Area-wide real-world test scenarios of poor visibility for safe development of automated vehicles

Introduction

Automated vehicles in everyday real-world traffic are predicted to be developed soon (Gasser et al., Rechtsfolgen zunehmender Fahrzeugautomatisierung, Wirtschaftsverlag NW, Berichte der Bundesanstalt für Straßenwesen F83, 2012). New technologies such as advanced object detection and artificial intelligence (AI) that use machine or deep-learning algorithms will support meeting all the maneuvering challenges involved in different degrees of automation (Society of Automotive Engineers - SAE international, Levels of driving automation for on road vehicles, Warrendale, PA., 2014; National Highway Traffic Safety Administration – NHTSA, Preliminary statement of policy concerning automated vehicles, Washington, DC, 2018). For automated series production, these vehicles of course must be safe in real-world traffic under all weather conditions. Therefore, system validation, ethical aspects and testing of automated vehicle functions are fundamental basics for successfully developing, market launching, ethical and social acceptance.

Method

In order to test and validate critical poor visibility detection challenges of automated vehicles with reasonable expenditure, a first area-wide analysis has been conducted. Because poor visibility restricts human perception similar corresponding to machine perception it was based on a text analysis of 1.28 million area-wide police accident reports – followed by an in-depth case-by-case analysis of 374 identified cases concerning bad weather conditions (see chap. 1.3). For this purpose the first time ever a nationwide analysis included all police reports in the whole area within the state of Saxony from the year 2004 until 2014.

Results

Within this large database, 374 accidents were found due to perception limitations – caused by “rain”, “fog”, “snow”, “glare”/“blinding” and “visual obstruction” – for the detailed case-by-case investigation. All those challenging traffic scenarios are relevant for automated driving. They will form a key aspect for safe development, validation and testing of machine perception within automated driving functions.

Conclusions

This first area-wide analysis does not only rely on samples as in previous in-depth analyses. It provides relevant real-world traffic scenarios for testing of automated vehicles. For the first time this analysis is carried out knowing the place, time and context of each accident over the total investigated area of an entire federal state. Thus, the accidents that have been analyzed include all kinds of representative situations that can occur on motorways, highways, main roads, side streets or urban traffic. The scenarios can be extrapolated to include similar road networks worldwide. These results additionally will be taken into account for developing standards regarding early simulations as well as for the subsequent real-life testing. In the future, vehicle operation data and traffic simulations could be included as well. Based on these relevant real-world accidents culled from the federal accident database for Saxony, the authors recommend further development of internationally valid guidelines based on ethical, legal requirements and social acceptance.

Automated research vehicles increasingly show higher levels of automation than present series-production vehicles [1, 2]. Even when using highly automated functions requires reliable reactions of the technology, because the driver only temporarily has to control the vehicle having a safe and collision-free journey [3, 4].

The safety significance to develop a safe system for real-world traffic that reacts safely under all weather conditions is evidently based on the first fatal crash that occurred in Florida 2016 on May 7 while driving with a vehicle in the so-called “Auto pilot” mode. According to the accident report, the driver of a passenger car died in a collision with a tractor trailer:

“Vehicle 01 (V01) was travelling westbound on US-27… proceeded to make a left turn … V02’s roof struck the underside of V01’s trailer … Driver 02 … was pronounced deceased …” [5].

Tesla Motors, the manufacturer of the car, subsequently acknowledged that the car was in “Autopilot” mode. The system failed to recognize a white object (the trailer) against a brightly lit sky (limited visibility), and therefore did not activate emergency braking. Meanwhile the driver was watching a movie when the accident occurred.

A second accident involving a vehicle which reacted inappropriately in automated mode happened on March 18, 2018 in Tempe, Arizona. A 49-year-old pedestrian, who was crossing the street pushing a bicycle, died after she was hit by an automated Uber vehicle. She was crossing the road outside a pedestrian crossing. According to the police, the vehicle was driving in automated mode. A safety driver was sitting behind the wheel. The pedestrian had stepped out of a shadow (limited visibility) on the roadway while the safety driver was watching a video, stated Tempe Police Departement. The National Highway Traffic Safety Administration (NHTSA) also investigated this fatal crash [3]. One assumption is that the sensors on the self-driving Uber car may have indeed detected objects, but evidently the interpretation software decided that no reaction was required (incorrect interpretation). Current software algorithms in the robot car must evaluate “false positive” objects on the road surface – such as plastic bags floating across the road – as harmless to prevent unintended emergency braking. In this case plastic bags hung on the handlebars of the pushed bike. Many years of main author professional experience in consulting automotive development processes show that the minimization of these exemplary above mentioned risks must be considered primarily [4]. Software algorithms must be developed on the basis of ethical and legal aspects. Safety-increasing measures ensure functional safety aspects of electrical and electronic functions. Automobile manufacturers must also take into account limitations how machines perceive, process and react adequately to their surroundings so that automated vehicles will conduct a conflict and collision-free journey [6]. In addition extended concepts for human machine interaction of highly automated functions are arising at takeover situations [7]. This will ensure continuous automation of all driving tasks to maintain vehicle control [4, 8]. Vehicles supported by partially or fully automated systems must – at the very minimum – fulfil the driving abilities of an alert vehicle driver, before considering series development. The measures necessary for ensuring a correspondingly high functional reliability extend from the development stage to the entire life cycle of automated vehicles, and especially its electronic components.

