Deliverable D2.2 Draft and Results From Pilot Application of Draft Cop
Deliverable D2.2 Draft and Results From Pilot Application of Draft Cop
Deliverable D2.2 Draft and Results From Pilot Application of Draft Cop
Ares(2020)2000219 - 09/04/2020
Deliverable D2.2 /
Draft and results from pilot application of
draft CoP
Version: 1.0
Dissemination level: PU
Lead contractor: BMW
Due date: 31.10.2019
Version date: 02.04.2020
Authors
Coordinator
Aria Etemad
Volkswagen Group Research
Hermann-Münch-Str. 1
38440 Wolfsburg
Germany
Phone: +49-5361-9-13654
Email: aria.etemad@volkswagen.de
Project funding
Horizon 2020
ART-02-2016 – Automation pilots for passenger cars
Contract number 723051
www.L3Pilot.eu
The information in this document is provided “as is”, and no guarantee or warranty is given that the
information is fit for any particular purpose. The consortium members shall have no liability for
damages of any kind including, without limitation, direct, special, indirect, or consequential damages
that may result from the use of these materials, subject to any liability which is mandatory due to
applicable law. Although efforts have been coordinated, results do not necessarily reflect the opinion
of all members of the L3Pilot consortium.
© 2020 by L3Pilot Consortium
1 Introduction 1
1.1 Motivation for the L3Pilot project 1
1.2 L3Pilot Objectives 1
1.1 Approach and scope 3
6 Conclusion 121
Annex 1 Report of the L3Pilot SP “Methodology” on test and evaluation of ADF 131
Objective data collection 131
Subjective data collection 140
Figure 1.1: SAE Levels of Driving Automation J3016 (Copyright 2014 SAE International). .... 2
Figure 1.2: L3Pilot approach and the mechanism for deployment. ........................................ 3
Figure 1.3: L3Pilot testing areas and cross-borders............................................................... 4
Figure 2.1: Scope of the CoP-AD. ......................................................................................... 7
Figure 3.1: Development phases that have been proposed in deliverable D3.1 ....................10
Figure 3.2: Development phase applied in the draft CoP-AD. ...............................................11
Figure 3.3: Categories used for the draft CoP-AD. ...............................................................12
Figure 4.1: Development phase applied in the draft CoP-AD. ...............................................14
List of tables
Table 3.1: Overview of topics of the CoP-AD categories and the corresponding chapters ....12
Table 5.1: Overview on topics of the CoP-AD that are relevant in L3Pilot. ..........................111
Table A1.1: Overview pros and cons for different objective data collection tools by SP3. ...131
Table A1.2: Rating of the suitability of different objective data collection tools (1 of 3) ........133
Table A1.3: Rating of the suitability of different objective data collection tools (2 of 3) ........135
Table A1.4: Rating of the suitability of different objective data collection tools (3 of 3) ........137
Table A1.5: Overview pros and cons for different subjective data collection tools by SP3. .140
Table A1.6: Rating of the suitability of different subjective data collection tools (1 of 2) ......141
Table A1.7: Rating of the suitability of different subjective data collection tools (2 of 2) ......142
The data collected in these extensive pilots will support the main aims of the project to:
● Lay the foundation for the design of future, user-accepted, L3 and L4 functions, to ensure
their commercial success. This will be achieved by assessing user reactions, experiences
and preferences of the AD functionalities.
● Enable non-automotive stakeholders, such as authorities and certification bodies, to
prepare measures that will support the uptake of AD, including updated regulations for the
certification of vehicle functions with a higher degree of automation, as well as incentives
for the user.
● Create unified de-facto standardised methods to ensure further development of AD
applications (Code of Practice).
● Create a large databank to enable simulation studies of the performance of AD over time
which can’t be investigated in road tests, due to the time and effort needed. The data will
be one product of the pilots.
The L3Pilot consortium brings together stakeholders from the whole value chain, including:
OEMs, suppliers, academic institutes, research institutes, infrastructure operators,
governmental agencies, the insurance sector and user groups. More than 1,000 users will
test approximately 100 vehicles across Europe with bases in 10 European countries,
including: Austria, Belgium, Finland, France, Germany, Italy, Luxembourg, the Netherlands,
Sweden, Spain and the United Kingdom, as shown in Figure 1.3. The project will last for 48
months, and includes 18 months of road tests.
Since the development of ADF, especially at SAE L3, is fairly well progressed, the aim is not
only to pilot the functions, but also to study user preferences, reactions and willingness to
use vehicles equipped with AD applications. This information leads the consortium to create
plans for the market introduction of AD. The L3Pilot concept can be split into the following
two large parallel, but intertwined, activities:
(i) Development of test and evaluation methodologies, and actual testing and evaluation of
L3 and L4 ADFs. In this scientific part, a variety of controlled experiments will be carried out
in the three pilot areas shown above (see Figure 1.3).
(ii) Promotion of the project work for maximum impact. This includes dissemination of the
project results, and communication to the public, through showcases, to accelerate
deployment of AD.
The European research project L3Pilot combines different activities. The main objective of
this deliverable is to report on the draft version of the Code of Practice for automated driving
(CoP-AD). The CoP-AD is to provide comprehensive guidelines for supporting the
automotive industry and relevant stakeholders in the development of automated driving
technology. The guidelines are derived from knowledge gained in the industry as well as
from collected best practices on this topic. Thus the CoP-AD includes the following aspects:
Collection of best practices on the topics that have been identified as relevant to L3Pilot;
A typical process for the development and release of an automated driving function;
Safety aspects and methods to confirm the safe operation of automated driving
functions;
It is important to note that this document presents only the draft version of the
CoP-AD. The main purpose of this document is to be the basis for discussion
and preparation of the final CoP-AD. All of this report’s findings are therefore
intermediate results that are still under discussion and will be subject to a future
review. The final version of the CoP-AD will be published in the upcoming L3Pilot
deliverable D2.3.
The document is structured as follows: After a general introduction to the L3Pilot Project, the
history of the Code of Practice is outlined and its scope for automated driving is described.
The third chapter presents the approach for the COP-AD and clarifies the adaptations that
have been necessary during the compilation of the CoP-AD as compared to the initial plan
presented in deliverable D2.1 (Wolter et al., 2018). The draft version of the Code of Practice
for automated driving is described in chapter four. The final chapter reports on the application
of the CoP-AD within L3Pilot. Note: As a reminder, the L3Pilot project does not cover the
entire development process of the vehicle. Thus the description of the application is limited to
topics actually covered as part of L3Pilot. A second aspect that must be considered is that
the L3Pilot project continues after the publication of this deliverable. Accordingly, this
document only contains a snapshot of the current status of the L3Pilot project at the time of
its writing and publication.
Europe
Extent to selected non-
EU regions
Extent to driving
scenarios in urban /
Motorway & Parking rural environment
This chapter describes the development process of the CoP-AD, beginning with a recap on
the CoP-AD framework as described in the L3Pilot deliverable D2.1 (Wolter et al., 2018).
Over the course of the project, certain updates related to the development phase and
categories have been necessary. These updates of the framework are described and
combined with an overview about the categories and topics of the CoP-AD.
Figure 3.1: Development phases that have been proposed in deliverable D3.1 (Wolter et al.,
2018).
A consensus was reached over the course of the work that merging two pairs of phases to
two single phases would improve the structure and comprehensibility of the CoP document
without leading to a loss of content (see Figure 3.2). The main changes are:
● “Concept Selection Phase” and “Proof of Concept Phase” are merged to one phase
“Concept Selection”, since the covered time frame of the “proof of concept” is rather short
and it can be seen as the final step of the concept selection;
● “Verification” and “Validation & Sign off” are merged to one phase “Validation &
Verification”, which still includes the sign-off process; the reason is to avoid confusion
between the two phases.
1Please note that in this deliverable the term “driver” also covers users outside the vehicle that are operating the
vehicle.
The CoP-AD covers 22 different topics overall. The following table provides an overview of
the different topics and the related categories.
Table 3.1: Overview of topics of the CoP-AD categories and the corresponding chapters
Category Topics
Overall Guidelines and ● Minimal Risk Manoeuvre (4.1.1)
Recommendations ● Documentation (4.1.2)
● Existing Standards (4.1.3)
ODD Traffic System & ● Automated Driving Risks and Coverage of Interaction with Mixed
Behavioural Design Traffic (4.3.1)
● V2X Interaction (4.3.2)
● Traffic Simulation (4.3.3)
● Ethics & Other Traffic-Related Aspects (4.3.4)
This chapter presents each question of the draft CoP-AD in the design of a card. The sub-
chapters are structured by the CoP-AD categories and topics. All cards follow a template
presenting the main question, possible sub-questions and the relevant development phases.
Each card is followed by a short explanation of the questions, which can also include hints
regarding relevant literature.
The cards with the CoP-AD questions are presented according to this template:
In the upper left corner question is identified by a three-part ID X-Y-Z. The first “X” denotes
the category (0 - 4). The second, “Y” denotes the topic of the category. With the third, “Z”, the
number of the questions in the topic is identified. The cells on the upper right hand side are
intended to mark the development phase, for which the question is relevant. The colours
correspond with the previously defined development phases (see Figure 4.1). An abbreviated
title for each development phase has been used for improved readability of the template, e.g.
the Definition Phase is abbreviated to DF.
The cell on the left side includes the main question, which should be answered by indicating
yes or no. In addition to the yes/no answer, there is room to elaborate more on the answers,
e.g. to describe why the question has not been considered in the ADF development process.
On the right side the cell can include (several) sub-questions that are related to the main
question. These sub-questions have two purposes: 1) they should indicate relevant sub
topics of the main question 2) they should support you in answering the main questions.
Following each main question you can find – depending on the question – additional
explanations on the question and relevant literature references.
Different characteristics for initiation and not-initiation of a MRM depending on the TOR
status (not issued, issued and noted, issued and not noted), automation level (level 3 or 4)
and the driver reaction (no reaction, reaction) are possible. In the following it is focused on
characteristics in which a TOR is issued and driver does not react. There could be two
different sequences for initiation of a MRM. In the first the ADF initiates a take-over request
(TOR) and at the same time MRM. In the second the MRM starts just after TOR fails and the
ADF does not detect any driver response. The TOR is a key consideration for a level 3 or
level 4 ADF. Information about the design of HMI can be found in chapter 4.5. The take-over
request must be carefully considered and designed, thus reducing the likelihood that the
MRM will need to be activated. This aspect is also of relevance, when considering SOTIF
(see chapter 4.4.4).
For more information please check:
● “Safety first for automated driving” (Wood et al., 2019).
The MRM only becomes relevant when the ADF reaches its limits. Therefore, it is likely that
not all information that the ADF would provide in normal conditions will be available for the
MRM to use. It is important to compare exactly what information is available from the sensors
at this moment in time and what information is required in order to execute the MRM. If
significant gap is detected between available and required information, measures need to be
taken to ensure it is minimised.
For more information please check:
● NHTSA’s “Framework for Automated Driving System Testable Cases and Scenarios Final
Report” (Thorn et al., 2018);
● “Safety first for automated driving” (Wood et al., 2019).
Once a concept has been decided on, it must be ensured that the MRM is correctly
implemented. For this purpose, different verification steps are required in order to prove
completeness and correctness.
For more information please check:
● Thatcham Research Report (Thatcham 2018);
● “Safety first for automated driving” (Wood et al., 2019).
In order to perform these verification tests, the test cases for the MRM need to be defined
beforehand. When defining the test cases, it must be ensured that they cover the entire
operation of the MRM including different traffic and environmental conditions. Furthermore, it
must be defined, which test methods (test track, simulation etc.) shall be applied for testing
the MRM.
4.1.2 Documentation
This sub-chapter deals with the documentation of results. The main purpose of the
documentation is to enable a later comprehension of the ADF’s capabilities, performance as
well as decisions made during the development.
