Jan Becker

An overview of taxonomy, legislation, regulations, and standards for automated mobility

Updated: Feb 14


We are regularly updating this article. The changelog is at the bottom of the article.


This is the fourth in the series on a Brief History of Automated Driving. The first three posts can be found here, here, and here.


I have been working on autonomous vehicles and driver assistance systems for 23 years. During this time, I have had many touchpoints with legal and regulatory aspects as well as with functional safety and the respective certification. I helped write the SAE levels of automated driving, and I cover many aspects in the class I am teaching at Stanford University. Discussion and publication often do not address these topics holistically. This post is an attempt to summarize all aspects in one article. Comments, additions, suggestions are welcome. Contact info@apex.ai. Thanks.


Motivation


Why are legislation, standards, and taxonomy for vehicle automation needed or at least useful in the first place? Well, obviously, for the same reasons that apply to other technology fields as well:

  • A taxonomy provides a common set of definitions and language to describe the technology. Terms are defined to mean the same thing when used accordingly.

  • Standards extend definitions and language to technical implementations and establish performance and safety minimums. As a technology matures, a standard is typically approved through expert consensus by a recognized standardization body. It provides, for repeated and common use, rules, guidelines, or characteristics for products or related processes and production methods, with which compliance is not mandatory. Standards enable interoperability.

  • Legislation and regulations are issued by governments and define product characteristics or their related processes or production methods, including the applicable administrative provisions, with which compliance is mandatory. Regulations often make use of standards. Laws and regulations enable operability.



We have visualized the content of this article in a graphic. Click on the graphic to open it in a separate tab. The article is best read with the graphic open next to it.


Taxonomy


The purpose of a taxonomy is to provide a standardized classification system to define terms and terminology. Unfortunately, the attempt to establish common terminology has so far been only semi-successful. It seems that the world now has agreed on one taxonomy (the SAE levels, see below), but the world, including some carmakers, has not been able to agree to use those consistently.


The German Federal Highway Research Institute (BASt) was the first to publish a taxonomy for vehicle automation, in 2010. The result was rather short-sighted, as an equivalent to SAE level 5 does not exist in the BASt taxonomy; remember that this was written three years after the DARPA Urban Challenge and one year after Google launched the project that is now known as Waymo. BASt defines five levels as follows:

  • Level 0: driver only (equivalent to SAE level 0).

  • Level 1: assisted (SAE level 1).

  • Level 2: partially automated (SAE level 2).

  • Level 3: highly automated (SAE level 3).

  • Level 4: completely automated (more or less equivalent to SAE level 4).


NHTSA issued in 2013 a preliminary statement of policy concerning automated vehicles, in which five levels of automation are defined:

  • Level 0: No automation (equivalent to SAE level 0).

  • Level 1: Function-specific automation (SAE level 1).

  • Level 2: Combined function automation (SAE level 2).

  • Level 3: Limited self-driving automation (SAE level 3).

  • Level 4: Full self-driving automation (SAE level 4 and 5 combined).

NHTSA deprecated their levels in 2016 to adopt the SAE levels.


SAE launched their first Taxonomy and Definitions for Terms Related to Driving Automation Systems for On-Road Motor Vehicles in 2014, with updates in 2016 and 2018. While the levels themselves did not change since 2014, the descriptive language in the standard has become significantly richer and more clarifying over time.

  • Level 0: No Driving Automation—The performance by the driver of the entire Dynamic Driving Task (DDT), even when enhanced by active safety systems.

  • Level 1: Driver Assistance—The sustained and Operational Design Domain (ODD)-specific execution by a driving automation system of either the lateral or the longitudinal vehicle motion control subtask of the DDT (but not both simultaneously) with the expectation that the driver performs the remainder of the DDT.

  • Level 2: Partial Driving Automation—The sustained and ODD-specific execution by a driving automation system of both the lateral and longitudinal vehicle motion control subtasks of the DDT with the expectation that the driver completes the Object and Event Detection and Response (OEDR) subtask and supervises the driving automation system.