Vehicle manufacturers or suppliers perform various methods of risk management to increase automated vehicle reliability [9]. Amongst other measures (see Fig. 1) risk management takes real world scenarios based on accident data into account. However, until now mainly random samples of accident investigation have been implemented by different organizations [4, 10].

Feedback from lifecycle of automated vehicles for safe development, validation and ethical testing [4]

Full size image

The current best-known methods for evaluating safety related systems and automated systems are dynamic forward calculations based on real pre-crash scenarios of traffic accidents [11]. These calculations are carried out by using various tools, such as rateEFFECT [12] or PreScan [13]. One of the biggest simulation databases, the VUFO (Traffic Accident Research Institute of TU Dresden GmbH) pre-crash matrix, was first introduced in 2013 and offers a range of about 5000 pre-crash scenarios based on the GIDAS database, which can be used for simulations [4, 14].

Furthermore, other institutions such as the Hannover Medical School, German insurance companies or vehicle manufacturers and some suppliers conduct traffic accidents on their own initiative [4, 15].

Accident databases can be divided into two different kinds: in-depth databases such as GIDAS (Germany), INTACT (Sweden), iGLAD (EU), NASS-CDS (US National Automotive Sampling System - Crashworthiness Data System) or CIREN (US Crash Injury Research and Engineering Network, and second national statistics (e. g. Destatis).

In-depth databases normally contain fewer accidents with many detailed variables (GIDAS in Germany investigates around 2000 accidents per year with up to 3000 variables). Conversely national statistics cover the huge amount of all recorded accidents (e.g. 2.4 million registered accidents in Germany) but only give limited information about these collisions.

In contrast to the two databases above, the scenarios in this publication provide both: a large database and more extensive information from police recording with regard to standardized validation- and testing. For the following analysis 1.28 million area-wide police accident data that was gathered between 2004 and 2014 from the Saxony State Interior Ministry (Sächsisches Ministerium des Inneren - SMI) has been used. The database covers all traffic accidents for the entire road network in Saxony. The Fraunhofer Institute for Transportation and Infrastructure Systems (IVI) provided exclusive access to the corresponding database. The process of this evaluation in cooperation with Fraunhofer IVI is based on 297 standardized accident types (UTYP).

The following questions will be discussed, using the database provided by the SMI:

• Which factors support a safe development, validation and testing under ethical aspects of automated vehicles?

• What is the significance of bad weather conditions, based on a first area-wide analysis of traffic accidents in Saxony, regarding the introduction of automated vehicles?

• Which real world scenarios are relevant for the development, evaluation and testing of automated vehicles?

Developing safe automated vehicles is a central requirement, which also means that the vehicle must make the right choices for its current environment. Safe driver cooperation and take-over interactions [4, 6, 16] have to be analyzed, if necessary [17].

2.1 Recommended feedback from lifecycle of automated vehicles

To fulfill the required safety confirmation, Fig. 1 recommends a working circuit from the development team which can be supported by additional experts, confirmation tests using relevant test scenarios along with monitoring automated vehicles after market introduction up through decommissioning. During the final development steps, the development team must verify that an automated function performs properly as described or otherwise to receive a safe state [4].

Three independent and equivalent ways are recommended to verify the safety confirmation. In the simplest case, a final sign-off can be completed by expert knowledge of the automated vehicle development team itself. Another confirmation can also be obtained through the support of internal or external specialists. The third path to release – which is analyzed in this publication – uses confirmation tests based on relevant traffic scenarios. These actual real world traffic scenarios are combined with weather data (see Chapter 1.3), vehicle operation data, or other verifiable samples from regular observing vehicle operation and service up to a final scrapping [4].

This paper provides selected traffic scenarios to configure and perform confirmation tests for example virtual-, trial area- or field tests on automated vehicles. Starting which chapter 1.3, relevant real-world scenarios with reduced visibility for human and machine perception were considered. The scenarios were analyzed from traffic accident police reports “featuring” difficult weather conditions.