Documentation is not only relevant for internal purposes, but can also be relevant for external
stakeholders, i.e. for homologation and certification of the ADF and liability issues.
Documentation does not mean explicitly that any kind of information is stored, it means that
information that is relevant today or might become relevant at a later stage shall be stored.
The following questions focus on the documentation in the context of test activities. This
does not mean that other development related information does not need to be documented.
This information is not covered by this document, since it is expected that this is defined by
company internal rules, which follow for instance the ISO 9001 (ISO 9001 2015), or external
The first question focuses on whether all test related aspects (test plan, test execution and
test result) have been documented properly. The term “test” covers the test and evaluation of
the ADF capabilities as well as the general validation & verification of the ADF including the
validation of design decisions. In addition to the test activities, the documentation shall cover
updates of the test plan, and for comprehensibility, it is also recommended to document the
reasons for these changes.
In case documentation of test activities needs to be shared with external stakeholders, i.e. for
homologation or certification purposes, it shall be checked, whether the documentation
format complies with their requirements.
Are (industry) standards and best practices Have / Are relevant standards and best
according to their current availability been practices (according to their current
followed? availability) been identified and evaluated?
( ) Yes / ( ) No
A non-complete list of example safety standards that are relevant in the context of ADF
development based on (Wood et al., 2019) is given below:
● Endangerment caused by the intended function (e.g. due to sensor performance
boundaries), ISO PAS 21448 “SOTIF“(ISO 21448 2019)
● Foreseeable misuse, ISO PAS 21448 “SOTIF“(ISO 21448 2019); ISO 26262 “Functional
Safety“ (ISO 26262 2018)
● Malfunctions due to e/e defects and systematic programming- and design errors, ISO
26262 “Functional Safety“(ISO 26262 2018)
● Deliberate manipulation of the system from security point of view, ISO/SAE 21434 „Road
Vehicles – Cybersecurity Engineering“ (ISO 21434 20XX)
● Influences from the (traffic) environment, ISO PAS 21448 “SOTIF“(ISO 21448 2019)
● Influences from the humans behaviour, ISO PAS 21448 “SOTIF“ (ISO 21448 2019)
The state of the art is changing over time. Therefore, the compliance with this question
requires a constant review and update process.
There are other related topics that are not covered in detail by the CoP-AD. For those topics
please have a look at previous CoP deliverables, Response 3 (Knapp et al., 2009) and
Functional requirements identify what the ADF should do. These can be conceptualised with
use cases or other specific functionalities that define what an ADF is supposed to
accomplish.
Functional requirements include descriptions of the ADF and detail the data to be held in the
ADF. Features needed to achieve the required functionality should be as specific as possible
including any limitations specific to the ODD.
Non-functional requirements specify how the ADF should work. These can be conceptualized
mainly with performance requirements, design constraints and quality attributes.
Non-functional requirements usually detail constraints, targets or control mechanisms related
with the qualities of the ADF and its success. They describe how well or to what standard an
ADF should be provided. In principle those requirements are difficult to measure and test.
Therefore, experience in the look and feel of the ADF as well as safety, security and privacy
requirements play an important role.
The core technical requirements for ADF must be addressed. Those requirements should be
the basis of operational approval. Meeting the key requirements and achieving operational
approval will determine whether the ADF is complying with the specifications and rules. For
example in addition to yes/no questions, it is helpful to explain how the requirements are met.
This can be done by describing the ADF by design and by providing a brief overview of the
system architecture focusing on items maximizing performance, reliability and overall system
stability.
The main purpose of the question is to formulate a runtime representation of the operational
domain in which the requirements are linked with the ODD elements and the system
functionality. To ensure that the complete system is built according to the laid out
requirements a design methodology is required. Model Based Systems Engineering (MBSE)
is one such engineering technique that exploits the use of models to define and analyse a
system. The MBSE approach is highly recommended by ISO 26262.
Modelling is a way to deal with the limitations of document-based approaches while being
capable of identifying problems and reducing the risk of having ambiguous requirements.
MBSE is utilising a System Modelling Language (SysML) which can use requirements
diagrams to efficiently capture functional, performance and interface requirements.
Fundamental to AD is the need to be safe even as real-life driving context changes. At the
same time operation under certain conditions and states should also be considered. Here, it
is assumed that there is redundancy in the system so that the ADF can always perform a
fallback. Therefore, any additional information relevant to the safe operation of the vehicle
must be effectively communicated to the driver. A simulation-based testing methodology
provides a structured approach to evaluate the operation state of the system in a wide variety
of operating conditions. Generally accepted operational scenarios may be considered the
following:
● Not operational – ADF not available
● Operational without notifications – ADF available but unobservable state
● Operational with some notifications – ADF available with limitations on the state
● Operational with all notifications available – ADF available
ADFs are limited in the way their algorithms react on sensor and other hardware malfunction.
Measures must be provided that ensure that risks are minimised when systems fail to work
as intended. The ADF must be robust to uncertainties e.g. when system encounters an
exception or other situation for which it was not designed for. Please consider in this context
also the Safety of the Intended Functionality (SOTIF) (see chapter 4.4.4).
Each level has a specific set of safety requirements that an ADF must meet before it can be
considered to operate at that level. The safe state of an ADF heavily relies on the situation in
which the state has to be maintained or reached. Low levels of automation rely on the human
driver in order to maintain a safe state. Higher levels of automation do not rely on the human
driver as fall back solution but they are also limited by ODD. Higher levels of automation
need more intelligence in processing, sensing and monitoring requirements. This results to
higher computing requirements to execute more complex software. From fully manual to fully
automated capabilities, the SAE’s approach to automated driving remains the industry’s most
widely accepted classification system. Please consider in this context also the Safety of the
Intended Functionality (SOTIF) (see chapter 4.4.4).
Such a list is unlikely to be complete, but an attempt to compile a list can be a starting point
for listing all possible considerations and help to ensure that ODD requirements do not
contain crucial gaps due to missing information. This list can be enhanced based on
significant experience and can prove essential for ensuring safe real-world operation.
While any such question is unlikely to be answered completely, the question can serve as a
starting point to ensure that ODD verification efforts for the ADF do not contain crucial
process gaps. A conventional strategy on vehicle level should include:
● Requirements-based verification of function, sub-functions and components.
● Validation of a typical fail-operation function with all redundant components capable of
performing safe state transitions.
Whatever verification targets are set, the complexity of vehicles and their environment will
make testing challenging at a fundamental level. An essential next step will be finding ways
to manage the complexity of verification without missing critical effects that may cause
unexpected results. It is important to understand that the automated driving domain is
changing rapidly and all actors need to track emerging technology trends. Therefore, by
using a verification strategy, we maintain a consistent approach of identifying risks,
implementing solutions and verifying their effectiveness.
An important goal for automated vehicle systems is to reduce the potential of risks occurring
during operation. Especially for safety assurance at all levels from individual components and
subsystems to the vehicle as a whole, a safety assurance methodology must be introduced.
Such methodology could include pre-market testing, design and manufacturing processes,
performance criteria and standards conforming to national guidance before system
deployment.
A typical ODD approach defines a limited number of performance expectation criteria which
allow the system designers to assess in terms of the ability to achieve the overall desired
operational capability within the ODD. The minimum performance criteria define how the
ADS is expected to perform and that all aspects of the ODD have been addressed either by
ensuring safe system operation or by ensuring that the system can control and mitigate any
exemptions beyond the defined ODD.
Perhaps the most logical way to assess an automated vehicle is to drive it in real traffic and
observe its performance. If an ADF system is expected to detect whether it has left the ODD,
then it must be able to monitor the ODD at runtime. Even after a vehicle is released a
mechanism to monitor performance results or safety trends by collecting the vehicle’s safety
data should be included as a next step. Developers of automated vehicles rely upon this
approach to evaluate and improve their systems
An automated system is not enabled by one single technology or component, but rather by a
combination of technologies. Numerous lessons could be learned during the development
and deployment of AD systems. A strategy must exist to explore and highlight challenges
associated with the deployment of the system in real-world.
4.2.2 Scenarios and Limits
Depending on the automation level (SAE 2018), each ADF will face certain restrictions as
part of its specification. These restrictions define the ODD of the ADF. Most of the restrictions
will be defined intentionally and are known, but it can be expected that there will be cases
where the intended ODD is either “smaller” or “larger” than the implemented ODD. Potential
causes for such inconsistencies could be for instance technical limitations of ADF (sensors,
logic, and actuators) or unexpected driving scenarios, which have not been considered
The ODD summarises operating conditions under which the ADF is specifically designed to
function. The ODD is comprised of elements that can be allocated to different categories
including, but not limited to, environmental, geographical, time-of-day restrictions, and/or the
required presence or absence of certain traffic or roadway characteristics (SAE 2018). In
addition, all objects classes which the driving automation function shall respond to must be
defined in the ODD.
Defining a consistent ODD is one of the key success factors for an ADF. For every element
in the ODD, the possible values or parameter ranges must be defined, e.g. the illumination
can be limited to values greater than 500 lx, to ensure that the driving automation function (or
feature) only operates during day time. The ODD might however change during the
development due to newly discovered limitations or changes in the development. In this
case, it is not feasible to cover the originally defined ODD any longer. Therefore a constant
review of the function limits in relation to the ODD is necessary. One indicator is an
inconsistent behaviour of the vehicle function while driving with an activated ADF.
An ADF that operates outside of the ODD can instil false customer trust and overconfidence.
In order to identify limits and update the specification accordingly the identification of relevant
driving scenarios is required. Apart from “black box testing” of an integrated function, which
involves real world testing to try to find potential issues based on real world traffic in a
representative environment, there are several other approaches that can be applied to test
for such limitations at an early stage of development. One approach is to identify corner and
edge cases combined with robustness tests (e.g. by introducing noise). The underlying
assumption is that if the ADF can deal with these, it will also be capable of dealing with less
critical scenarios. Thus, it is necessary to expose the ADF to a repeatable set of driving
scenarios, an activity for which a simulation environment is most suitable.
In addition to the approach in 1-2-6 the application of a test catalogue supports reuse of past
experiences and company / vehicle specific test sets. A test catalogue will also be needed for
regression testing to re-run past tests for a system after a modification has been introduced
during development.
The tests should be defined in a way that they address all definition layers of test – ranging
from functional via logical up to concrete test scenarios. Additional information regarding this
topic is provided by the PEGASUS project (PEGASUS 2019).
4.2.3 Performance Criteria and Customer Expectations
This topic covers the performance criteria for the ADF developed as well as the customer
expectations of the ADF. The link between both aspects is required since the customer will
need to be supported in order to have an understanding about the ADF’s performance and
his or her role and responsibilities during automated driving (ITF 2018).
This question addresses the importance of considering customer expectations, which can be
translated to requirements when setting performance criteria for the ADF to be developed.
Customer expectations may cover a wide spectrum, not considering only comfort but also
safety, usability, controllability, acceptance etc. Additionally, customer’s abilities and
limitations shall be identified, considering different learning curves. In order to identify these
aspects, it may be relevant to segment the customers / users groups identified. Finally,
reflecting customer feedback refers to the information which can be obtained after
deployment and which can be fed into the next development or ADF update. These factors
shall be addressed at the definition phase.
Additional information regarding this topic is provided by:
● International Transport Forum “Safer Roads with Automated Vehicles” (ITF 2018).
A validation and verification concept is required to ensure that the targets that were defined
in the design phase can be met. Therefore, the validation and verification concept must be
implemented. This validation and verification shall include not only the performance criteria
As part of the validation phase, it is necessary to review whether the customer requirements
are in line with their expectations. Those expectations can evolve over time alongside with
the user’s driving experience. A higher level of driving experience might lead to evolving
capabilities of the user based on different learning curves (Abbink et al., 2018).
Additional information regarding this topic is provided by:
● A Topology of Shared Control Systems – Finding Common Ground in Diversity (Abbink et
al., 2018).