  • Level 3: Conditional Driving Automation—The sustained and ODD-specific performance by an Automated Driving System (ADS) of the entire DDT with the expectation that the DDT fallback-ready user is receptive to ADS-issued requests to intervene, as well as to DDT performance-relevant system failures in other vehicle systems, and will respond appropriately.

  • Level 4: High Driving Automation—The sustained and ODD-specific performance by an ADS of the entire DDT and DDT fallback without any expectation that a user will respond to a request to intervene.

  • Level 5: Full Automation—The sustained and unconditional (i.e., not ODD-specific) performance by an ADS of the entire DDT and DDT fallback without any expectation that a user will respond to a request to intervene.

Bryant Walker Smith has published a simplified summary of the SAE levels:

Assisted driving features

  • Level 0: You're driving.

  • Level 1: You're driving, but you're assisted with either steering or speed.

  • Level 2: You're driving, but you're assisted with both steering and speed.

Automated driving features

  • Level 3: You're not driving, but you will need to drive if prompted in order to maintain safety.

  • Level 4: You're not driving, but either a) you will need to drive if prompted in order to reach your destination (in a vehicle you can drive) or b) you will not be able to reach every destination (in a vehicle you can't drive).

  • Level 5: You're not driving, and you can reach any destination.

This table, also created by Bryant, summarizes the levels and compares the SAE, BASt, and NHTSA levels:


There are some common misconceptions about the levels of vehicle automation.

  • The levels are numbered and therefore describe a sequence. No, not necessarily. While traditional manufacturers of personally owned vehicles have gradually increased the level (i.e., level 0 with the invention of the modern automobile through the Benz Motorwagen, ACC in the 1990s as the first L1 system, Mercedes' Distronic Plus with Steering Assist (traffic jam assist) in the Mercedes-Benz S-Class in 2013 as the first level 2 system (yes, Tesla did not invent level 2 systems), and Audi's A8 in 2017 with Traffic Jam Pilot as the first L3 system (although that never became available in the US)), Google jumped directly to developing L4 systems.

  • L3 systems, in which the human is required to execute the fallback performance of the dynamic driving task, are insanely dangerous. No, not necessarily. This is based on the incorrect assumption that an L3 system would drive at 65 mph on the freeway, then beep to request driver takeover, then—in the event the driver does not take over—give up and let the vehicle steer off the road. Obviously, in practice, no reasonable manufacturer would build such a system—which would likely be subject to product liability—but would rather build in a risk mitigation strategy for the case that the driver does not take over, e.g., by not allowing activation at higher velocities, or by turning on the hazard lights and stopping the vehicle in the lane if the driver does not respond to a takeover request. On the other hand, manufacturers might also skip level 3 because of the resulting system complexity, cost, and lack of tangible user benefit.

  • Isn't that then an L4 system? No, an L4 system needs to be able to bring the vehicle into a minimal-risk state, e.g., by parking the vehicle on the shoulder of the road instead of in the lane of traffic.

  • L4 vehicles will take forever to be ready. No, in fact, we already have self-driving vehicles today in limited ODDs (operational design domains), in certain cities running driverless shuttles, or in Phoenix.

  • Tesla sells Autopilot with Full Self-Driving Capability. It must be level 4. Unfortunately not. It's a Level 2 driver assistance system, as stated in the fine print: "Autopilot is an advanced driver assistance system that enhances safety and convenience behind the wheel."

Bryant demystifies more misconceptions around automated driving in his article "How Reporters Can Evaluate Automated Driving Announcements."


Recently, manufacturers and suppliers have been ramping up their use of the terms Level 2 plus, L2+, or even Level 2 plus plus. This level is not defined in the SAE taxonomy. Manufacturers use the term to show advances in technology, e.g., through the inclusion of maps in driver assistance systems or the addition of driver monitoring. This doesn't change the fact that, as Bryant puts it, "you're driving, but you're assisted with both steering and speed."