2.2 Requirements for automated driving functions that minimize risk

The selected scenarios from Chapter 1.3 also support meeting requirements for automated vehicles. One minimum requirement that vehicles must meet is compliance with official directives and legal regulations.

Interdisciplinary coordinated development and approval processes are required for safe automated driving functions which permanently have to be adopted for new technologies. Standards and technical specifications with regard to automated or assisted vehicle functions have grown steadily over the years. As a part of the obligation to ensure traffic safety, new requirements for designing automated vehicles will be developed incrementally and previous approaches will be adapted. In particular minimizing risks, hazards or damage can prevent technical failures. Examples of these requirements in the European Union or the United States can be divided in two categories (see Fig. 2): type approval (grey) and duty of care (blue).

Requirements for Type Approval and Duty of Care to minimize risk, hazards and possible damage of automated driving [3, 18, 20]

Full size image

In general, a risk R can be formulated as a mathematical function F which consists of the severity S of an occurring damage as well as the frequency f a hazardous incident happens [4]:

The frequency f is affected by varying factors. A further consideration, C (controllability), describes whether persons and road users are able to react in time, to avoid incurring potential injury or damage. To control the vehicle by a driver is not relevant here in terms of fully automated or driverless vehicles but for other persons could possibly be involved in an accident with this type of vehicle. One factor E (exposure) is how many times or the period of time a person is exposed to a hazard. The product of E x C is the likelihood that a defect will harm an effect in a specific scenario [4].

In addition the failure rate λ describes hardware random failures or systematic faults which can lead to hazardous events [4].

Furthermore, Failures in Time (FIT) of electronic or technical modules must also be analyzed for functional safety as defined in ISO standard 26,262 according to the International Organization for Standardization (ISO). The unit FIT indicates the quantity of devices that malfunction within 10^− 9 h [17].

Thus one FIT corresponds to:

Probability of occurrence f and – where possible – controllability C yield the Automotive Safety Integrity Levels (ASIL). There are four ASIL levels defined: ASIL A, ASIL B, ASIL C and ASIL D, where ASIL A is the lowest and ASIL D is the highest requirement. Either rating of ASIL B or ASIL C with a recommended probability of occurrence lower than 10^− 7 per hour – corresponds to a rate of 100 FIT) [17].

As already mentioned, the highest requirements are for ASIL D (required probability of occurrence is less than 10^− 8 per hour, which corresponds to a rate of 10 FIT).

Apart from normal vehicle operation, ISO 26262 also takes into account service requirements, including decommissioning the vehicle. In this respect, developers have to consider the consequences of aging when selecting components. Control units or sensors have to be sufficiently protected though robust design. Any single failure must not close down any other safety-related functions (International Organization for Standardization, ISO 26262) [17].

2.2.1 Requirements for duty of care

To demonstrate the duty of care ISO several standards from the International Organization for Standardization (ISO) have to be proven as a state of the art requirement [18]. In the past several years, many ISO standards have been enhanced to accommodate new automated vehicle functions, which include: ACC - Adaptive Cruise Control (ISO 15622), APS - Assisted Parking System (ISO 16787), CSWS - Curve Speed Warning System (ISO 11067), ERBA - Extended Range Backing Aid (ISO 22840), FVCWS - Forward Vehicle Collision Warning System (ISO 15623) and FVCMS - Forward Vehicle Collision Mitigation System (ISO 22839) [6].

The ergonomic design of automated systems is also a key issue. Examples for standards based on ergonomic considerations of control systems as well as transport information are: “Calibration tasks for methods which assess driver demand due to the use of in-vehicle systems” (ISO 14198), “Specifications and test procedures for in-vehicle visual presentation” (ISO 15008) or a “simulated lane change test to assess in-vehicle secondary task demand” (ISO 26022). Central requirements for safe development are considered in standards such as the ADAS Code of Practice [19], ISO 26262 functional safety [20] or ISO/AWI PAS 21448 (Approved Work Item - AWI, Public Available Specification - PAS) [21] to support Safety Of The Intended Functionality (SOTIF).

The demands for automated driving can be ergonomically assigned to all three levels of tasks while driving. The focus is on the capabilities of sensor technology and data processing particularly with regard to those functions that relate to the primary driving tasks (Navigation, Maneuvering and Stabilization). Driving in these corresponding driving sections has changed significantly – especially in terms of supporting the maneuvering task – as compared to previous driving habits [22]. The aim is to focus on global technical harmonization of legislation, ethics, standards and tests (see Fig. 3) [17].