4.2.4 Architecture
An architecture framework for an ADF is made by several standardised viewpoints, among
which typically a functional, a logical and physical architecture. As the complexity of software
and hardware integrated in vehicles grows, there is an increasing need to plan and verify the
architecture starting from the early development stages, to ensure safety and to reduced
development risks and costs. The questions in this section aim at highlighting fundamental
steps in the development and validation of the architecture at vehicle level, with a focus on
assuring safety when the ADF finds itself outside its ODD a detailed example of a testing
architecture and a scenario-based test framework for ADF features can be found in Thorn et
al., 2018.
However, the process of choosing an architecture includes going through different views, and
finally identifying the physical function elements capable of performing the desired AD
functions and identifying the physical interfaces capable of carrying the required data flows.
One of the critical aspects of developing an ADF is the interaction with its user, as the
function must be developed to be easily and safely operated by the user, and therefore one
of its critical elements is the HVI. Because of its relevance, a section of this CoP is devoted
to display and control concepts, i.e. the human-vehicle-integration (HVI – Section 4.5). In
According to ISO 15288:2015 (ISO15288 2015), ‘the purpose of the Architecture Definition
process is to generate function architecture alternatives, to select one or more alternative(s)
that frame stakeholder concerns and meet function requirements, and to express this in a set
of consistent views’. At the end of the process, the optimal physical architecture should be
selected that implements all the stakeholder and function requirements. To select the final
architecture, criteria to compare the produced candidates should be defined and the
selection criteria should also be documented. A more detailed elaboration on architecture
selection activities can be found in (INCOSE 2015), where possible criteria for selection are
listed, together with additional activities like assessments, risks analysis, prototypes, etc.
which are generally performed in parallel to obtain “proven” requirements.
Purpose of this question is to ensure that the rationale for the final architecture, i.e. not only
requirements but also decision activities and steps, is recorded for later steps and to ensure
traceability. This allows design validation of the architecture against its specification. In later
iterations architectural decisions can still be understood and can be maintained or changed
based on the defined target.
Once the ODD is defined, the Object and Event Detection Response (OEDR) capabilities
must be specified. OEDR refers to ‘the subtasks of the DDT that include monitoring the
driving environment (detecting, recognizing, and classifying objects and events and
preparing to respond as needed) and executing an appropriate response to such objects and
events (i.e., as needed to complete the DDT and/or DDT fallback’ (SAE 2018)).
ODD and OEDR allow the derivation of logical scenarios. Logical scenarios, in combination
with requirements, form the input for testing the architecture response. Thorn et al., (Thorn
2018) suggests three testing techniques, i.e. modelling and simulation, closed-track testing
and open-road testing, which constitute a three-pillar approach becoming a standard in
validating complex ADF features. Test procedures can vary depending also on the selected
tools, but should always aim at “achieving repeatability, reliability, and practicality” (Thorn
2018).
The SAE J3016 standard (see end of the Section) describes the classification for road-bound
vehicles with autonomous driving functions. Each of the six defined levels is classified by the
(minimum) requirements on how much the driver has to be involved in the Dynamic Driving
2 ODD limit includes here also the continued operation during a take-over request until the driver has taken over
the control or a minimum risk manoeuvres start. Operation during the minimum risk manoeuvre shall be also be
covered in an appropriated way.
Ensure that the required interfaces of the function(s) to backend solutions are considered. By
doing this, the function(s) integrity is ensured for a specific context. An interface Control
Document should be available. Additionally, relevant documentation for functional safety and
cybersecurity (item definition, safety case, safety manuals, cybersecurity case, …) can
support safety and cybersecurity analyses. The functional safety concept and the
cybersecurity concept of the different involved systems, if safety and/or security relevant,
should be analyzed for consistency.
The architecture and the ADF shall be designed to satisfy additional non-functional
requirements from different disciplines and standards, of which most relevant are
requirements regarding safety, security and maintenance. Since such aspects have a huge
impact on the architecture and ADF design, the entire section 4.4 “safeguarding automation”
addresses these cross-functional topics.
The purpose of this question is to investigate whether the mapping and allocation of the
desired functions or sub-functions to physical components is done properly. In addition it
checks if the selected ADF elements are reviewed to be capable to satisfy the defined
functions.
In the case a tool is used in the development of ADF, confidence in the use of the selected
tool is required. For software, confidence is achieved if the tool effectively minimises the risk
of systematic faults in the developed product, and the development process and the tool
complies with the processes of ISO 26262 (ISO 26262 2018). To evaluate the confidence of
a software tool in the development, following criteria shall be considered:
● the possibility that a malfunctioning software tool could produce erroneous outputs, which
could in turn:
● introduce errors in the function being developed;
● prevent errors in the function being developed to be detected; and
● the confidence in preventing or detecting such errors in the output.
Unfortunately the ISO 26262 standard does not address evaluation of HW tools, like
measurement equipment, reference systems for data collection. Nevertheless, the
verification strategy and the test equipment should be checked through a Functional Safety
analysis.
4.2.5 Testing
At different stages of the development process the ADF needs to be assessed regarding the
technical capabilities, verified with respect to the compliance with the function requirements
and to be validated regarding their design. All these steps require testing by means of one or
more test tools (field test, test in controlled environments like test tracks, driving simulators,
computer simulation etc.).
The following question shall support a safe testing of ADF and cover the entire range from
the development of the test concept up to the execution of the tests with the ADF.
Furthermore, they are defined independently of the used test tool. However, not all sub-
questions are equally relevant for each test tool.
Before the actual tests are performed, a test concept shall be defined which states the
respective purpose for the different tests and the various aspects that need to be tested.
First, the technical maturity of the ADF shall be tested at different stages of the development
and before the market introduction in order to ensure a safe enough operation of the ADF in
its ODD. Depending on the stage (e.g. first test in a closed environment, start of on-road
testing, market introduction), different safety thresholds might apply while testing.
Nevertheless, at any time all feasible measures must be taken in order to reduce the
potential risk for all involved persons to the technical minimum. The test concept needs to
include and detail the safety measures which must be taken while carrying out the test.
The test concept shall define the tests, which are required in order to verify that the function
meets its requirements. The requirements can be internal ones as well as external require-
ments that are relevant for the homologation or certification of the ADF in a market. The
homologation / certification of an ADF might require specific tests in certain markets. It must
be ensured that these tests are covered by the test concept.
When the tests are due to be carried out, it becomes necessary to specify the tests in more
detail. This automatically leads to the question, whether a certain test has been specified in a
proper manner. For this purpose, the specification shall include information about the
following items:
● The parameters to be tested must be specified. It is important that the parameters are in
line with the scenarios the ADF will encounter in its ODD. Therefore, it must be analysed
before the test, which situations and parameters occur in the ADF’s ODD.
● Depending on the test, the test amount (e.g. number of repetitions, number of test
persons, driven mileage, driven time) needs to be defined. It is important that the amount
of testing is chosen in a way that it ensures sufficient data to run a solid analysis. The test
amount covers also the duration of each test.
● The success criteria for a test must be defined. This could be a single criterion or multiple
criteria. It shall be also defined under which conditions a test needs to repeated or re-run.
● Guidelines on the test execution shall be defined in order to minimise the risk of false test
execution, which typically leads to useless data.
● It shall be defined, which data and information of the test must be documented and how
the data are stored (see also chapter 4.1.2).
● If reference data are required for or measured in the test, these reference data shall be
clearly defined. This includes information, which data should be used as a reference and
how they are collected respectively by which tool they are measured.
● It shall be checked for the different tests, whether privacy aspects are relevant and how
these can be ensured during testing.
● In case certain interactions (e.g. interaction with other users, V2X interactions) are
simulated in test, since the test environment does not provide the real interaction, the
The tests have to be in line with the driving scenarios that the ADF will encounter while
operating in real traffic. Therefore, it is necessary to investigate the driving scenarios as well
as their parameters before defining the test parameters. A general concept for determining
relevant test cases has been developed for instance by the German research project
PEGASUS (PEGASUS 2019).
Since the scenarios to be tested depend strongly on the ODD of the ADF as well as the
technical capabilities of the ADF, first a description of the intended ODD and the function are
required. In the second step the test space and test cases can be defined.
The selected test cases should not only cover scenarios that occur frequently, it is also
necessary to test the ADF in rare scenarios – in particular if these rare scenarios could lead
to serious consequences. The test scenarios shall cover all operation conditions of the ADF.
These include scenarios, in which the function is not operating (ADF not available, ADF
ready to be activated, activation) as well as those in which the function is operating (ADF is
operating, ADF is deactivated). Within these conditions different modes or sub-conditions
could exist (e.g. deactivation by the user, deactivation by the function). If this is the case, the
sub-condition must also be covered by the tests.
Once the tests have been executed, the question, whether the test plan is correctly
implemented and followed, becomes relevant. While testing, different limitations or
constrains can occur that lead to intended or unintended deviations from the test plan.
Intended deviation might be necessary to overcome detected issues. In contrast the
unintended deviations might not be noticed. Therefore, it is strongly recommended to check
during the test execution as well as afterwards, whether the tests have been carried out
according to plan. This includes checking whether all relevant information has been
documented and stored correctly. If a deviation from the test plan has occurred, it should be
documented. The documentation should also cover the reasons for this deviation from the
test plan.
In the end it must be ensured that the required data for the sign-off, homologation or
certification process are available at required quality. If this is not the case, the tests need to
be repeated.
A test concept and test case description are the basis for the test. In order to prevent that the
concept and description do not stay abstract, testability of each test need to be checked and
ensured. In case the testability is not fulfilled, the test plan or description needs to be
updated or the test needs to be postponed in case of time limitations. It is recommended to
check the testability from the beginning in order to address issues as early as possible.
For the testability four primary aspects need to be assessed: test tool status, technical testing
requirements, status of ADF and the safety & security aspects.
A key aspect for the testing of ADF is to try to prevent any risk of material damage or
personal harm. It is also clear that there is no absolute guarantee that material damages or
personal harm can be prevented at all times. However, in the testing individuals involved
should take all necessary precautions to ensure the testing process is completed as safely
as possible.
These precautions which need to be taken are identified early on in the test planning
activities by conducting a risk assessment for the test. This risk assessment must also
include individuals that are not directly involved in the testing (e.g. other users of the test
track). This becomes even more relevant if tests are conducted on public roads, where other
road users (motorised as well as non-motorised road users) might not even be aware of the
ongoing tests. Before the testing it must be ensured that the planned safety measures are
available and operating successfully.
Furthermore, plans should be established that define how the individuals involved in the test
should react in case of a failure or malfunction. The test engineers should receive the
necessary training which informs them of the appropriate action to take in the case of an
issue during testing. In addition to training, it must also be ensured that the driver(s) have
the permission to operate the vehicle with the ADF at all times. Here, company internal rules
as well as governmental rules need to be followed.
During the testing national testing guidelines and regulations must be followed. Ideally, the
testing regulations have already been considered in the test concept and the test
specification. However, it is also important to double check them once the actual testing is /
has been planned, since they can change over time. Example testing guidelines are:
The application of simulation tools comes with some associated challenges. The challenge of
validation and verification is already addressed by the questions 1-5-5. However, there are
further aspects that need to be considered for the virtual testing:
● It must be decided in which way the ADF is represented in the simulation tool. The three
basis options are software-in-the-loop (SIL), model-in-the-loop (MIL) or hardware-in-the-
loop (HIL). For each options it must be ensured that the simulation tool provides the right
interface to connect the function to the simulation tool. It must be ensured that the function
makes use of the information provided by the simulation tool correctly.
● In addition to the type of simulation, it must be decided whether a test can be performed in
an open-loop manner (no feedback loop is required) or whether the test requires close-
loop testing. Close-loop testing requires a feedback loop from the environment and
vehicle back to the ADF. In simulation where the function is not in control of the lateral and
longitudinal movement of the vehicle, this feedback loop is typically the driver behaviour
model.
