NHTSA develops safety standards for self-driving cars







The document, published by NHTSA, reflects the agency's views on the future of self-driving vehicles. The table below summarizes the basic safety principles of automated driving systems: the left column is a summary of the document published by NHTSA, the middle column summarizes the key points, and the right column lists additions to that summary. In this article, I've managed to compress 60+ pages down to eight.



Summary



The document's abstract defines an ADS (Automated Driving System) as the combination of hardware and software that performs all driving functions. The agency emphasizes that developing a safety framework is completely different from developing federal motor vehicle safety standards.



The foundation of the ADS safety framework rests on the expectation that self-driving technology will keep advancing and that a variety of innovations will emerge. The agency wants to make sure it does not stifle that progress by introducing premature, restrictive regulation.





ADS development



ADS development is in full swing, and solutions in this area are constantly evolving. As of July 2020, NHTSA noted road testing and development of such systems in 40 states and the District of Columbia. California is one of the main centers of testing activity: 66 companies have received permits to test ADS-equipped vehicles (with test drivers) on public roads.



ADS development does not start with open-road tests. Most early prototype testing is done in simulated environments or behind closed doors. Tests on public roads are carried out only after an engineering analysis and a safety analysis that evaluates the risks, and mitigation strategies are developed to address those risks. It is important to note that the development process is usually iterative and cyclical: developers do not simply move in sequence from simulation to closed-track testing, then to road testing, and finally to deployment.



Instead, developers simulate their solutions throughout the development process to gain experience with scenarios rarely seen in the real world. Likewise, track testing is designed to exercise rare scenarios that would be dangerous to test on public roads before a product reaches a certain maturity. These testing methods are used in parallel with road tests.



Experience gained during road tests is often fed back into the simulated environment and/or the test track to refine the systems. In other words, the fact that a vehicle is being tested on public roads does not mean that the vehicle or its ADS is approaching deployment. Conversely, the fact that a vehicle is being tested in simulation and/or on the track does not mean that it is unsafe to test it on the road.



Potential Benefits of ADS



NHTSA's mission is to save lives, prevent injuries and reduce the economic cost of road crashes through education, research, guidance, safety standards and regulation. ADS can help the agency meet many of these challenges, given the potential of these systems to prevent, reduce and mitigate the consequences of human error and poor decisions. This potential stems from the human factors behind many crashes: distraction, impairment, fatigue, erroneous decisions and traffic violations. In addition, ADS can improve accessibility by increasing the mobility of people with disabilities and people unable to drive. ADS can also improve the efficiency of various processes, allowing people to work while traveling or enabling convoys made up partly or wholly of self-driving trucks. That is why NHTSA places great emphasis on ADS development and testing, overseeing safety at every stage, right down to the deployment of solutions.



The desire to get rid of excessive regulation



Today, many of the agency's rulemaking efforts focus on ADS vehicles without the usual manual controls. These rules have been drafted by amending existing standards and may require significant further work. Different ADS safety requirements may mean that certain components required by the applicable standards become optional. Examples of such components include rearview mirrors, the dashboard and some displays.



The need for safety standards for ADS



Normally NHTSA starts the process of developing a new standard by identifying the safety need that requires regulation. The agency analyzes crash statistics and other available information to identify the problem and assess its scale.



The agency then investigates potential solutions or countermeasures to these problems and develops performance characteristics or requirements that address the problem or reduce the risks associated with it.



Manufacturers are then required to self-certify, by any reasonable means of their choosing, that their vehicles comply with all applicable requirements and regulations. Finally, NHTSA assesses the compliance of vehicles or equipment using the approved test procedures.



ADS are still under development; mature, production-ready solutions do not yet exist. Accordingly, there is no real-world operating data that could be used to determine which safety requirements are needed and achievable. It is also unknown which aspects of these systems' performance need to be regulated: it is not clear what requirements would be reasonable, feasible and appropriate, and there are no established minimum performance thresholds. Nor are there vehicles equipped with mature ADS that NHTSA could test to validate the intended safety standards.



NHTSA does not seek to issue regulations that unnecessarily hinder the deployment of ADS vehicles, since such regulations could impede the development of a promising technology that has the potential to dramatically improve road safety.



However, NHTSA can already work with stakeholders to begin developing a safety framework that defines what is expected of vehicles and measures the success of developers' efforts. This framework also needs to be flexible enough to accommodate safety innovations.



NHTSA is committed to developing safety standards and guidelines that ADS manufacturers will follow to evaluate and demonstrate their products, at least throughout the lifecycle of those systems. In addition, the agency seeks to develop suitable administrative mechanisms for defining and applying engineering and technical metrics, and to simplify safety oversight.



Safety framework: engineering measures



The agency, together with ADS developers, has carried out a great deal of research in preparation for designing the structure of the automated driving safety framework. These efforts are briefly described in this section.



Key ADS Safety Functions



The core functions of an ADS reflect the four core aspects of driving: perception, recognition, planning and control. The sensor suite of an ADS-equipped vehicle can include cameras, radars, lidars, GPS receivers, interfaces for V2V and V2X communication, and many other technologies. Perception also covers scanning the environment, with an emphasis on the vehicle's direction of travel.



Recognition covers the detection and identification of static objects picked up by the sensors (road boundaries, markings and signs) as well as objects that may be in motion (vehicles, cyclists and pedestrians). Recognition gives the ADS the information it needs to predict the behavior of the various objects that could pose a collision risk. Recognition systems also provide the ADS with the information necessary to successfully perform all functions and aspects of driving.



Planning is the ability of the ADS to plan and follow a route to a destination. Planning functions rely heavily on the perception and recognition systems.



Control involves executing the travel plan by sending the appropriate commands (steering, acceleration and braking) to follow the planned path. Control also involves adjusting the plan as needed based on continuous collection and analysis of vehicle and environmental data.



Other safety functions



The safety of an ADS depends heavily on the functions and capabilities of the system, as well as on how it interacts with people both inside and outside the vehicle.



One aspect of vehicle safety is the ability to communicate with passengers, other vehicles and other people in traffic, especially vulnerable road users. Human interaction with the vehicle is expected to affect both the safety of the ADS and public acceptance of such systems. Another important aspect is the ability of the ADS to accurately and reliably detect faults within itself or in other vehicle systems. The ADS should also be able to switch safely between modes designed to handle problems or faults (such as a degraded mode or an emergency stop).



Other aspects that can affect the safety and reliability of ADS operation include:



  • Detecting degraded system performance when problems occur
  • A reduced-performance mode with relaxed system requirements
  • Completing the main task of transporting passengers or goods from the point of departure to the destination
  • Recognizing and responding appropriately to instructions from emergency services (including firefighters, medical services and law enforcement)
  • Receiving, installing and monitoring over-the-air software updates
  • Performing system maintenance and calibration
  • Mitigating cybersecurity risks
  • Availability of backup systems.


The agency also notes that under the Safety Act its authority is limited to motor vehicle safety. The agency is not empowered to regulate privacy and cybersecurity beyond that scope.



Development of federal engineering standards



One of NHTSA's most important safety-performance projects is the agency's Instantaneous Safety Metric (ISM). The document describing this metric was published in 2017. The ISM evaluates all the paths along which the subject vehicle and other road users could move, taking into account their possible actions (turning, braking, accelerating) within a given time window, and calculates which combinations of paths lead to collisions.



An updated approach, MPrISM (Model Predictive Instantaneous Safety Metric), builds on the ISM and refines the way the metric is evaluated. MPrISM considers the range of actions available to the vehicle under study and calculates the outcome of the scenario in which that vehicle responds as well as possible while the other participants behave as badly as possible.



Other measures under consideration



In 2018, the RAND Corporation released a report proposing a partial safety assessment scheme for vehicles equipped with ADS. As part of this project, RAND studied methods for assessing and measuring ADS safety, and methods for communicating what the system has learned or understood. RAND's report also raises the issue of measuring safety consistently across companies and their technologies.



Nvidia has published an approach called Safety Force Field (SFF), which it describes as a computational method for assessing safety through simulation. SFF determines whether the ADS is correctly monitoring its environment and not acting in an unacceptable manner. The goal of SFF is to prevent accidents, and it pursues this by establishing a driving policy that analyzes the environment and predicts the actions of other road users. Based on this analysis, the system identifies potential actions that avoid creating unsafe situations which could lead to accidents or contribute to their occurrence.



Mobileye (a division of Intel) has published a model called RSS (Responsibility-Sensitive Safety). RSS addresses multi-agent safety (the safe operation and interaction of several independent road users in a given environment). RSS is a mathematical model of multi-agent safety that formalizes reasonable driving practices when interacting with other road users so as to minimize the likelihood of accidents while staying within normal behavioral expectations. The method is built around rules of right-of-way, object avoidance and maintaining a safe distance in all directions. Mobileye also claims that the model takes special traffic conditions into account: intersections with traffic lights, roads with no clear structure, and accidents involving pedestrians (or other road users).
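As an added illustration of the "safe distance" rule mentioned above, here is the longitudinal safe-distance formula from the published RSS model (Shalev-Shwartz, Shammah and Shashua, 2017) applied to a constructed trace of gap and speed samples; this is example code written for this article, not Mobileye's implementation, and the parameter values are assumptions chosen for the illustration.

```python
"""RSS longitudinal safe distance for two cars travelling in the same direction."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RssParams:
    """Worst-case assumptions the rule is evaluated against (SI units)."""
    rho: float          # response time of the rear car, s
    a_max_accel: float  # max acceleration the rear car may apply during rho, m/s^2
    a_min_brake: float  # weakest braking the rear car is assumed to apply, m/s^2
    a_max_brake: float  # strongest braking the front car may apply, m/s^2


def safe_longitudinal_distance(v_rear, v_front, p):
    """Minimum gap (m) such that the rear car does not hit the front car even if
    the front car brakes at a_max_brake while the rear car first accelerates at
    a_max_accel for rho seconds and only then brakes at a_min_brake.

    d_min = [ v_r*rho + a_accel*rho^2/2 + (v_r + rho*a_accel)^2/(2*a_min_brake)
              - v_f^2/(2*a_max_brake) ]_+
    """
    v_rear_after_rho = v_rear + p.rho * p.a_max_accel
    d = (v_rear * p.rho
         + 0.5 * p.a_max_accel * p.rho ** 2
         + v_rear_after_rho ** 2 / (2 * p.a_min_brake)
         - v_front ** 2 / (2 * p.a_max_brake))
    return max(0.0, d)   # a negative value means any gap is safe


def is_longitudinally_safe(gap, v_rear, v_front, p):
    """True when the current gap satisfies the RSS longitudinal rule."""
    return gap >= safe_longitudinal_distance(v_rear, v_front, p)


def flag_unsafe_samples(samples, p):
    """samples: iterable of (t, gap, v_rear, v_front). Returns the timestamps
    at which the rear car is closer than the RSS safe distance."""
    return [t for t, gap, vr, vf in samples
            if not is_longitudinally_safe(gap, vr, vf, p)]


# Assumed parameters for the illustration (not values from the RSS paper).
PARAMS = RssParams(rho=1.0, a_max_accel=2.0, a_min_brake=4.0, a_max_brake=8.0)

# Constructed trace: (time s, gap m, rear speed m/s, front speed m/s).
SAMPLE_TRACE = [
    (0.0, 60.0, 20.0, 20.0),   # safe: required 56.5 m
    (1.0, 55.0, 20.0, 20.0),   # unsafe: 55 m < 56.5 m
    (2.0, 50.0, 20.0, 10.0),   # unsafe: front car slowed, required 75.25 m
    (3.0, 50.0, 10.0, 10.0),   # safe again: rear car slowed, required 22.75 m
]

if __name__ == "__main__":
    print("unsafe at t =", flag_unsafe_samples(SAMPLE_TRACE, PARAMS))
```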



Considering the company's presentation at CES 2021 on a strategy using RSS and two independent and redundant systems, NHTSA may look at Mobileye further.



ADS Industry Safety Standards



SOTIF (Safety of the Intended Functionality), or ISO 21448, works in conjunction with ISO 26262 to help manufacturers assess and mitigate various risks during development. ISO 26262 aims to reduce the risk of system failures, while ISO 21448 aims to reduce foreseeable misuse of the system and functional insufficiencies.



ISO 21448 is designed to assess functions for which situational awareness is critical (as well as systems in which situational awareness depends on complex sensors and processing algorithms, especially in emergency-intervention systems). SOTIF does not cover the faults addressed by ISO 26262.



UL 4600 is a technical standard intended for use by manufacturers in developing ADS; it was written for them in the first place.



The agency is exploring the use of all of these standards in drafting new safety requirements for ADS, whether in the form of regulations or guidelines. The existing standards may not be sufficient to address a number of critical safety issues related to the core driving functions. NHTSA is collecting comments and suggestions on how these standards could be adapted, modified, or adopted as they are, within a framework through which the agency can describe minimum ADS performance requirements or set a safety threshold that a system must meet to satisfy the Safety Act.



Voluntary participation in the development of a safety framework



NHTSA can take a number of measures to collect or generate data on ADS.





The available mechanisms can be roughly divided into two categories: (1) voluntary measures for monitoring, influencing and/or rewarding developers in order to raise their vigilance; and (2) regulatory mechanisms. The first category includes voluntary disclosures, participation in a new car assessment program, and adherence to guidance. The second includes current legislation and other mandatory requirements.



The AV 2.0 report provides stakeholders with guidance on the design, development and testing of ADS. It identifies 12 safety elements that developers should consider when developing and testing their solutions.



AV 2.0 also introduces the Voluntary Safety Self-Assessment (VSSA), which aims to encourage developers to demonstrate to the public that they analyze the safety aspects of their ADS, cooperate with the US Department of Transportation, adhere to self-assessment measures and industry safety standards, and seek public trust and acceptance by testing and deploying their ADS transparently (see NHTSA's Voluntary Safety Self-Assessment page).



The agency believes that voluntary self-assessment is an important tool for companies that want to demonstrate a transparent approach to safety. As of January 2021, 26 developers and automakers, representing a significant portion of the industry, had taken part in the voluntary self-assessment program.



Another voluntary tool that fosters transparency is the AV TEST Initiative, an NHTSA self-driving vehicle testing initiative that includes a series of activities across the country. As part of these activities, NHTSA, state and local governments share information about testing. An AV TEST website has also been created where companies can share information about their vehicles (including test results); it is available as the AV TEST Initiative Automated Vehicle Tracking Tool on the NHTSA site.



One administrative mechanism under consideration is the use of guidelines to encourage the development of "safety cases". A document published by NHTSA defines a safety case as a "structured argument that presents convincing, understandable and valid evidence that a system is safe for a given application in a given environment." In the context of NHTSA's work, "valid" means verifiable. Such a mechanism can be implemented faster than others and gives developers the flexibility to document how their ADS performs the core driving functions.



An ADS competency assessment could also be added to NCAP. The existing lane-departure test, however, will not be sufficient for a full assessment, although it can provide a useful basis for collecting consumer information within NCAP. Such a rating could measure ADS performance while driving in a variable environment (within its supported operating area). The tests should include checks of complex interactions with road users (dummies representing pedestrians and cyclists), and they should record how each test was passed and how the results differ. All ADS-equipped vehicles can be expected to avoid collisions, minimize the risk of being involved in a crash, and comply with operating limits on acceleration/deceleration and absolute speed. The tests should resemble the driving test for human drivers.



Data from NCAP will enable consumers to compare the safety of new vehicles and make informed purchasing decisions.



At this stage of ADS technology it is not clear where regulatory intervention may be required, and so the safety thresholds remain undefined. This is why NHTSA strives to improve safety through voluntary guidance rather than requirements. The agency also solicits comments and asks: is developing guidance on engineering and technical approaches the most appropriate method for this framework?



Regulation of safety standards: mechanisms for forming requirements



NHTSA believes that ADS regulation will eventually become a necessity and is exploring ways to implement it. The vast majority of recall campaigns concern safety defects that are not covered by existing regulations.



Mandatory reporting and disclosure



The agency requires mandatory disclosure and reporting of data whenever an exemption is granted. An example of such an exemption is the petition to exempt the Nuro vehicle (an electrically powered vehicle equipped with ADS) from the 40 km/h speed limit. The conditions attached to such disclosure include crash reporting, periodic reporting, cybersecurity and a number of other requirements.



Authority to issue safety standards



The 1966 Safety Act gives NHTSA a broad motor vehicle safety mandate with the goal of "reducing traffic accidents and the deaths and injuries resulting from them."



In particular, "motor vehicle safety" covers the aspects that protect the public against unreasonable risks arising from the design, construction or performance of a motor vehicle, and it also includes non-operational safety.



NHTSA may issue safety standards for vehicles and vehicle equipment, backed by recall and remedy requirements for vehicles that do not meet the standards or that pose an unreasonable risk. Safety standards must be uniform across the country so that compliant vehicles can be sold in every state.



Safety standards fall into three categories: crash avoidance (100 series), crashworthiness (200 series), and post-crash survivability (300 series); see the Wikipedia article on Federal Motor Vehicle Safety Standards.



NHTSA believes that ADS regulation will become a necessity at some point, and the agency is therefore looking into ways to implement it. It can develop new safety standards or modify existing ones to take into account the specifics of ADS vehicles.



Historically, the agency has used its authority in two ways:



  • Either to require companies to implement proven technologies that meet minimum safety requirements under a standard
  • Or to regulate voluntarily introduced technologies by setting minimum safety requirements for them


Applying Federal Safety Standards to ADS



The agency believes that the interplay between the ADS and the vehicle's decision-making systems creates a need to assess the safety of ADS operation with reference to the operational domain the system is designed for (for automation below Level 5).



State and local authorities also play an important role in ensuring road safety; they can establish new traffic rules for vehicles equipped with ADS.



Reforming safety standards with rapid technological advances



As the functions and capabilities of vehicles are increasingly defined and controlled by software, vehicles will keep changing and improving through updates throughout their life cycle. The faster vehicle systems can change, the greater the risk that regulatory requirements will impede development and innovation. The slow pace of regulatory processes for removing redundant barriers can likewise delay the introduction of safety innovations.



If ADS requires a new generation of standards and other safety rules, they can be written within the framework defined by the law, but they should not tie ADS to the software and hardware of today.



In other words, NHTSA should not assume that the specific technologies used in today's vehicles will be used in the future. A sound approach to writing future-proof standards (rather than mandating particular technologies) is to focus on objective functional performance instead of the characteristics of specific systems.



The next generation of safety standards should give manufacturers of vehicles, sensors, software and the other technologies needed for ADS the flexibility to change and improve their solutions without the need to continually amend the regulations.



Different Approaches to Regulating ADS



NHTSA outlines three options for possible approaches to ADS regulation.







NHTSA favors a phased development of safety regulation, since the agency's resources are limited and ADS technology and business models are constantly evolving.



The agency is already working to implement oversight and guidance, including disclosure requirements and highlighting key safety aspects that matter to all ADS developers. Where appropriate, the agency grants (and will grant) exemptions from standards to allow limited deployment or testing in a way that minimizes risk and expands the technical knowledge base.



Critical Factors Considered in Designing, Evaluating and Selecting Administrative Mechanisms



To help commenters provide NHTSA with useful input on the administrative mechanisms described above, the agency has highlighted the key factors it will consider when weighing the strengths and weaknesses of these mechanisms:



  • Consistent and reliable safety. Criteria should be in place to objectively assess whether each manufacturer's methods meet an overall level of requirements (including documentation) and a standardized minimum level of safety.
  • Resource requirements. Return on investment measured in added safety (i.e. efficient use of available resources) is especially important when choosing mechanisms and deciding which safety aspects NHTSA should emphasize.


NHTSA Questions to Industry



NHTSA has put 25 questions to industry representatives to gather expert opinion on how the agency should proceed in developing an ADS safety framework. More than half of the questions concern the safety framework itself; seven relate to administrative mechanisms and four more to NHTSA's authority.