Standards for different automation levels (high and full automation = outer oval) illustrated based on driving tasks (ADAS = blue oval) [17]

Full size image

While ISO standards in the EU tend to have more of a minimum requirement character, safety standards set by SAE International in the US and Canada are seen as legally binding. SAE International initially was founded as the “Society of Automotive Engineers” (SAE) and organizes the preparation of technical standards for engineering professionals in various industries. Currently several SAE Standards for several functions, including “Adaptive Cruise Control” (ACC) and “Pedestrian Collision Mitigation System” (PCMS) exist (see Fig. 2).

2.2.2 Requirements for type approval

To bring an automated vehicle with all its modules to international market, it is essential to comply with the requirements of specific type approval regulations specific to each market.

Harmonized regulations apply to EU member states and other contractual partners. To receive type approval for motor vehicles, especially in terms of braking and steering as set by the “Economic Commission for Europe of the United Nations” (UN/ECE) must be fulfilled. Each country that joined the 1958 Agreement or the 1998 Agreement on Global Technical Regulations (GTRs) is allowed to test and authorize manufacturer designs. The Harmonization of Vehicle Regulations starts with regulation ECE R 1 (Headlights) and continues through ECE R 130 (Lane Departure Warning System LDWS) and ECE R 131 (Emergency Braking Systems AEBS).

ECE regulation number R 13 with uniform provisions concerning the approval for braking comply with automated driving. In contrast, ECE R 79 (Revision 2, Chapter 5) construction provisions with regard to steering equipment already include limitations for “low-speed maneuvering or parking operations”. Part 5.1.6.1 states: “It should be indicated to the driver and the control action should be automatically disabled if the vehicle exceeds 10 km/h by more than 20 per cent or the signals to be evaluated are no longer received.” To enable automated driving, the current limitation to drive slower than 10 km/h is planned to be removed for automatic steering functions [23].

The 1968 Convention on Road Traffic was introduced to improve safety of international road traffic by harmonizing traffic rules among contractors. It stipulates that the driver must keep the vehicle under control at all circumstances. An amendment in 2014 allows automated systems that the driver can turn off or override at any time. A future goal for fully automated vehicles is the modification that will call them to be treated like human drivers [24].

3.1 Approach for analyzing the police traffic accident database

For the general visual demonstration Fig. 4 shows the locations of area-wide police recorded accidents in Saxony from 2010 to 2016. During this period, 1227 road users were killed (black), continuing with 24,451 seriously injured (red), 68.748 slightly injured (yellow) and 685.353 cases with property damage (green).

Area-wide analysis: Police-recorded accidents in Saxony (Source: Christian Erbsmehl Fraunhofer IVI Dresden)

Full size image

To create real-world scenarios for development and testing in this analysis, 1,286,109 traffic accident reports in Saxony were analyzed using a textual analysis that focused on such phrases as “difficult weather conditions”. In a second step, 374 of these accidents that include such terms as “fog”, “glare”/“blinding”, “rain”, “snow” and “visual obstruction” were analyzed in detail using an in-depth, case-by-case analysis.

New police reports are constantly being added to the database because the police must prepare a road accident report for each traffic accident. The legal basis for the database in Germany is the Road Accident Statistics Act (StVUnfStatG). With the entry into force of these guidelines, the police basically record every traffic accident to which they are called or of which they otherwise become aware. A road accident investigation and an accident report must be carried out if, according to the findings of the police, it is a traffic accident with personal injury or also property damage. Furthermore, traffic accidents must always be geocoded. This made it possible to investigate all traffic accidents which occurred in Saxony between 2004 and 2014 in the analysis below. The official statistics collect more than 100,000 accidents in Saxony annually.

If a traffic accident happens and a road accident report is to be made, all evidence and indications relevant to the accident that may be relevant for criminal proceedings or fines must be saved as far as possible for reconstruction. Of particular importance are the type and severity of injuries, the position of injured persons and their ability to drive or deceased persons. In addition, the vehicle’s condition, damage to property, ascertained accident marks, road condition, light and weather conditions and the current traffic regulations must be recorded or secured. Furthermore, it must be checked whether defects in the traffic area or special weather or lighting conditions contributed to the accident.

The contents of the police accident report are divided into: General identification features (date, time, municipality key), accident characteristics; characteristics for each participant involved in the accident, vehicle technical data and characteristics regarding the passengers involved in the accident (see Fig. 5).

Form for a police road accident report

Full size image

Fraunhofer IVI for Transportation and Infrastructure Systems in Dresden obtained the exclusive special permit to use anonymized police accident records for research. Together with Fraunhofer IVI, 1,286,109 electronic traffic accident reports were evaluated using special software. This software is able to quantitatively and qualitatively assess police records for these in-depth accident analyses that focus on accident data related to visibility limitations.