● The final aspect which needs to be considered is the testing and the primary objective of
the tests. For example, if learning algorithms are applied for the ADF, it must be clearly
distinguished between training data (information used to find the requested parameters),
validation data (information to evaluate the model fit) and test data (information used for
the evaluation). These data sets must be independent.
A challenge with simulation is how to deal with an ADF which has been developed using an
AI method. The primary sub-question related to the application of simulations in the context
of an AI based ADF is, to make sure the purpose or objective of the simulation has been
clearly defined; is the focus on testing or development? Depending on the answer different
measures can be taken. If the focus is on the testing activity, the major challenge is to ensure
a high coverage of the situation space that the ADF or the component being tested will
encounter while driving in its ODD. But if the focus is on the development, it must be further
distinguished between the development of the entire system or of single components. The
latter case requires modelling of the related components and inclusion of all models which
interact with this component. For the entire system this task becomes even more demanding,
not only do all components require modelling but also the environment and other traffic
participants need to be modelled in a correct and sufficient manner. Following on from this, it
must also be noted that the interaction between the ADF and other traffic participants needs
to be modelled. Regardless of the simulation objective (development / testing) the integrity of
the input data needs to be ensured in all cases.
This question addresses directly, whether all ADF related risks have been considered and
identified within the ODD. The sub-questions should assist the analysis of this main question.
They target specific risk types, which could occur within the ODD and prompt further
thoughts whether the risks have been fully understood. Additional information regarding this
topic is provided by:
● Safer Roads for Automated Driving (ITF 2019).
Focusing on the object detection and response capability of the ADF, this question verifies
whether the associated risks have been considered. The number of different types of objects
which need to be detected in mixed traffic is significant. The sub-questions refer to many
different object types that the ADF might encounter. Once an object is detected, it needs to
be classified. This step includes further risks. An incorrect classification may lead to an
incorrect response by the ADF. Additional information regarding this topic is provided by:
● Recent release of NHTSA’s “Framework for Automated Driving System Testable Cases
and Scenarios Final Report” (Thorn et al., 2019).
3 Corner cases are very important to consider when defining and validating an ADF. These are scenarios which
are of very rare occurrence within the ODD of the ADF, but the ADF still needs to be able to respond
appropriately. Often validation efforts will have a high amount of focus on these corner cases so that the failure
modes of the ADF can be assessed. If the ADF performs well in the corner cases, it is also highly likely that it will
perform well in the nominal or high occurrence scenarios. It can be very difficult to determine the corner cases for
the ADF as they can be very rare scenarios which one may never have experienced. During the validation of the
ADF, real world testing is a very good way of validating how the ADF performs in a wide range of these corner
scenarios.
The transfer of control is likely to be associated with risks for the ego vehicle as well as for
the surrounding traffic. There will be some scenarios in which a transfer of control is
inappropriate and / or a driver take-over should not be allowed until the ADF is well within its
limits. The transfer itself must be designed in a robust and intuitive way in order to ensure
that the driver has regained situational awareness. The HVI is a key component to com-
municate, whether the driver is responsible for controlling the vehicle or the ADF. Even if the
driver is fully in control of the vehicle, there is still a significant risk that the driver has not
completely regained situational awareness and will not respond appropriately to all
scenarios. It is important that these risks are considered over the entire for all scenarios.
Additional information regarding this topic is provided by:
● Safety first for automated driving (Wood et al., 2019).
In order to minimise risks it is vital that the failure modes of the ADF are identified and
mitigation strategies are put in place. Whenever possible, fail operational strategies should
be implemented in a way that the ADF can remain in control of the driving task for at least a
certain time without initiating an emergency handover. Significant risks are introduced as
soon as such emergency handover manoeuvres are required, since this limits the time period
for the driver to regain the necessary situational awareness. There may be several mitigation
strategies to handle individual failure modes. These should be considered and prioritised
depending on their effectiveness. Additional information regarding this topic is provided by:
● Recent release of NHTSA’s “Framework for Automated Driving System Testable Cases
and Scenarios Final Report” (Thorn et al., 2019).
4.3.2 V2X interaction
Communication with other vehicles and / or the surrounding environment is an important and
complementary technology that is expected to enhance the benefits of automation at all
levels (USDOT 2018). V2X or Vehicle-to-X-communications refers to the technology that
allows vehicles to communicate with other objects around them; V2X encompasses vehicle
to vehicle and vehicle to infrastructure (CATAPULT 2017).
This topic is addressing the V2X interactions that an AD vehicle may have to deal with. It is
not in the scope of this section to provide the details of which method may be used to deal
with them, such as WiFi-DSRC based systems or cellular network-based systems.
At the concept phase and based on the scope of the ADF to be developed, it is necessary to
identify all the interactions that the vehicle may have to deal with. This should be done in a
holistic manner, considering any possible interaction that may happen from strategic level
down to operational level, and considering any type of road user (vehicles, VRU’s…) and
infrastructure (buildings, traffic, overhead structure etc.).
Once the interactions have been identified, a high-level system architecture needs to be
defined in order to understand how the AD Function will be able to cope with them. This
process will support the understanding of the relationship with the external environment and
defining the ADF’s ODD (Thorn et al., 2018). In this context it is also necessary to
understand whether the function is available at any time within the ODD.
Additional information regarding this topic is provided by:
● Recent release of NHTSA’s “Framework for Automated Driving System Testable Cases
and Scenarios Final Report” (Thorn et al., 2018).
It is not in the scope of this question to address the requirements and details of the ADF and
sensor architecture, since there are already several related standards. Instead, this question
addresses how the identified interactions will be integrated into the sensor architecture. It is
expected that a plan drafts how each sensor will be able to deal with the different
interactions, including a validation strategy by means of appropriate testing. The plan should
also include a reference on how to address potential cyber security threats and consider
alternative strategies in case the required infrastructure is not available.
Some of these alternative strategies – like the back-up solutions can be considered as critical
scenarios, therefore it is expected that this plan includes a methodology / toolchain to identify
all of them.
Additional information regarding this topic is provided by:
After identifying the V2X interactions and developing a plan for its integration into the sensor
architecture, it is necessary to have a clearly defined strategy to validate and verify the
operation of the sensor architecture. This strategy should consider possible errors or failures
that could happen either due to external communications (e.g. network being down,
unavailable infrastructure) or internal events (e.g. sensor misdetection, sensor
communication delay…). Additionally, the development of appropriate countermeasures shall
be included.
At this stage it is important that the validation strategy considers appropriate testing methods
to provoke every identified potential failure, including countermeasures. A clear
documentation of the tests shall also be part of the validation strategy.
Additional information regarding this topic is provided by:
● Recent release of NHTSA’s “Framework for Automated Driving System Testable Cases
and Scenarios Final Report” (Thorn et al., 2018).
At the validation and verification stage, it must be ensured that the validation strategy of the
concept phase is implemented and followed (see chapter 4.2.5 testing). This testing shall
include proper documentation of tests and actions taken when failures happened, showing
the countermeasures taken and their effect.
At the validation and verification stage, it must be ensured that the validation strategy of the
concept phase is implemented and followed. This testing shall include proper documentation
of tests and actions taken when failures happened, showing the countermeasures taken and
their effect.
The technological state-of-the-art should be investigated during the definition phase. The
preliminary research is deployed in a wide range, which includes:
1. Studies of present toolchains or models in both research and industry, which may
provide the possibility to use exchangeable ADF, evaluation metrics and parameter
spaces suitable for the intended identification process, and could be applied in the traffic
flow simulation and response to the requirements of the simulation task (Hallerbach et
al., 2018).
2. Studies of ISO 21934-1, which provide a prospective safety performance assessment of
pre-crash technology by virtual simulation (ISO 21934 20XX).
3. Studies of benchmark activities, which is an action of gathering, analysing, and applying
information, measures or practices about the latest technology of simulation in the
automobile industry.
In addition to the sensor suite of the vehicle, the vehicle architecture and the potential
hardware/software for the simulation process should also be considered and documented
This question provides a preliminary analysis and assessment of the impact of the ADF on
the traffic flow simulation. The impact of the applied ADF on traffic flow simulation could be
related to the safety aspect, the efficiency aspect and the interaction aspect. The traffic flow
simulation can be characterised in several ways, two examples are presented below (Maurer
et al., 2016):
1. The microscopic approach describes the relevant characteristics of a single vehicle, like
its speed, temporal headway or spatial separation;
2. The macroscopic approach takes several vehicles into account and the relevant
properties of a traffic flow, like the traffic volume, traffic density and mean speed.
The impact of the safety aspect focusses on the potential risks that may arise from the
limitation of the performance of ADF or the unpredicted behaviour of other road users. The
impact on the efficiency aspect is related to the density of the platoon of vehicles and the
speed with which the platoon passes through the cross-section. The impact on the
interaction aspect takes into account the interaction between ego vehicle and infrastructure
or other road users.
Several scenarios and traffic flows could be implemented in the simulation approach in order
to evaluate the ADF evolution. ADF applied in the traffic flow simulation will surely improve
the safety circulation of the ego vehicle, as well as other road users. All scenarios identified
as potentially critical, such as hard deceleration or an accident, will be addressed and
In a virtual environment, High fidelity is not always necessary or advantageous. The relevant
fidelity for specific simulation components has to be considered in order to keep the
effectiveness of the simulation as well as a relative low cost of either hardware or software.
The relevant fidelity will be based on the requirement and specification for the overall
simulation approach and/or for a specific scenario.
Furthermore, the hardware-based XIL approaches use virtualisation of the physical
components and the embedded function architectures to allow engineers to test different
components in the model. Thus, by using these approaches faster development cycles could
be achieved (Riedmaire et al., 2018).
A driver model could generate different types of control inputs to the vehicle model, such as
steering angle for each time step and braking behaviour as a deceleration value. It should be
in line with the real human drivers behaviours. In addition to the input on the stabilisation
level, the driver behaviour model must consider decisions on the vehicle guidance level, such
as lane keeping, lane change or evasive manoeuvres. At the same time, the potential
reaction from non-automated drivers towards automated vehicle also needs to be covered.
A driver behaviour model is typically applied in the simulation in order to predict driver control
inputs to the ADF, to decide on the right action in the situation and to accomplish the driving
task in the test scenarios. Each traffic participant possesses its own adjustable driver model.
Different types of driver behaviour models have been studied and designed, such as control
perspective (Prokop 2001), behaviour perspective (Markkula et al., 2012) and cognitive
perspective (Wann et al., 2004). Depending on the purpose of the simulation, the right driver
behaviour model should be used.
The designed vehicles need to be capable of complying with federal, state and local laws
within their geographic area of operations. The validation process should follow local
regulation. Besides the internal processes of the company, it is recommended to follow the
framework(s) or the guideline(s) of the automobile community/industry (SAE, NHTSA, ACEA,
OICA, etc.).
It is assumed that communication of the validation strategy through immersive simulation will
improve the public acceptance of the AV. Therefore it is important that these communications
are done carefully in order to produce a positive impression with members of the public.
4.3.4 Ethical & Other Traffic Related Aspects
This topic covers the ethical and legal aspect related to the ADF and its development.
Overall, this topic consists of three questions. It should be noted that these questions are
quite high level. And therefore the sub questions should be addressed carefully.
By means of this question, it should be ensured that the development as well as the function
behaviour follows the laws. An important aspect is that laws can differ from country to
country. Therefore, it is important to know, in which countries the function is developed, in
which countries test drives are conducted and in which countries drivers can use the ADF.
Regarding the national laws, it is strongly recommended to consult individuals who are
familiar the national regulations and laws.
In addition to the legislation, it is also essential to comply with ethical standards. The ethical
standards do not need to be explicit standards but can also be implicit societal agreements.
Ethical standards can change over time.
