# Product Development within Artificial Intelligence, Ethics and Legal Risk

Exemplary for Safe Autonomous Vehicles

Product Development within Artificial Intelligence, Ethics and Legal Risk

Image source: Limbach/Shutterstock, Artificial Intelligence, Corporate Social Responsibility, Global Sustainability, Communication, Inner Development, Ethics, Law and Legal Risk

Thomas Winkle

# Product Development within Artificial Intelligence, Ethics and Legal Risk

Exemplary for Safe Autonomous Vehicles

Prof. Dr.-Ing. Thomas Winkle MBA Communication & Leadership IU International University Munich, Germany

This book is a revised version based on research and teaching activities at IU International University as well as TUM Technical University of Munich at the Chair of Ergonomics.

ISBN 978-3-658-34292-0 ISBN 978-3-658-34293-7 (eBook) https://doi.org/10.1007/978-3-658-34293-7

© The Editor(s) (if applicable) and The Author(s) 2022. This book is an open access publication. **Open Access** This book is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this book are included in the book's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the book's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use.

The publisher, the authors and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors give a warranty, expressed or implied, with respect to the material contained herein or for any errors or omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Responsible Editor: Stefanie Eggert

This Springer Vieweg imprint is published by the registered company Springer Fachmedien Wiesbaden GmbH part of Springer Nature.

The registered company address is: Abraham-Lincoln-Str. 46, 65189 Wiesbaden, Germany

## **Foreword**

Like any scientific project, the present book owes its form to a large number of suggestions and discussions by and with the scientific community. Thanks go first to Prof. Dr. phil. Klaus Bengler (TU Munich, Mechanical Engineering, Chair of Ergonomics), Prof. Dr. jur. Dr. phil. Eric Hilgendorf (Julius-Maximilian-University Würzburg, Robotics Law Research Centre, Chair of Criminal Law, Criminal Justice, Legal Theory, Information and Computer Science Law) and Prof. Dr. Holger Sommerfeldt (Management and Organization, Rector of IU International University).

New technological changes through Artificial Intelligence are changing our entire world including flexible team work as well as product management within the dilemma of innovation, ethics, legal risks and international conflicts. Every one of us and everything will be intelligently networked. The age of machines with their own consciousness is beginning. Under these conditions, Intelligent AI systems will penetrate all areas of this world, giving rise to a completely new understanding of relationships between humans and machines. These new types of interactions from digital and intelligent agents to humans and machines is the beginning of the age of hybrid intelligence. Artificial Intelligence is already changing the way organizations operate and how sustainable management decisions are made. Consulting Experience of the author in team development increasingly confronts with new hybrid or home working models that change teamwork through digitalization and Artificial Intelligence. Teamwork will increasingly become networked, virtual and collaborative with robotic support using various management approaches. The focus will be centred on intrinsic key human skills, such as solving complex problems or creativity. Furthermore critical thinking, sustainable communication, corporate social responsibility, empathy, mindfulness and curiosity will be more important than ever before (see Annex B: Detailed questions). Managing and shaping this dimension of the digital transformation for a successfully interacting team of diverse personalities as well as disciplines requires sustainable, "turbulence-stable" design principles. Other personal team and leadership skills include knowledge, alertness, agility, trust, decision-making confidence and inner presence. Ultimately, trained mindfulness is required through effective communication between stable attention and perceptive, focused peripheral awareness. This effective communication enables leadership and team members to respond meaningfully to environmental conditions. Enhanced mindfulness, for example, through Mindfulness Based Stress Reduction MBSR, enables effective differentiation between conflicting information in order to extract the essential. As a result, such technological changes also create new opportunities for successful interdisciplinary teamwork within sustainable product development between Artificial Intelligence, ethics and the associated liability risks. Stephen William Hawking former professor of applied mathematics and theoretical physics at the University of Cambridge already pointed out the risks: "Success in creating Artificial Intelligence would be the biggest event in human history. Unfortunately, it might also be the last, unless we learn how to avoid the risks".

Regarding Corporate Social Responsibility and Sustainability, the author refers in Annex B to the United Nations Sustainable Development Goals (SDG) to act for sustainable development on our planet. These topics contain: no poverty, zero hunger, health and well-beeing, quality education, clean water, affordable clean energie, decent work and economic groth, industry innovation and infrastructure, sustainable cities and communities, responsible consumption and production, climate action, peace, justice and strong institutions.

In addition, the author references a nonprofit initiative called the Inner Development Goals (IDG) to accelerate realization of these UN Goals with priorities on:


This dilemma of a sustainable management between Artificial Intelligence, ethics and legal risk is examined in this book using the example of the development of safe Autonomous or Automated Vehicles.

> *Recognize your challenges. Go beyond previous limitations and abilities. Discover where courage and passion can take you.*

*(Erkenne Deine Herausforderungen. Wage Dich über bisherige Grenzen und Fähigkeiten hinaus. Erlebe wohin Dich Mut und Hingabe bringen können.)*

> *Through mindful conscious leadership, everyone can contribute with expertise and dedication to a great team result.*

*(Durch achtsame bewusste Führung kann jeder mit Kompetenz und Herzblut zu einem großartigen Teamergebnis beitragen.)*

Munich April 2022 Prof. Dr.-Ing. MBA Thomas Winkle

## **Acknowledgments**

Prof. Dr. Klaus Bengler: You provided the opportunity to research intensively and teach. Thank you for supporting me with regular expert discussions and inspirations being based on your many years of experience. Prof. Dr. Dr. Eric Hilgendorf: In the past ten years you have supported my research with your professional expert knowledge at conferences and the German Council on Jurisdiction in Traffic during my work at VW, Audi, the Daimler and Benz Foundation "Villa Ladenburg – Autonomous driving" project as well as Mercedes-Benz Research. Thank you very much for your expert support as the owner of the Robotics Law Research Centre, Professorship of Criminal Law, Criminal Justice, Legal Theory, Information and Computer Science Law as well as a member of the European Commission High-Level Expert Group on Artificial Intelligence.

In particular, I would also like to express my gratitude to Prof. Dr. Holger Sommerfeldt and his team at IU International University for the opportunity to conduct application-oriented research while also providing innovative teaching and learning formats within Agile Leadership, Agile Project Management, Design Thinking, Sustainable Communication and Technology Ethics. I would like to thank Mercedes-Benz Group Research with Prof. Dr. Thomas Weber who enabled the project "Villa Ladenburg – Autonomous Driving" along with Dr. Dieter Zetsche and Prof. Dr. Rainer Dietrich within the Daimler and Benz Foundation.

Many thanks also for the professional exchange with the scientific advisory board consisting of the employees of Daimler AG: Dr. Claus Ehlers (vehicle concepts, future trends), Prof. Dr. Ralf Guido Herrtwich (head of vehicle automation, chassis systems), Christoph von Hugo (head of active safety), Dr. Peter Schramm (Senior manager regulatory affairs) and Dr. Eberhard Zeeb (autonomous driving functions) as well as external members: Prof. Dr. Andre Seeck (director, head of department automotive engineering at BASt, president of Euro-NCAP) and Matthias Wissmann (president of VDA).

Within the core team of the project "Villa Ladenburg – Autonomous Driving", Prof. Dr. Markus Maurer (TU Braunschweig), Prof. Dr. Chris Gerdes (Stanford University), Prof. Dr. Barbara Lenz (DLR traffic research, HU-Berlin) and Prof. Dr. Winner (TU Darmstadt) have expanded my horizon by many stimulating specialist discussions and supported me through their feedback.

I thank you for the exchange at "Villa Ladenburg – Autonomous Driving" workshops:


Thank you for the possibility of several research stays at Stanford University, the participation in specialist conferences in the US as well as scientific exchange.

To my Ph.D. students' colleagues at the TU Munich: thank you for the technical and organizational advice within the research in Cooperative Systems, Automation and Artificial Intelligence with Deep Neural Networks. Many thanks for the exchange with students during my lecture "Driver Assistance Systems in Automotive Vehicles" at the Technical University of Munich, "Ethics and Law" at THI Ingolstadt as well as "Agile Project Management", "Sustainable Communication" and "Design Thinking" at IU International University.

Many thanks for more than 3 years of experience in accident research at the Volkswagen Group with Prof. Dr. Robert Zobel and colleagues. I particularly want to thank Head of Audi Product Analysis Eckart Donner for 11 years of professional experience at Audi Accident Research (AARU), Product Defense and Prevention within the Audi Legal Service located in the Technical Development. Finally, I also thank the former Head of Audi Driver Assistance Systems Prof. Dr. Markus Maurer and Dr. Karl-Heinz Siedersberger at the Audi Project House for the professional dialogue during my consulting work in the development of automated driving functions with several Artificial Intelligence methods. Many thanks to Lea Winkle, Stefan Probsteder (Business Data Processing expert) and Rolf Berker (Facilitation and Mediation) for the regular exchange of thoughts.

I want to thank these persons and others who have not been referred by name.

## **Danksagungen**

Prof. Dr. Klaus Bengler: Sie haben mir die Möglichkeit geschaffen, im Rahmen einer Dissertation intensiv zu forschen und zu lehren. Vielen Dank, dass Sie mich mit regelmäßigen Fachgesprächen und Anregungen auf der Basis Ihrer langjährigen Erfahrung begleitet haben. Prof. Dr. Dr. Eric Hilgendorf: Sie haben mich in den vergangenen zehn Jahren mit Ihrem Expertenwissen auf Konferenzen und beim Deutschen Verkehrsgerichtstag während meiner Tätigkeit bei VW, Audi, dem Projekt "Villa Ladenburg – Autonomes Fahren" der Daimler- und Benz-Stiftung sowie der Mercedes-Benz Forschung begleitet. Vielen Dank für Ihre fachliche Unterstützung als Leiter des Forschungszentrums für Robotikrecht, Leiter des Lehrstuhls für Strafrecht, Strafjustiz, Rechtstheorie, Informations- und Informatikrecht sowie als Mitglied der hochrangigen Expertengruppe der Europäischen Kommission für Künstliche Intelligenz "European Commission High-Level Expert Group on Artificial Intelligence".

Ich danke vor allem Prof. Dr. Holger Sommerfeldt und seinem Team für die Möglichkeit, an der IU Internationale Hochschule anwendungsorientiert zu forschen, sowie innovative Lehr- und Lernformate innerhalb von Leadership, Agilem Management, Design Thinking, Nachhaltiger Kommunikation und Technikethik für alle Lernwilligen anbieten zu können, die sich weiterentwickeln wollen.

Ein besonderer Dank gilt auch der Daimler Konzernforschung mit Prof. Dr. Thomas Weber, der über die Daimler und Benz Stiftung zusammen mit Dr. Dieter Zetsche sowie Prof. Dr. Rainer Dietrich das Projekt "Villa Ladenburg – Autonomes Fahren" ermöglicht hatte. Ebenfalls ein Dankeschön für den Austausch mit dem wissenschaftlichen Beirat bestehend aus den Mitarbeitern der Daimler AG: Dr. Claus Ehlers (Fahrzeugkonzepte, Zukunftstrends), Prof. Dr. Ralf Guido Herrtwich (Leiter Fahrzeugautomatisierung, Fahrwerksysteme), Christoph von Hugo (Leiter aktive Sicherheit), Dr. Peter Schramm (Leiter Zertifizierung, regulatives Umfeld) und Dr. Eberhard Zeeb (autonome Fahrfunktionen) sowie den externen Mitgliedern: Prof. Andre Seeck (Direktor Abteilung Fahrzeugtechnik BASt, Präsident Euro-NCAP) und Matthias Wissmann (Präsident VDA).

Im Kernteam des Projektes "Villa Ladenburg – Autonomes Fahren" haben Prof. Dr. Markus Maurer (TU Braunschweig), Prof. Dr. Chris Gerdes (Stanford University), Prof. Dr. Barbara Lenz (DLR, Humboldt-Universität zu Berlin) und Prof. Dr. Winner (TU Darmstadt) meinen Horizont durch zahlreiche anregende Fachdiskussionen erweitert und mich durch ihre Rückmeldungen unterstützt.

Ich danke für den Austausch bei "Villa Ladenburg – Autonomes Fahren" Workshops:


Danke für die Möglichkeit mehrerer Forschungsaufenthalte an der Stanford University, Fachkonferenzen in den USA sowie den wissenschaftlichen Austausch. Meine Doktoranden Kollegen der TU München im Maschinenwesen am Lehrstuhl für Ergonomie. Herzlichen Dank für die fachlichen und organisatorischen Hinweise innerhalb der Forschungsgruppen Kooperative Systeme, Automation und Künstliche Intelligenz mit lernenden Neuronalen Netzen. Vielen Dank für den Austausch mit Studierenden zu Controllability Aspekten von Mensch-Maschine-Interaktionen in meiner Vorlesung "Fahrerassistenzsysteme im Kraftfahrzeug" an der TU München, "Ethik und Recht" an der TH Ingolstadt sowie "Agiles Projektmanagement", "Nachhaltige Kommunikation" und "Design Thinking" an der IU Internationale Hochschule.