3.2 Machine- and human perception restrictions with relevance for testing

The real-world situation below (Fig. 6) considers the only fatal pedestrian accident which was found in this analysis. This example was used earlier as an example to explain the challenges facing human perception and the limited performance of machine perception under difficult weather conditions. The police accident report describes the circumstances as follows:

Example of a fatal pedestrian accident in Saxony: Challenge of human and machine perception of a pedestrian. Left side: Pedestrian is visible in the light beam and closer than the oncoming vehicle. Right side: Pedestrian is invisible out of the light beam for human perception when distance is greater than oncoming vehicle lights (upper images: driving scene with human perception, center images: overlay human with machine perception. Radar in blue with Lidar in yellow, camera detection in red and green. Lower images: driving scene with machine perception and interpretation)

Full size image

… Pedestrian 01 was walking along State Road S 227. He was on the left side of the road. Approximately 100 m after a confluence into a side street, a collision with the oncoming car 02 occurred. The pedestrian was under the influence of alcohol….

Figure 6 represents the real accident scene before the collision occurred and also shows including a model of available sensor technologies. A vehicle needs sensors to receive information about the surroundings. Vehicle manufacturers commonly use Lidar, Radar, far and near infrared, ultrasonic sensors, and video cameras.

The top image and the image in the middle of Fig. 6 show what humans perceive when faced within limited light- and weather conditions (rain, snow, wet road surface, backlight, icing/contamination of windshield or sensors, spray or splashing water, invisible road markings). In addition, the center and lower image depict restricted machine perception and measuring interpretation. The center image overlaps human- and machine perception. Using all these measurements reveal in this scenario that the left-hand radar detection point (blue) is a reflection from the other lane.

The essential insight of this scenario is that machine perception would have recognized the pedestrian as an object in spite of glare from oncoming vehicles (see illustrations right side – blue radar detection point).

Poor lighting conditions and weather situations challenge humans and machines to properly detect objects/persons in various traffic situations. Therefore a first area-wide accident analysis with support from Daimler Research, the Daimler and Benz Foundation and the Fraunhofer IVI for Transportation and Infrastructure Systems in Dresden was carried out to receive relevant scenarios having regard to limited visibility due to “rain”, “fog”, “snow”, “glare” from sun or headlights and darkness.

3.3 Relevant real-world scenarios for development and testing

This analysis is based on all 1,286,109 police-recorded accidents from Saxony spanning a ten year period starting in 2004. Figure 7 shows the number of these accidents from 2004 to 2015 and their consequences.

Area-wide analysis: based on 1,286,109 police recorded accidents in Saxony between 2004 and 2014

Full size image

The analysis of area-wide traffic accidents that occurred during challenging weather conditions that limited perception for machines and humans results in the following numbers: 374 out of a total 1,286,109 accidents met the above-mentioned criteria after all of the police traffic accident reports that were documented between 2004 and 2014 in Saxony were analyzed.

Figure 8 presents geographically related accident scenes that had limited visibility. It is evident that traffic accidents that occur due to limited visibility frequently occur in urban areas and at frequent traffic locations. Knowing the exact geographical accident site forms the basis for creating relevant proofing ground-, virtual-, and field tests to develop automated functions.

Area-wide locations of accidents that included limited weather conditions and reduced visibility for machines and humans (Data for positions © state-owned geo measurement and information, Saxony 2015)

Full size image

To gain deeper insight into the subject, the authors conducted a case-by-case analysis of all the information given in the police accident reports and came up with the following findings:

3.3.1 Categories of accident causes involving reduced visibility

A total of 374 area-wide traffic accidents with 417 accident causes can be subdivided into seven main categories of difficult weather conditions (see Fig. 9). Among them are 237 collisions (by far the largest number) involving reduced visibility due to fog.

Distribution of 374 accidents in Saxony involving fog, glare, rain and snow

Full size image

In addition, there were 61 cases that involved glare or blinding from the sun, 60 cases involving rainy conditions, 22 cases involving snowfall and eight cases involving blinding from oncoming headlights. Only four cases were primarily connected to visual obstructions.

Another 25 cases are mentioned that involve snow-covered roads, where the surface (lane markings, optical lane boundary) was not visible. It can be assumed that the reduced friction coefficient played a large role in the accident causes. In particular, these limited visibility conditions on the roadway must be taken into account for automated vehicles.

The four accidents provoked by visual obstructions through parked vehicles (pedestrian accident), a garbage can and snow piles are described as follows:

• → … In this position … Mrs. … crossed the lane on foot. In doing so she walked into the driving lane from between parked cars right in front of a passenger car … Because of the rain, she was holding an umbrella in front of her …

• → ... Due to poor visibility (snow piles) and traffic, driver 01 had to move further on in … street …

• → … Driver 01’s view of the access road was blocked by a garbage can …

• → … According to statements by driver 01, the view was blocked by snow piles with regard to 02 …

3.3.2 Injuries caused by accidents with reduced visibility

A total of 749 people were involved in the 374 relevant accidents. The majority of these collisions resulted only in property damage. In total, 598 people remained uninjured. 99 people were slightly injured, 51 were badly injured and one person killed (Fig. 10).