One fundamental principle is to prevent causing physical or mental harm to people. This
should be ensured, within the realms of technical possibility, through the entire development
process. To achieve this goal tests where human actors are involved need to be planned
very carefully and risk assessments need to be completed in order to minimise any harm to
the individuals both inside and outside of the vehicle. It is also important that ethical
By means of this question it should be investigated, whether the ADF is beneficial in terms of
traffic safety compared to human drivers. According to the German Ethic Commission
prerequisite for the market introduction of a technology is: “The licensing of automated
systems is not justifiable unless it promises to produce at least a diminution in harm
compared with human driving, in other words a positive balance of risks” (Fabio et al., 2017)].
For this purpose, a baseline condition (human driving) must be compared to the treatment
condition with the ADF in place.
The challenges for investigating the risk balance is that it needs to be performed
prospectively, i.e. already before the market introduction of ADF. Therefore, methods that
Specific consideration during this activity has to be given to the driver. The driver and other
involved traffic participants play an important role in mitigating a certain hazard by actively
reacting to a certain hazardous scenario and taking appropriate action(s) to avoid harm or
damage. In this context the infrastructure might also be relevant. ADF specific aspects like
an ADF that does not require a take-over ready driver needs to be reflected in the analysis.
Based on this the risks are assessed.
Once a safety concept has defined the required reactions to mitigate the potential hazards of
an ADF, a confirmation of the effectiveness of the measures is needed. In this sense
Requirements for data collection may result from several sources and depend on whether
the vehicle is a prototype or a series production vehicle. Requirements may also be country
or state specific. Before a vehicle is used for development in public areas (e.g. road testing)
or introduced to the market, the existing requirements within the specified ODD need to be
collected, please see also sub-chapter 4.2.1. The requirements have to be considered
already during the design phase as this may have an impact on the overall vehicle
architecture and on the required bandwidth of the communication bus and storage size.
Examples for such requirements are EDR data for post-crash evaluation or data for
disengagement reports as required for automated vehicles by the State of California (DCM
2019).
A clear structure of the requirements for an ADF and a systematic approach to requirements
elicitation are key to argue safety for any vehicle function. Using safety analyses to support
the process of breaking down the requirements from one level of detail to the next and
identifying gaps in the requirements structure at the same time, are common practice when
deriving and defining requirements.
A fault in an ADF may occur at any time, independent from the current operating mode or the
driving scenario of the vehicle. At each possible operating mode an appropriate safety
mechanism has to keep the vehicle in a safe state in case of a failure. To achieve this there
are several options:
● switch off the function and inform the driver (e.g. when driving in manual mode and a
sensor which is required for an ADF fails, meaning the ADF is no longer available for the
driver)
● provide a backup with full functionality for a limited amount of time (e.g. if driving in an
automated mode provide a backup for sufficient time to transfer the control to the driver)
● Switch to a degraded mode (e.g. if one sensor in a set of sensors fails that results in a
reduced resolution of environmental data, then reduce the ODD, e.g. the maximum
vehicle speed)
For different operating modes and failure scenarios the ADF’s reaction may be different in
order to achieve a safe vehicle reaction. Consider operating modes that are generally
applicable for all ADF (ADF on/off, inside/outside ODD, handover driver-ADF etc.) but also
function specific modes such as diagnostic mode or decommissioning. These modes might
be part of a MRM, see section 4.1.1.
During the integration of the elements that are needed for an ADF several stakeholders will
be involved, e.g. suppliers for hardware elements, software and ECU, and on the OEM side
the function and vehicle integration (and most likely also part of the software). To finally
When verification is based on tests (and not simulation or similar), it needs to be considered
that the tests could be either passed or failed. Note ISO 26262 is applied to achieve safe
products and does not have a focus on a safe development. Even more, it may be necessary
to manipulate the function under development to stimulate a certain faulty behaviour for the
verification of safety mechanisms. Before executing any test, assess what the possible
outcome would be in the case the test failed, if this may result in material damage or harm to
people, and if there are additional measures that should be taken to prevent any damage or
harm.
Test cases have to cover the entire ODD. This is practically impossible. When designing the
test cases, an approach needs to be defined how the relevant test cases will be determined,
e.g. choosing representative operating profiles, building equivalence classes for test cases,
etc. One approach for testing of the safety requirements is that faults need to be injected to
stimulate the safety mechanisms and, as described above, if these mechanisms depend on
the operating state, at least all these states need to be tested.
When all the safety requirements are verified and have been successfully implemented there
is one final step: it needs to be validated, whether the implemented safety concept with all its
safety mechanisms is appropriate and keeps the vehicle safe in the case of a fault.
Independent of the automation level it must also be checked whether the safety concept
avoids that involved people are harmed in the case of a failure. The involved people may be
the driver, passengers or other traffic participants outside the vehicle, depending on the
automation level and current operating mode.
4.4.2 Cybersecurity
One of the topics to be addressed within the Category “Safeguarding Automation” is the
cybersecurity. As summarized by Mcity researchers in their report Identifying and Analysing
Cybersecurity Threats to Automated Vehicles (Mcity2018), automated vehicles will probably
have to face all the security threats that nowadays disrupt our computer networks, on top of
the ones that could be unique to them. Therefore, one of the first steps towards mass market
introduction of automated vehicles is the need of establishing robust and sophisticated
cybersecurity measures.
For reference, the information contained in this section is aligned with the L3Pilot D4.2 Legal
Requirements to AD piloting and cybersecurity analysis. For more details, refer to this
deliverable
During the whole development cycle, a self-audit process shall be considered. This is part of
the cybersecurity culture to ensure that the whole function from a component level up to
vehicle level is secure enough. To do so, self-audits shall be put in place not only internally
but also at Tier 1’s and subcontractors.
The audit shall be able to collect all the information related to the policies and procedures
established by the company. Additionally, it should also contain logging of hazardous events,
report eventual vulnerabilities and include a documentation with the test reports.
● ACEA principles of Automobile Cybersecurity (ACEA 2017);
● Draft Recommendation on Cybersecurity of the Task Force on Cybersecurity and Over-
the-air issues of UNECE WP.29 GRVA;
● L3Pilot D4.2 Legal Requirements to AD piloting and cybersecurity analysis (Vignard et al.,
2018)
During the concept selection phase, and once the threat analysis has been performed, some
vulnerabilities may have been identified and the sensor architecture may need to be revised.
At the design phase, cybersecurity by design means that from the beginning the design shall
be secure. In order to comply with this principle, secure programming and software
development guidelines need to be followed.
Also, as the development process evolves, new and developing risks may appear and
therefore appropriate protection mechanisms shall be put in place. One example is the
software update, which may have not been considered at the beginning of the development
but that will take place in time based on the existing architecture. Therefore, those new
potential risks have to be identified and appropriate actions have to be taken by for example
performing an additional threat analysis and risk assessment, which as shown in the first
question, has to be addressed along the whole development process.
● ACEA principles of Automobile Cybersecurity (ACEA 2017);
● Draft Recommendation on Cybersecurity of the Task Force on Cybersecurity and Over-
the-air issues of UNECE WP.29 GRVA;
● L3Pilot D4.2 Legal Requirements to AD piloting and cybersecurity analysis (Vignard et al.,
2018).
The last step to be covered within cybersecurity refers to the importance of sharing with
others the concerns identified such as threats and vulnerabilities. Some consortiums already
exist to share such information within the industry such as Auto-ISAC established in 2015
with the aim of sharing within global automakers the emerging cybersecurity risks. The sub-
questions show examples of possible risks that may happen after sign-off and which have to
be addressed.
● Auto-ISAC Best practices (2016) (AUTO-ISAC 2016);
● ACEA principles of Automobile Cybersecurity (AECA 2017);
● L3Pilot D4.2 Legal Requirements to AD piloting and cybersecurity analysis (Vignard et al.,
2018).
4.4.3 Implementation of Updates
This topic addresses the implementation of updates using traditional forms, as well as those
completed over the air (OTA). The following questions are to be used as prompts for
consideration at the different development stages.
When developing the update life cycle and future updates for a function it is essential to
consider and follow both international and national laws, as well as obtaining the relevant
type approvals. These should be reviewed and resubmitted where necessary for any updates
or modifications to the vehicle.
As this is a fast developing field in the automotive sector, it is important to continuously check
for new legislative standards that are required in the relevant markets. See section 4.1.3 for
more information on existing standards. Also, the following documents provide current
information as of the day of publication:
● 24. UNECE WP29 GRVA Draft Recommendation on Software Updates (UNTF 2018).
● Secure Over-the-Air Vehicle Software Updates - Operational and Functional
Requirements (Sena 2015).
When defining/ developing the update strategy it is essential to consider both the vehicle’s
hardware and functional capability as well as its lifecycle. Considering the short development
cycles – in particular for software – it is inevitable that there will be a necessity to make
updates throughout the lifetime of the vehicle. The vehicle and the ADF should be designed
in such a way as to allow for a safe and seamless update process for the user. These
documents provide initial guidance to consider:
● A System-Theoretic Safety Engineering Approach for Software-Intensive Systems
(Abdulkhaleq 2017);
● Secure Over-the-Air Vehicle Software Updates - Operational and Functional
Requirements (Sena 2015).
The vehicle is a complex collection of interconnected ECUs that must endure extreme
variations in environment, as well as having a lifetime far exceeding that of any ordinary
electronic consumer device. It is therefore essential that a clear update strategy is developed
during the design of the vehicle to ensure that future updates are compatible with the
hardware on the vehicle. Furthermore, it is essential that sufficient V&V testing is done
before releasing updates to the customer. Additional information can be found here:
● A System-Theoretic Safety Engineering Approach for Software-Intensive Systems
(Abdulkhaleq 2017);
● Secure Over-the-Air Vehicle Software Updates - Operational and Functional
Requirements (Sena 2015).
It is essential that both holistically and on a function by function basis the relevant software
safety requirements are identified and incorporated into the design. As safety standards
develop, the system’s functional safety should be modified to comply.
Previous development and project experience, as well as lessons learnt (both in and out of
the field) are an invaluable improvement tool. It is recommended to establish a process for
implementing this learning back into the development phases and even update the current
OTA update process.
A vehicle contains both safety and non-safety critical functions. Depending on the safety
criticality of the effected function, the requirements for the update might differ. A failure in the
vehicle infotainment introduced by a bug in a software update might lead to user frustration.
On the other hand a failure caused by an update to a safety critical component might lead to
serious consequences and must be prevented.
For more information, see Secure Over-the-Air Vehicle Software Updates - Operational and
Functional Requirements (Sena 2015).
Any updates sent out to customers should have been sufficiently tested beforehand to
ensure the updates are bug free. However, there are always factors that may be overlooked.
In these cases, there should be a “failsafe strategy”, which ensures that the vehicle is still
operational by for example reverting back to a former software version. Combined with this
there should be some form of warning and information on how the user can resolve the
issue. In extreme failure cases the response might be to stop the user from being able to use
the vehicle. In this case the manufacturer must be informed to resolve the issue.
For more information see Secure Over-the-Air Vehicle Software Updates - Operational and
Functional Requirements (Sena 2015).
With the introduction of OTA updates manufacturers will move – at least partly – away from
the traditional customers visiting a dealership approach for servicing to a remote service
approach used by software companies. This approach has risks, which are potentially safety
critical. This means that the customer has to have confidence that updates are from a trusted
Just as it is important for the manufacturer to provide proof of the authenticity of the update, it
is also important that only authorised people can accept or decline provided updates. This is
to stop interference from individuals who may seek to install malicious software or may try to
stop new updates from being installed for some benefit to themselves or a third party.
4.4.4 Safety of the Intended Functionality (SOTIF)
Unlike functional safety of automated vehicles, the safety of the intended functionality
(SOTIF) mainly focuses on systems that rely on sensing the external or internal environment.
The potential hazardous behaviour related to the intended functionality or performance
limitation of a system are in the scope of SOTIF (ISO/PAS 21448).