Vielen Dank für mehr als 3 Jahre Erfahrung in der Unfallforschung des Volkswagen Konzerns bei Prof. Dr. Robert Zobel und den Kollegen. Mein besonderer Dank gilt dem Leiter der Audi Produktanalyse Eckart Donner für 11 Jahre Berufserfahrung in der Audi Unfallforschung (AARU), Produktverteidigung und -prävention im Audi Rechtsservice innerhalb der Technischen Entwicklung. Schließlich danke ich auch dem ehemaligen Leiter Audi Fahrerassistenzsysteme Prof. Dr. Markus Maurer und Dr. Karl-Heinz Siedersberger im Audi Projekthaus für den fachlichen Austausch während meiner beratenden Tätigkeit bei der Entwicklung und Freigabe automatisierter Fahrfunktionen mit diversen Methoden der Künstlichen Intelligenz. Herzlichen Dank an Lea Winkle, Stefan Probsteder (Wirtschaftsinformatik) und Dipl. Psych. Rolf Berker (Moderation und Mediation) für den regelmäßigen Gedankenaustausch.

Diesen und weiteren, nicht namentlich genannten Personen danke ich vielmals.

## **Abstract**

New working models are transforming how teams in organizations collaborate using digitization and Artificial Intelligence. Managers and employees are confronted with new ethical dilemmas, legal risks, as well as international conflicts. Growing consumer expectations under flexible virtual networked working conditions, an aspired way of working according to concepts of New Work and international conflicts accompanied by Artificial Intelligence lead to high requirements of a sustainable leadership culture and leadership strategies for product development for safe products. Manufacturers must develop as safely as possible according to the state of the art in science and technology, weighing up risks, technical suitability and ethical economic feasibility. Otherwise they can be held responsible for damage caused by the technical system. In this research, the author develops innovative ways to meet this high safety standard in collaboration with interacting experts as part of interdisciplinary development teams (see Fig. 4.13, Fig. 4.14 and Fig. A.19).

Initially, Chapter 2 uses an exemplifying meta-analysis of previous traffic accident data, which have so far only been researched selectively, to document the possibilities and limitations of assessing the safety potential of vehicle systems. The analysis takes into account different levels of automation: both a posteriori as well as a priori.

Following these findings, Chapter 3 documents the first in-depth analysis of 1.28 million accidents covering the entire area of one German state, including 374 crashes with restricted visibility due to weather and light conditions. The comparison between machine and human perception related to accident causes shows the need to include such scenarios in the development and validation for safe automated vehicles.

Chapter 4 describes the growing consumer expectations and the positive development of vehicle safety in recent decades. From the initial idea to development and sign-off, the book presents examples of common standards including tools and method descriptions. Furthermore, there follows a development guide with a checklist for sustainable management and self-reflective work teams with 303 questions on the requirements that contribute to the duty of care in the development of automated vehicles and fulfill the highest court rulings on product liability.

Finally, in Chapter 5, qualitative interviews with engineers, executives and a psychologist from the development departments of automobile manufacturers show perceived risks and wishes for the future. This results in in-depth insights about previous ways of working, the state of knowledge, attitudes, expectations and challenges. The resulting checklist in Annex B supports a structured guideline-based team process with expert feedback loops and criteria for own self-reflection. Elaborated questions promote sustainability and inner development as well as sustainable quality in interdisciplinary teams for customer-oriented usability in terms of safety in use and functional safety.

This book demonstrates that sustainable management, area-wide data, structured guidelines for complete processing within interdisciplinary networking teams and continuous exchange of experts make an essential contribution to successful interdisciplinary teamwork for a sustainable development in the dilemma between innovation and consumer protection.

New innovative developments in the field of Artificial Intelligence should not cause external control using Artificial Intelligence. Expected is a controllable interaction between humans and increasingly intelligent machines.

Mindful corporate and employee management, within new working conditions (such as New Work, Remote Work or Hybrid Work) including Artificial Intelligence is associated with a sustainable orientation for new developments. A sustainable orientation includes the knowledge of the existing objective facts, such as statistical data evaluations. Furthermore, the possibilities and risks including the effects of Artificial Intelligence, as well as the ethical and legal implications have to be included. According to this, political, economic and social decisions must be aligned in an equally sustainable manner. Artificial Intelligence can support managers in linking knowledge and designing complex functions, such as Automated Driving. Furthermore, area-wide information on proven safety methods, production and sign-off processes right through to marketing and product monitoring provide support.

Finally, management must ensure that new innovative product ideas are implemented within interdisciplinary coordinated teams in the sustainable intention of humane use.

For a successful implementation in the responsible teams, a summarized checklist in Annex B suggests appropriate knowledge, tools as well as methods to deepen self-reflection in the context of human-centered skills.

Christopher Columbus (1451–1506) Explorer and navigator

*"Reliable information is essential for the success of a business."*

Henry Ford (1863–1947) US-American groundbreaking entrepreneur, business magnate, founder and developer of the Ford Motor Company

*"Coming together is a beginning, keeping together is progress, working together is success."*

Mother Mary Teresa Bojaxhiu (1910–1997) Albanian-Indian nun and missionary, Nobel Peace Prize 1979

*"… we can do small things with great love and together we can do something wonderful."*

## **Zusammenfassung**

Neue Arbeitsmodelle transformieren die Zusammenarbeit von Teams in Organisationen mit der Unterstützung von Digitalisierung und Künstlicher Intelligenz. Führungskräfte und Mitarbeiter stehen vor neuen ethischen Dilemmata sowie rechtlichen Risiken. Gestiegene Verbrauchererwartungen unter neuen virtuell vernetzten Arbeitsbedingungen, einer angestrebten Arbeitsweise nach Konzepten von New Work und internationalen Konflikten einhergehend mit künstlicher Intelligenz führen zu hohen Anforderungen an eine nachhaltige Führungskultur und Führungsstrategien zur Produktentwicklung für sichere Produkte. Die Hersteller müssen nach Stand von Wissenschaft und Technik unter Abwägung der Risiken, technischer Eignung, wirtschaftlicher und ethischer Zumutbarkeit so sicher wie möglich entwickeln. Andernfalls können sie für Schäden, die das technische System hervorgerufen hat, verantwortlich gemacht werden. In dieser vorliegenden Arbeit entwickelt der Autor innovative Wege, diesen hohen Sicherheitsanspruch fachübergreifend mit Experten interdisziplinärer Entwicklungsteams zu erfüllen (siehe Abb. 4.13, Abb. 4.14 und Abb. A.19).

Zunächst dokumentiert Kapitel 2 mittels einer Metaanalyse am Beispiel bisher nur punktuell erforschter Verkehrsunfalldaten die Möglichkeiten und Grenzen, Sicherheitspotenziale von Fahrzeugsystemen zu beurteilen. Dabei berücksichtigt die Betrachtung verschiedene Automatisierungsgrade: Sowohl a posteriori als auch a priori. Durch eine derartige beispielhafte Analyse erhalten Führungskräfte eine objektive Datengrundlage für nachhaltige Unternehmensentscheidungen.

Darauf aufbauend dokumentiert Kapitel 3 beispielhaft die erste flächendeckende vertiefte Auswertung aus 1,28 Millionen Verkehrsunfällen, darunter 374 bei wetter- und lichtbedingten Sichteinschränkungen. Der Vergleich zwischen maschineller und menschlicher Wahrnehmung als Unfallursache zeigt die Notwendigkeit, solche Szenarien bei der Entwicklung und Validierung sicherer automatisierter Fahrzeuge einzubeziehen. Derartige detaillierte Erkenntnisse unterstützen Führungskräfte und Mitarbeiter dabei, die geplanten Produktentwicklungen mit maschineller Intelligenz so zu gestalten, dass die komplexe Steuerung der Entwicklungsprozesse bei den verantwortlichen Personen bleibt.

Die gestiegenen Verbrauchererwartungen und die positive Entwicklung am Beispiel der Fahrzeugsicherheit in den vergangenen Jahrzehnten zeichnet Kapitel 4 nach. Von der ersten Idee über die Entwicklung bis hin zur Freigabe zeigt die Ausarbeitung Beispiele für gängige Standards inklusive Tools und Methodenbeschreibungen. Im Weiteren folgt ein Entwicklungsleitfaden für nachhaltiges Management und selbstreflektierte Arbeitsteams mit 303 Fragen zu den Anforderungen, die zur Sorgfaltspflicht bei der Entwicklung automatisierter Fahrzeuge beitragen und die höchstrichterlichen Rechtsprechungen zur Produkthaftung erfüllen.

Abschließend zeigen qualitative Interviews mit Ingenieuren, Führungskräften und einem Psychologen aus den Entwicklungsabteilungen von Automobilherstellern in Kapitel 5 wahrgenommene Risiken sowie Wünsche an die Zukunft auf. Daraus ergeben sich vertiefte Erkenntnisse zu bisherigen Arbeitsweisen, dem Wissensstand, Einstellungen, Erwartungen und Herausforderungen. Die daraus folgende Checkliste in Annex B unterstützt einen strukturierten leitfadengestützten Prozess mit Feedback-Schleifen innerhalb der Experten Teams und zur eigenen Selbstreflexion. Der erweiterte Fragenkatalog fördert in interdisziplinären Teams Nachhaltigkeit und innere Entwicklung sowie die nachhaltige Qualität für eine nutzerorientierte Gebrauchs- und Funktionssicherheit.

Dieses Buch zeigt, dass nachhaltiges Management, flächendeckende Daten, strukturierte Leitfäden zur vollständigen Abarbeitung innerhalb fachübergreifend vernetzter Teams und kontinuierlicher Expertenaustausch einen essenziellen Beitrag zur erfolgreichen Zusammenarbeit im Spannungsfeld von Innovation und Verbraucherschutz leisten.

Neue innovative Entwicklungen in Bereichen der künstlichen Intelligenz sollen keine Fremdbestimmung durch künstliche Intelligenz hervorrufen. Erwartet wird eine kontrollierbare Interaktion zwischen Menschen und den zunehmend intelligenteren Maschinen. Dies bestätigt die langjährige Beratungserfahrung des Autors.

Achtsame Unternehmens- und Mitarbeiterführung, innerhalb neuer Arbeitsbedingungen (New Work, Remote Teamwork oder Hybrid Teamwork) einschließlich Künstlicher Intelligenz geht einher mit einer nachhaltigen Ausrichtung für neue Entwicklungen. Eine nachhaltige Ausrichtung schließt die fachliche Kenntnis der bestehenden objektiven Fakten, wie statistische Datenauswertungen ein. Weiterhin sind die Möglichkeiten und Risiken einschließlich der Auswirkungen bei der Nutzung von Künstlicher Intelligenz, sowie der ethischen und rechtlichen Auswirkungen einzubeziehen. Danach sind letztendlich politische, wirtschaftliche und gesellschaftliche Entscheidungen gleichermaßen nachhaltig auszurichten. Künstliche Intelligenz kann Führungskräfte bei der Verknüpfung von Wissen und der Gestaltung von komplexen Funktionen, beispielsweise dem automatisierten Fahren, unterstützen. Weiterhin unterstützen flächendeckende Informationen mit bewährten Absicherungsmethoden, Produktions- und Freigabeprozesse bis hin zur Vermarktung und Produktbeobachtung.

Das Management hat abschließend dafür Sorge zu tragen, dass neue innovative Produktideen innerhalb fachübergreifend abgestimmter Teams in der nachhaltigen Absicht einer humanen Nutzung umgesetzt werden.

Zur erfolgreichen Umsetzung in den verantwortlichen Teams werden in einer Checkliste (Annex B) sowohl entsprechende Kenntnisse, Werkzeuge als auch Methoden zur Vertiefung der Selbstreflexion im Kontext menschenzentrierter Fähigkeiten vorgeschlagen.