There has been continued criticism of the SAE levels. Brad Templeton published a satire of the NHTSA levels in 2017 and pointed out in 2018 that, in his opinion, defining automation by degrees of human input is the root flaw and that the levels as defined above "may be contributing to highway deaths." Alex Roy went a step further in the same year, writing "How the Language of Self-Driving Is Killing Us" and "The Language of Self-Driving Cars Is Dangerous—Here's How To Fix It," proposing to ditch the levels altogether and replace them by two functionalities called "geotonomous" (autonomy limited by location) and Human-Assisted Systems (HAS). Alex then founded the Human Driving Association in 2018 and published the Human Driving Manifesto.


Brad also points out "that Waymo has announced it wants to change the generic term for what it’s doing, and presumably push others to use the same generic term. They’ve mostly said “self-driving” in the past, but because some other companies and the public are now misusing that term, they hope sticking to “autonomous” will clarify the language." I can't blame Waymo. Brad is correct stating that "it’s odd that the industry never settled on a good generic term for a car that, given a destination, will perform the driving task to take you there. There have been lots of candidates, but no winner."



Global Legislation


The 1949 United Nations Convention on Road Traffic, also known as the Geneva Convention on Road Traffic, is an international treaty promoting the development and safety of international road traffic by establishing certain uniform rules among the contracting parties. It was ratified by 101 countries, including the US and Japan, but not Germany and China. Article 8 pertains to requirements on the driver and states:

1. Every vehicle or combination of vehicles proceeding as a unit shall have a driver.

5. Drivers shall at all times be able to control their vehicles or guide their animals.


Many of the contracting parties have also ratified the Vienna Convention on Road Traffic of 1968. For the signatory countries of the 1968 Vienna Convention, it replaces previous road traffic conventions, including the Geneva Convention on Road Traffic, in accordance with Article 48 of the Vienna Convention. Seventy-two countries, including Germany, signed this updated treaty, but the US, China, and Japan did not. Article 8 contains very similar requirements on the driver and states:

1. Every moving vehicle or combination of vehicles shall have a driver.

5. Every driver shall at all times be able to control his vehicle or to guide his animals.



National Laws and Regulations 


The USA ratified the Geneva Convention, which states that every vehicle shall have a driver and that the driver shall at all times be able to control the vehicle. According to the supremacy clause of the constitution, ratified treaties are on the same level as federal law. It seems obvious that under these conditions, driverless vehicles violate federal law. Nevertheless, Bryant Walker Smith concluded in 2012 in this foundational article that "Automated Vehicles Are Probably Legal in the United States." He argues that the Geneva Convention requirement that "drivers shall at all times be able to control their vehicles" is likely satisfied if a human is able to intervene in the automated vehicle's operation. He further states that US federal regulations do not prohibit automated vehicles (with the possible exception of one rule regarding emergency flashers). US state vehicle codes at the time the article was published in 2012 did not prohibit—but may complicate—automated driving. These codes often assume the presence of licensed human drivers who are able to exercise human judgment, and particular rules may functionally require that presence. For example, New York is the only state in the US that requires drivers to keep at least one hand on the steering wheel while the vehicle is in motion. This might make it illegal for humans to ride in a level 4 or 5 vehicle that was built without a steering wheel.


The US Federal Government has not yet issued any binding laws or regulations. Instead, the National Highway Traffic Safety Administration (NHTSA), an agency of the US Department of Transportation, issued the following non-binding guidelines:

Several US states have moved forward with their own legislation, filling the void left by the absence of federal regulation. Nevada's bill AB511 in 2011 was the first bill in the US pertaining to automated vehicles. Section 8 of this bill required the Nevada Department of Motor Vehicles to adopt regulations authorizing the operation of autonomous vehicles on highways within the State of Nevada. This Wired article describes how Anthony Levandowski hired a lobbyist in Nevada for Google and how the two drafted the bill that would allow Google to test and operate self-driving cars in Nevada. This panel, which included all relevant stakeholders in the process, provided an Oral History of Nevada's regulation of self-driving vehicles.


Florida declared legislative intent in 2012 to encourage the development, testing, and operation of autonomous vehicles and determined that the state would not prohibit or regulate the testing or operation of autonomous vehicles.