The cause of hazardous event in the scope of SOTIF could incorporate the source with
system aspect, as well as external factor aspect, for instance:
● Performance limitations, insufficient situational awareness with or without conjunction with
a foreseeable user misuse;
● Reasonably foreseeable misuse, incorrect HVI (user confusion, user overload);
● Impact from car surroundings (other users, “passive” infrastructure, environmental
conditions, weather, electromagnetic interference, etc.) (ISO/PAS 21448, 2019).
The following definitions shall support the interpretation of relevant terms:
● Intended use: Any use of the product consistent with the manner in which it is
promoted/advertised and described by the manufacturer and which can be justifiably
expected in accordance with the knowledge and skills of the intended user.
● Foreseeable misuse/reasonably foreseeable misuse: Usage of a product in a way not
intended by the manufacturer and in a manner inconsistent with the user manual, but
which may result from foreseeable human behaviour.
● Misuse: Describes an improper and inappropriate usage of the product, which in a
particular circumstance can be deemed irresponsible and in complete contradiction to the
intended purpose or function of the product
The development of SOTIF should comply with the latest international standards, such as the
homologation of state-of-the-art ISO/PAS 21448. The first version of ISO/PAS 21448, which
refers to the safety of the intended functionality (SOTIF) and provides guidance on the
design, verification and validation measures, will be published around 2020. It aims to avoid
a malfunctioning behaviour in the system in the absence of technical faults, which might
result from technological and definitional shortcomings.
Additionally, the latest guidelines or regulations of the development of SOTIF should also be
taken into account. Such as the latest guidelines of NHTSA and SAE for the US. The
organizations OICA and ACEA work to modify and update the Geneva Convention and
provide advice on the regulation regarding the development and deployment of automated
vehicles to European Union.
A definition and description of the functionality, its dependencies on and interaction with the
environment and other functionalities can help to elaborate a functional and system
specification. This functional and system specification can be the beginning for the
improvement regarding the safety of intended functionalities. Similar to the functionality and
system definition of ISO 26262-3, Clause 5, an appropriate description of the functionality
and system is developed to serve as an input to the development of SOTIF.
The description of the functionality provided by the system to the vehicle mainly including:
1. The use cases in which it is activated;
2. The sensing and arbitration concept and technologies;
3. The level of authority over the vehicle dynamics;
4. The interfaces with the other systems and functionalities of the vehicle and the road
infrastructure.
Besides, system related description, such as the system and elements implementing the
intended functionality, the limitations and their countermeasures, need to be taken into
A hazard analysis is employed to identify the different hazards that may arise from a function
or its environment. A hazard represents a “condition, event, or circumstance that could lead
to or contribute to an unplanned or undesirable event, like an accident, a functional failure,
performance limitations or misuse” (ISO 26262-3:2018).
The SOTIF activities/ measures should be derived from the hazard analysis, which can help
to identify all the potential hazards that may occur during a driving task of automated
vehicles. The identification of SOTIF activities/ measures of an ADF shall be conducted in an
earlier phase of development of SOTIF. Later, the SOTIF risk identification and evaluation
shall be conducted, which represent a consistency check of functional safety concept in
chapter 4.4.1.
Based on the identification of hazard events caused by the system or external environment,
the systematic identification and evaluation for the SOTIF risks can be executed in order to
ensure the safety and reliability of intended functionalities. This process can be achieved by
applying the methods proposed in ISO 26262-3:2018. For this purpose the same items such
as the severity, exposure and controllability of the hazardous events need to be derived by
the method as proposed by ISO 26262 (ISO 26262 2018).
A take-over request (TOR) of ADF is a key issue for the level 3 or level 4 of automated
vehicles, which can transfer the driving control from vehicle to human within some situation
that is beyond the ADF’s capabilities. This mechanism is intended to remind the driver to
take over the control of vehicle within an appropriate reaction time, as well as support him /
her in order to reduce the risk via human-vehicle-interface (HVI) system. Thus, an
appropriate HVI can significantly avoid the occurrence of misuse and mitigate the risks under
hazardous events. For the aspects regarding HVI, please see also topic “Mode awareness,
Trust & Misuse” (chapter 4.5.2).
Additionally, a MRM will be performed by the system in case the driver does not respond to
take-over request. The MRM leads to a MRC (such as limited/ end of ADF operation) to
minimize the risk and ensuring the safety of the driver (Resende et al., 2010). For the
aspects related to MRM, please see also topic “Minimal Risk Manoeuvre” (chapter 4.1.1).
A possibility to ensure the controllability of the ADF is to use a driver monitoring system that
can detect distractions or drowsiness of a driver during automated mode. This system could
also invoke action to remind and maintain driver’s attention in both manual and automated
driving. The monitoring allows several functionalities such as: identification of the driver in
order to allow the vehicle to automatically restore its preferences and settings; monitor driver
fatigue and alert the driver when potential drowsiness situation is detected, etc.
A V&V strategy can support the process of ensuring an appropriate performances and safety
capabilities of the ADF. This strategy should support the argumentation for the safety of the
intended functionalities. Additionally, V&V activities of the intended functionalities with regard
to the risk of safety violations without system faults include integration-testing activities to
address the following scope:
1. The ability of sensors and the sensor processing algorithms to model the encountered
driving environment;
2. The ability of the decision algorithm to recognize both known and unknown situations
and make the appropriate decision according to the environment model and the system
architecture;
3. The robustness of the system or function.
4. The ability of the HVI to prevent reasonably foreseeable misuse; and
5. The manageability of the handover scenario by the driver.
In order to achieve this strategy, several information, which is based on the driving test cases
should be addressed, especially the test goals and V&V targets. The test goals and V&V
targets can be derived from the specifications and safety requirements of vehicle design
architecture. These goals and targets should consider known unsafe use cases but should
also aim at discovering unknown unsafe use cases. The different test environment should
also be specified to match the validation strategy (ISO/PAS 21448 2019).
Triggering events4 represent specific conditions of a driving scenario that serve as an initiator
for a subsequent system reaction possibly leading to a hazardous event.
The analysis of triggering events could help to identify the system weaknesses (related to
sensors, algorithms and actuators) and the related scenarios that could result in an identified
hazard. Once the triggering events are identified that could trigger a hazardous event with
credible harms, we need functional improvements of ADF to appropriately respond to
triggering events and reduce SOTIF risks.
Functional improvements could incorporate several aspects, for instance sufficient
performance /accuracy of sensor, sufficient performance of detection and decision
algorithms, as well as appropriate Human-Machine Interface regarding the controllability of
vehicle and avoidance of misuse, etc. (ISO/PAS 21448 2019).
4 Triggering event means a scenarios that serves as an initiator for automated action. E.g. while operating on a
highway, a vehicle’s autonomous emergency braking (AEB) system misidentifies a road sign as a lead vehicle
resulting in braking.
The customer requires an understanding of why personal data is collected. There shall be
information material available explaining the reasons. There must be a clear communication
which data is supposed to be regarded as personal information and which is not. If
applicable, the customer should also be informed about different data categories. It also
includes information about other organisations accessing the data and the reasons for it.
Information about data sharing must be available via different means, such as manuals or
websites. Contact points for the customer shall be provided. Ideally, the customer has the
choice to decide to share data or not, depending on the purpose. The data must be stored
securely. In case requested by authorities, the data shall be made available in an appropriate
manner and in accordance with the law.
Additional information regarding this topic is provided by:
● FESTA Handbook (Barnard et al., 2017);
● ACEA principles of data protection in relation to connected vehicles and services (ACEA
2015);
● The pathway to driverless cars: a code of practice for testing (DOT 2015).
In order to help with the analysis of crashes and the improvement of ADFs, pertaining data
will be collected. This data shall include the status of the ADF, the occurrence of
malfunctions and the arbitration of control between the driver and the ADF before and during
an accident or incident. The data shall be shared with relevant authorities to enable crash
reconstruction up on request. Additional information regarding this topic is provided by:
● Automated driving systems 2.0: a vision for safety (NHTSA 2017).
There must be an assessment conducted analysing the impact of the data protection
measures employed. This includes the impact on the societal level such as customer
acceptance and rejection. In addition, the safety impact is of interest, as data protection
might make it harder to use data in case of accident investigations involving ADFs. Additional
information regarding this topic is provided by:
The measures implemented to protect customer data must be appropriate. This includes the
technical, security and organisational levels. It is especially problematic in the case of
outsourcing personal data. Only relevant and adequate personal data shall be processed,
including means to anonymise them. The data must furthermore only be processed with
permission of the customers. Personal data shall be analysed according to the applicable
laws in a transparent way. Data may only be collected for legitimate and explicitly specified
purposes. In case personal data are stored, it must be limited to what is necessary, given the
reason for which it is processed. Personal data shall be kept in a form allowing to identify an
individual only when and not longer than necessary.
It has to be ensured that the developed ADFs are compliant with the data protection
regulation that apply in the respective countries. For the European Union, the General Data
Protection Regulation (GDPR) has to be considered. Most important, evidence of the steps
taken to comply with the GDPR is necessary. Additional information regarding this topic is
provided by:
● GDPR Guide to the general data protection regulation (IOC 2018).
A key enabling technology for road vehicle automation is V2X-communication requiring back-
end functions (please consider also chapter 4.3.2). However, back-end functions might
provide access to personal data on other functions. In consequence, remote and back-end
functions, including cloud based servers, should have appropriate levels of protection and
monitoring in place to prevent unauthorised access. Additional information regarding this
topic is provided by:
● The key principles of vehicle cybersecurity for connected and automated vehicles (HMG
2017).
Design guidelines should be followed during the development of the HVI. This ensures that
all aspects of the HVI are considered. A point to note is that there are many different HVI
guidelines (e.g., TRL, 2011; Campbell et al.,, 1996) and the guidelines used during the ADF
development should be selected carefully to ensure they are suitable for the application.
Guidelines adapted to HVIs for conditionally automated vehicles were presented by Naujoks
et al., (2019-1) and validated in empirical studies (Forster et al.,, 2019; Naujoks et al.,, 2019-
2) Guidelines may differ for certain demographics as different groups of people may prefer
different communication methods such as, symbols or colour coding. However, HVI should
be standardised where possible following industry standards that are consistent with user’s
mental models. This will minimise the time required to familiarise oneself with the HVI,
therefore improving the experience of first time users.
Additional information regarding this topic is provided by:
● L3 HMI Checklist (Naujoks et al., 2019-1).
Unintentional deactivation of an ADF by the user is an event which needs to be avoided at all
costs. The driver may be concentrating on a non-driving task and will not be ready to take
control of the driving task immediately. The HVI concept should be designed so that it is not
possible for the driver to inadvertently initiate a transfer of control – in particular not if the
driver has not regained situational awareness yet. Similarly it is important to prevent
unintentional activations of the ADF by the user. Unexpected longitudinal or lateral input from
the ADF may have a detrimental effect on the user’s trust in the ADF and even the vehicle
guidance as a whole.
There are many possible concepts for activating and deactivating the ADF, but the safety of
the transition of control should not be overlooked while designing this part of the HVI.
Additional information regarding this topic is provided by:
● L3 HMI Checklist (Naujoks et al., 2019-1);
● Human Factors Design Guidance For Driver-Vehicle Interfaces (Campbell et al., 2016);
● Guidelines for In-vehicle Display Systems — Version 3.0 (JAMA 2004);
● AdaptIVe D3.3 (Kelsch et al., 2017).
This question focuses on the importance of having a clear strategy for the visual HVI.
Guidelines and standards need to be followed to ensure that the visual feedback is easy and
intuitive to understand. Icons can be designed to be interpreted quickly if standard symbols
and colours are used where possible. Where icons cannot be used, text messages shall be
used. However, it is important that the text can be understood in short glances, so that the
driver is not forced to remove the eyes from the road for extended periods of time. Finally, it
is important to cluster relevant HVI elements in similar locations so that the driver can
intuitively understand where a HVI should appear. It can be confusing if the HVI is spread
across different locations as the driver may then have to check in multiple locations for the
HVI feedback, leading to a longer period of time where the driver is distracted from the road.