Christopher Columbus (1451–1506) Entdecker und Seefahrer:

*"Zuverlässige Informationen sind entscheidend für den Erfolg eines Unternehmens."*

Henry Ford (1863–1947) US-amerikanischer richtungsweisender Unternehmer und Pionier:

*"Zusammenkommen ist ein Beginn, Zusammenbleiben ein Fortschritt, Zusammenarbeiten ein Erfolg"*

Mutter Maria Teresa Bojaxhiu (1910–1997) Indische Ordensschwester und Missionarin, Friedensnobelpreis 1979:

*" … wir können kleine Dinge mit großer Liebe vollbringen und gemeinsam können wir etwas Wunderbares erreichen."*

# **Symbols**


## **Contents**





# **Abbreviations**










# **List of Figures**





# **1 Introduction**

This book on the topic "Product Development within Artificial Intelligence, Ethics and Legal Risk - Exemplary for Safe Autonomous Vehicles" was prepared by the author on the basis of more than two decades of experience at automobile manufacturers (Volkswagen AG, Audi AG, Daimler AG) within the legal department, product analysis and traffic accident investigation in interaction with research, development until market introduction. The professional experience included the joint development of potential and risk assessments for the evaluation of new automated systems using image recognition with Artificial Intelligence based on results from accident analysis. Further expertise was added to the activities for the worldwide clarification of technical cases of product liability claims with fatal personal injury and property damage. Included was the coordination with authorities and development, the consultation of the responsible lawyers as well as the preparations for depositions in court as a company representative.

As a result of these experiences, a tendency can be seen that future developments increasingly raise the question of whether the manufacturer can be held responsible for damage caused by the technical system. The manufacturer is judged on whether he has done everything reasonable for a safe product after weighing the risks. This requires safety measures which (according to the state of the art in science and technology available at the time the product is placed on the market) are constructively possible and appear suitable and sufficient to prevent damage. If certain risks associated with the use of the product cannot be avoided according to the relevant state of the art in science and technology, it must be examined whether the hazardous product may be introduced into the market at all. This considers the type and extent of the risks, the probability of their occurrence and the benefits associated with the product.

1

Final inputs for this book resulted from the work for Daimler Research, Development and the Daimler and Benz Foundation in the project "Villa Ladenburg – Autonomous Driving". During this project, the technical, legal and social aspects of automated driving were investigated.

Using the knowledge resulting from this book, the development of safe automated driving functions is supported, especially with regard to availability, reliability and, above all, risk minimization. Thereby the fulfillment of the valid standards and laws for safety-related product development "between Innovation and Consumer Protection" proves to be a very big challenge for all involved developers. Repeated questions in the author's internal consulting activities within the development departments for safety-relevant and automated vehicle systems at Volkswagen, Audi and Daimler AG confirm these uncertainties. This experience was accompanied by the Audi project management in charge during the preparation of the development guideline "Code of Practice for the Design and Evaluation of Advanced Driver Assistance Systems (ADAS)" with mentoring for the integration and implementation in the VW Group technical specifications. The ADAS Code of Practice definition was prepared in close cooperation with the first drafts of ISO 26262 in the FAKRA Kreis (Facharbeitskreis Automobil). A first meeting of the ISO group took place in 2005 (Ross H–L, 2019). The updated ISO 26262:2018 also refers to the ADAS Code of Practice.

The motivation for this book was the increasing embedding of safety-relevant components with complex electronic and mechatronic vehicle systems as well as man–machine interfaces in new motor vehicles. These new possibilities up to fully automated driving promise time savings due to more homogeneous traffic flow. This reduces the number of traffic jams and obstructions. The time that would otherwise have to be spent at the wheel can now be used for other activities. Furthermore, vehicles can be shared according to the "ridesharing principle" (Lenz B, Fraedrich E, 2016). Several people can be transported at the same time and owning a car is therefore no longer a must, which is why the overall traffic volume becomes less, more sustainable and efficient. Even people without a driving license could drive in a fully automated car. Ultimately, increasing automation of driving functions (apart from the not to be underestimated driving experience of humans) also promises greater road safety as individual, human-related driving errors can be avoided.

Already since the first Benz patent motor car in 1886, individual mobility by motor vehicles has been the subject of controversial discussions, such as environmental or social issues. A sad negative record was achieved in 1970: almost 600.000 injured traffic participants and 21.332 road deaths occurred in Germany alone (Statistisches Bundesamt 2018). Today the automotive industry is confronted with strategic fundamental questions around the world more than ever before, in particular dealing with economic, environmental-friendly and automated driving technologies. Major advances in scientific and technical knowledge are the cause of a fundamental or disruptive change in this sector.

At the beginning of the twentieth century, the Austrian economist Joseph Schumpeter described major extreme changes as "creative destruction". According to Schumpeter, only by destruction new order can take place (Schumpeter, J. A. 1942 and 2017). The Harvard economist Clayton Christensen described these transitions as "disruptive innovations" that involve shocks and the complete reshaping of industries (Christensen, C. M. 2003). Peter Drucker said that innovation, or entrepreneurship, are disciplines with own fairly simple rules (Drucker P, 2014).

Robots are already replacing drivers in pilot and research projects. Image recognition using Artificial Intelligence (AI), Deep Learning and neural networks allow continuous automation of driving tasks in vehicle guidance up to driverless vehicles. Environment sensors can provide the location (coordinates x, y, z or distance, and angle), the dimension (length, width, height) and speed (longitudinal/transverse or relative) of an object. Artificial Intelligence (AI) refers to the performance of human intelligence by computers. Humans have no problems to recognize objects and to form these observations into a mental model of the world. Through Deep Learning with neuronal networks, a learning method in Artificial Intelligence, vehicles are able to "learn" to understand their environment. Data processing by methods such as "real-time scene labeling" is making significant progress. Further technological development of driver assistance systems with powerful sensor and information technologies are a prerequisite for the steady automation of driving tasks in vehicle control. The former chairman of Daimler's Board of Management Dr. Dieter Zetsche said:

Anyone who only thinks of technology has not yet realized how autonomous driving technology will change our society. The car grows beyond its role as a means of transport and is finally becoming a mobile living space (Daimler AG Media, 2019).

Over the next two decades, in addition to technical and legal challenges, questions of responsibility, tolerances, expectations and the relationship between man and machine will have to be redefined for self-driving cars. The best technology will not be perfect, although it will be more faultless than the human being. In the future, the car will do the same as we do: It will learn every day and thus cope with the complex demands of modern private transport ever better (Ernst & Young Global Limited, 2015).

### **1.1 Initial situation**

To meet consumers expectations, development of automated driving – especially fully automated driving – calls for the management of associated risks. On the one hand, there is pressure to introduce connected automated vehicles in the market hoping for a more efficient, comfortable and safe traffic. On the other hand, the automated system performance should be designed in such a way – based on the predefined framework conditions – that no safety issues will arise.

Probably every driver can still remember the exciting practical driving test: to show the driving examiner – after some driving hours such as motorway, city tour or night trip – that the vehicle can be controlled safely in a collision-free and rule-consistent manner. It was clear that only the subsequent practical experience made the driver a safe driver who could control even challenging traffic situations. Sometimes we learn that safe driving does not necessarily have to be compliant with the rules especially if an evasive maneuver could avoid the impending collision.

The question for the future is: how should vehicles with advanced automated systems including driverless vehicles prove that they can handle a sufficient number of traffic situations safely?

Individual test drives as in the past are certainly not enough. Example numbers of typical test kilometers of a new vehicle approval are according to Daimler AG, a total of more than 12 million test kilometers with the W213 series Mercedes E-class (market introduction 2016). In comparison to that 36 million kilometers were covered in the previous series W212 – a model built from 2009 to 2016 (Maurer, Gerdes, Lenz, Winner, 2016). By means of better simulations and a consequent improvement of the prototypes, it was possible to intensively test in detail from the beginning.

While scientists calculated billions of required test kilometers, solutions with much more support of simulation and further safety verification became necessary. It may be assumed that the number of test kilometers will depend on the number of kilometers driven between two fatal accidents. Following this argumentation and the figures from the German Federal Statistical Office for a motorway pilot, this would mean that 662 million kilometers would have to be tested between two fatal accidents. Under the assumption of other influencing factors, the distance will be extended by a multiple. A number of billions would be needed for such a test, which would still take a long time. The problem is even larger: if you make improvements after a test, the test must be repeated afterwards in order to be on the safe side. This should minimize the risk of accidents to a minimum or, ideally, eliminate it as far as possible such as the following:

Potential safety issues indicated a recall of a so-called "Full Self-Driving System" (NHTSA, 2022), as well as the first of several fatal accidents that occurred in Florida back in 2016. The driving system for longitudinal and lateral assistance from a US car manufacturer called "autopilot" was activated, while the driver watched a Harry Potter video instead of paying attention to traffic. This crash showed the limitations of a level 2 automation system (see Fig. 2.1) in combination with the driver's overreliance in the function which was improperly advertised as an "autopilot" (see Ch. 2).

A first fatal crash in fully automated mode with a safety driver killed a woman while crossing the street when she was pushing her bike 2018 in Tempe, Arizona (see Sec. 4.7.1.2).

We know that acceptance of system performance is variable. Nevertheless, regarding further development of automated systems (based on environmental sensors such as radar, lidar, video etc.), different safety issues for the development and validation become evident for the examples described above.

It is generally assumed that when a vehicle is able to cope with critical situations, it probably can also control simple traffic situations. In particular, one aim is to maximize the proportion of simulation and laboratory bench-based tests in order to integrate comprehensive tests into development processes at a very early stage and to limit the effort on test tracks or in the real-world traffic in a justifiable way.

A further question is: where are the limitations of testing via simulation? This becomes challenging, for example, with the complex sensor technology. It is hardly possible to simulate which signals the individual sensor types still perceive under certain weather or lighting conditions and whether they are able to recognize the surroundings adequately. The fatal accident mentioned above is an example due to the fact that supposedly the camera was blinded by the low sun and could not recognize the crossing truck.

### **1.2 Objective and Research Questions**

Automotive technology must be designed "reasonably safe" and with "duty of care": If certain risks associated with the use of a product cannot be avoided, it must be assessed whether the dangerous product may be placed on the market at all, considering the risks, the probability of their occurrence and the benefits associated with the product. Vehicles have to be designed within the limits of what is technically possible and economically reasonable—according to the respective current state of the art, state of science, and must enter the market in a suitably sufficient form to prevent damage (German Federal Court of Justice, Bundesgerichtshof, 2009).

A practice-oriented understanding of such requested acceptable risks as a basis for decisions on a safe system design is a prerequisite for the corresponding development process. With regard to these requirements developing safe automated vehicles between innovation and consumer protection leads to a more detailed analysis with the following questions:


**Open Access** This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

# **2 Findings from Traffic Accident Analysis**

This chapter starts with findings and limits of accident investigation regarding potential safety-enhancing vehicle systems with low degrees of automation.

Contents of this chapter were already prepublished within the springer book: Autonomous driving – technical, legal and social aspects (Winkle, Safety Benefits of Automated Vehicles: Extended Findings from Accident Research for Development, Validation and Testing, 2016a).

So far, no sufficient experience with series applications of fully automated vehicles has existed. A safety prognosis of such features depends on assumptions regarding market penetration and technological progress.

Therefore, based on his work experience, the author recommends combining area-wide traffic accident-, weather-, and vehicle operation data as well as traffic simulations in order to develop, test and validate safe automated vehicles with reasonable expenditure.

The aim is to focus on the essentials and to validate using a scenario catalogue. Few tests under special conditions replace many simple tests. Taking into consideration human and machine perception, these findings result in a realistic evaluation of internationally and statistically relevant real-world traffic scenarios as well as error processes and stochastic models. These, in combination with virtual tests in laboratories and driving simulators, can be analyzed to prevent critical driving situations.

#### **2.1 Motivation**

Since the beginning of the millennium, automobile manufacturers have made active steering-assistance systems (Lane Keeping Assistance Systems – LKAS) in combination with active distance keeping (Adaptive Cruise Control – ACC) for series production vehicles available. The combined functionality was introduced into the Japanese market for right-hand drive vehicles such as the Nissan Cima (2001) and the Honda Inspire (2003). Since then, partially automated driving (see Ch. 2.2) of up to 20 seconds has been possible under the driver's supervision when using both assistance systems (author's test drives in 2003). German manufacturers, starting with the VW Passat CC (2008), have been selling active steering systems in selected models as an optional feature (Katzourakis, Olsson, Lazic & Lidberg, 2013). In December 2021, the German Federal Motor Transport Authority granted the world's first type approval for an Automated Lane Keeping System (ALKS) from Mercedes-Benz. The basis for the Drive Pilot in the Mercedes S-Class and EQS (2022) is UN Regulation Number 157 (Kraftfahrtbundesamt KBA, 2021).