Injuries in 374 accidents involving difficult weather conditions and 749 participants

Full size image

3.3.3 Accident types in connection with reduced visibility

Furthermore the conflict situations were categorized into accident types, such as accident type (UTYP), which describes the initial phase before the damage occurs. The main level distinguishes among seven types of accidents, which can be further subdivided into a second or third level. The main levels are [25]:

• UTYP 1xx: “dynamic” accidents: They were initiated by loss of control of the vehicle (due to inappropriate speed or incorrect estimation of the course of the road, road condition, etc.), without other road users having contributed to it. However, uncontrolled vehicle movements may have caused a collision with other road users.

• UTYP 2xx: accidents during turning

• UTYP 3xx: turning at/crossing intersections

• UTYP 4xx: pedestrian accidents

• UTYP 5xx: stationary traffic

• UTYP 6xx: “longitudinal/parallel” traffic: Accidents caused by a conflict between road users moving in the same or opposite direction, provided that this conflict does not correspond to another type of accident.

• UTYP 7xx: other accidents

As a result, Fig. 11 shows that the majority of 71 accidents are related to several unspecified types of dynamic accidents (UTYP 199). Furthermore 44 right turn collisions (UTYP 102) occurred. Another 26 collisions were related to bends in the roadway (UTYP 139) and 20 accidents were attributed to left-turn collisions (UTYP 101).

Main areas of accident types (UTYP 101–799) with difficult weather conditions

Full size image

In addition, 45 accidents involving collisions with animals (UTYP 751, 752), 26 collisions involving vehicles turning left across oncoming traffic (UTYP 211) and 17 other collisions in two-way traffic situations (UTYP 682, 689) also occurred.

The large percentage of dynamic accidents (UTYP 1: 101–199) at 49% reflects that drivers often lose control over their vehicles under difficult weather conditions (Fig. 12). Among other things, this loss of control is due to the fact that the friction coefficient is reduced in wet and snow-covered roads.

Distribution of accident types (UTYP 1xx-7xx) with difficult weather conditions

Full size image

3.3.4 Evasive maneuvers implemented to avoid accidents

In connection with automated driving, evasive driving maneuvers are often discussed from an ethical point of view. Therefore this case-by-case real world analysis provides the following insights:

The descriptions in this case-by-case analysis discuss five collisions, where the drivers were able to mitigate the severity of an accident via evasive maneuvers. Another 13 drivers (4%) tried to prevent the collision but their evasive maneuvers failed. The major percentage of accidents – 356 of them at 95% – confirms no indications of evasive actions taken (see Fig. 13).

Main areas of accident types involving difficult weather conditions

Full size image

Out of the 374 accidents, some evasive maneuvers are clearly not relevant to avoiding collisions in the following cases: 127 accidents which were caused by lane departure and accidents involving moving objects (43 animal-caused collisions) are challenging to avoid, because it is unknown whether the animal will continue running, stop or reverse its direction.

3.3.5 Examples for minor and no damage to property

Two cases in the data set describe only minor damage to the involved vehicles and no injuries. The translated parts of the police accident reports below show one case with no damage and one with minor scratches:

… 01 parked his car backward in a parking space. Because of his limited view, darkness and rain, he slightly touched the parked car at the back of his car… He (01) could not find any damage on either vehicle ….

… Driver 02 stopped at the parking lot … to let passengers get out of the car. 01 rear-ended 02. The reason for this was that snow on the roof which slips on the windshield when braking. Snow blocked the view and 01 reacted too late … There was no obvious damage to determine on car 01. Minor scratches were visible on passenger car 02 ….

3.4 Integrating relevant test scenarios for safe automated driving functions

Area-wide real-world accident scenarios provide a basis for evaluating functional safety for highly- or fully automated vehicles, [4]. Furthermore takeover situations and interaction from machine to driver challenge new concepts for partial automation, but are not considered here [26].

3.4.1 Integrating requirements in the development process

All the requirements involved in designing automated functions must be integrated into the generic development process. Apart from the development stages for high automation, the process (see Fig. 14) depicts logical steps.