Additional information regarding this topic is provided by:
● L3 HMI Checklist (Naujoks et al., 2019-1);
● Human Factors Design Guidance For Driver-Vehicle Interfaces (Campbell et al., 2016);
● Guidelines for In-vehicle Display Systems — Version 3.0 (JAMA 2004);
● AdaptIVe D3.3 (Kelsch et al., 2017).
During the use of an ADF the user may be subject to many types of HVI feedback with
various levels of urgency. It is important that the driver understands which HVI elements are
high priority and are conveying urgent feedback to the driver. Equally, it is important that the
driver understands that other messages are provided primarily for informational purposes
The impact of the HVI on the user acceptance of the ADF has previously been eluded to, but
assessing the user acceptance of the ADF should not be overlooked. Customer clinics,
heuristic expert assessments and various other user trials can be carried out to gain both
subjective and objective data on user acceptance. Having a clear and high quality HVI which
meets all the guidelines outlined in this CoP and the additional material is a good first step to
ensuring user acceptance. It is crucial that this exercise is completed before the ADF is
introduced to the market to ensure that customers are able to trust the ADF and are willing to
use it. It is worth noting that even if the HVI meets the correct standard, the user acceptance
is also heavily influenced by many other factors.
Additional information regarding this topic is provided by:
● L3 HMI Checklist (Naujoks et al., 2019-1);
● L3 HMI Test protocol (Naujoks et al.,, 2019-3).
The goal of this question is to ensure that the possible AD modes are clearly defined not only
from an engineering viewpoint but also from a user’s perspective. It is important that a user is
aware of the possible automated driving modes of the ADF to avoid misunderstandings. This
is the first step which provides the users with an overview of the ADF, to grasp its capabilities
as well as the driver’s roles. The driver’s role may vary depending on the automated driving
mode. Additional information regarding this topic is provided by:
● Ford Safety report (Ford 2018).
This question focuses on how the currently active automated driving modes are
communicated to both the driver and the other road users, in terms of modalities (visual,
auditory, haptic, and so on). It is important that these communication ways are considered
from the definition phase because the chosen modality will impact both the hardware and the
software of the vehicle.
Additional information regarding this topic is provided by:
● Ford Safety report (Ford 2018);
● GM Safety report (GM 2018).
The purpose of this question is to ensure that possible driver mistakes, failures and misuses
have been addressed in the best possible way, in order to be able to define
countermeasures for them. Additional information regarding this topic is provided by:
● Human Factors Design Guidance For Driver-Vehicle Interfaces (Campbell et al., 2016);
● CoP ADAS (Knapp et al., 2009).
This question is related to the negative and positive impacts that a HVI has on important
indicators. The purpose is to trigger a definition of important indicators, related to driver
distraction, situational awareness and “in-the-loop” level, and to study the impact and the
countermeasures that should be implemented.
Additional information regarding this topic is provided by:
● Human Factors Design Guidance for Driver-Vehicle Interfaces (Campbell et al., 2016).
For ADF, a clear communication of the mode is crucial. The driver must understand when he
/ she is in control of the vehicle and when a transfer of control occurs. If the mode is not
clearly understood by the driver, the results could lead to an incident. There are many ways
to communicate the mode to the driver and these should be considered when defining the
HVI.
This question focuses on the HVI to communicate the AD modes, the consideration of a
permanent display of the modes, how to communicate the mode changes, and how well
these HVI are recognised by both the driver and other road users. This question focuses on
more details in comparison to question 4-2-2, which focuses on the modalities (visual,
auditory, haptic etc.).
In the later stages of development, the clarity of mode should also be assessed with a high
level of scrutiny to ensure that there is no ambiguity. A test procedure to assess that basic
mode indicators are capable of informing the driver about relevant modes and transitions has
been proposed by Naujoks et al., (2019-3). Additional information regarding this topic is
provided by:
● L3 HMI Checklist (Naujoks et al., 2019-1);
● L3 HMI Test protocol (Naujoks et al.,, 2019-4)
● Human Factors Design Guidance For Driver-Vehicle Interfaces (Campbell et al., 2016);
● Guidelines for In-vehicle Display Systems — Version 3.0 (JAMA 2004);
● AdaptIVe D3.3 (Kelsch et al., 2017).
The purpose of this question is to draw the attention on the crucial topic related to whether
the driver is “in-the-loop”, and how to help the driver to get back “in-the-loop”.
Of course, the necessary uninterrupted time span of the driver being “in-the-loop” can vary
depending on the situation and on the capability of the function, among others. Nevertheless,
it is important to recognise this necessary level, and to ensure it, because it is strongly
related to safety.
The purpose of this question is to consider how and to what extent the ODD information
should be displayed to the driver. Three major kinds of information are especially relevant:
1. The vehicle is currently in the ODD: the function should inform the driver so that the
driver can decide whether to activate the function.
2. The vehicle is not yet in the ODD but will soon get into the next one: the function should
inform the driver so that the driver can get ready for it and possibly decide to activate the
function.
3. The vehicle is currently in the ODD, and the end of the current ODD is known: the
function should inform the driver so that the driver can prepare for taking over the
controls.
Additional information regarding this topic is provided by:
● L3 HMI Checklist (Naujoks et al., 2019-1);
● L3 HMI Test protocol (Naujoks et al.,, 2019-3).
A MRM typically happens if the driver fails to appropriately take over the controls, or if the
function does not have enough time to make a proper TOR (for example due to a sudden
unexpected situation). This question aims to consider how to inform the driver in case the
function has initiated the MRM in order to provide the driver with the necessary information,
such as what is going on, why, and what the driver could do after that.
One of the crucial aspects of HVI is to make sure that the driver fully understands her / his
responsibilities during each of the defined AD modes, and therefore to understand the
function’s capabilities under these modes. Drivers may be informed by several means,
including advertisement and owner’s manual written explanations. Drivers may get explicit
information by the in-vehicle HVI, during the AD activation itself, just before and just after it.
Drivers may of course also learn by experience. Additionally, a simple and intuitive HVI can
help the drivers understand the situation and take the correct actions with respect to it. This
concept complements the above mentioned concept of situational awareness and “in-the-
loop” (4.2.6). Additional information regarding this topic is provided by:
The purpose of this question is that the driving scenarios may impact the way and the level
drivers understand the communication provided by the ADF. Typically, a more critical
situation would require more attention and – if necessary – a faster reaction from the driver.
In order to ensure these, the displayed feedback information needs to be appropriate and
according to the situation.
Additional information regarding this topic is provided by:
● Human Factors Design Guidance For Driver-Vehicle Interfaces (Campbell et al., 2016).
Driver awareness is a very important topic. Other than “situational awareness” treated by
questions 4-2-6 and 4-2-10 , it is extremely important to ensure driver “mode awareness”, as
previous addressed by questions 4-2-1, 4-2-2, 4-2-5, 4-2-11. Question 4-2-13 focuses on the
resulting awareness, and the need to confirm, for example by clinics and/or by experts, what
has been previously assumed.
During the Validation and Verification Phase, it is important to confirm whether users’
expectations are met. This is a very broad subject that would need to be narrowed down to
precise specifications, and this question is there to make sure that the process will be
Trust is also a very crucial aspect. It is necessary that the users trust the function, so that
they will use it. On the other hand, it is necessary to avoid over-trust, as this may lead to
unintended misuse of the function. Again, a good balance must be targeted in order to
ensure the correct amount of trust. Additional information regarding this topic is provided by:
● Ford Safety Report (Ford 2018).
This question is a general summary confirming that customers would appropriately use the
ADF. Also, they shall not misuse the system. In order to make sure the appropriate usage is
known, the user manual shall contain a description of how to appropriately use the ADF. In
the event the customers do not read the manual, we need to ensure that other methods are
available to ensure that customers use the ADF appropriately. There must be direct and
immediate feedback, for instance via the vehicle HMI to the driver, in case the ADF is
misused. Statistics shall be gathered via the vehicle to inform the OEM about the about the
occurrence of misuse. The measures can be taken to prevent further misuse.
Long-term effects of the AD function need to be fully understood. Every opportunity shall be
used to continuously improve the functions, by understanding these effects and applying
appropriate countermeasures. Designers, developers and evaluators do the utmost to
release a mature function to the market, minimising the negative effects of ADF as much as
possible. Nevertheless, the actual impact on real customers shall be continuously monitored,
and measures need to be applied in order to do so. Typically, the main risks of long-term
effects are skill degradation and building over-trust in the function.
Additional information regarding this topic is provided by:
● CoP ADAS (Knapp et al., 2009).
This question is addressing the impact of the HVI over long journeys. It could be investigated
by taking advantage of dedicated fleets with typically long travel times, for example.
Additional information regarding this topic is provided by:
● Human Factors Design Guidance For Driver-Vehicle Interfaces (Campbell et al., 2016).
4.5.3 Driver Monitoring
This topic addresses the correct understanding of driver monitoring, specifically the
identification and classification of the cognitive status of the driver and the recognition of the
actions made inside the vehicle. This consists of several questions; however, the sub-
questions shall be carefully addressed as well.
Real time monitoring of a driver’s intention / attention is a crucial topic, especially when
discussing automated driving. In fact, not only is driver distraction one of the main causes of
accidents on the roads, but also the knowledge of driver status is fundamental before a TOR
is issued. Since driving is a complex phenomenon, involving the performance of various
tasks (including simultaneous quick and accurate decision making), fatigue, workload and
This question (and related sub-questions) addresses which secondary tasks are allowed
during automated driving (at least from SAE level 3). The idea is to consider what is currently
available and what will become available in the future. In addition, one sub-question focuses
on metrics that shall be considered, when a driver monitoring function is on-board. It is
important to address these items from the beginning of the function development (definition
phase). Moreover, the possibility to add additional apps/secondary tasks to the vehicle HVI in
the future should be considered as well.
It is essential to provide crucial information on driver’s state directly to the driver – for
example drowsiness – because driver impairment (even if only temporarily) can compromise
the safety of the ego-vehicle and other traffic participants (e.g. driver is sleeping when a TOR
is issued by the ADF). These unusual driver states (e.g. drowsiness) need to be
communicated effectively to the driver.
This question focuses on the problem of mirroring contents / apps from user’s own mobile
device directly on to the vehicle’s display(s), especially if some mobile content can create a
strong potential distraction level. This issue has to be considered when a TOR is provided by
the ADF with particular attention (e.g. in a situation, when the ADF leaves its ODD). The
crucial questions are: can the mirroring be limited? If allowed, how can the driver be taken
back into the control loop?
Strongly related to the previous question, we need to measure and to understand the impact
of secondary tasks on the TOR provided by the function in the validation phase. From here,
an answer to the previous point can be given: if the impact is high (i.e. affecting the vehicle
safety) some secondary tasks (e.g. mirroring) shall be forbidden.
The last question of the driver monitoring section is related to measuring the long term
effects of secondary tasks on driver behaviour, considering data if available. The selection of
appropriate data for this long-term evaluation aims at continuously monitoring the actual
impact on real customers.
As aforementioned, long-term effects (at every automation level, including allowed secondary
tasks) of the ADF have to be fully understood, in order to continuously improve the functions,
by understanding these effects and applying appropriate countermeasures.
Additional information regarding the topic mentioned in the questions is provided by:
● Human Factors Design Guidance For Driver-Vehicle Interfaces (Campbell et al., 2016);
During the definition phase, it should be ensured that user needs regarding controllability are
taken into account. For example, the design of the HVI should consider the transition from
automated driving to lower levels of automations with respect to function failures / limits as
well as driver-initiated transition. Relevant and applicable guidelines for the design of the HVI
should be considered in the design phase in order to ensure that they are in line with
The concept selection should be based on a careful consideration of the driver’s sensory and
motor limitations. The concept selection should thus consider topics like colour-blindness,
general vision, sensory-motor and hearing impairments. Additional information regarding this
topic is provided by:
● L3 HMI Checklist (Naujoks et al., 2019-1);
● CoP ADAS (Knapp et al., 2009).