California's senate bill 1298 required the Department of Highway Patrol to establish safety standards and performance requirements to ensure the safe operation and testing of autonomous vehicles on its public roads. This bill also permitted autonomous vehicles to be operated and tested on public roads as long as they meet the standards and requirements outlined. Dr. Bernard Soriano, Deputy Director of the California DMV, outlines the challenges the DMV faced and the process the DMV took in this talk. Bernard also regularly talks in my class ME302B at Stanford University.


As of May 2020, 29 states plus Washington D.C.—Alabama, Arkansas, California, Colorado, Connecticut, Florida, Georgia, Illinois, Indiana, Kentucky, Louisiana, Maine, Michigan, Mississippi, Nebraska, New York, Nevada, North Carolina, North Dakota, Oregon, Pennsylvania, South Carolina, Tennessee, Texas, Utah, Virginia, Vermont, Washington, Wisconsin, and Washington D.C.—had enacted legislation related to autonomous vehicles and thereby created a patchwork of different rules and regulations.


Other states, like Arizona, have gone in the opposite direction. Arizona's governor signed executive orders in 2015 and 2018 that instructed the state to eliminate unnecessary regulations and hurdles to the new technology. Just 18 days after the 2018 order, an Uber self-driving test vehicle struck and killed a pedestrian. The NTSB investigation revealed a stunning lack of proper testing protocols. Eight days later, the governor asked Uber to suspend its testing activities. Uber had previously refused to comply with California's testing requirements and moved its testing operations to Arizona.


In Germany and several other countries, international treaties such as the Vienna Convention have to be transposed into national law and regulations in order to become effective. Germany ratified the Convention in 1978. When transposing it into domestic law, the statement "every driver shall at all times be able to control his vehicle…" was translated into "jeder Führer muss dauernd sein Fahrzeug beherrschen," which can be interpreted as "the driver needs to at all times handle his vehicle." Hence it comes down to an interpretation issue of "control" versus "to supervise." Consequently, the predominant interpretation of this law was that autonomous driving is not legal in Germany.

Then, in 2014, the governments of Belgium, France, Germany, and Italy proposed amending Article 8 of the Vienna Convention to allow automated driving technologies. As justification, the countries argued that traffic accidents are predominantly caused by human error and that automated driving systems enhance road safety. The amendment to the Convention became effective in 2016 and states that driving automation technologies transferring driving tasks to the vehicle are explicitly allowed in traffic, provided that these technologies are in conformity with the United Nations vehicle regulations or can be overridden or switched off by the driver. This amendment was implemented into German law later in 2016.


In 2020, the German Department of Transportation proposed a law enacting Level 4/5 highly/fully automated driving under certain circumstances. The draft was rejected by the Department of Justice in January 2021, arguing that data protection and security and accident liability regulations were insufficient, and delegated the proposal back to the DOT for refinement. The draft was then approved by the cabinet on February 10, 2021 and is targeted to pass the parliament in summer 2021.


UN/ECE Regulation 79 was created with the intention of providing a common understanding and a definition of steering systems for road vehicles. The original UN/ECE Regulation 79-01 of 1988 was written rather narrowly, permitting only corrective steering interventions, but not automatic steering at speeds over 10 km/h. To enable more capable driver assistance systems and automated driving at higher levels (i.e., 3, 4, 5), UN/ECE Regulation 79-03 was launched in 2018, but at the same time it requires production vehicles with a Lane Keeping Assist feature to provide an advanced means of detecting that the driver is holding the steering control from 2021 on. UN/ECE 79 also applies to existing vehicles, with the result that Tesla Autopilot in Europe received a downgrade of functionality in 2020 to comply, while US models did not receive this downgrading software update, as reported by Tesla owners.


In June 2020, the UN Regulation on Automated Lane Keeping Systems established requirements for Automated Lane Keeping Systems (ALKS) for passenger cars which, once activated, are in primary control of the vehicle but can be overridden by the driver at any moment. The name is a bit of an understatement, as this is the first binding international regulation for "level 3" vehicle automation. It will enter into force in January 2021. Japan drove this together with Germany. The regulation allows level 3 systems only on roads that are not accessible to pedestrians and bicyclists and on which traffic flows unidirectionally, with velocity limited to 60 km/h. In practice, this follows a German law, where it was introduced in 2017.



