupant protection systems that provide enhanced protection to occupants of all ages and sizes. In addition to the seating configurations evaluated in current standards, entities are encouraged to evaluate and consider additional countermeasures that will protect all occupants in any alternative planned seating or interior configurations during use. Unoccupied AV vehicles, including those intended for product or service delivery, should provide geometric and energy absorption crash compatibility with a full complement of existing vehicles and road users.

9. Post-Crash Performance – Consider methods of returning AVs to a safe state immediately after being involved in a crash. Depending on the severity of the crash, this may involve shutting off the fuel pump, removing motive power, moving the vehicle to a safe position off the roadway (or safest place available), disengaging electrical power, and other such actions.

10. Data Recording – Crash Reconstruction – Learning from crash data is central to the safety potential of AVs. Paramount to this type of learning is proper crash reconstruction. Currently, no standard data elements exist for law enforcement, researchers, and others to use in determining why an AV-enabled vehicle crashed. Therefore, entities are encouraged to establish a documented process for testing, validating, and collecting necessary data related to the occurrence of malfunctions, degradation, or failures in a way that can be used to establish the cause of any crash. To promote a continual learning environment, entities engaging in testing or deployment should collect data associated with crashes involving: (1) fatal or nonfatal personal injury or (2) damage that requires towing, damage preventing the vehicle from being driven under its own power, or damage preventing it from being driven without causing further damage or a hazard to itself, other traffic elements, or the roadway. For crash reconstruction purposes (including during testing), it is recommended that AV data be stored, maintained, and readily available for retrieval as is current practice, including applicable privacy protections, for crash event data recorders.

11. Consumer Education and Training – Entities are encouraged to develop, document, and maintain employee, dealer, distributor, and consumer education and training programs to address the anticipated differences in the use and operation of AVs from those of the conventional vehicles of today. Entities should also ensure that their own staff, including their marketing and sales teams, understand the technology and can educate and train their dealers, distributors, and consumers. Consumer education programs are encouraged to cover topics such as those addressed in elements 1-10 above. They should also include explicit information on what the AV is capable and not capable of in an effort to minimize potential risks from user system abuse or misunderstanding.

12. Federal, State, and Local Laws – Finally, entities are encouraged to document how they intend to account for all applicable Federal, State, and Local laws in the design of their vehicles and AVs. Based on the operational design domain(s), the development of AVs should account for all governing traffic laws when operating in automated mode. For testing purposes, an entity may rely on an AV test driver or other mechanism to manage compliance with the applicable laws. In certain safety-critical situations (such as having to cross double lines on the roadway to travel safely past a broken-down vehicle on the road) human drivers may temporarily violate certain State motor vehicle driving laws. AVs are expected to have the capability of handling such foreseeable events safely; entities are encouraged to have a documented process for independent assessment, testing, and validation of such plausible scenarios. Given that laws and regulations will inevitably change over time, entities should consider developing processes to update capabilities accordingly.


The Trump administration and lawmakers in Washington are actively moving toward federal legislation covering AVs. Last week, the House approved legislation (the “Self Drive Act”) to accelerate deployment and testing of AVs by eliminating the complexity of state-level regulatory oversight. This legislation would allow automakers to deploy hundreds of thousands of autonomous vehicles on American roads over the next few years. A similar bill is being drafted in the Senate and is expected to be introduced soon.

If enacted, the bill would allow AV manufacturers to apply for an exemption from federal safety standards designed for conventional cars. In the first year, the exemption would be capped at 25,000 vehicles, but it would rise to 100,000 vehicles over 3 years.

Expect to learn more about the new guidance and latest congressional activity on self-driving vehicles at GHSA’s Annual Meeting in mid-September in Kentucky.

 

 