In addition to a control concept in case of ADF malfunction, the design phase should
consider the safety of driver-initiated overrides and deactivations of the ADF (i.e. an
interaction concept for deactivation and overriding should be defined). For example, it should
be ensured that the user can take back control in an intuitive way to ensure an efficient
transition. Additional information regarding this topic is provided by:
● CoP ADAS (Knapp et al., 2009).
The design phase should also consider the limitations and perception of other traffic
participants that are not equipped with an ADF. The automated vehicle’s behaviour should
be designed in a way that it is controllable for these traffic participants and does not exceed
motion ranges of non-equipped drivers in non-emergency situations. Additional information
regarding this topic is provided by:
In the design phase, a preliminary assessment of the controllability should be carried out,
which is normally based on expert assessments. For these, a suitable prototype should be
used that allows for an assessment of function limits / failures, but also normal driver-initiated
transitions. Additional information regarding this topic is provided by:
● Controllability test methods (Bengler et al.,, 2018);
● Expert-based Controllability Rating (Naujoks et al.,, 2018-2);
● CoP ADAS (Knapp et al., 2009).
In the verification phase, controllability assessments should be carried out in suitable test
environments. When these are carried out on test tracks or on public roads, precautions
regarding the safety of participants and other road users should be taken. Additional
information regarding this topic is provided by:
● Controllability test methods (Bengler et al.,, 2018);
● CoP ADAS (Knapp et al., 2009).
The final controllability verification can be based on different evaluation methods such as
expert assessments or controllability verification tests. A variety of use-cases that are listed
in the table above should be considered. Additional information regarding this topic is
provided by:
● Expert-based Controllability Rating (Naujoks et al.,, 2018-2);
Firstly, these questions target the difference between countries and regions. Infrastructural
differences with regard to roads, traffic control functions and driver behaviour in general have
a huge impact on the design of ADFs. These differences need to be handled appropriately
An ADF designed with only a specific country or region without taking into account the
respective infrastructures and the needs and behaviours of their user groups must be
avoided. Secondly, there is a general trend towards an aging population. In addition, the
elderly prefer to drive their own vehicles for transportation. Due to degrading physical
User training for the ADF requires a specification of the ADF’s operation. This serves as a
baseline to create a user training, if it is deemed necessary. Due to the complexity of ADFs,
a user training course might be required or at least recommended. In case such a training
course is regarded as necessary, appropriate measures need to be taken to realise it.
Furthermore, the training methods shall be defined in more detail. This may range from a
training course provided by the dealer to user manuals integrated within the vehicle, online
material for home training, the use of digital assistants and many more. A reasonable
combination of training methods shall be considered taking individual learning preferences
into account.
Additional information regarding this topic is provided by:
● SIP-adus HMI 2017 report (SIP-adus 2017);
● Effects of function information on drivers' behaviour (Brusque et al., 2007);
● Code of Practice for the Design and Evaluation of ADAS (Knapp et al., 2009);
● Human Factors Design Guidance For Driver-Vehicle Interfaces (Campbell et al., 2016).
( ) Yes / ( ) No
Due to the high variability of users, customer studies evaluating the ADF need to take into
account various factors. Depending on the exact customer study to be conducted, this may
range from age, gender, socio-cultural background to previous experience with ADFs or
computers in general. Additional information regarding this topic is provided by:
● Code of Practice for the Design and Evaluation of ADAS (Knapp et al., 2009).
Developers shall ensure that there is enough information available for the users of an ADF to
properly operate it. There shall be sufficient training material available inside the vehicle to
provide users with the required knowledge to operate the ADF quickly and safely on the
road. Marketing a new ADF might tempt people to over-estimate the possibilities offered by
the function. To prevent this, marketing shall support user information and training with
realistic information regarding its abilities. This is aimed at e.g. at commercials and customer
sales information guides. Additional information regarding this topic is provided by:
● Code of Practice for the Design and Evaluation of ADAS (Knapp et al., 2009);
● Ford Safety Report (Ford 2018);
● GM Safety Report (GM 2018).
This chapter reports on the application of the draft CoP-AD in the L3Pilot project. For this
purpose a questionnaire was prepared. The questionnaire was discussed with key persons
of the project (e.g. subproject leaders, vehicle manufactures). In addition, there were direct
contributions from other L3Pilot subprojects. More details are reported in chapter 5.1.
Both inputs were used to identify which CoP-AD questions are relevant in the context of the
L3Pilot project and how they should be managed in L3Pilot. The scope of the L3Pilot project
– testing of automated driving function prototypes on public roads – automatically limits the
overlap of CoP-AD topics, since the CoP itself is intended to cover the entire development
process. There are further aspects that need to be taken into account when the pilot
application in L3Pilot is analysed. These aspects are reported in subchapter 5.2, together
with an overview about the CoP-AD topics that have been addressed in L3Pilot. The final
subchapter 5.3 reports how each of the topics addressed have been handled in the project,
and whether the L3Pilot is in line with the approach suggested by the CoP-AD.
Considering the goal of the L3Pilot project, it is also obvious that the CoP-AD topics which
are relevant are the ones to be addressed in the “Design Phase” and “Validation &
Verification Phase”. It is in these final stages of a function development that the road tests
typically take place. The “Definition Phase” and “Concept Selection Phase” shall at this stage
normally be finished unless the evaluation has serious feedback on the design phase. The
“Post Start of Production Phase” will not be reached in L3Pilot, since these functions will not
be introduced in the market.
This deliverable presents the draft Code of Practice for Automated Driving (AD).
Furthermore, the deliverable also reports on the process of the L3Pilot project. Therefore this
document must be seen as an intermediate result of the L3Pilot “Code of Practice”
subproject. That is why the history of the Code of Practice to present, its development and
the CoP-AD structure are described in the first part of this document.
The core of the document is the draft CoP-AD (chapter 4). Overall, the draft CoP-AD consists
of 155 main questions that have been assigned to 1 of the 5 categories and 1 of the 22
topics. The document focuses on the draft CoP-AD. However, it must be considered that this
document took almost two years of work and included many intense discussions. The CoP-
AD questions were continuously reviewed and updated in several meetings and workshops
during this time. One key task was to reduce the number of questions from the 586 in the first
version to a more reasonable amount so as to make the CoP-AD more usable for readers.
This aspect is of particular importance since the intended purpose is to support developers
and stakeholders to design and develop meaningful ADFs.
In order to present the CoP-AD questions in a comprehensive way, a template was defined
that provides all the relevant information: the main question itself, the supporting sub-
question, the relevant stage in the development process, and the question’s ID. The template
provides a blank space to answer each of the main questions, which have been setup as
“yes/no” questions. Questions are followed by an explanation and literature references.
It must be noted that the scope of the document is not to provide technical solutions, but to
support the development of ADFs by ensuring that relevant aspects have been considered
and followed. This means that there is not necessarily a “right” answer to all the CoP-AD
questions. The purpose of the questions is instead to make the developers and other
relevant stakeholders aware of certain aspects and to ensure that the reasons for certain
decisions are documented. A “no” might mean that the intended topic has been considered in
another way or is not relevant for the particular ADF.
The draft CoP-AD document also describes how and to what extent the L3Pilot project has
applied and followed the draft CoP-AD (chapter 5) up to the due date of the deliverable
(September 2019). A series of interviews with the relevant consortium members were
conducted and summarized. L3Pilot focuses on the testing of automated driving and not on
the development of ADFs, therefore the application of the draft CoP-AD is limited to a few
topics. Deviations from the CoP-AD were found and they are described and explained in the
document.
The draft CoP-AD is to serve as a basis for future work in the subproject. The main objective
of which is to finalise the CoP-AD within the course of the project. Therefore the draft CoP-
AD will be discussed and reviewed in the upcoming months with the internal as well as
external project stakeholders. The discussions will take place in workshops and bilateral
Abbink, D., Carlson, T. et al., (2018). “A Topology of Shared Control Systems – Finding Common
Ground in Diversity”, IEEE Transactions on Human-Machine Systems, Volume 48, Issue 5.
Abdulkhaleq, A. (2017). “A system-theoretic safety engineering approach for software-intensive
systems”, Disseration, University Stuttgart.
ACEA (2015). “ACEA Principles of data protection in relation to connected vehicles and services”,
ACEA Report.
ACEA (2017). “ACEA principles of Automobile Cybersecurity”, ACEA Report.
UTO-ISAC (2016). “Auto-ISAC Best Practices”, Report.
Barnard, Y., Chen, H., Koskinen, S., Innamaa, S., et al., (2018). ”Updated Version of the FESTA
Handbook”, FOT-Net Deliverable D5.4.
Bartels, A., Eberle, U., Knapp, A. (2015). ”System Classification and Glossary“, AdaptIVe
Deliverable D2.1.
Bengler, K., Drüke, J., Hoffmann, S., Manstetten, D., & Neukum, A. (2018). UR: BAN Human
Factors in Traffic. In Approaches for Safe, Efficient and Stress-free Urban Traffic. Springer
Wiesbaden, Germany.
Bienzeisler, J., Cousin, C., Deschamps, V. et al., (2017). “Legal aspects on automated driving“,
AdaptIVe deliverable D2.3.
Bosch Media Service (2017). „Bosch und Daimler zeigen fahrerloses Parken im realen Verkehr“,
press report 24.07.2017. http://www.bosch-presse.de/pressportal/de/de/bosch-und-daimler-zeigen-
fahrerloses-parken-im-realen-verkehr-116096.htmlancelliere, R., Ghignone, L., Tango, F. et al.,
(2019). Real-time detection of driver distraction: random projections for pseudo-inversion-based
neural training. Knowledge and Information Systems, Volume 60, Issue 3, pp 1549–1564.
Brilon, W., Regler, M., Geistefeldt, J. (2005). “Zufallscharakter der Kapazität von Autobahnen und
praktische Konsequenzen“. Straßenverkehrstechnik 3(1) and 4(2).
Brusque, C., Bruyas, M. P., Carvalhais, J., Cozzolino, M., et al., (2007) “Effects of system
information on drivers' behaviour”, INERTS Synthesis No. 54.
Campbell, J., Brown, J., Graving, J., Richard, C. et al., (2016). “Human Factors Design Guidance
For Driver-Vehicle Interfaces”, NHTSA report DOT HS 812 360.
Campbell, J.L., Carney, C., Kantowitz, J.L. (1997). Human Factors Design Guidelines for advanced
traveler information systems (ATIS) and commercial vehicle operations CV0), Report No. FHWA-
RD-98-057), Federal Highway Administration, Washington, DC.
CATAPULT Transport Systems (2017). “Market Forecast for connected and autonomous vehicles”,
Report.
Table A1.2: Rating of the suitability of different objective data collection tools (1 of 3) for the
L3Pilot research question by SP3 (: well suited, : moderately suited ,: little suited).
Table A1.3: Rating of the suitability of different objective data collection tools (2 of 3) for the
L3Pilot research question by SP3 (: well suited, : moderately suited ,: little suited).
Field Naturalistic
Evaluation Wizard of
RQ area RQ operational driving
area Oz
test study
How reliable is system
performance in a given driving and
Technical traffic scenario?
performance of
the system How often and under which
circumstances does the ADF issue
a TOR?
How do take-over requests affect
driving?
Table A1.4: Rating of the suitability of different objective data collection tools (3 of 3) for the
L3Pilot research question by SP3 (: well suited, : moderately suited ,: little suited).
Analytic
Analytic
simulation
Evaluation simulation
RQ area RQ Driving
area Traffic
scenario
microsimulation
simulation
How reliable is system performance in a given
Technical driving and traffic scenario?
performance
of the system How often and under which circumstances does
the ADF issue a Tor?
Close-
Open-ended
Evaluation ended
RQ area RQ Observation Focus group interview
area interview
questions
questions
Are drivers willing
to use an ADF?