International Norms and Standards


ISO 26262 — Road vehicles — Functional safety is an international standard for functional safety of electrical and electronic systems (a.k.a. E/E systems) in production passenger vehicles, defined by the International Organization for Standardization (ISO) in 2011 and updated in 2016. It is an automotive-specific adaptation of the general functional safety standard IEC 61508.


The document describes a framework for functional safety to assist the development of safety-related E/E systems as well as hardware and software components. Some requirements have a technical focus to implement functional safety into the product; others address the development process.


Automotive Safety Integrity Levels (ASIL) refer to the classification of inherent safety risks in an automotive system or of elements of such a system. ASIL classifications are used within ISO 26262 to express the level of risk reduction required to prevent a specific hazard, with ASIL D representing the highest hazard level and ASIL A the lowest. At the beginning of the safety lifecycle, a hazard analysis and risk assessment (HARA) is performed, resulting in the attribution of an ASIL to all identified hazardous events and safety goals.


ISO 21448 — Safety of the Intended Functionality applies to functionality in an automotive component that requires proper situational awareness to be safe. The standard is concerned with guaranteeing the safety of the intended functionality — SOTIF — in the absence of a fault. This contrasts with traditional functional safety, which is concerned with mitigating risk due to system failure. The standard defines its goal as "the absence of unreasonable risk due to hazards resulting from functional insufficiencies of the intended functionality or by reasonably foreseeable misuse by persons is referred to as the Safety Of The Intended Functionality (SOTIF)." ISO 21448 was originally intended to be ISO 26262 part 14, but then became a standard on its own. ISO 26262 covers functional safety in the event of system failures. ISO 21448 covers safety hazards on the functional level that arise without a system failure.


The recently published standard ISO/TR 4804 — Safety and cybersecurity for automated driving systems — Design, verification and validation describes steps for developing and validating automated driving systems based on basic safety principles derived from worldwide applicable publications. It considers safety- and cybersecurity-by-design, as well as verification and validation methods for automated driving systems focused on vehicles with level 3 and level 4 features according to SAE J3016. In addition, it outlines cybersecurity considerations intersecting with objectives for safety of automated driving systems.


The ANSI/UL 4600 Standard for Safety for the Evaluation of Autonomous Products was created by Underwriters Laboratories and Edge Case Research in 2019. UL 4600 addresses safety principles and processes for evaluating fully autonomous products requiring no human driver supervision, e.g., SAE Level 4 and 5 vehicles. It does not replace ISO 26262 or ISO 21448, but rather seeks to extend those standards to specifically address the ability of autonomous products to perform safely and as intended without human intervention, based on their current state and sensing of the operating environment. The reliability of hardware and software necessary for machine learning, sensing of the operating environment, and other safety aspects of autonomy is also addressed. It is envisioned that future end-product standards will tailor UL 4600 to address specialized applications.


ISO 13849 — Safety of machinery is the safety standard that applies to the parts of machinery control systems that are assigned to providing safety functions. Industrial automation systems, e.g., mobile factory robots and automated yard logistics, are often certified to this norm.


ISO 10218 — Robots and robotic devices, Safety requirements for industrial robots specifies requirements and guidelines for the inherent safe design, protective measures and information for use of industrial robots. It describes basic hazards associated with robots and provides requirements to eliminate, or adequately reduce, the risks associated with these hazards.


IEC/EN 62061 — Safety of machinery: Functional safety of electrical, electronic and programmable electronic control systems is the machinery specific implementation of IEC/EN 61508. It provides requirements that are applicable to the system level design of all types of machinery safety-related electrical control systems and also for the design of non-complex subsystems or devices.


The Machinery Directive 2006/42/EC of the European Union addresses the protection of workers and consumers using such machinery. In that context, vehicle automation systems operating in certain environments can fall under this directive, depending on the local legislation.


ISO 15998 — Earth-moving machinery, Machine-control systems (MCS) using electronic components specifies performance criteria and tests for functional safety of safety-related machine-control systems (MCS) using electronic components in earth-moving machinery and its equipment, as defined in ISO 6165.