Generic development-steps within a V-Model supported by real-world scenarios [17]

Full size image

During many years of consulting on development processes at vehicle manufacturers the main author of this paper often discovered that perfectionism or miscommunication among the experts and team members causes delay or disruption. In the chapter, “The Future of Teamwork” the book, “The Power of Being” points out that perfectionism or miscommunication may well be about different energetic competencies. The book’s author suggests that humans are normally truly efficient in only one of three phases. Either we are good starters, executors or terminators (finishers) [27]. This means that if an employee would for example be an efficient executor, he is likely to spend a disproportionate time and effort in the final validation or sign-off phase. The conclusion is that it pays to look beyond the purely technical competencies when putting together efficient teams. An ideal team within all stages of the development process should not only contain good starters and executors, but also excellent finishers, in order to progress more efficiently.

Figure 14 shows the generic development process as a V-Model with elements of functional safety including support from real-world scenarios. Findings from real-world scenarios support the entire development process, particularly with regard to requirements and the functional description in the definition phase. They provide important information about the conditions that the sensor system and system configuration are confronted with during vehicle operation. For example, depending on the sensor technology, a sensor heater is required to prevent the sensors from freezing over. According to the real-world scenarios, a safe shutdown strategy with appropriate warnings must be designed that takes the operating conditions into account. Based on these findings, the development for automated vehicle functions as a V-Model focuses on the efficient exchange of expert knowledge and the safety process, which are depicted in the diagram [17].

3.4.2 Test scenarios and requirements in relation to legal and ethical aspects

The analyzed test scenarios and requirements also provide information about “allowed” risks and risks accepted by society. Unforeseeable responses that can possibly cause injuries or fatalities must be expected when using vehicles with automated functions.

Because of increasing complexity, highly or fully automated vehicles currently involve risks. New liability topics and acceptance issues have to be discussed. Whereas over 1.2 million traffic fatalities, i.e. the ones we have been discussing that occurred in Saxony, seem to be accepted by society in general, there seems to be no tolerance for a single fatal accident due to technical failures. Several product liability cases and recall actions back up this social expectation [17]. On the other hand, automated driving promises several safety benefits [4].

So far, many questions such as the following have to be answered:

• Is the automated function safe enough?

• Is the duty of care fulfilled?

• What will change legally if a machine drives instead of a driver?

Test scenarios and design requirements will support a safe development and support fulfillment for duty of care. However, in general, creation of risks results in duty of care requirements but not every generation of hazards is forbidden. This occurs if automated functions cause significant social benefits. Risks have to be reduced to a minimal level. Which risks the user reasonably will expect has to be negotiated by society. Levels of acceptable risks will be discussed by the media, society, during development of standards and at court. The question which risks a society is willing to accept should be differentiated from the question how critical traffic scenarios have to be assessed during development. It should be assumed that the developers and programmers are not liable to prosecution for negligence if they act within the permitted risk.

The discussion about dilemma situations regarding a decision on the life or death of other road users depending on an evasive maneuver is not due until the machine perception or prediction can reliably distinguish between an old man and a young lady or if cyclists wear a helmet. The aim is to reduce risks. To shift risks on to someone or something is prohibited.

The vehicle of the future will no longer be an isolated means of transport, but rather will be an integral part of an integrated transport system in a connected-mobility world. Developing automated, autonomous and especially self-driving vehicles that drive reliably and safely under all conditions, is seen as an important component of predicted disruptive changes in the automotive industry.

In particular, development engineers working on perception and interpretation of complex traffic situations that involve difficult weather conditions are faced with considerable technical challenges rooted in ethics, legal requirements and social acceptance. Therefore, the provided scenarios include representative situations that can be transferred to similar road networks worldwide. These scenarios will be taken into account in during standards, development for early simulations as well as for subsequent real-world testing.

The 374 real-world scenarios considered that involved bad weather conditions were culled from the 1,286,109 police-recorded accidents that occurred in the state of Saxony over a ten-year period starting in 2004. A distribution of accident types under these circumstances shows that the driver lost control of the vehicle in 49% of the collisions. In particular left- and right-turn maneuvers or curves in roadways have to be considered as contributing factors (see Fig. 11).

Finally, the case-by-case analysis indicates only five collisions, where the drivers were able to mitigate the impact of an accident by implementing evasive maneuvers. Only 177 cases deemed relevant to prevent or mitigate collisions by evasive maneuvers. For a deeper understanding additional measurements and traffic simulations of the well-known accident locations must be analyzed, which were not considered in this paper.

In summary, the following issues will need to be tested:

• The importance of testing higher automation levels in relevant scenarios will increase because traffic participants will to a certain extent be less and less responsible for the controllability of the vehicle.

• Area-wide accident analyses covering all reported accidents will provide important information.

• Further findings should combine area-wide accident data, virtual traffic simulations, weather data and digital geographic maps.

The information covering the examined area-wide accident data in this analysis is limited to the degree of documentation depth in the respective police reports. A combination of traffic flow and detailed weather data for each single known event enables more precise information to be gathered in terms of general conditions related to the cause of each accident.

