The EU's latest legislative draft for ADS provides guidance for performance, with an extensive focus on functional and operational safety of AVs.
In April, the European Union (EU) released a draft version of its legislation for vehicles with automated driving systems (ADS). This column provides an overview of what is included in the proposed ADS legislation.
The ADS legislation draft uses acronyms, including SAE terminology. The key abbreviations used in this column are: ADS (automated driving system), AV (autonomous vehicle), DDT (dynamic driving task), ODD (operational design domain), MRM (minimum risk maneuver), MRC (minimal risk condition), EDR (event data recorder), and M&S (modelling and simulation).
The EU ADS legislation draft has two main parts: ADS performance requirements and ADS compliance assessment. The ADS performance requirements specify what capabilities an autonomous vehicle must have to receive type-approval in Europe. The ADS compliance assessment specifies how an autonomous vehicle will be evaluated, audited, and tested before it is granted type-approval.
The following table is a summary of the two key parts of ADS legislation. The chapter name in the legislation draft is listed in the table — Annex 2 for the ADS performance requirements specifications and Annex 3 for the ADS compliance assessment specifications.
ADS performance requirements and details summary
This section summarizes the ADS capabilities, which account for ten pages of the legislative draft. The ADS performance requirements are the key to designing the software and hardware for autonomous vehicles, including the safety requirements for secure operation. The table below shows more details on the ADS performance requirements.
The ADS requirements use five traffic scenarios to describe the capabilities needed. The ADS must perform the entire dynamic driving task (DDT) in all of these traffic scenarios.
The draft also specifies functional and operational safety conditions to be met. The minimum risk maneuver (MRM) is the central mechanism for avoiding crashes and dangerous situations when the ADS cannot continue normal operation.
The ADS must also have built-in cybersecurity and software management systems. An event data recorder is required to keep track of the performance of the ADS. A detailed operating manual is required as part of the type-approval application. A later section has more details on the ADS performance requirements.
ADS compliance assessment summary
This section summarizes how the type-approval organization will evaluate the ADS capabilities and assess their compliance with the EU legislation. It accounts for 50 pages of the ADS legislation draft, five times the length of the ADS performance requirements. It is notable that the evaluation, assessment, and testing of the ADS are specified in far more detail than the performance requirements themselves.
The first element is the assessment of the ODD: the types of roads the ADS will operate on, including urban, rural, and highways, and the common operations that occur there, such as lane changes, merging, turning against traffic, cross traffic, and other driving tasks.
The second part is audit and assessment of the ADS design concept. This includes assessing all the ADS documentation the manufacturer provides. The manufacturer’s safety management system is also audited.
The third element is a description of driving tests that will be performed. These are pass or fail tests that assess the safety of the ADS in a variety of driving situations.
The fourth assessment examines the manufacturer's modelling and simulation (M&S) work and how capable the M&S systems are.
The last compliance assessment is to track the ADS performance after it is deployed. It specifies what must be tracked and reported to the type-approval organization in order for the vehicle to retain its type-approval.
This section will be covered in further detail later in the column.
ADS capabilities and traffic scenarios
The EU legislation draft uses five traffic scenarios to specify ADS capabilities — ranging from normal traffic to critical traffic events, failure events, and MRM. The specifications are focused on DDT and ODD. Each scenario is summarized below.
Normal traffic scenarios: The ADS must perform the entire DDT within the ODD. The ADS must operate at safe speeds and maintain appropriate distances from other road users by controlling the longitudinal and lateral motion of the vehicle. The ADS must also adapt its behavior in line with safety risks and give the highest priority to the protection of human life.
The ADS must also demonstrate anticipatory behavior in interaction with other road users, including motorcycles, bicycles, pedestrians, and obstacles (e.g. debris, lost cargo). The ADS must detect and respond to road accidents, traffic congestions, road work, road safety officers and law enforcement agents, emergency vehicles, traffic signs, road markings, and environmental conditions. More requirements are detailed in the regulation draft.
Critical traffic scenarios: The ADS must perform the DDT for all reasonably foreseeable critical traffic scenarios in the ODD. The ADS is essentially in emergency operation. This means the ADS must detect collision risks with other road users and suddenly appearing obstacles, as well as be able to automatically perform emergency operations to avoid collisions and minimize safety risks to the vehicle occupants and other road users.
Two items in this section are very interesting and attempt to address the so-called "trolley problem". The statements are:
If a crash occurs, the ADS should execute an MRM to reach the MRC. The ADS cannot resume normal operation until safe operation has been confirmed by self-checks of the ADS and/or by the onboard operator (if applicable) or the remote intervention operator (teleoperation). If a collision can be safely avoided without causing another one, it shall be avoided by the ADS.
Minimum risk maneuver: During the MRM, the ADS shall slow the vehicle to a standstill in the safest place available given the surrounding traffic and road infrastructure, with the aim of a deceleration no greater than 4.0 m/s². Higher deceleration values are permitted in the event of a severe ADS or vehicle failure.
The autonomous vehicle (AV) shall only leave the MRC after the ADS and/or the onboard operator or teleoperator has checked that the causes of the MRM are no longer present.
ODD boundaries: The ADS shall detect and respond when one or more ODD conditions are not fulfilled. The ADS must recognize ODD conditions such as rain, snow, fog, mist, time of day, light intensity, road and lane markings, and geographical area.
When the ADS reaches the ODD boundaries, it shall perform an MRM to reach an MRC and shall warn the operator/teleoperator. The ODD conditions and boundaries must be established by the manufacturer.
Failure scenarios: The ADS shall respond safely to a fault/failure in the ADS that does not significantly compromise ADS performance. The ADS must detect and respond to ADS and/or vehicle malfunctions and self-diagnose faults and failures. The ADS shall execute a safe fallback response to achieve an MRC in the event of a failure that prevents the ADS from performing the DDT.
Human machine interaction: Adequate information shall be given to the occupants of the vehicle as needed for safe operation. If a teleoperator is part of the safety concept, the ADS shall provide means for vehicle occupants to call the teleoperator through an audio-visual link.
The ADS shall also provide vehicle occupants with means to request a minimum risk maneuver to stop the ADS.
If a teleoperator is part of the safety concept, the ADS will provide visual surveillance of the occupant space of the vehicle as well as the vehicle’s surroundings to allow the teleoperator to assess the situation (e.g. cameras in accordance with chapter 6 of ISO16505:2019).
Manual driving: If the ADS allows manual driving, the vehicle must have safe driver controls. Manual driving may be used for maintenance or to take over after an MRM has been completed. If manual driving is possible at speeds higher than 6 km/h, the vehicle shall be considered a dual-mode vehicle.
Functional and operational safety requires periodic testing
The manufacturer shall demonstrate that an acceptable degree of consideration has been given to the functional and operational safety for the ADS during its design and development processes.
The manufacturer must define the acceptance criteria that establish the operational safety of the ADS. The draft suggests that one option is to use current EU crash data for buses, coaches, trucks, and cars as the acceptance criterion; it cites a fatality rate of 1 fatality per 10 million hours of operation (10^-7 fatalities per hour of operation). Data on the performance of competent and careful human drivers and of state-of-the-art technologies are other options for operational safety criteria.
The manufacturer shall manage the safety and continued compliance of the ADS over its lifetime, including wear and tear of components for sensors, new traffic scenarios, etc.
The ADS will also require periodic roadworthiness tests. The regulation specifies these features for the tests:
Cybersecurity and software management
It is good to see that the regulation includes strong cybersecurity requirements. The draft states that all ADS shall be protected against unauthorized access in accordance with UN Regulation No. 155, the UNECE WP.29 regulation on cybersecurity and cybersecurity management systems.
There is also strong support for over-the-air software updates. The ADS shall support software updates, including a requirement to record which software version was running when any adverse event occurred and to store that data for analysis. Software updates over the lifetime of the ADS are also emphasized.
Software updates may also require a new type-approval when hardware and/or software functionalities are changed.
Data requirements for event data recorder
An event data recorder is required as part of the ADS. This is needed for analysis for future improvements of the ADS capabilities, or to explain what occurred during complex and/or undesirable ADS operations.
The draft legislation lists 11 events that shall be recorded: activation/re-initialization of the ADS, deactivation of the ADS, a request sent by the ADS to the teleoperator, a request/input sent by the teleoperator, start of emergency operation, end of emergency operation, a detected collision, an EDR trigger input, ADS MRM engagement, MRC reached by the vehicle, and ADS failure.
The draft legislation lists five data parameters to be recorded for each event: the reason for the occurrence, the date, the GPS position, a timestamp with one-second accuracy, and the software version in use.
The EDR must be installed in a location that survives crashes, which the vehicle manufacturer must document. The EDR must also be protected against manipulation, which must be demonstrated by an anti-tampering design.
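The draft requires the events and parameters above and an anti-tampering design, but it does not prescribe a mechanism. The following is an added example, not code from the draft or from any vehicle manufacturer, of one way an EDR can make manipulation detectable: each record carries the five parameters the draft lists, is hash-chained to the record before it, and carries an HMAC under a key that is assumed to live in a secure element rather than on the ADS host. The event identifiers, the key, the coordinates and the timestamps are constructed for the example; the event names are this example's own, not identifiers from the draft.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Optional, Tuple

# The 11 event types the draft lists; identifier names are this example's own.
EVENT_TYPES = frozenset({
    "ADS_ACTIVATION", "ADS_DEACTIVATION",
    "REQUEST_TO_TELEOPERATOR", "INPUT_FROM_TELEOPERATOR",
    "EMERGENCY_OPERATION_START", "EMERGENCY_OPERATION_END",
    "COLLISION_DETECTED", "EDR_TRIGGER",
    "MRM_ENGAGED", "MRC_REACHED", "ADS_FAILURE",
})
GENESIS_HASH = "0" * 64  # chain anchor for the first record


def _canonical(body: dict) -> bytes:
    # Deterministic serialisation so the same fields always hash the same way.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class EventLog:
    """Append-only log: each record hashes its predecessor and carries an HMAC."""

    def __init__(self, key: bytes, software_version: str):
        # Assumption: in a real EDR the key is held in a secure element and the
        # records go to crash-survivable storage; here both are in memory.
        self._key = key
        self._software_version = software_version
        self._prev_hash = GENESIS_HASH
        self.records = []

    def record(self, event: str, reason: str, lat: float, lon: float,
               when: datetime) -> dict:
        if event not in EVENT_TYPES:
            raise ValueError(f"unknown event type: {event}")
        when = when.astimezone(timezone.utc).replace(microsecond=0)
        body = {
            "seq": len(self.records),
            "event": event,
            "reason": reason,
            "date": when.date().isoformat(),
            "timestamp": when.isoformat(),  # second accuracy, as the draft requires
            "gps": [round(lat, 6), round(lon, 6)],
            "software_version": self._software_version,
            "prev_hash": self._prev_hash,
        }
        digest = hashlib.sha256(_canonical(body)).hexdigest()
        tag = hmac.new(self._key, digest.encode(), hashlib.sha256).hexdigest()
        rec = dict(body, hash=digest, mac=tag)
        self.records.append(rec)
        self._prev_hash = digest
        return rec

    def head(self) -> str:
        # Hash of the newest record; export it off-board so truncation is detectable.
        return self._prev_hash


def verify(records: list, key: bytes,
           expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Return (ok, index of the first bad record, or None if the log is intact)."""
    prev = GENESIS_HASH
    for i, rec in enumerate(records):
        body = {k: v for k, v in rec.items() if k not in ("hash", "mac")}
        if body.get("seq") != i or body.get("prev_hash") != prev:
            return False, i  # record deleted, inserted or reordered
        digest = hashlib.sha256(_canonical(body)).hexdigest()
        if digest != rec.get("hash"):
            return False, i  # a field was edited after writing
        expected_mac = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected_mac, rec.get("mac", "")):
            return False, i  # rewritten by someone who lacks the key
        prev = digest
    if expected_head is not None and prev != expected_head:
        return False, len(records)  # tail of the log was truncated
    return True, None


def demo():
    """Build a short log, then show four manipulations being detected."""
    key = b"example-key-held-in-secure-element"  # constructed, not a real key
    log = EventLog(key, "ads-fw-1.4.2")
    t0 = datetime(2022, 4, 5, 10, 15, 0, tzinfo=timezone.utc)  # constructed times
    log.record("ADS_ACTIVATION", "operator start", 48.8584, 2.2945, t0)
    log.record("MRM_ENGAGED", "ODD boundary: fog", 48.8600, 2.3000, t0.replace(minute=27))
    log.record("MRC_REACHED", "stopped on hard shoulder", 48.8603, 2.3012, t0.replace(minute=28))
    head = log.head()
    clean = verify(log.records, key, head)
    edited = [dict(r) for r in log.records]           # GPS of the MRM record changed
    edited[1]["gps"] = [48.9, 2.4]
    rehashed = [dict(r) for r in edited]              # attacker also fixes the hash,
    body = {k: v for k, v in rehashed[1].items() if k not in ("hash", "mac")}
    rehashed[1]["hash"] = hashlib.sha256(_canonical(body)).hexdigest()  # but has no key
    deleted = [log.records[0], log.records[2]]        # MRM record removed
    truncated = log.records[:2]                       # newest record dropped
    return (clean, verify(edited, key, head), verify(rehashed, key, head),
            verify(deleted, key, head), verify(truncated, key, head))
```

The last case is the one a hash chain alone cannot catch: dropping the newest records leaves a valid chain, so the head hash has to be anchored somewhere the attacker cannot reach, for example by sending it to the manufacturer's backend together with the software version, which also satisfies the draft's requirement to know which software was running when an event occurred.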
The manufacturer must provide an operating manual. Its purpose is to ensure safe operation of the AV through detailed instructions to the owner, vehicle occupants, transport service operator, onboard operator, teleoperator, and any relevant national authorities.
The manual shall include the functional description of the ADS and technical measures, such as checks and vehicle maintenance work, off–board infrastructure, transport, and physical infrastructure requirements. The manual must also include operational restrictions such as speed limit, dedicated lane, physical separation with upcoming traffic, environmental conditions, and operational measures for safe operation such as onboard operator or teleoperator.
The operating manual shall be submitted to the type-approval authority together with the application for type-approval and shall be annexed to the type-approval certificate.
My next column will focus on the compliance assessment for type–approval in the EU ADS legislation draft.
This article was originally published on EE Times.
Egil Juliussen has over 35 years’ experience in the high-tech and automotive industries. Most recently he was director of research at the automotive technology group of IHS Markit. His latest research was focused on autonomous vehicles and mobility-as-a-service. He was co-founder of Telematics Research Group, which was acquired by iSuppli (IHS acquired iSuppli in 2010); before that he co-founded Future Computing and Computer Industry Almanac. Previously, Dr. Juliussen was with Texas Instruments where he was a strategic and product planner for microprocessors and PCs. He is the author of over 700 papers, reports and conference presentations. He received B.S., M.S., and Ph.D. degrees in electrical engineering from Purdue University, and is a member of SAE and IEEE.