In times of increasing market penetration of active safety systems statistics by the Federal Statistical Office of Germany have shown a decrease of road accident fatalities: While 21.332 people died in road accidents in Germany in the year 1970, the number was reduced by more than six times to 2020 with 2,719 fatalities (Statistisches Bundesamt 2018). This is even more significant as at the same time driven mileage increased by almost 30 percent (251 billion kilometers in 1970, 736 billion kilometers in 2018 (Kraftfahrtbundesamt). Among the remaining accidents are some that might have been prevented by automated vehicle functions. Potential safety benefits can be determined on the basis of accident data, namely the fall of accident-related fatalities. Examples given in this book demonstrate the possibilities and limits of analyzing this data.

Various organizations carry out traffic accident research all over the world. This encompasses the subfields of accident surveys/statistics, accident reconstruction, and accident analysis (Kramer, 2013). The basis for accident research in Germany is investigation, carried out by the police. Additionally, other institutions carry out their own accident research, such as the Traffic Accident Research Institute of TU Dresden GmbH (Verkehrsunfallforschung, or VUFO) and the Hannover Medical School, as well as vehicle manufacturers and the German insurance industry. A comprehensive source of data is the investigation of accidents at the scene, which are also statistically recorded and evaluated according to certain weighted characteristics. Acquired data can be used for the safety-enhancing further development of vehicle automation. The following chapters exemplarily demonstrate automated vehicles' potential safety benefits, limits of findings and predictions resulting from accident data collections.

The following chapters focus on two questions, using specific examples from accident research:


#### **2.2 Categorizing the Levels of Driving Automation**

To illustrate the potentials and limits of accident data analyses, three categories for levels of driving automation (concerning the degree of vehicle guidance) will be used. This categorization is derived from a BASt-project publication "Legal consequences of an increase in vehicle automation" (Gasser et. al. 2012), which lists two further categories. Their five degrees of automation start with conventional vehicle guidance, called "driver only", where the driver is constantly responsible for the vehicle's longitudinal and lateral motion. The classification continues with driver assistance ("assisted") and partial automation ("partial automated"), with permanent driver supervision. Lastly, the levels of highly automation ("highly automated") and full automation ("fully automated") permit humans to stay out of the vehicle guidance process some or all the time (Gasser et. al. 2012). Vehicles currently on the market are neither highly nor fully automated. As a consequence, no accident data exist regarding these categories, which therefore will play no role in the examples below.

In order to give a complete overview another two classifications are mentioned: Similar to the BAST project, five levels were defined by the American NHTSA agency (National Highway Traffic Safety Administration, 2013). Subsequently, the SAE International (formerly Society of Automotive Engineers) developed six distinctions in its SAE J 3016 standard and describes their minimum requirements. In ISO/SAE PAS 22736, published since 2021, these six levels have been adopted. They have been valid since January 2014 and commonly used today. These levels correspond to the BASt levels published previously in 2012, with two differences. Not only the names of the levels are different but SAE adds level 5 (full automation): at this level the automated driving system performs the complete driving task under all conditions a human driver can manage (Society of Automotive Engineers, 2014); (see Fig. 2.1). The technical definition "fully automation" is also described under the term autonomous driving technology and includes a variety of possible applications and characteristics (e.g. Interstate Pilot, Valet Parking, Vehicle on Demand, Driver for Extended Availability) (Wachenfeld et. al., 2016; Donges, 2016). A total of three instance groups ("internal" e.g. adult or underage passengers, disabled persons, "the driving robot" and "external" e.g. authorities, police) can take over the driving of the vehicle.

Fundamental questions to the developers are:



**Fig. 2.1** Levels of automation according to BASt, NHTSA, SAE J 3016 and ISO/SAE PAS 22736. (Source: BASt, NHTSA, SAE J 3016 and ISO/SAE PAS 22736)

#### **2.3 Accident Data to Demonstrate Potential Safety Benefits and Risks**

Basically, automotive technology has always been considered as a technology with undesired side effects. An unambiguous understanding of acceptable risks that can be taken as a basis for decisions on automated system designs is a prerequisite for a safe development process.

Where do relevant risks caused by automated driving come from?

First of all, safety-related failures caused by hardware (random failures and design errors) are possible. Furthermore, software errors (design errors and inadequate quality assurance) will continue to gain significance for increasing importance. Such issues have been discussed for many years within automotive manufacturers and suppliers. Many new standards have been established to ensure traffic safety over the last years.

Behind all these activities however, a basic question always has to be answered: What is an acceptable risk of automated driving technologies that can be determined and evaluated? People take risks when they have personal control. Is the assessment of risk based on frequencies or probabilities? How is the risk perceived? Will it be accepted or not?

In general, there is a strong tendency to assess risks based on individual cases. A single accident can be an opinion-forming event. On April 26, 1986, a unit of the Chernobyl nuclear power plant in Ukraine exploded. About 25 years later, the reactor cores of three reactors at the Fukushima Daiichi nuclear power plant in Japan melted on March 11, 2011. Although the two disasters are not comparable, both Chernobyl and Fukushima have released massive amounts of radioactive material. Two clearly different reactor types were affected. Block 4 at Chernobyl was a water-cooled and graphite-moderated reactor. A combination that can trigger uncontrolled chain reactions, which occurred in the case of Chernobyl. The accident was caused by an experiment carried out by the operating crew, which got completely out of control. The plan was to simulate a complete power failure in order to show that the turbine would still supply sufficient power even after the reactor had been shut down, so that the time required for the emergency units to start could be bridged.

In Fukushima, the reactors from the Tokyo Electric Power Company (TEPCo) stand on granite foundations. They are surrounded by steel and concrete structures. Trigger of the accident in Japan was a huge earthquake. As a consequence, the subsequent tsunami flooded the coastal nuclear power plant, which caused the power in the high-voltage grids to fail. Therefore, the systems ran on emergency power until the tsunami shut down the emergency diesel engines. Batteries remained, but were exhausted after a few hours. From then on, no more cooling water of the Reactor Coolant System (RCS) was pumped over, so that the reactor cores and the fuel elements stored in the decaying ponds of the piles overheated.

So far, the two accidents have been the only ones to which the highest level on the international INES reporting scale has been assigned. The INES (International Nuclear Event Scale) is used to assess accidents in nuclear facilities.

The Chernobyl and Fukushima disasters mark changes in acceptance with significant turning points in environmental policy and in the discussion about the use of nuclear energy. The assumptions used to evaluate the occurrence of accidents in nuclear power plants can be doubted in view of the short interval of only 25 years between the catastrophes of Chernobyl and Fukushima. It is possible that the risks of nuclear power were systematically underestimated.

In March 2011, in response to the nuclear catastrophe in Fukushima, the German Bundestag decided to phase out nuclear power completely by 2022. (Reinberger, D. et. al., 2016; Filburn T, Bullard S, 2016)

Mathematically, an uncontrolled and prolonged release of radioactivity can occur in any reactor worldwide, with catastrophic consequences for humans and the environment. Individual traffic accidents generally do not have such a dimension—but in total they do.

According to statistics, the absolute frequency of dying in a road accident in 2018 was:


$$\text{Global Trafic Mortality Rate}\_{2015} = \frac{1,272,465}{7,313,015,000} = 17.4 \ast 10^{-5} \frac{1}{\text{a}} \quad (2.1)$$

That means it is equal to 17.4 persons out of 100.000 who died in European road traffic in 2015 (World Health Organization, 2017).

$$\text{Europena Trafic Mortality Rate}\_{EU28,2016} = \frac{25,671}{508,326,680} = 5.05 \ast 10^{-8} \frac{1}{\text{a}} \tag{2.2}$$

This is equal to 5.05 persons out of 100.000 who died in European road traffic in 2016 (European Transport Safety Council, 2017).

In the year 2010, the EU renewed its road safety target to reduce road deaths by 50%. The reduction is based on 2010 until the year 2020. This corresponds to a reduction of 18.7% by 2016 compared with 31,595 people dead in 2010. It followed an earlier target set in 2001 to halve road deaths by 2010. The target was not quite reached because 55,092 people were killed in 2001. But at least the 42.7% achieved were not very far away. Figure 2.2 shows the average age expectancy of women and men compared to traffic mortality per 100,000 inhabitants.

**Fig. 2.2** Global mortality rates: Female, Male and Traffic Mortality (Source: World Health Organization – World Health Statistics 2017, Data Traffic Mortality from 2013, Data Life expectancy female/male at birth from 2015)

Conversely, HIV/AIDS deaths increased from 300,000 in 1990 until 1.5 million in 2010. Non-communicable disease deaths rose by almost 8 million between 1990 and 2010. Cancer alone killed 8 million people in 2010, an increase of 38% over two decades. The number of fatality road injuries grew by 46% from 907,900 to 1,328,500 over 10 years but age-standardized road injury death rates only rose from 18.4 to 19.5 per 100 000.

ISO 26262 requires a significantly higher level of security with regard to the hardware failure rate compared to many other deadly risks accepted in reality. The overview in Fig. 2.3 addresses global mortality rates with exemplary causes

of death for 1990 and 2010 and in addition the Automotive Safety Integrity Level "ASIL D" requirement with a hardware failure rate of less than 1 \* 10–8 1/h.

**Fig. 2.3** Global mortality rates with exemplary causes of death (for 1990 and 2010 in comparison to ASIL D) Data (Source: funded by Bill & Melinda Gates Foundation and ISO 26262:2018)

Considering an agreement for reasonable safety and acceptable risk requires an international approach. These safety relevant challenges are undoubtedly connected to the current accepted "social values" that exist within our society.

In order to quantify automated vehicles' potential safety benefits selected accident data collections will be presented and their respective pros and cons discussed.

#### **2.4 Federal Road Traffic Accident Statistics in Germany**

The Federal Statistical Office of Germany in Wiesbaden publishes monthly statistics on fatalities, injuries, and material damage in accordance with Section 1 of the StVUnfStatG (§1, German law on statistics of road traffic accidents). This data is provided by police stations, which are required to submit standardized records of reported accidents to state-level statistics offices (Statistisches Bundesamt, 2014).

Only extracts of this nationwide data is published online. Police investigations show the drivers' driving errors and therefore a potential for increasing safety through automated driving (see Ch. 3.3). All documented information is categorized into: type of road, age of all parties involved, and type of transport means. No specific documentation on vehicle details, injuries or accident reconstruction is available.

#### **2.5 German In-Depth Accident Study (GIDAS)**

Statistically reliable analysis of road-accident scenarios requires detailed data. In Germany, the GIDAS (German In-Depth Accident Study) database serves this purpose. It is recognized as one of the most comprehensive accident databases worldwide (Kramer, 2013; Zobel & Winkle, 2014). GIDAS has been financed by the Federal Highway Research Institute (BASt) since 1973 and The Research Association of Automotive Technology (FAT) since 1999. These days GIDAS prepare separate databases of approx. 2,000 accidents annually from the Hannover (since 1973) and Dresden survey areas (since 1999). Each documented accident contains up to 3,000 coded parameters: information on the environment (e.g. weather, road type, road condition), the situation (e.g. traffic, conflict, and manner of accident), the vehicles (type, safety equipment), personal details, injury data including accident reconstruction as well as photos (Winkle, Mönnich, Bakker & Kohsiek, 2009; Kramer, 2013; Zobel & Winkle, 2014; Schubert & Erbsmehl, 2013).

For further analyses, many cases are reconstructed with the PC-Crash simulation software by Dr. Steffan Datentechnik (Steffan H & Moser A 2016; Burg & Moser A, 2017; Castro, Becke & Nugel 2016). However, GIDAS data access is limited to car manufacturers and component suppliers taking part in the project. It contains only accidents resulting in personal injuries. Because only the Hannover and Dresden areas are surveyed, the findings have to be transferred to the whole of Germany via extrapolation (i.e. weighting and comparison with federal accident statistics, see Section 2.4).

#### **2.6 Road Traffic Accident Statistics in the USA**

The US National Highway Traffic Safety Administration (NHTSA) introduced the Fatality Analysis Reporting System (FARS) in 1975 and has documented fatal road accidents since then (National Highway Traffic Safety Administration NHTSA, 2014). In addition, the National Automotive Sample System – Crashworthiness Data System (Nass-CDS) has analyzed road accidents involving personal injury or severe damage using interdisciplinary teams, similarly to the German GIDAS since 1979 (O'day J, 1986).

However, unlike GIDAS, in-depth data collections for extended accident analysis in the USA offer no reliable accident reconstruction. For example, emergency braking functions cannot be assessed (Zobel & Winkle, 2014). The drop in US traffic accident fatalities since 1970 has been lower, at around 16%, than in Germany, at around 60% (Statistisches Bundesamt, 2014; National Highway Traffic Safety Administration NHTSA, 2014). This might be, among other factors, because of drowsiness due to longer distances driven in the US.

