Updated: September 30, 2022. We are regularly updating this article. The change log is at the bottom of the article.
This is the fourth post of the series on a Brief History of Automated Driving. The other posts can be found here, here, and here.
I have been working on autonomous vehicles and driver assistance systems for over 24 years. During this time, I have had many touch points with legal and regulatory aspects as well as with functional safety and the respective certification. I helped write the SAE levels of automated driving, and I cover many aspects in the class I am teaching at Stanford University. Discussion and publication often do not address these topics holistically. This post is an attempt to summarize all aspects in one article. Comments, additions, suggestions are welcome. Contact info@apex.ai. Thanks.
Motivation
Why are legislation, standards, and taxonomy for vehicle automation needed or at least useful in the first place? Well, obviously, for the same reasons that apply to other technology fields as well:
A taxonomy provides a common set of definitions and language to describe the technology. Terms are defined to mean the same thing when used accordingly.
Standards extend definitions and language to technical implementations and enable performance and safety minimums. In the course of progressing maturity of a technology, a standard is typically approved through expert consensus by a recognized standardization body. It provides for repeated and common use, rules, guidelines, or characteristics for products or related processes and production methods, with which compliance is not mandatory. Standards enable interoperability.
Legislation and regulations are issued by governments and define product characteristics or their related processes or production methods, including the applicable administrative provisions, with which compliance is mandatory. Regulations often make use of standards. Laws and regulations enable operability.
We visualized the content of this article in a graphic. Click on the graphic to open it in a separate tab. The article is best read with the graphic open next to it.
Taxonomy
The purpose of a taxonomy is to provide a standardized classification system to define common terms and terminology.
Since 2016, the SAE levels (see below) have been the commonly used taxonomy for driving automation, even though the terminology is not used consistently.
The German Federal Highway Research Institute (BASt) was the first to publish a taxonomy for vehicle automation in 2010. The result of the activity was rather short-sighted, as an equivalent to SAE level 5 does not exist in the BASt taxonomy — remember this was written three years after the DARPA Urban Challenge and one year after Google launched the project that is now known as Waymo. BASt defines five levels as follows:
Level 0: driver only (equivalent to SAE level 0).
Level 1: assisted (SAE level 1).
Level 2: partially automated (SAE level 2).
Level 3: highly automated (SAE level 3).
Level 4: completely automated (more or less equivalent to SAE level 4).
In 2013, NHTSA issued a preliminary statement of policy concerning automated vehicles, in which five levels of automation are defined:
Level 0: No automation (equivalent to SAE level 0).
Level 1: Function-specific automation (SAE level 1).
Level 2: Combined function automation (SAE level 2).
Level 3: Limited self-driving automation (SAE level 3).
Level 4: Full self-driving automation (more or less SAE levels 4 and 5 combined).
NHTSA deprecated its levels in 2016 and adopted the SAE levels.
SAE launched their first Taxonomy and Definitions for Terms Related to Driving Automation Systems for On-Road Motor Vehicles in 2014, with updates in 2016, 2018, and 2021. While the level definition itself hasn’t changed since 2014, the descriptive language in the standard has become significantly richer and more clarifying over time.
Level 0: No Driving Automation—The performance by the driver of the entire Dynamic Driving Task (DDT), even when enhanced by active safety systems.
Level 1: Driver Assistance—The sustained and Operational Design Domain (ODD)-specific execution by a driving automation system of either the lateral or the longitudinal vehicle motion control subtask of the DDT (but not both simultaneously) with the expectation that the driver performs the remainder of the DDT.
Level 2: Partial Driving Automation—The sustained and ODD-specific execution by a driving automation system of both the lateral and longitudinal vehicle motion control subtasks of the DDT with the expectation that the driver completes the Object and Event Detection and Response (OEDR) subtask and supervises the driving automation system.
Level 3: Conditional Driving Automation—The sustained and ODD-specific performance by an Automated Driving System (ADS) of the entire DDT with the expectation that the DDT fallback-ready user is receptive to ADS-issued requests to intervene, as well as to DDT performance-relevant system failures in other vehicle systems and will respond appropriately.
Level 4: High Driving Automation—The sustained and ODD-specific performance by an ADS of the entire DDT and DDT fallback without any expectation that a user will respond to a request to intervene.
Level 5: Full Automation—The sustained and unconditional (i.e., not ODD-specific) performance by an ADS of the entire DDT and DDT fallback without any expectation that a user will respond to a request to intervene.
Bryant Walker Smith has published a simplified summary of the SAE levels:
Assisted driving features
Level 0: You're driving.
Level 1: You're driving, but you're assisted with either steering or speed.
Level 2: You're driving, but you're assisted with both steering and speed.
Automated driving features
Level 3: You're not driving, but you will need to drive if prompted in order to maintain safety.
Level 4: You're not driving, but either a) you will need to drive if prompted in order to reach your destination (in a vehicle you can drive) or b) you will not be able to reach every destination (in a vehicle you can't drive).
Level 5: You're not driving, and you can reach any destination.
This table, also created by Bryant, summarizes the levels and compares the SAE, BASt, and NHTSA levels:
There are some common misconceptions about the levels of vehicle automation.
The levels are numbered and therefore describe a sequence. No, not necessarily. While traditional manufacturers of personally owned vehicles have gradually increased the level (i.e., level 0 with the invention of the modern automobile through the Benz Motorwagen, ACC in the 1990s as the first L1 system, Mercedes' Distronic Plus with Steering Assist (traffic jam assist) in the Mercedes-Benz S-Class in 2013 as the first level 2 system (yes, Tesla did not invent level 2 systems), and Audi's A8 in 2017 with Traffic Jam Pilot as the first L3 system (although that never became available in the US)), Google jumped directly to developing L4 systems.
L3 systems, in which the human is required to execute the fallback performance of the dynamic driving task, are insanely dangerous. No, not necessarily. This is based on the incorrect assumption that an L3 system would drive at 65 mph on the freeway, then beep to request a driver takeover, then—in the event the driver does not take over—give up and let the vehicle steer off the road. Obviously, in practice, a reasonable manufacturer would not build and release such a system—which would likely be subject to product liability—but rather build in a risk mitigation strategy for the case that the driver does not take over, e.g., not allowing activation at higher velocities, or turning on the hazard lights and stopping the vehicle in the lane if the driver does not respond to a takeover request. On the other hand, manufacturers might also skip level 3 because of the resulting system complexity, cost, and lack of tangible user benefit.
Isn't that then an L4 system? No, an L4 system needs to be able to lead the vehicle into a risk-minimal state, e.g., by parking the vehicle on the shoulder of the road instead of in the lane of traffic.
L4 vehicles will take forever to be ready. No, in fact, we already have self-driving vehicles today in limited ODDs (operational design domains), in certain cities running driverless shuttles, or in Phoenix.
Tesla sells Autopilot with Full Self-Driving Capability. It must be level 4. Unfortunately, not. It's a Level 2 driver assistance system, as stated in the fine print: "Autopilot is an advanced driver assistance system that enhances safety and convenience behind the wheel."
Bryant demystifies more misconceptions around automated driving in his article "How Reporters Can Evaluate Automated Driving Announcements."
Recently, manufacturers and suppliers are ramping up their use of the term Level 2 plus or L2+ or even Level 2 plus plus. According to the SAE taxonomy, these levels obviously are undefined. Manufacturers use this term to show advances in technology, e.g., through the inclusion of maps into driver assistance systems or the addition of driver monitoring. This doesn't change that — as Bryant puts it — "you're driving, but you're assisted with both steering and speed."
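The level definitions quoted above, and the misconceptions discussed since, reduce to a handful of questions: does the system perform sustained lateral and/or longitudinal control, does it perform OEDR, does it perform the DDT fallback, and is it ODD-limited. The following classifier is an added example, not code from the original article or from SAE; the field names and the sample feature profiles are constructed for illustration. It encodes those questions as a decision procedure and shows that extras such as maps or driver monitoring ("L2+") do not move a feature out of level 2, and that stopping in the lane when the driver ignores a takeover request is a mitigation, not the system-performed fallback that would make a feature level 4.

```python
# Added example (not from the original article): a classifier applying the
# SAE J3016 level definitions to a feature description. Field names are my own.
from dataclasses import dataclass


@dataclass(frozen=True)
class FeatureProfile:
    name: str
    sustained_lateral: bool          # system performs sustained lateral control
    sustained_longitudinal: bool     # system performs sustained longitudinal control
    system_performs_oedr: bool       # system, not the driver, completes OEDR
    # True only if the system itself reaches a minimal risk condition (e.g. pulls
    # onto the shoulder). Stopping in the lane while waiting for the driver is a
    # mitigation for a missed takeover, not a DDT fallback performed by the system.
    system_performs_fallback: bool
    odd_limited: bool                # restricted to an operational design domain
    # Marketing extras such as maps or driver monitoring. They deliberately do
    # not enter the classification; that is the point of the "L2+" discussion.
    extras: tuple = ()


def sae_level(f: FeatureProfile) -> int:
    """Return the SAE J3016 level (0-5) implied by the feature profile."""
    if not (f.sustained_lateral or f.sustained_longitudinal):
        return 0                                   # driver performs the entire DDT
    if f.sustained_lateral != f.sustained_longitudinal:
        return 1                                   # one motion-control subtask only
    if not f.system_performs_oedr:
        return 2                                   # driver completes OEDR and supervises
    if not f.system_performs_fallback:
        return 3                                   # fallback-ready user required
    return 4 if f.odd_limited else 5               # system performs the fallback


# Constructed profiles for illustration, not descriptions of specific products.
SAMPLE_FEATURES = (
    FeatureProfile("Adaptive cruise control", False, True, False, False, True),
    FeatureProfile("Lane centering + ACC with HD map and driver camera",
                   True, True, False, False, True, ("HD map", "driver monitoring")),
    FeatureProfile("Traffic jam pilot, driver must take over on request",
                   True, True, True, False, True),
    FeatureProfile("Traffic jam pilot, stops in lane if driver ignores request",
                   True, True, True, False, True),
    FeatureProfile("Geofenced driverless shuttle, pulls over on failure",
                   True, True, True, True, True),
    FeatureProfile("Hypothetical go-anywhere driverless vehicle",
                   True, True, True, True, False),
)


def classify_all(features=SAMPLE_FEATURES) -> dict:
    """Map each feature name to its SAE level."""
    return {f.name: sae_level(f) for f in features}


if __name__ == "__main__":
    for name, level in classify_all().items():
        print(f"Level {level}: {name}")
```

Note that the two traffic jam pilot profiles classify identically: the in-lane stop changes the risk mitigation strategy, not the level, because the system still does not achieve a minimal risk condition on its own.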
There has been continued criticism of the SAE levels. Brad Templeton published a satire of the NHTSA levels in 2017 and pointed out in 2018 that, in his opinion, defining automation by degrees of human input is the root flaw and that the levels as defined above "may be contributing to highway deaths." Alex Roy went a step further in the same year, writing "How the Language of Self-Driving Is Killing Us" and "The Language of Self-Driving Cars Is Dangerous—Here's How To Fix It," proposing to ditch the levels altogether, replacing them with two functionalities called "geotonomous" (autonomy limited by location) and Human-Assisted Systems (HAS). Alex then founded the Human Driving Association in 2018 and published the Human Driving Manifesto.
Brad also points out "that Waymo has announced it wants to change the generic term for what it’s doing, and presumably push others to use the same generic term. They’ve mostly said “self-driving” in the past, but because some other companies and the public are now misusing that term, they hope sticking to “autonomous” will clarify the language." I can't blame Waymo. Brad is correct in stating that "it’s odd that the industry never settled on a good generic term for a car that, given a destination, will perform the driving task to take you there. There have been lots of candidates, but no winner."
Manufacturers occasionally intentionally misuse terminology to imply a higher level of automation than their product is actually capable of. This behavior has been termed Autonowashing by Liza Dixon to describe the gap in the presentation of automation and the actual system capabilities.
Global Legislation
The 1949 United Nations Convention on Road Traffic, also known as the Geneva Convention on Road Traffic, is an international treaty promoting the development and safety of international road traffic by establishing certain uniform rules among the contracting parties. It was ratified by 101 countries, including the US and Japan, not including Germany and China. Article 8 pertains to requirements on the driver and states the following:
1. Every vehicle or combination of vehicles proceeding as a unit shall have a driver.
5. Drivers shall at all times be able to control their vehicles or guide their animals.
Many of the contracting parties have also ratified the Vienna Convention on Road Traffic of 1968. For the signatory countries of the 1968 Vienna Convention, this replaces previous road traffic conventions, including the Geneva Convention on Road Traffic, in accordance with Article 48 of the Vienna Convention. Seventy-two countries, including Germany, signed this updated treaty, but the US, China, and Japan did not. Article 8 contains very similar requirements on the driver and states:
1. Every moving vehicle or combination of vehicles shall have a driver.
5. Every driver shall at all times be able to control his vehicle or to guide his animals.
National Laws and Regulations
The USA ratified the Geneva Convention, which states that every vehicle shall have a driver, and the driver shall at all times be able to control their vehicles. According to the supremacy clause of the constitution, ratified treaties are on the same level as federal law. It seems obvious that under these conditions, driverless vehicles violate federal law. Nevertheless, Bryant Walker Smith concludes in 2012 in this foundational article that "Automated Vehicles Are Probably Legal in the United States." He argues that the Geneva convention requirement that "drivers shall at all times be able to control their vehicles" is likely satisfied if a human is able to intervene in the automated vehicle’s operation. He further states that US federal regulations do not prohibit automated vehicles (with the possible exception of one rule regarding emergency flashers). US state vehicle codes at the time the article was published in 2012 did not prohibit—but may complicate—automated driving. These codes often assume the presence of licensed human drivers who are able to exercise human judgment, and particular rules may functionally require that presence. For example, New York is the only state in the US that requires drivers to keep at least one hand on the steering wheel while the vehicle is in motion. This might make it illegal for humans to ride in a level 4 or 5 vehicle that was built without a steering wheel.
The US Federal Government has not yet issued any binding laws or regulations. Instead, the National Highway Traffic Safety Administration (NHTSA), an agency of the US Department of Transportation, issued the following non-binding guidelines:
In September 2016 (under the Obama administration), the detailed 116-page guide Federal Automated Vehicles Policy—Accelerating the Next Revolution In Roadway Safety.
In September 2017 (under the Trump administration), the 28-page Automated Driving System 2.0—A Vision for Safety.
In October 2018, the 65-page Automated Vehicles 3.0—The Future of Transportation.
In January 2020, Automated Vehicles 4.0—Ensuring American Leadership in Automated Vehicle Technologies.
In January 2021, Automated Vehicles - Comprehensive Plan.
Several US states have moved forward with their own legislation filling the void the non-existent federal regulations created. Nevada's bill AB511 in 2011 was the first bill in the US pertaining to automated vehicles. Section 8 of this bill required the Nevada Department of Motor Vehicles to adopt regulations authorizing the operation of autonomous vehicles on highways within the State of Nevada. This Wired article describes how Anthony Levandowski hired a lobbyist in Nevada for Google and how the two drafted the bill that would allow Google to test and operate self-driving cars in Nevada. This panel, which included all relevant stakeholders in the process, provided an Oral History of Nevada's regulation of self-driving vehicles.
Florida declared legislative intent in 2012 to encourage the development, testing, and operation of autonomous vehicles and determined that the state would not prohibit or regulate the testing or operation of autonomous vehicles.
California's senate bill 1298 required the Department of Highway Patrol to establish safety standards and performance requirements to ensure the safe operation and testing of autonomous vehicles on its public roads. This bill also permitted autonomous vehicles to be operated and tested on public roads as long as they meet the standards and requirements outlined. Dr. Bernard Soriano, Deputy Director of the California DMV, outlines the challenges the DMV faced and the process the DMV took in this talk. Bernard also regularly talks in my class ME302B at Stanford University.
As of May 2020, 29 states—Alabama, Arkansas, California, Colorado, Connecticut, Florida, Georgia, Illinois, Indiana, Kentucky, Louisiana, Maine, Michigan, Mississippi, Nebraska, New York, Nevada, North Carolina, North Dakota, Oregon, Pennsylvania, South Carolina, Tennessee, Texas, Utah, Virginia, Vermont, Washington, Wisconsin, and Washington D.C.—have enacted legislation related to autonomous vehicles and thereby created a patchwork of different rules and regulations.
Other states, like Arizona, have gone in the opposite direction. Arizona's governor signed executive orders in 2015 and 2018 that instructed the state to eliminate unnecessary regulations and hurdles to the new technology. Just 18 days later, an Uber self-driving test vehicle struck and killed a pedestrian. The NTSB investigation revealed a stunning lack of proper testing protocols. Eight days later, the governor asked Uber to suspend their testing activities. Previously Uber had refused to comply with California's testing requirements and moved their testing operations to Arizona.
In Germany and several other countries, international treaties such as the Vienna Convention have to be transitioned to national law and regulations in order to become effective. Germany ratified the Convention in 1978. When transitioning into domestic law, the statement "every driver shall at all times be able to control his vehicle…" was translated into "jeder Führer muss dauernd sein Fahrzeug beherrschen," which can be interpreted as "the driver needs to at all times handle his vehicle." Hence it comes down to an interpretation issue of "control" versus "to supervise." Consequently, the predominant interpretation of this clause is that autonomous driving is not legal in Germany.
Then, in 2014, the governments of Belgium, France, Germany, and Italy proposed amending article 8 of the Vienna Convention to allow automated driving technologies. As justification, the countries argued that traffic accidents are predominantly caused by human error and that automated driving systems enhance road safety. The amendment to the Convention became effective in 2016 and states that driving automation technologies transferring driving tasks to the vehicle will be explicitly allowed in traffic, provided that these technologies are in conformity with the United Nations vehicle regulations or can be overridden or switched off by the driver. This amendment was implemented into German law later in 2016. Another amendment in 2020 adds further definitions.
A UN/ECE document published in October 2019 presents the Resolution on the Deployment of Highly and Fully Automated Vehicles in Road Traffic, adopted by the Global Forum for Road Traffic Safety (WP.1) of the United Nations Economic Commission for Europe on 20 September 2018.
In 2020, the German Department of Transportation proposed a law enacting Level 4/5 highly/fully automated driving under certain circumstances. The draft was rejected by the Department of Justice in January 2021, which argued that the data protection, security, and accident liability provisions were insufficient, and delegated the proposal back to the DOT for refinement. The revised draft was approved by the cabinet on February 10, 2021 and is targeted to pass the parliament in the summer of 2021.
UN/ECE Regulation 79 was created with the intention of providing a common understanding and a definition of steering systems for road vehicles. The original UN/ECE Regulation 79-01 of 1988 was written rather narrowly, permitting only corrective steering interventions but not automatic steering at speeds above 10 km/h. To enable more capable driver assistance systems and automated driving at higher levels (i.e., 3, 4, 5), UN/ECE Regulation 79-03 was introduced in 2018; at the same time, it requires production vehicles with a Lane Keeping Assist feature to provide an advanced means of detecting that the driver is holding the steering control from 2021 on. UN/ECE R79 also applies to existing vehicles, with the result that Tesla Autopilot in Europe received a functionality downgrade in 2020 to comply, while US models did not receive this downgrading software update, as reported by Tesla owners.
UN Regulations R155 and R156 deal with cybersecurity and cybersecurity management systems. These regulations were adopted in 2020 by the UNECE World Forum for Harmonization of Vehicle Regulations (UNECE WP.29) and officially came into effect in January 2021. The scope comprises passenger vehicles, buses, light- and heavy-duty trucks, quadricycles, and trailers. UN R155 requires the operation of a certified cybersecurity management system (CSMS), and UN R156 requires that of a software update management system (SUMS), as a future condition of type approval. The UNECE regulations specify four disciplines: managing cyber risks to vehicles; securing vehicles "by design" to mitigate risks along the value chain; detecting and responding to security incidents across vehicle fleets; and safely and securely updating the vehicle software, including a legal basis for over-the-air updates. The EU plans to make these requirements mandatory for the approval of new vehicle types by July 2022 and to extend them to existing architectures by July 2024. Japan and Korea are following similar timetables.
UN Regulation R157, the UN Regulation on Automated Lane Keeping Systems, establishes requirements for Automated Lane Keeping Systems (ALKS) for passenger cars which, once activated, are in primary control of the vehicle but can be overridden by the driver at any moment. The name is a bit of an understatement, as this is the first binding international regulation for "level 3" vehicle automation. It will enter into force in January 2021. Japan drove this together with Germany. The regulation allows level 3 systems only on roads that are not accessible to pedestrians and cyclists and on which traffic flows in one direction, with speed limited to 60 km/h. In practice, this follows a German law, where it was introduced in 2017. Adherence to R155 and R156 is a requirement in R157 as well.
International Norms and Standards
IEC 61508 is the international standard published by the International Electrotechnical Commission consisting of methods on how to apply, design, deploy, and maintain safety-related systems. The full title is "Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems (E/E/PE, or E/E/PES)." IEC 61508 is a (or actually the) basic functional safety standard applicable to all kinds of industries. It defines an engineering process called the safety lifecycle, based on best practices, in order to discover and eliminate design errors and omissions, and a probabilistic failure approach to account for the safety impact of device failures. Several domain-specific functional safety norms, such as ISO 26262, IEC/EN 62061, and ISO 25119 described in this section, are derived from it.
ISO 26262 — Road vehicles — Functional safety is an international standard for the functional safety of electrical and electronic systems (a.k.a. E/E systems) in production passenger vehicles, defined by the International Organization for Standardization (ISO) in 2011 and updated in 2016. It is an automotive-specific adaptation of the general functional safety standard IEC 61508.
The document describes a framework for functional safety to assist the development of safety-related E/E systems as well as hardware and software components. Some requirements have a technical focus to implement functional safety into the product; others address the development process.
Automotive Safety Integrity Levels (ASIL) classify the inherent safety risk of an automotive system or of elements of such a system. ASIL classifications are used within ISO 26262 to express the level of risk reduction required to prevent a specific hazard, with ASIL D representing the highest hazard level and ASIL A the lowest. At the beginning of the safety lifecycle, a hazard analysis and risk assessment (HARA) is performed, resulting in the assignment of an ASIL to each identified hazardous event and to the corresponding safety goals.
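To make the HARA step concrete, here is an added example (not code from the original article or from ISO) of how an ASIL is assigned to hazardous events. It reproduces the ASIL determination table of ISO 26262-3 over severity (S0-S3), probability of exposure (E0-E4), and controllability (C0-C3); those three parameters are not introduced on this page, and the hazardous events, safety goals, and S/E/C ratings below are constructed for illustration. It also shows the rule that a safety goal covering several hazardous events inherits the highest of their ASILs.

```python
# Added example (not from the original article): a minimal HARA that assigns
# ASILs to constructed hazardous events using the ISO 26262-3 determination
# table. The S/E/C parameters are defined by the standard, not on this page.
from dataclasses import dataclass

ASIL_ORDER = ("QM", "A", "B", "C", "D")   # lowest to highest

# ASIL_TABLE[S][E] lists the ASIL for C1, C2, C3 in that order.
ASIL_TABLE = {
    1: {1: ("QM", "QM", "QM"), 2: ("QM", "QM", "QM"), 3: ("QM", "QM", "A"), 4: ("QM", "A", "B")},
    2: {1: ("QM", "QM", "QM"), 2: ("QM", "QM", "A"), 3: ("QM", "A", "B"), 4: ("A", "B", "C")},
    3: {1: ("QM", "QM", "A"), 2: ("QM", "A", "B"), 3: ("A", "B", "C"), 4: ("B", "C", "D")},
}


def determine_asil(s: int, e: int, c: int) -> str:
    """Return QM or A-D for a severity/exposure/controllability triple."""
    if not (0 <= s <= 3 and 0 <= e <= 4 and 0 <= c <= 3):
        raise ValueError(f"parameters out of range: S{s} E{e} C{c}")
    if 0 in (s, e, c):
        return "QM"          # S0, E0 or C0: no ASIL, quality management only
    return ASIL_TABLE[s][e][c - 1]


def safety_goal_asil(asils) -> str:
    """A safety goal covering several hazardous events takes the highest ASIL."""
    return max(asils, key=ASIL_ORDER.index)


@dataclass(frozen=True)
class HazardousEvent:
    name: str
    safety_goal: str
    s: int
    e: int
    c: int


# Constructed events for a hypothetical lane-keeping / ACC feature.
SAMPLE_EVENTS = (
    HazardousEvent("Unintended steering at highway speed", "No unintended steering", 3, 4, 3),
    HazardousEvent("Unintended full braking on the highway", "No unintended braking", 3, 4, 2),
    HazardousEvent("Unintended acceleration in a traffic jam", "No unintended acceleration", 2, 3, 2),
    HazardousEvent("Loss of lane keeping while parking", "No unintended steering", 1, 2, 1),
)


def run_hara(events=SAMPLE_EVENTS):
    """Return (ASIL per hazardous event, ASIL per safety goal)."""
    per_event = {ev.name: determine_asil(ev.s, ev.e, ev.c) for ev in events}
    grouped = {}
    for ev in events:
        grouped.setdefault(ev.safety_goal, []).append(per_event[ev.name])
    per_goal = {goal: safety_goal_asil(asils) for goal, asils in grouped.items()}
    return per_event, per_goal


if __name__ == "__main__":
    events, goals = run_hara()
    for name, asil in events.items():
        print(f"{asil:>2}  {name}")
    for goal, asil in goals.items():
        print(f"safety goal '{goal}': ASIL {asil}")
```

The low-speed parking event rates QM on its own, but the safety goal "No unintended steering" still carries ASIL D because the highway-speed event maps to it as well; the goal, and everything derived from it, must be developed to the highest ASIL among its hazardous events.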
ISO 21448 — Safety of the Intended Functionality applies to functionality in an automotive component that requires proper situational awareness to be safe. The standard is concerned with guaranteeing the safety of the intended functionality — SOTIF — in the absence of a fault. This contrasts with traditional functional safety, which is concerned with mitigating risk due to system failure. The standard defines its goal as “the absence of unreasonable risk due to hazards resulting from functional insufficiencies of the intended functionality or by reasonably foreseeable misuse by persons is referred to as the Safety Of The Intended Functionality (SOTIF).” ISO 21448 was originally intended to be ISO 26262 part 14, but then became a standard on its own. ISO 26262 covers functional safety in the event of system failures. ISO 21448 covers safety hazards on the functional level that result without system failure.
The recently published standard ISO/TR 4804 — Safety and cybersecurity for automated driving systems — Design, verification and validation describes steps for developing and validating automated driving systems based on basic safety principles derived from worldwide applicable publications. It considers safety- and cybersecurity-by-design, as well as verification and validation methods for automated driving systems focused on vehicles with level 3 and level 4 features according to SAE J3016. In addition, it outlines cybersecurity considerations intersecting with objectives for safety of automated driving systems.
ISO/DIS 24089 adds guidelines for software update engineering for road vehicles. This norm describes the design and implementation of processes according to the requirements described in UN R156.
Trusted Information Security Assessment Exchange, or TISAX, is a common assessment and exchange mechanism used in the automotive industry and beyond. It was developed under the guidance of the VDA (German Association of the Automotive Industry) to help ensure an appropriate level of information security. TISAX brings standardization, quality assurance, and mutual recognition of information security audits in accordance with the ISO 27001 standards.
The ANSI/UL 4600 Standard for Safety for the Evaluation of Autonomous Products was created by Underwriters Laboratories and Edge Case Research in 2019. UL 4600 addresses safety principles and processes for evaluating fully autonomous products requiring no human driver supervision, e.g., SAE Level 4 and 5 vehicles. It does not replace ISO 26262 or ISO 21448, but rather seeks to extend those standards to specifically address the ability of autonomous products to perform safely and as intended — without human intervention — based on their current state and sensing of the operating environment. The reliability of hardware and software necessary for machine learning, sensing of the operating environment, and other safety aspects of autonomy are also addressed. It is envisioned that future end-product standards will tailor UL 4600 to address specialized applications.
ISO 13849 — Safety of Machinery is the safety standard that applies to parts of machinery control systems that are assigned to providing safety functions. Industrial automation systems, e.g., mobile factory robots and automated yard logistics, are often certified to this norm.
ISO 10218 — Robots and robotic devices, Safety requirements for industrial robots specifies requirements and guidelines for the inherent safe design, protective measures, and information for use of industrial robots. It describes basic hazards associated with robots and provides requirements to eliminate, or adequately reduce the risks associated with these hazards.
IEC/EN 62061 — Safety of machinery: Functional safety of electrical, electronic and programmable electronic control systems is the machinery-specific implementation of IEC/EN 61508. It provides requirements that are applicable to the system level design of all types of machinery safety-related electrical control systems and also for the design of non-complex subsystems or devices.
The Machinery Directive 2006/42/EC of the European Union addresses the protection of workers and consumers using such machinery. In that context, vehicle automation systems operating in certain environments can fall under this directive, depending on the local legislation.
ISO 15998 — Earth-moving machinery, Machine-control systems (MCS) using electronic components specifies performance criteria and tests for functional safety of safety-related machine-control systems (MCS) using electronic components in earth-moving machinery and its equipment, as defined in ISO 6165.
ISO 25119 — Tractors and machinery for agriculture and forestry, safety-related parts of control systems sets out general principles for the design and development of safety-related parts of control systems (SRP/CS) on tractors used in agriculture and forestry and on self-propelled ride-on machines and mounted, semi-mounted, and trailed machines used in agriculture. It can also be applied to mobile municipal equipment (e.g., street-sweeping machines).
The ISO 3691 series covers the basic safety requirements for industrial trucks. ISO 3691-4 specifies these requirements as a Type C standard for driverless industrial trucks. It starts with hazard analysis and risk estimation. During the design of the protective functions, it is essential to consider the complete system, i.e., to understand how the individual functions and the safety functions interact to provide the overall safety of the AGV.
This can be accomplished with the help of the table of ISO 3691-4, Annex B, where hazards and their possible consequences are listed.
EN 50126, EN 50128, and EN 50129, abbreviated as EN 5012x, are the three main railway standards related to Reliability, Availability, Maintainability, and Safety (RAMS), specified by the European Committee for Electrotechnical Standardization (CENELEC).
EN 50126 defines the terms of RAMS, their interaction, and a process based on the system lifecycle for managing RAMS. In addition, a systematic process for specifying requirements for RAMS and demonstrating that these requirements are achieved is defined.
EN 50128 specifies procedures and technical requirements for the development of programmable electronic systems for usage in railway control and protection applications aimed at usage in any area where there are safety implications. In contrast to EN 50126, it is applicable exclusively to software and the interaction between software and the system of which it is part.
EN 50129 specifies those lifecycle activities which shall be completed before the acceptance stage, followed by additional planned activities to be carried out after the acceptance stage. It is therefore concerned with the evidence to be presented for the acceptance of safety-related systems and is highly related to EN 50126.
ISO 25119 Software Development for Tractors and Machinery for agriculture and forestry describes the safety requirements for tractors and machinery for agriculture and forestry. The standard is a sector-specific implementation of IEC 61508 and consists of 4 parts. Like other functional safety standards, ISO 25119 specifies various levels of criticality. The standard defines the Agricultural Performance Level (AgPL) QM, a – e. AgPL a to e correspond to the Performance Levels (PL) a to e as defined in ISO 13849. Regarding the software, an SRL (Software Requirement Level) is derived from the AgPL. Chapter 7.3.5 in Part 2 of the standard defines the relationship between AgPL and the SRLs (B, 1, 2, 3).
ISO 25119 consists of four parts. The first part primarily defines the management aspects of a functional safety project. The second part discusses the necessary safety concept and the requirements for risk and hazard analysis. The third part deals with hardware and software development and testing. The fourth part discusses the functional safety aspects in production, operation and in case of changes.
ISO 23150 is an upcoming standard that describes the logical interface of the data communication between sensors and the data fusion unit for automated driving functions. It is currently in the draft phase and pushed predominantly by German OEMs to achieve sensor interface standardization.
DO-178C "Software Considerations in Airborne Systems and Equipment Certification" is the primary document by which the certification authorities such as FAA and EASA approve all commercial software-based aerospace systems. The document was published by RTCA, Inc., in a joint effort with EUROCAE, and replaces DO-178B. The new document is called DO-178C/ED-12C and was completed in November 2011 and approved by the RTCA in December 2011.
Furthermore, driver assistance systems and safety systems already in production are standardized in these norms, which describe the respective performance requirements and test procedures:
L1 lateral
ISO 11270:2014. Intelligent transport systems — Lane keeping assistance systems (LKAS) — Performance requirements and test procedures
ISO 17361:2017. Intelligent transport systems — Lane departure warning systems — Performance requirements and test procedures
ISO 19638:2018. Intelligent transport systems — Road boundary departure prevention systems (RBDPS) — Performance requirements and test procedures
ISO 21202:2020. Intelligent transport systems — Partially automated lane change systems (PALS) — Functional/operational requirements and test procedures
L1 longitudinal
ISO 15622:2018. Intelligent transport systems — Adaptive cruise control systems — Performance requirements and test procedures
ISO 15623:2013. Intelligent transport systems — Forward vehicle collision warning systems — Performance requirements and test procedures
ISO 20035:2019. Intelligent transport systems — Cooperative adaptive cruise control systems (CACC) — Performance requirements and test procedures
L2
ISO 21717:2018. Intelligent transport systems — Partially Automated In-Lane Driving Systems (PADS) — Performance requirements and test procedures
L3
ISO/WD 23792-1. Intelligent transport systems — Motorway chauffeur systems (MCS) — Part 1: Framework and general requirements
L4
ISO/CD 22737. Intelligent transport systems — Low-speed automated driving (LSAD) systems for predefined routes — Performance requirements, system requirements and performance test procedures
Parking
ISO 20900:2019. Intelligent transport systems — Partially automated parking systems (PAPS) — Performance requirements and test procedures
ISO/AWI 23374. Intelligent transport systems — Automated valet parking systems (AVPS) — System framework, communication interface, and vehicle operation
Safety
ISO 19237:2017. Intelligent transport systems — Pedestrian detection and collision mitigation systems (PDCMS) — Performance requirements and test procedures
ISO 22078:2020. Intelligent transport systems — Bicyclist detection and collision mitigation systems (BDCMS) — Performance requirements and test procedures
ISO/AWI 23375. Intelligent transport systems — Collision evasive lateral manoeuvre systems (CELM) — Performance requirements and test procedures
ISO/CD 23376. Intelligent transport systems — Vehicle-to-vehicle intersection collision warning systems (VVICW) — Performance requirements and test procedures
ISO 19206-1:2018. Road vehicles — Test devices for target vehicles, vulnerable road users and other objects, for assessment of active safety functions
ISO 22839:2013. Intelligent transport systems — Forward vehicle collision mitigation systems — Operation, performance, and verification requirements
Other National Norms
Singapore's Standards Council has published a set of provisional national standards to guide the development and deployment of fully autonomous vehicles. Technical Reference 68 (TR 68) promotes the safe deployment of fully autonomous vehicles in Singapore, said a joint release from Enterprise Singapore (ESG), Land Transport Authority (LTA), Standards Development Organization, and the Singapore Standards Council (SSC).
How about security?
Safety needs security, but current functional safety norms do not address cybersecurity. ISO/IEC 27001 is the basic information security standard defining information security management. ISO/IEC 27002 extends this with a code of practice for information security controls. ISO/IEC 15408 establishes a basis for the evaluation of security properties of IT products. ISO/SAE DIS 21434 will be the first standard dedicated to cybersecurity of road vehicles and is currently under development. According to SAE, this document specifies requirements for cybersecurity risk management regarding engineering for concept, development, production, operation, maintenance, and decommissioning for road vehicle electrical and electronic (E/E) systems, including their components and interfaces. A framework is defined that includes requirements for cybersecurity processes and a common language for communicating and managing cybersecurity risk. The document is applicable to series production road vehicle E/E systems, including their components and interfaces whose development or modification began after the publication of the document. It does not prescribe specific technology or solutions related to cybersecurity.
ISO/PAS 5112 adds guidelines for auditing cybersecurity engineering in road vehicles.
Why so many different norms for vehicle automation?
Because there is no one-size-fits-all norm. ISO 26262 was adapted from the general functional safety standard IEC 61508 to cover all safety-relevant automotive electrical and electronic systems. Initially, software was only addressed superficially until the 2016 update came out. ISO 21448 was originally intended to be a new Part 14 of ISO 26262 but then became a norm of its own to address the functionality of automation systems with surround sensing. UL 4600 then focused specifically on highly and fully automated systems in on-road and off-road applications by providing a framework for creating a comprehensive system-level safety case not limited to just passenger vehicles, thereby extending the other norms significantly.
Summary
The taxonomy developed by SAE has been adopted worldwide. Is it perfect? Absolutely not. But the levels are clearly defined and follow a logical structure that is easy to comprehend and use. Is it being used consistently? Unfortunately, also not. Autonowashing, derived from greenwashing, adds to the confusion when higher than actual levels of autonomy are implied or even called out by the manufacturer.
Standards extend the taxonomy to technical implementations and performance and safety requirements. ISO 26262 is the unarguable standard for automotive functional safety as it sets clear reliability and safety targets. It focuses on avoiding design faults and on mitigating the effect of faults during operation but lacks an approach for functional safety of systems that rely on environment perception and are thereby subject to external influences. ISO 26262 was therefore extended by ISO 21448. ISO 26262 covers functional safety in the event of system failures. ISO 21448 covers safety hazards on the functional level that may occur without system failure. Furthermore, UL 4600 was added specifically to cover Level 4/5 systems. These norms now conceptually cover all aspects of driving automation development except for security — which is covered by the ISO 2700x family.
Are standards mandatory? Usually not directly: standards are not laws or mandatory regulations but rather a collection of industry best practices. Compliance with standards is, however, often required by law or regulation.
Legislation addressing driving automation is handled differently in different regions of the world. In the US, a patchwork of state laws and regulations has grown due to a lack of federal regulations. Germany aims to take leadership by passing a law to allow level 4 systems (which have been legal and are being tested in the US for years).
Final thoughts
Where do we stand today — in 2022?
The SAE levels have been widely adopted but are being used inconsistently. Media and companies need to use the levels consistently and correctly, whether they like them or not. Stop Autonowashing!
Standards provide a useful collection of best practices and are highly relevant to manage consumer, customer, and regulator expectations! Smaller companies and those in developing regions should adhere to standards as well to gain traction!
The global and local patchwork of laws and regulations needs to be fixed! I can drive a car across the US, but different (or no) regulations apply across different states. Europe is taking a cautious approach and needs to become more agile to catch up with level 4 development (if it’s not too late). Mandated data collection must account for effects such as road type, vehicle age, driver bias, ODD, etc., to avoid implicit statistical manipulation of the results.
Thank you, Bryant Walker Smith for your input and feedback.
Change log:
February 1, 2021: ISO 19206 and ISO/TR 4804 added. Thank you, Martin Holder for pointing to these norms.
February 2, 2021: ISO 10218, IEC 62061, ISO 15998, ISO 6165, ISO 25119, EN 5012x added.
September 30, 2022: added UN/ECE R155, R156, R157, IEC 62061, ISO 25119, ISO 3691, ISO 5112, ISO 24089, TISAX, ISO 15623, ISO 22839.