Furthermore, apart from actual accidents critical incidents involving successful evasive maneuvers must also be analyzed based on road-, traffic conditions and NDS data. It is recommended that geographic digital data from maps such as Tom-Tom, Google-Maps, OpenStreetMap or HERE be comprehensively linked with area wide accident collision and traffic-flow data that is based on mobile devices, vehicles or road traffic information. In the future, vehicle operation data and traffic simulations could be included as well.

Based on these relevant real-world scenarios the authors recommend further development of internationally valid guidelines such as ISO 26262 “functional safety”, the ADAS Code of Practice or ISO PAS 21448 to support the safety of the intended functionality (SOTIF). Additional virtual simulation techniques, driving simulations in virtual surroundings and Deep Learning methods to train automated systems will be included in final tests [28, 29].

In general, it is recommended to identify worldwide networks, collaborate with affected partners, engage government representatives, local non-governmental organizations (NGOs) such as European Association for Injury Prevention and Safety Promotion (EuroSafe, http://www.eurosafe.eu.com), European Automobile Manufacturers Association (ACEA, http://www.acea.be), European Commission – Road Safety, European Traffic Police Network (TISPOL, https://www.tispol.org), European Transport Safety Council (ETSC, https://etsc.eu), Fédération Internationale de l’Automobile (FIA, https://www.fia.com), National Highway Traffic Safety Administration (NHTSA, https://www.nhtsa.gov), National Safety Council (NSC, https://www.nsc.org), Network of Employers for Traffic Safety (NETS, http://trafficsafety.org), United Nations Road Safety Collaboration (WHO, http://www.who.int/roadsafety), US Department of Labor – Occupational Safety and Health Administration (OSHA, https://www.osha.gov) or the US Department of Transportation (DOT, https://www.transportation.gov). These organizations promote, spread and deal with road safety awareness. Many governments and authorities encourage the deployment of new technologies with the potential to save lives [30]. They work with industry, governmental partners, and other stakeholders to develop new technologies and accelerate their adoption in type approval regulations and standards [31].

Thanks to the Daimler Research, Daimler and Benz Foundation as well as Fraunhofer Institute for Transportation and Infrastructure Systems (IVI) for funding and supporting this research.

Authors and Affiliations

1. Technical University Munich, Boltzmannstraße 15, 85747, Garching, Germany

   Thomas Winkle & Klaus Bengler

2. Fraunhofer Institute for Transportation and Infrastructure Systems, Dresden, Germany

   Christian Erbsmehl

Contributions

TW was the main initiator and author. His experience as an employee in accident research, legal affairs, product liability expert assessment, development and risk management of safety relevant systems at Volkswagen, Audi and Daimler Research supported the methodology of this analysis. The background of this analysis is based on TW's participation for process-safe development and series introduction of new radar- and camera-based safety relevant systems with emergency brake functions and steering interventions (pre sense 360, adaptive cruise control, active lane assist on the way to piloted or autonomous driving). TW's further influence came from many research projects, such as the Audi project management in the EU project "RESPONSE", "AKTIV" (Adaptive, cooperative technologies for intelligent transport), "sim-TD" (safe intelligent mobility - test field Germany), "Villa Ladenburg - autonomous driving" of the Daimler and Benz Foundation and Daimler Research along with the German In-Depth Accident Study (GIDAS). CE contributed with its seven years of experience as an employee of traffic accident research at the TU Dresden GmbH (VUFO). As current group leader of vehicle and traffic safety at the Fraunhofer Institute for Transport and Infrastructure Systems IVI, CE provided access to all police traffic accident reports from Dresden and analyzed these digital data together with TW for this topic. CE – in agreement with the head of Fraunhofer IVI, Prof. Matthias Klingner – assisted with new test corridors for automated driving in Dresden. KB has been a regular supervisor for TW as Professor at the Chair of Ergonomics in Mechanical Engineering within the Technical University of Munich. KB supported with his experience as an employee of BMW in the projects PROMETHEUS and MOTIV. KB contributed as head of the German Technical Standards Committee for the Automotive Industry (FAKRA) AK-10, the membership in the ISO TC22 SC13 WG8 "Road vehicles - Ergonomic aspects of transport information and control systems" and in the VDI working group "Human reliability". KB's additional input was based on his membership of the Round Table on Automated Driving of the Federal Ministry of Transport, Innovation and Technology (BMVI) and the heading of the Human in Transport project column of the research initiative URBAN. All authors read and approved the final manuscript.

Corresponding author

Correspondence to Thomas Winkle.

Competing interests

The authors declare that they have no competing interests.

Publisher’s Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Open Access This article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.

Reprints and Permissions