#### **2.7 International Road Accident Data Collections**

Various national official accident statistics have been merged into the International Road Traffic and Accident Database (IRTAD). Both fatalities as well as road accidents involving personal injury generally are included – they are distinguished by age, location and type of road use. The database is maintained by the Organization for Economic Cooperation and Development (OECD) in Paris. It contains data from: Argentina, Australia, Austria, Belgium, Canada, Chile, Czech Republic, Denmark, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Israel, Italy, Jamaica, Japan, Korea, Lithuania, Luxembourg, Morocco, Netherlands. New Zealand, Norway, Poland, Slovenia, Spain, Sweden, Switzerland, the UK and the USA (Amoros, 2009).

The data is publicly accessible online and is especially useful for comparing the data between member countries. It gives insight into the impact of different regulations and national/regional driving behavior (north versus south, for instance). However, detailed information on how the accident occurred is still missing. Besides, survey methods and data volumes differ in each country.

The Initiative of Global Harmonization of Accident Data (IGLAD) also aims to harmonize global in-depth traffic accident data. In 2010 European car manufacturers started IGLAD in order to improve road and vehicle safety. A standardized data scheme determines the accident data contained. This enables comparison between different countries. Initially IGLAD was funded by the European Automobile Manufacturers' Association (ACEA). In the second phase, which started in 2014, the number of variables was extended to 93 regarding accidents, roads, participants, occupants and safety systems. Until now only limited data (between 50 and 200 cases, data years 2007–2012) from 11 countries (Australia, Austria, China, Czech Republic, France, Germany, India, Italy, Spain, Sweden and USA) have been accessible for research.

#### **2.8 Accident Data Collections of Automobile Manufacturers**

Continuous improvements in the effectiveness of vehicle safety systems currently in use remain a prime aim for car manufacturers and component suppliers. Therefore, interdisciplinary expert teams collect information on accidents involving current vehicles and carry out accident analysis at the scene together with hospitals and the police, thereby also fulfilling product monitoring obligations.

Moreover, manufacturers also analyze complex accident scenarios in order to comply with mandatory duty of care and observe potential product dangers that may arise during operation. According to Section 823 of the German code of civil law (BGB), a car manufacturer is liable for errors of its products' damages resulting from intended or foreseeable use. A manufacturer is therefore obliged to collect and analyze information on vehicle use in conjunction with innovative systems. The more dangerous a product, the greater is the obligation to ensure and monitor a product's safety during and after the development process (Matthaei et. al. 2015), (see Ch. 4).

As far back as 1969, Mercedes-Benz started investigating road accidents involving its Mercedes vehicles in cooperation with the interior ministry of Baden-Württemberg. Mercedes' accident research had access to regular information over the telephone and insight into police accident files. Since at least the 1970s, other manufacturers like BMW have increasingly been studying and documenting accidents involving their own vehicles. Volkswagen (VW) has obtained information from the insurer's association Haftpflicht-, Unfall-, Kraftversicherer-Verband (HUK-Verband) since the late 1960s and from the Hannover Medical School MHH (the predecessor of GIDAS) since 1985. VW accident research has been analyzing its own data since 1995 (Zobel R, Winkle T, 2014).

Detailed, interdisciplinary investigation of accidents by automotive manufacturers especially with the support of function developers involving the latest vehicle safety technology provide clear insights into the potential benefits of automated systems. However, few hundred cases annually which only involve a brand's own vehicles are not statistically valid.

#### **2.9 Accident Data of the German Insurance Association**

The German Insurance Association (Gesamtverband der Deutschen Versicherungswirtschaft – GDV), focuses on damage incidences from motor claims where German insurers have to pay compensation based on their contracts. This information helps the GDV for example in grading insurance contracts, or in determining the potential savings through driver-assistance systems (Hummel, Kühn, Bende & Lang, 2011).

Insurers' accident research has access to motor vehicle liability loss and collision damage waiver (CDW) cases reported to the GDV. Unfortunately, this data is not publicly available. No analysis takes place at the scene. The accidents are not recorded comprehensively. As soon as the question of liability to pay has been answered, the insurer's interest in the particularities of a case ends. Therefore, there is very little detailed information on the accident cause of undisputed cases. In accidents with only one party and one vehicle involved (driving accidents), when a driver loses control of the vehicle, the cause of the accident remains uninvestigated. (Zobel R, Winkle T, 2014).

#### **2.10 Accident Data Collections of Consumer Associations (ADAC)**

In 2005, the German automobile club ADAC started researching accidents involving the ADAC technology center and the ADAC air rescue. Annually, information on around 2,500 serious accidents from rescue flights is collected in the ADAC database. Accident data is supplied from expert reports by motor vehicle assessors, the police, emergency physicians and fire departments (Unger, 2013).

The ADAC accident data lists and describes road accidents with seriously injured persons. They include aerial pictures including a vehicle's final position as well as an in-depth medical diagnosis. Although the files are not publicly accessible, it is possible to access and evaluate the data individually. Unfortunately, the various persons investigating the accident do not compile their respective results for interdisciplinary reflection.

#### **2.11 The Fundamentals of Accident Data Analysis**

#### **2.11.1 Level of Data Collection versus Number of Cases**

The validity of accident data with regard to potential safety benefits depends to a large extent on the collection method. Usually interdisciplinary teams work together to carry out so-called in-depth surveys. Well-founded results can be achieved when function developers, accident analysis experts, doctors, and traffic psychologists are all involved in analyzing individual cases. But this depth of data collection tends to be restricted to a small number of cases, diminishing its statistical validity.

Evaluations from accident databases give an indication which measures are likely to increase traffic safety. A detailed accident analysis including a reconstruction of the accident encompasses a retrograde calculation of speeds based on traces of the accident, an investigation as to how the accident arose, a check for possible accident fraud, consideration to what extent it was avoidable, and biomechanics. An extensive knowledge of the given conditions and framework is necessary for an evaluation of future systems' potential benefits based on these findings.

Currently, promising ideas on improving vehicle safety primarily come from a combination of accident analysis, existing experience and extensive research work. Accident research is one way to review the efficiency of existing automated vehicle functions and the need for further safety-enhancing functions. Below, basic terms of accident data evaluation will be explained.

#### **2.11.2 The Validity of Areas of Action Compared to Areas of Efficiency**

When comparing various accident data analyses, the way in which data is collected and the way it is processed have to be distinguished. Areas of action adopted under optimal conditions are often confused with areas of efficiency under real conditions.

An area of action comprises the accidents which a system can influence. The area of action may vary according to how precisely a system's specification is defined. As a result, this is an initial estimate of the maximum potential of the automation level in question. On the other hand, the actual resulting efficiency of a function is generally significantly lower. Efficiency is defined as the effect that a specified system has in practice. It is either proven by occurring accidents (a posteriori) or predicted by simulations (a priori) (Winkle T, et. al., 2009a).

Determining an area of efficiency therefore requires precise knowledge of two factors:


The level of efficiency describes a function's relative efficiency as a percentage and relates to the unspecified term of the area of action (Schittenhelm et. al. 2008):

$$degree\ of\ efficiency = \frac{area\ of\ efficiency}{area\ of\ action} = \text{x\ [\%]} \qquad (2.3)$$

#### **2.11.3 Potential Safety Benefits Depending on Automation Levels and Degree of Efficiency**

Some analyses of potential safety impacts examine the maximum assumed area of action described above by using accident databases. In contrast, analyzing the degree of efficiency comes closer to reality by evaluating an area of efficiency for its actual benefit (Schittenhelm et. al. 2008). However, the resulting safety benefits of automated vehicles can only be established after all risks have been factored in. The benefit corresponds with the reduction of accident frequency and severity. New risks exist since as yet non-existent accidents may occur with increasing automation.

The theory of inventive problem solving (TRIZ) defines the requirements of an ideal machine, using the formula of an ideal final result with an unlimited benefit, while incurring no costs or damages (Hummel T, Kühn, Bende & Lang, 2011):

$$ideal\ final\ result = \frac{\sum benefits}{\left(\sum costs + \sum damage\right)} = \frac{\infty}{(0+0)} = \infty \qquad (2.4)$$

On the one hand, the safety benefit of connected automated vehicles increases in accordance with the degree of efficiency (proof by accident data analysis and knowledge of functions). On the other hand, the risks may rise in line with an increase in automation ("Driver" versus "Robot"). These in turn lessen the actual safety benefit (see Fig. 2.4). To minimize those potential risks, manufacturers carry out risk management (see Ch. 2) using accident data.

**Risk management Accident data analysis**

**Fig. 2.4** Consumers' evaluation of the potential safety benefits is subjective. They weigh up the risks and benefits in the relevant contexts as they perceive them. Risks grow with the level of automation, benefits with the degree of efficiency. Accident data analysis and risk management will allow these to be seen more objectively and optimized.

#### **2.12 Significance of Possible Predictions Based on Accident Data**

Using exemplary cases, the following meta-analysis shows what conclusions can or can't be drawn about potential benefits based on various accident data. Since there have been no analyses yet of highly and fully automated vehicles, we will look at systems without automation ("driver only"/"no automation") or with low levels of automation concerning the main driving task ("assisted"/"partially automated") first and divide them into a posteriori and a priori analyses.

Section 1.4.1 contains examples of a posteriori statements on accident data. In the definition used here, figures "gained from experience" (Duden, 2014) can be interpreted immediately. In contrast, assumptions "obtained by logical reasoning" (Duden, 2014) must be made in order to assess the potential benefits of future levels of automation when using the a-priori- forecasts defined in Section 1.4.2., which are based on accident- data collections.

#### **2.12.1 A Posteriori Analyses of Accident Data for "Driver Only"/"No Automation"**

Past and present a posteriori analyses of accident data collections involving conventionally (human-) driven vehicles provide insights into accident black spots and changes in real-life traffic accidents. This "driver-only"/"no-automation" category means a lack of warnings and interventions in longitudinal and lateral guidance by environmental sensors.

The change in the number of accident fatalities serves as a first example. The second example is the positive impact of Electric Stability Control, or ESC (see Ch. 2.12.1.1).

#### **2.12.1.1 Traffic Statistics: Accident Fatalities Versus Registered Motor Vehicles**

The rate of traffic accident fatalities per registered vehicle, taken from data of the German Federal Statistics Office shows that death rates have been dropping in Germany since 1970 when 21,332 people died in car accidents (Statistisches Bundesamt, 2020). Since then, the numbers of injuries and fatalities in road accidents have been reduced considerably in Western countries due to measures in road building, legislation, the rescue chain, emergency medicine, and passive and active vehicle safety. These findings are based on large-scale worldwide collected surveys and analyses of road accidents. They are affected by various orientations, different amount of data and based on investigations of varying depth.

**Fig. 2.5** Reduction of traffic fatalities due to enhanced safety measures in spite of increase of registered motor vehicles in Germany

These accident statistics show that, while the number of registered vehicles increased, the number of traffic fatalities dropped from over 21,000 in 1970 to almost 3,000 annually. This was due to various legislative, medical, technological, and infrastructural measures (see Fig. 2.5). Because of the overlapping of all these actions, it is difficult to single out and calculate the effectiveness of any individual measure.

#### **2.12.1.2 Studies on the Effect of "Driver-Only"/"No-Automation" Systems**

Introduced in 1995, Electronic Stability Control (ESC) is a technical evolution of the electronic antilock braking system, which was largely marketed from 1978 with the legally protected term ABS. It uses ABS's wheel speed sensors in conjunction with additional sensors for steering wheel angle, yaw rate, and lateral acceleration. Using this information, ESC can stabilize the vehicle in case of a recognized skid through braking individual wheels independently of each other. With this braking intervention, a lateral collision can be converted into a less vulnerable frontal crash. In 2001, Daimler accident research posited that 21% of skidding accidents led to injuries and 43% to fatalities (Daimler AG Communications, 2011). At that time, the findings of accident research experts investigating individual accidents on behalf of car manufacturers diverged greatly. Later forecasts of potential benefits based on a larger number of cases also differ. Areas of action from the year 2000, for example, show a positive impact of up to 67% for severe skidding accidents (Bengler et. al. 2014). Other studies stated that, second only to the introduction of safety belts as a passive safety system, ESC provides the most effective gain in safety in the "driver-only" category (Zobel et. al. 2010). The proportion of accidents due to driver error and skidding, for instance, decreased after the introduction of ESC as a standard in all Mercedes-Benz cars from about 2.8 involved vehicles (per 1000 registered in Germany) in 1998/1999 to 2.21 involved in 2000/2001. ESC's high effectiveness has also been proven in other brands such as Volkswagen, where statistics show lower accident frequency as well as prevention of critical accident types (Langwieder, Gwehenberger, Hummel, 2003).