ISO 25119 — Tractors and machinery for agriculture and forestry, safety-related parts of control systems sets out general principles for the design and development of safety-related parts of control systems (SRP/CS) on tractors used in agriculture and forestry and on self-propelled ride-on machines and mounted, semi-mounted and trailed machines used in agriculture. It can also be applied to mobile municipal equipment (e.g., street-sweeping machines).


EN 50126, EN 50128 and EN 50129, abbreviated as EN 5012x are the three main standards related to Reliability, Availability, Maintainability, and Safety (RAMS) specified by the European Committee for Electrotechnical Standardization (CENELEC).

The EN 50126 defines the terms of RAMS, their interaction and a process based on the system lifecycle for managing RAMS. In addition, a systematic process for specifying requirements for RAMS and demonstrating that these requirements are achieved is defined.

The EN 50128 specifies procedures and technical requirements for the development of programmable electronic systems for usage in railway control and protection applications, aimed at usage in any area where there are safety implications. In contrast to the EN 50126, it is applicable exclusively to software and the interaction between software and the system which it is part of.

EN 50129 specifies those lifecycle activities which shall be completed before the acceptance stage, followed by additional planned activities to be carried out after the acceptance stage. It is therefore concerned with the evidence to be presented for the acceptance of safety-related systems and is closely related to EN 50126.


ISO 23150 is an upcoming standard describing the logical interface for data communication between sensors and the data fusion unit for automated driving functions. It is currently in the draft phase and is pushed predominantly by German OEMs to achieve sensor interface standardization.


DO-178C or "Software Considerations in Airborne Systems and Equipment Certification" is the primary document by which the certification authorities such as FAA and EASA approve all commercial software-based aerospace systems. The document was published by RTCA, Inc., in a joint effort with EUROCAE, and replaces DO-178B. The new document is called DO-178C/ED-12C and was completed in November 2011 and approved by the RTCA in December 2011.


IEC 61508 is the international standard published by the International Electrotechnical Commission consisting of methods on how to apply, design, deploy, and maintain safety-related systems. The full title is "Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems (E/E/PE, or E/E/PES)." IEC 61508 is a (or actually the) basic functional safety standard applicable to all kinds of industries. It defines an engineering process called the safety lifecycle based on best practices in order to discover and eliminate design errors and omissions and a probabilistic failure approach to account for the safety impact of device failures. A number of domain-specific functional safety norms, such as the ones listed above, are derived from it.


Furthermore, driver assistance systems and safety systems already in production are standardized in these norms, which describe the respective performance requirements and test procedures:


L1 lateral

  • ISO 11270:2014. Intelligent transport systems — Lane keeping assistance systems (LKAS) — Performance requirements and test procedures

  • ISO 17361:2017. Intelligent transport systems — Lane departure warning systems — Performance requirements and test procedures

  • ISO 19638:2018. Intelligent transport systems — Road boundary departure prevention systems (RBDPS) — Performance requirements and test procedures

  • ISO 21202:2020. Intelligent transport systems — Partially automated lane change systems (PALS) — Functional/operational requirements and test procedures

L1 longitudinal

  • ISO 15622:2018. Intelligent transport systems — Adaptive cruise control systems — Performance requirements and test procedures

  • ISO 20035:2019. Intelligent transport systems — Cooperative adaptive cruise control systems (CACC) — Performance requirements and test procedures

L2

  • ISO 21717:2018. Intelligent transport systems — Partially Automated In-Lane Driving Systems (PADS) — Performance requirements and test procedures

L3

  • ISO/WD 23792-1. Intelligent transport systems — Motorway chauffeur systems (MCS) — Part 1: Framework and general requirements

L4

  • ISO/CD 22737. Intelligent transport systems — Low-speed automated driving (LSAD) systems for predefined routes — Performance requirements, system requirements and performance test procedures

Parking

  • ISO 20900:2019. Intelligent transport systems — Partially automated parking systems (PAPS) — Performance requirements and test procedures

  • ISO/AWI 23374. Intelligent transport systems — Automated valet parking systems (AVPS) — System framework, communication interface, and vehicle operation