In summary, safety benefits have already been established for safety-enhancing "driver-only" functions with quick market penetration depending on suppositions and various data sources. Especially for ESC, the scientific evidence for an increase in safety is well-founded.

#### **2.12.2 A Priori Predictions for Assisted and Partially Automated Driving**

A priori predictions depend on hypotheses and inferences. For example, assisted and partially automated driving functions can keep the driver from imminent danger via acoustic, optic or haptic warnings as well as short braking or steering interventions with a warning character. However, the danger can only be successfully averted if the driver reacts in time and appropriately to the traffic situation.

From a technical viewpoint, these advanced levels of automation, which possess a greater degree of extended computer and sensor technology for environmental perception, result in increasingly capable assistance systems. Some currently available safety-enhancing driver assistance systems warn the driver when there is recognized danger in parallel or crossing traffic. These include collision warning systems such as EBA – Electronic Brake Assist, ACC with FCWS – Adaptive Cruise Control with Forward Collision Warning System, LKA – Lane Keep Assist, LDW – Lane Departure Warning, NV – Night Vision or intersection assistance. Other systems, such as Electronic Brake Assist (EBA) or Autonomous Emergency Brake (AEB), intervene in the longitudinal and lateral vehicle dynamics (see Fig. 2.5).

#### **2.12.2.1 Study on the Potential of Lane Departure Warning**

Using the example of a Lane Departure Warning (LDW) system (Hörauf, Buschardt, Donner, Graab & Winkle, 2006), road accidents were analyzed by doctors, psychologists and development engineers in a cooperative approach in 2006. The results, which were obtained with the participation of the author of this book, a function developer, and a psychologist, were achieved through interdisciplinary research of a car manufacturer, a university hospital, and the police, with support from the Bavarian Ministry of the Interior, Building and Transport (BStMI).

Such interdisciplinary analyses of accident causes and consequences are based on technical, medical, and psychological examinations by experts from each field, which are then integrated collectively. These days, driving-related psychological data is collected more frequently in order to analyze a road accident. With the help of standardized interviews, the collision experience is recorded and evaluated from the driver's viewpoint. The purely technical reconstruction of the accident is now supplemented by a psychological perspective.

Taking the example of Lane Departure Warning, it was explained to all professional teams involved what system design specifications had to be met. The selected accidents were filtered further through specific focused questions from the technological development. This kind of procedure provides insight into what kind of and how many accidents could be avoided through systems currently under development. To achieve this, knowledge of the system's specific technical limits is indispensable. A further outcome may be recommendations for additional functional system enhancements (Hörauf, Buschardt, Donner, Graab & Winkle, 2006).

Therefore, these detailed accident analyses prove the value of comprehensive accident data collection. Experts on technology, medicine, and psychology worked together closely for this study. This interdisciplinary approach produces a large number of new references regarding accident scenes, vehicle details, injury patterns, parties involved in an accident and witness statements. This additional information gives insight into active steering corrections, interventions of the brakes and reactions immediately prior to a collision, since human errors such as inattentiveness, distraction or fatigue are the main causes for lane departure. The various perspectives from which an interdisciplinary team looks at the accident can make computer-aided reconstruction and simulation of an incident highly realistic. However, to achieve representative results, these analyses need to be validated by larger accident data collections.

#### **2.12.2.2 Interdisciplinary Degree of Efficiency Analysis Based on Current River Assistance Systems**

Now that the advantages of interdisciplinary analysis had been proven through the above-mentioned study on the effectiveness of Lane Departure Warning, a further interdisciplinary analysis of the degree of efficiency was conducted four years later. The objective was a comparison of available safety-enhancing driver assistance systems. This project was based on a sample of reconstructed accidents (n = 100). Therefore, an interdisciplinary accident data evaluation was carried out by the author in cooperation with a psychologist and in close consultation with the respective function developers. The study analyzed the effectiveness of various driver assistance systems in avoiding accidents with regard to the accident situation (Chiellino, Winkle, Graab, Ernstberger, Donner, Nerlich, 2010). In early 2010, the range of systems available included Night Vision, Lane Departure Warning, Lane Change Assistant and Adaptive Cruise Control. To calculate the degree of efficiency, accident research data was weighted according to accident statistics for Bavaria. An accident scene was reconstructed for each real-life accident, and the accident cause in terms of human-machine interaction was assessed. This was done according to the human-machine interactions as described in the ADAS Code of Practice definition for the development of Advanced Driver Assistance Systems (ADAS) with active longitudinal and lateral guidance (Donner, Winkle, Walz, Schwarz, 2007). After a six-year involvement (Becker, Schollinski, Schwarz & Winkle, 2003; Becker et. al. 2003), the European Automobile Manufacturers' Association (Association des Constructeurs Européens d'Automobiles—ACEA) published the results in 2009 (Knapp, Neumann, Brockmann, Walz & Winkle, 2009). The potential for preventing accidents was judged to be positive only if every development expert for the relevant system saw its benefits. The results yielded that the examined systems were able to contribute significantly to diminishing the severity of accidents.

The study's prognosis is that the investigated driver assistance systems would prevent a substantial number of accidents. A 27% decrease in the total number of injured persons was predicted, which means that the number of people injured would fall from 126 drivers and 49 passengers (as in the actual data) to 94 and 33, respectively. One must keep in mind that the premise for these results is optimal reactions regarding human-machine interactions. Further studies with test persons are necessary before drawing final conclusions. Moreover, 100% distribution of the investigated systems, operating without errors within the system limits, would need to be ensured.

The study used an injury grading system which was based on the Abbreviated Injury Scale (AIS) (Association for the Advancement of Automotive Medicine, 2005), as also applied in ISO 26262 for functional safety (International Organization for Standardization, ISO 26262–3, 2018). The AIS codes every injury with a value between 1 (light injuries) and 6 (extremely critical or fatal injuries). Thus, the most severe injury of all the injuries one person has contracted is defined as MAIS (Maximum AIS). An uninjured person is classified as MAIS 0.

Looking closely at accident causes revealed that over 60% of them involved information errors, i.e. failures regarding information access and information reception. Therefore, the correspondingly high effectiveness of warning assistance systems is hardly surprising (Chiellino, Winkle, Graab, Ernstberger, Donner & Nerlich, 2010).

In summary, this interdisciplinary study compared currently available driver assistance, with all respective developers being involved in the analysis. Each developer contributed their knowledge of the specific relevant function parameters of their system, thus ensuring more accurate assessment of potential gains in safety. It has to be born in mind that the sample of 100 cases in the study, weighted with representative accident data from Bavaria, is too small to yield statistically reliable statements. However, they show a tendency in which cases these driver assistance systems contribute significantly to road safety.

It is noteworthy that there are further possibilities for gaining statistical evidence regarding the predicted safety benefits of braking assistance and automatic emergency braking functions. Moreover, simulations using software-based accident reconstructions are immensely useful for assessing the forecast safety gains (Busch, 2005).

#### **2.12.2.3 GIDAS Database Analysis for Potential Safety Benefits of Connected Vehicles**

Using a larger data volume, the following analysis of the German In-Depth Accident Study (GIDAS) database demonstrates the variety and complexity of several assumptions. In cooperation with a team of experts, the author conducted this analysis in 2009 as part of the Safe and Intelligent Mobility – Test Field Germany (Sichere Intelligente Mobilität: Testfeld Deutschland – simTD) research project with a more significant sample. The aim was an assessment of the potential benefit of future safety-relevant automobile communications systems. The analysis included functions for connected systems with an immediate safety impact on road traffic. The relevant data was gleaned from 13,821 accidents involving personal injury, which had been documented by GIDAS between 2001 and 2008 in the areas of Hannover, Dresden, and their surroundings (Winkle, Mönnich, Bakker & Kohsiek, 2009; Schubert & Erbsmehl, 2013). In order to extrapolate this for the whole country, the data obtained from the statistical sampling scheme was weighted with the help of accident statistics from the German Federal Statistical Office. These official statistics list all accidents registered in Germany in one calendar year which involve personal injury. For example, there were 335,845 road accidents involving personal injury in 2007 (Statistisches Bundesamt, 2014).

In several consultations with the simTD function developers and accident experts from BMW, Audi, Daimler, Bosch and Volkswagen, the precise variables needed for the analysis were agreed on. The project participants decided to start with the analysis of 13 safety-related warning functions. They made a joint decision to consider relevant vehicles such as cars, trucks, agricultural tractors, buses, rail vehicles (including city railways and trams, but no state railway trains) and motorbikes (motorized two-wheelers, three-wheelers, quad bikes from 125 cc) during several workshops. After this, the areas of action using the extensive GIDAS data were determined. Initially this selection was made by using the variables from all accidents relevant to each system as they related to the whole of the accident occurrence. The result was that, ranging from 0.2% to 24.9%, the areas of action for each separately examined function varied greatly. Areas of action can therefore give a fairly certain estimate only of the maximum effectiveness which cannot be exceeded. It should also be noted that due to overlapping functions individual areas of action cannot simply be added up (see Annex Fig. A.18).

In order to analyze degree of efficiency, three assumed function types (electronic brake light, cross traffic assist, traffic sign assist for stop signs) were selected from the GIDAS area of action analysis mentioned above. The corresponding degrees of efficiency were taken from a reduced sample of driving simulator investigations.

For instance, in accidents where cross traffic assists helped the driver to avoid them (see Klanner, 2008), there was a considerable range, from 9.9% to 73.3%. This was due to both different driver reaction times and varying braking intensity after warnings. Thus, three likely reaction times (0.54, 0.72 and 1.06 seconds) and the probabilities for the occurrence of each one were determined. In addition, weak braking of 50% of maximum braking pressure was assumed for unsuccessful reactions and 100% for successful reactions (Winkle, Mönnich, Bakker & Kohsiek, 2009; Schubert & Erbsmehl, 2013).

The objective of this elaborate approach to analyzing degrees of efficiency was to determine and evaluate the potential of future, connected, safety-enhancing driver assistance functions with statistical relevance. However, the wide range of up to 70% which was found decreases the validity and therefore only yields tendencies and outlooks regarding accidents avoided. This vast scattering is a result of the sensitivity of the parameters depicted above and the warning algorithm in question, as in practice drivers' reaction times and braking intensities vary greatly.

#### **2.12.3 Potential Safety Benefits and Test Scenarios for Development of Highly and Fully Automated Driving**

#### **2.12.3.1 GIDAS Database Expert Estimates Until 2070**

From a technical viewpoint, under favorable conditions current automated vehicles can already autonomously carry out many driving tasks in moving traffic. Whereas driver assistance systems merely support the driver, advanced systems like highly and fully automated driving temporarily or permanently take on the task of driving.

Highly and in particular fully automated driving is engineered to approach "Vision Zero": traveling as accident-free as possible. Roads and means of sustainable transportation ought to be planned and constructed in such a way that there are no traffic accident fatalities or severely injured victims. The accident-free vision originated in occupational safety and was first applied to road traffic in the 1990s in Sweden. The EU backed projects for connected automated vehicles like the "Highly Automated VEhicles for intelligent transport" (HAVEit) research project, which it sponsored with 17 million Euros. Car manufacturers such as Daimler, BMW and Volkswagen/Audi are also working on the vision of accident-free driving. Thomas Weber, former Board of Management member of Daimler AG for research and development, asserts in an interview:

*"Unser Weg zum unfallfreien Fahren treibt uns an, die Mobilität auch in Zukunft für alle Verkehrsteilnehmer so sicher wie möglich zu gestalten.*" (Daimler AG Communications, 2011)

*(Our 'path to accident-free driving' also drives us to design mobility as safely as possible for all road users in the future)*

In the first decade of this century, the number of road accidents with a car as the main cause and resulting in personal injury fell in Germany from 266,885 in 2001 to 198,175 in 2010. At 68.7%, cars are still the main cause of road accidents according to the Federal Statistical Office (2010). The accident types can be broken down into the following main categories: Turning at/crossing intersections (58,725), parallel traffic (44,812), turning (33,649) and 30,737 dynamic accidents (Statistisches Bundesamt, 2014) (see Fig. 2.6).

**Fig. 2.6** Passenger cars as main cause and accident types. Data (Source: Federal Statistical Office – DESTATIS, GIDAS)

To date, we don't have empirical proof of the cumulative safety increases of fully automated driving functions. Daimler compiled one of the first comprehensive forecasts in vehicle safety and accident research. It investigated the potential of automated vehicles regarding accident prevention based on assumed deployment and market penetration scenarios. For these they relied on expert estimates, third-party forecasts and GIDAS data. The forecast provides an initial rough estimate and is based on a total of 198,175 preventable accidents caused by cars in 2010 (see Fig. 2.6).

The assumptions include changes within each type of accident (parallel traffic, stationary traffic, pedestrians, turning at/crossing intersections, turning, dynamic accidents). For instance, the pie charts show that accidents involving a car in parallel traffic or losing control will decline by around 15% by 2060 with increasing automation, while accidents when turning at or crossing intersections will proportionately rise by around 10% (Unselt, Schöneburg & Bakker, 2013).

According to Daimler's estimates for increasing automation, an overall decrease of 10% of accidents was achieved by 2020. In the following decades, reductions of 19% could be achieved by 2030, of 23% by 2040, of 50% by 2050, of 71% by 2060 and almost complete prevention by 2070 (Unselt, Schöneburg & Bakker, 2013). The forecast thus predicts that in 2070 an autonomous car will cause nearly no accidents, but may be at risk of being involved in serious collisions. It can safely be assumed that an automated car will be able to prevent some collisions that another vehicle would have caused. However, it should be noted that this study does not include accidents caused by other road users. Potential technical failures (see Fig. 2.9) are also outside its scope. Furthermore, the data stemming from the German Federal Statistical Office, and above all the validity of GIDAS, mainly relies on crash and post-crash statements by injured people (see Schubert, Erbsmehl & Hannawald, 2012).

#### **2.12.3.2 World-Wide Accident Data Evaluation for Relevant Traffic Test Scenarios**

To obtain a comprehensive evaluation of highly and fully automated vehicles' active safety in a development lifecycle (see Fig. 2.7), the author recommends incorporating findings from accident data collections around the world as well as analysis of incidents not resulting in injuries, near collisions, traffic simulations and weather data.

Therefore, a first-time area-wide study based on all police reports has been carried out. The findings can be supplemented with information from hospitals, insurance companies and human behavior models. Once all relevant factors that can lead to a collision are known, virtual simulations based on quantitative and trained neural (e.g. AI) models can be performed. Possible system responses would be classified as true positive/true negative and false positive/false negative. The evaluation of automated safety functions should consider all possible system responses (Helmer, 2015).

The aim is to combine all known accidents by using geographically defined road accident data in conjunction with high-definition geographic digital mapping data (e.g. Google Maps, TomTom, Nokia HERE, OpenStreetMap) as well as traffic flow data from various sources (e.g. vehicles, cell phones, road traffic devices). For example,

**Fig. 2.7** Recommended method with relevant test scenarios from around the world based on comprehensively linked-up, geographically defined accident-, traffic scene-, weatherand vehicle operation data pertaining to human and machine perception using Artificial Intelligence (AI) with trained Neural Networks for Deep Learning (Cordts M et. al., 2016)

SAFE ROAD MAPS (http://www.saferoadmaps.org) provides localized collision data in the US. The UK publishes similar details on www.data.gov.uk; these in turn are integrated into the UK Road Accident Map. German regional accident data can be obtained from police IT applications. These depend on the federal state and include the Geographical Positioning, Analysis, Representation and Information System (Geografisches Lage-, Analyse-, Darstellungs und Informationssystem—GLADIS), the Road Accident Location Map and Analysis Network (Verkehrs-Unfall-Lage-Karten und Analyse-Netzwerk – VULKAN), the Geographical Police Information System for Road accidents (Geografisches Polizeiliches Informationssystem für Verkehrsunfälle – GEOPOLIS V), the Brandenburg Expert System for the Analysis and Documentation of Accident-Heavy Route Sections (Brandenburgisches Expertensystem für die Analyse und Dokumentation von unfallauffälligen Streckenabschnitten – BASTa) or the widely used Topographical Electronic Accident Type Map (Elektronische Unfalltypensteckkarte – EUSka) (Dick, 2011).

Currently, however, there is still a lack of precise specifications for OEM (Original Equipment Manufacturers) mass production solutions that are ready for market launch as well as reliable descriptions of the functional limits of highly and fully automated vehicles. Thus, to date forecasts of potential safety benefits rely heavily on numerous assumptions. Reliable data on market launch and penetration is also not available. Hence current predictions of potential safety benefits, which are solely based on accident data, have limited validity. It is therefore advisable to link in-depth accident data collections (e.g. GIDAS) with all available global accident data collections and analyses, traffic simulations, vehicle operation data and related weather information.

The learning curve in figure 2.8 demonstrates the increasing amount of available real-world data of automated vehicle functions before and after market launch. For the identification of relevant critical scenarios, the author recommends regular monitoring and analysis of all available data of automated functions (see also Annex A.17). These supply knowledge for sensor simulation, image classifications and decision strategies regarding future connected automated vehicles.

**Fig.2.8** Learning curve: Increase of available real-world data before and after market launch of automated vehicle functions to identify relevant critical scenarios for sensor simulation, classifications and decision strategies

### **2.13 Potential Safety Benefits / Risks and Impacts on Testing**

#### **2.13.1 Human Error versus Technical Failure in Full Automation**

Human performance in driving can be increased. The metaphorical example of the interaction of horse and rider shows that in the cooperative guidance of movement (see H-mode) redundant cooperation partners complement each other in their abilities with regard to perception and action, such as experience or tiring situations (Bengler K, Flemisch F 2011). First of all, a fully automated vehicle must reach this safety level. Only fault-free fully automated vehicles will be able to come close to "Vision Zero". On one hand we have to consider the human error in the causes of accidents on the other hand driving experience should not be underestimated. Machines can only handle driving situations that have been programmed. Beyond that, fully automated self-driving cars are restricted due to physical or technical limits.

Based on the GIDAS accident database, the left-hand side of Fig. 2.9 shows the statistical distribution of accident causes. At 93.5%, "human error" is the main reason for road accidents. Compared to that, the impact of unfavorable driving conditions or the environment (for example road surface quality or the weather) is at 4.6% quite low, with technical failure being even lower at 0.7% (Volkswagen/German In-Depth Accident Study, 2010).

Naturally, the possibility of accidents due to driver error is eliminated completely during fully automated driving sections. The "technical failure" category could therefore increase proportionally, with the added technical risks of full automation. As a consequence, the public can be expected to give it more attention (see Fig. 2.9).

In the future, further evaluation and overcoming human error processes in reallife traffic situations (supplemented by global relevant test scenarios which are based on comprehensively linked up and geographically defined accident-, traffic flow- weather- and vehicle operation data collections) will facilitate virtual traffic simulations for safe development, tests and validation of automated cars (Kompass, Helmer, Wang & Kates, 2015).

**Fig. 2.9** Today 93.5% of accidents are due to human error. With full automation, human error would be eliminated. As a consequence, the proportion of technical failure may appear considerably greater in the future. Data (Source: GIDAS)

#### **2.13.2 Potential Safety Benefits – Human and Machine Performance**

Car traffic safety today relies mostly on human skills and their support by safety-enhancing systems. Fully automated vehicles will depend only on machine performance. According to the level of automation, humans' perceptions, experience, judgment and capacity to react will be replaced by technical systems. The potential safety benefits as well as the risks of increasingly automated driving can be attributed to the various strengths and weaknesses of both humans and machines.

For instance, machines can neither react appropriately to unknown situations nor interpret the movements of children (see Dietmayer et. al., 2015; Dietmayer, 2016). On the other hand, people can be inattentive, misjudge speeds and distances and have a more restricted field of vision than machines (Knapp, Neumann, Brockmann, Walz & Winkle, 2009).

#### **2.13.3 Artificial Intelligence versus Human Perception Limits and Consequence**

To demonstrate the limited machine perception and Artificial Intelligence in comparison with human perception, a simplified model of current sensor technologies in use is described below. A vehicle requires sensors in order to collect information about its environment. Sensors can be classified according to their physical measuring principle. Cars mainly use radar, lidar, ultrasound sensors, near and far infrared, and cameras (see Maurer, 2000; Siedersberger, 2003).

The top and center image of figure 2.10 illustrate simplified and color-coded measuring principles that lead to limited machine perception. The bottom image superimposes all the above-named measurements onto what human drivers can see in difficult light- and weather conditions (sun, backlight, wet road surface, spray/splashing water, icing/contamination of windshield/sensors, road markings only partially visible). A closer look shows that the radar reflection point (blue) on the left is a false detection, which has been caused by a reflection in the other lane (see Becker et. al. 2004; Donner et. al. 2004).

Figure 2.10 illustrates that the outcome of machine perception and interpretation of complex traffic situations continues to present development engineers with considerable technical challenges. These include detecting static and dynamic objects, physically measuring them as accurately as possible, and allocating with the correct semantic meaning to the detected objects (see Dietmayer, 2016).

Difficult light- and weather conditions challenge human and machine perception in real traffic situations. For this purpose, area-covering accident data analyses are able to indicate temporally and geographically related accident black spots. To analyze scenarios with reduced visibility due to fog, rain, snow, darkness and glare from sun or headlights, the author carried out a first-of-its-kind area-covering accident study in cooperation with Christian Erbsmehl from Fraunhofer Institute for Transportation and Infrastructure Systems IVI in Dresden (see Ch. 3).

#### **2.13.4 Human Error versus Artificial Intelligence Incertitudes**

Advancing vehicle automation of the main driver tasks result in new research questions. Attentive and vigilant drivers have substantial skills to deescalate dangerous traffic situations. Human's capabilities provide significant input for traffic safety today. Differentiated potential benefit estimates would need to compare the performance of humans and machines. Especially takeover situations

**Fig. 2.10** Machine versus human perception (top image: radar in blue with lidar in yellow, center image: addition with Artificial Intelligence camera image processing in green and red, bottom image: overlay of machine perception with Artificial Intelligence, image recognition and human perception)

between driver and machine involve new challenges for design and validation of human-machine interaction. Initial tests at the chair of Ergonomics at Technical University of Munich (TUM) demonstrate relevant ergonomic design requirements which will be continued (Bengler, 2015).

Fundamental correlations between automation and human performance can be evaluated by many methods. It is possible to identify the probability of a road accident by the use of a fault tree. Amongst others the probability includes human failure, inappropriate behavior and the existence of a conflicting object (Reichart, 2000). The choice of actions to avoid a collision is greater, if the potential road accident is less imminent.

The evaluation of driver behavior requires observations for a longer period. Regarding human failures analyzing the perception process chain provides indepth knowledge. Such analyses draw on evaluations of psychological data from road accidents (Gründl, 2006). In terms of interdisciplinary accident analysis, an error classification of five categories has approved by practical experience in accident research. This five-steps method is a further development of ACASS (Accident Causation Analysis with Seven Steps). It was developed jointly with GIDAS along the lines of the seven-step principle from Jens Rasmussen, former system safety and human factors Professor in Denmark, a highly influential expert within the field of safety science, human error, risk management and accident research (Rasmussen,1982). Using the five-steps method it is possible to identify human errors, define the time during the perception process from accessing the information to operation, and to evaluate the particular type of error (see Fig. 2.11). The associated questions concern: Information access (was the relevant information of the traffic-situation objectively accessible to the driver? Was the field of vision clear?), information reception (did the driver observe the traffic situation properly and perceive/detect the relevant information subjectively?), data processing (did the driver correctly interpret the traffic situation according to the available information?), objective target (did the driver decide appropriate to the traffic situation?), and operation (did the driver carry out his or her decision into operation properly?).

Using this classification, the accident analysis shows that the predominant sources of human error lie in information access and reception (see Fig. 2.11); (Chiellino, Winkle, Graab, Ernstberger, Donner & Nerlich, 2010; Weber, Ernstberger, Donner & Kiss, 2014).

Regarding accident statistics with reference to human driving errors as the stated cause of accidents, the proportion of driving failures is quantified with: 93.5% (source GIDAS). In addition, probabilities are indicated with: evasive stress action to mitigate imminent crash is indicated by p = 0,1 … 1; evasive action with sufficient time gap is indicated by p <sup>=</sup> <sup>10</sup>–1 … 10–2 and trained lane keeping is

**Fig. 2.11** Distribution of human error in road traffic (see Chiellino, Winkle, Graab, Ernstberger, Donner & Nerlich, 2010; Weber, Ernstberger, Donner & Kiss, 2014)

indicated by p <sup>=</sup> <sup>10</sup>–4 … 10–5 (Bubb H, Bengler K, Grünen R-E, Vollrath M, 2015; see also Fig. 4.11).

For Artificial Intelligence perception, Klaus Dietmayer, Professor in Ulm at the Institute of Measurement, Control, and Microtechnology, Expert for Information fusion, Classification, Multi-Object Tracking, Signal processing and Identification (see Dietmayer, 2016) names three essential domains of incertitudes corresponding to human information access as well as data processing. These three are: firstly state-, secondly existence-, and thirdly class uncertainty. All three have a direct impact on machine performance. If the uncertainties in these areas increase beyond a yet to be defined "tolerable limit", errors in the automatic vehicle guidance can be expected. In terms of making forecasts, only an indication of trends is currently possible.