Safety

  • ISO 19237:2017. Intelligent transport systems — Pedestrian detection and collision mitigation systems (PDCMS) — Performance requirements and test procedures

  • ISO 22078:2020. Intelligent transport systems — Bicyclist detection and collision mitigation systems (BDCMS) — Performance requirements and test procedures

  • ISO/AWI 23375. Intelligent transport systems — Collision evasive lateral manoeuvre systems (CELM) — Performance requirements and test procedures

  • ISO/CD 23376. Intelligent transport systems — Vehicle-to-vehicle intersection collision warning systems (VVICW) — Performance requirements and test procedures

  • ISO 19206-1:2018. Road vehicles — Test devices for target vehicles, vulnerable road users and other objects, for assessment of active safety functions


Other National Norms


Singapore's Standards Council has published a set of provisional national standards to guide the development and deployment of fully autonomous vehicles. Technical Reference 68 (TR 68) promotes the safe deployment of fully autonomous vehicles in Singapore, said a joint release from Enterprise Singapore (ESG), Land Transport Authority (LTA), Standards Development Organisation, and the Singapore Standards Council (SSC).


How about security?


Safety needs security, but current functional safety norms do not address cybersecurity. ISO/IEC 27001 is the basic information security standard defining information security management. ISO/IEC 27002 extends this with a code of practice for information security controls. ISO/IEC 15408 establishes a basis for the evaluation of security properties of IT products. ISO/SAE DIS 21434 will be the first standard dedicated to cybersecurity of road vehicles and is currently under development. According to SAE, this document specifies requirements for cybersecurity risk management regarding engineering for concept, development, production, operation, maintenance, and decommissioning for road vehicle electrical and electronic (E/E) systems, including their components and interfaces. A framework is defined that includes requirements for cybersecurity processes and a common language for communicating and managing cybersecurity risk. This document is applicable to series production road vehicle E/E systems, including their components and interfaces whose development or modification began after the publication of the document. It does not prescribe specific technology or solutions related to cybersecurity.



Why so many different norms for vehicle automation?


Because there is no one-size-fits-all norm. ISO 26262 was adapted from the general functional safety standard IEC 61508 to cover all safety-relevant automotive electrical and electronic systems. Initially, software was only addressed superficially, until the 2016 update came out. ISO 21448 was originally intended to be a new part 14 of ISO 26262 but then became a norm of its own to address the functionality of automation systems with surround sensing. UL 4600 then focused specifically on highly and fully automated systems in on-road and off-road applications: it provides a framework for creating a comprehensive system-level safety case that is not limited to passenger vehicles, and thereby extends the other norms significantly.



My Takeaway

Where do we stand today (in 2020)?


The taxonomy developed by SAE has been accepted worldwide. Is it perfect? Absolutely not. But the five levels are clearly defined and follow a logical structure that is easy to comprehend and use. Is it being used consistently? Unfortunately also not.


Standards extend the taxonomy to technical implementations and to performance and safety minimums. ISO 26262 is unarguably the standard for automotive functional safety, as it sets clear reliability and safety targets. It focuses on avoiding design faults and on mitigating the effect of faults during operation, but it lacks an approach for the functional safety of systems that rely on environment perception and are thereby subject to external influences. ISO 26262 was therefore extended by ISO 21448: ISO 26262 covers functional safety in the event of system failures, while ISO 21448 covers safety hazards on the functional level that arise without a system failure. UL 4600 was then added specifically to cover Level 4/5 systems. Conceptually, these norms now cover all aspects of driving automation development, with the exception of security, which is covered by the ISO/IEC 2700x family.


Legislation addressing driving automation is handled differently in different regions of the world, but nowhere is legislation seen as a major bottleneck towards introducing vehicle automation into products. While a discussion around the lack of federal regulation in the US starts regularly, this does not seem to impede development and deployment.



Thank you, Bryant Walker Smith, for your input and feedback.



Changelog:

  • February 1, 2021: ISO 19206 and ISO/TR 4804 added. Thank you to Martin Holder for pointing to these norms.

  • February 2, 2021: ISO 10218, IEC 62061, ISO 15998, ISO 6165, ISO 25119, EN 5012x added.