"While the currently known methods for estimating state and existence uncertainties do not enable a current estimation of the capability of the machine perception, in principle it is not possible to predict degeneration in the capability of individual sensors or even a failure of components." (see Dietmayer, 2016)

#### **2.13.5 Potential Safety Benefits of Fully Automated Vehicles in Inevitable Incidents**

When analyzing the potential safety benefits of fully automated vehicles, it is also important to consider persistent risks in the area of complex traffic situations and today's known inevitable incidents. These include accidents at poorly visible and unclear intersections or behind visual obstructions. In a study of individual cases as part of a doctoral thesis at the University of Regensburg, visual obstruction was identified as a contributory cause in 19% of all cases (Gründl, 2006). Examples include trees, bushes, hedges, and high grass. Obstructions for instance may also be the cause of an accident if a child running out suddenly and unexpectedly in front of a car from between parked vehicles or a yard entrance.

This especially includes errors in the sequences of the perception process, in the accessing and reaches its limits.

"*Due to the large number of possible and non-predictable events, especially the reactive actions of other road users, the uncertainties increase so strongly after around 2 s to 3 s that reliable trajectory planning is no longer possible on this basis*." (see Dietmayer, 2016)

Therefore experience-based, internationally valid guidelines with virtual simulation methods for verification of automated vehicles and final testing of the overall system limits in a real environment are recommended. This includes interaction tests with control algorithms and performance verification of real sensors in real traffic situations, particularly at the time just before a collision (Schöner, Hurich, Luther & Herrtwich, 2011; Schöner, 2015).

#### **2.14 Conclusion and Outlook**

The findings from road accident research confirm: human failure is the main cause of road accidents. This especially includes errors in the sequences of the perception process, in the accessing and reception of information.

In order to estimate the potential safety benefits of highly and fully automated vehicles from accident data, a sophisticated comparison of the overall performance of humans and machines is required (see Annex Fig. A.16). This, however, will only be possible when precise knowledge is available concerning the functional characteristics and technical limits of developments planned for mass production.

Statistically verified expert assessments have already proven the potential benefits of future safety-supporting vehicle and driver assistance systems. Even before development begins, the developer can assess potential benefits. Additionally, by analyzing and evaluating traffic accidents after market launch, car manufacturers can fulfill their product monitoring obligations.

Overall, the results of road accident analysis today verifiably show that automating driving tasks from the "driver only", "assisted", up to "partially automated" driving categories are key technologies in contributing to minimizing the consequences of human failure.

Forecasts for highly and fully automated vehicles, generated using traffic accident data, only give results based on numerous assumptions. A forecast of fully automated vehicles' potential safety benefits came from a first Daimler accident research appraisal that is based on several expert assumptions. According to Daimler's estimates, practically complete elimination of accidents is possible by 2070 – assuming successful market penetration. However, according to the definition given in the publication only accidents triggered by cars were looked at, and no consideration was given to physical limits and potential technical defects. This appraisal is thus based on some assumptions still to be refined and validated more detailed in the future.

Above all, the possible technical potential (for example, unknown advances in Artificial Intelligence for machine perception) limits an accurate forecast. In particular, development engineers are faced with considerable technical challenges when perceiving and interpreting complex traffic situations. Furthermore, human performance is often underestimated. According to findings from traffic accident analyses, assistance and partially automated systems are generally capable to compensate weaknesses of human capabilities. They can increase safety in routine human driving situations with supervision, warnings and lateral or longitudinal support. On the other hand, to further reduce the number of traffic accidents, driverless vehicles must at least match the driving skills of an attentive human driver (supported by assistance and partly automated systems) before series development can be considered. Only when these technical barriers have been overcome, can a large-scale rollout of marketable fully automated vehicles be expected.

Until then (as an alternative measure for the assessment of potential safety benefits) assumptions of an assumed technical system configuration and system design have to be made without knowing the system limits or failure rates.

In summary, the following issues limit the validity of the potential safety benefit forecasts from "driver-only" to fully automated vehicles and will have impact for testing:


testing of the overall system limits in a real environment will not be completely eliminated.

Even if the technology of driverless cars never reaches 100% perfection, and a few as yet unknown accident scenarios arise as a result, the vision of area-covering driverless vehicle use in road traffic appears to promise a socially desirable benefit. Research activities that make use of interdisciplinary experts working on vehicle automation should therefore be promoted and strengthened. It is recommended to combine in-depth accident data with all worldwide geographically defined accident data collections, related weather- traffic flow and vehicle operation data information considering data protection measures. This will lead to actual safety benefits and statistically relevant scenarios for development including validation or testing of automated driving pertaining to machine versus human perception.

**Open Access** This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

# **3 Analysis of Poor Visibility Real-World Test Scenarios**

The contents of the following chapter were already published within "European Transport Research Review" (Winkle T, Erbsmehl C, Bengler K, Area-wide realworld test scenarios of poor visibility for safe development of automated vehicles, 2018).

With regard to requirements for system validation and testing of automated vehicles for successful development, market launch and social acceptance, the available information content of all daily traffic accidents has not yet been fully exploited. It goes without saying that automated series production vehicles have to be safe under all conceivable real-world traffic situations. This also applies under all weather conditions or in the case of micro accidents with the slightest damage similar to a near-accidents. In order to develop and validate such vehicles with reasonable expenditure, a first area-wide analysis based on 1.28 million police accident reports was conducted including all police reports in Saxony from 2004 until 2014 concerning bad weather conditions (German traffic accident report: forms and subject areas; see Annex Fig. A.1).

Based on this large database, 374 accidents were found with regard to perception limitations for the detailed investigation. These traffic scenarios are relevant for automated driving. They will form a key aspect for future development, validation and testing of machine perception within automated driving functions.

This first area-wide analysis does not only rely on random checks as in current in-depth analyses but provides real-world traffic scenarios knowing the place, time and context of each and every accident over the whole investigated area.

#### **3.1 Motivation**

Automated research vehicles increasingly show higher levels of automation than present series production vehicles. Even when using highly automated functions, the driver is temporarily only limited to control the vehicle having a safe and collision-free journey (Gasser T, et. al. 2012; Society of Automotive Engineers SAE international 2014; National Highway Traffic Safety Administration NHTSA, 2013).

Despite numerous unknown accident avoidances, the safety significance is evident since the example of a first fatal crash while driving with the so-called "Autopilot" vehicle in Florida 2016 on May 7. According to the accident report, the driver of a passenger car died in this collision with a tractor trailer:

"Vehicle 01 (V01) was traveling westbound on US-27… proceeded to make a left turn … V02's roof struck the underside of V01's trailer … Driver 02 … was pronounced deceased …" (Fulton, D. M, 2016)

Tesla Motors, the manufacturer of the car, subsequently acknowledged that the car was in "Autopilot" mode. The system failed to recognize a white object against a brightly lit sky as a tractor trailer and therefore did not activate an emergency braking. Meanwhile the driver was watching a film.

Measures to reduce such risks and guarantee the functional safety of electrical and/or electronic systems are thus of prime importance. Automobile manufacturers have to consider limitations how machines perceive, process and react adequately to their surroundings so that automated vehicles will conduct a conflict and collision-free journey (Matthaei R, Reschka A, Rieken J, Dierkes F, Ulbrich S, Winkle T, Maurer M, 2015). In addition, extended concepts for human machine interaction of highly automated functions are arising at takeover situations (Bengler K, Flemisch F, 2011; Bengler et. al. 2018). A prerequisite for this is further technological development of assistance systems with more capable sensor and information technologies, allowing for a steady automation of driving tasks in vehicle control, right up to self-driving vehicles (Bengler K, Dietmayer K, Färber B, Maurer M, Stiller C, Winner H, 2014). Vehicles supported by partly or fully automated systems, must – at the very minimum – match the driving skills of an attentive human driver, before considering series development. The measures necessary for ensuring a correspondingly high functional reliability extend from the development stage to the entire life cycle of automated vehicles, and especially its electronic components.

For a safe development through minimizing risks, manufacturers carry out risk management (Donner E, Schollinski H-L, Winkle T, et. al. 2004). Amongst other measures (see Fig. 4.9) risk management takes real-world scenarios based on accident data into account. However, until now mainly random samples of traffic accident research have been carried out by various organizations. Their research encompasses the subfields of accident surveys/statistics, accident reconstruction, and accident analysis (Chiellino U, Winkle T, Graab B, Ernstberger A, Donner E, Nerlich M, 2010).

The currently best-known method for the evaluation of active safety systems and automated systems is dynamic forward calculation based on real pre-crash scenarios of traffic accidents (Erbsmehl C, 2009). It is carried out by means of various tools, for example rateEFFECT (Lutz L S, Tang T, Lienkamp M, 2012) or (PreScan Tass International, 2016). One of the biggest simulation databases, the pre-crash matrix of Traffic Accident Research Institute of TU Dresden GmbH (VUFO GmbH), was first introduced in 2013 and offers a range of about 5,000 pre-crash scenarios based on the GIDAS database, which can be used for simulations (GIDAS – German In-Depth Accident Study). Furthermore, other institutions such as the Hannover Medical School, as well as vehicle manufacturers and the German insurance industry, all carry out their own accident research. Central to this is investigating accidents directly at the scene, statistically recording and analyzing them according to certain characteristics, and, where needed, using this to further develop effectiveness of future vehicle automation (Langwieder K, Bengler K, Maier F, 2012).

Accident databases can be divided into two different kinds: the so-called indepth databases such as GIDAS (Germany), INTACT (Sweden), iGLAD (EU), NASS-CDS (US National Automotive Sampling System, Crashworthiness Data System) or CIREN (US Crash Injury Research and Engineering Network, and secondly national statistics (e. g. Destatis).

In-depth databases normally contain fewer accidents with many detailed variables (GIDAS in Germany contains around 2,000 accidents per year with up to 3,000 variables). Conversely national statistics cover the huge amount of all recorded accidents (e.g. 2.4 million registered accidents in Germany) but only give limited information about these collisions.

In contrast to the two above, the scenarios in this publication provide both: a large database and more extensive information from police recording with regard to standardized validation and testing. For the following analysis 1.28 million area-wide police accident data between 2004 and 2014 from the Saxony State Interior Ministry (Sächsisches Ministerium des Inneren SMI) were used. The database covers all traffic accidents on the entire road network of Saxony. Exclusive access to the corresponding database was provided by Fraunhofer Institute for Transportation and Infrastructure Systems (IVI). The process of this evaluation in cooperation with Fraunhofer IVI is based on 297 standardized types of accidents.

The following questions will be discussed, using the database provided by the SMI:


#### **3.2 Safe Development,Validation and Testing**

#### **3.2.1 Return of Feedback from Lifecycle of Automated Vehicles**

A safe development for safe automated vehicles is a key requirement. It also relates to the interaction between the vehicle and its environment. Using the support of systems with lower automation degrees requires a save driver interaction including safe take-over procedures (Matthaei R, Reschka A, Rieken J, Dierkes F, Ulbrich S, Winkle T, Maurer M, 2015; Bengler K, Zimmermann M, Bortot D, Kienle M, Damböck D, 2012). Development with regard to safe usage of driverless vehicles must ensure ability to recognize the criticality of a situation, decide on suitable measures for averting danger (e.g. degradation, driving maneuver) that lead back to a safe state, and then carry out these measures.

To fulfill the required safety confirmation, Fig. 4.14 recommends a circuit of working methods from the development team which can be supported by additional experts, confirmation tests using relevant test scenarios and monitoring automated vehicles after market introduction up to decommissioning. In the final stages of developing an automated vehicle, the development team has to verify that a vehicle reacts as previously predicted or in other ways appropriate to the situation.

There are three valid methodologies to prove the safety confirmation. A direct sign-off will be carried out through an experience-based recommendation of the automated vehicle development team itself. In addition, final evidence of safety can be passed after corresponding reconfirmation via an interdisciplinary forum of internal and external experts or an objective proof. Evidence of functional safety is possible via means of a confirmation test with relevant traffic scenarios. They are based on real-world scenarios with weather data (see Ch. 3), vehicle operation data, or other verifiable samples from monitoring of operation and service until decommissioning.

This book provides selected traffic scenarios to configure and perform confirmation tests for example virtual-, trial area- or field tests of automated vehicles. Starting from chapter 3, relevant real-world scenarios with reduced visibility for human and machine perception were considered. The scenarios were analyzed from traffic accident police reports with difficult weather conditions.

#### **3.2.2 Requirements for Automated Driving to Minimize Risk**

The selected scenarios from chapter 3 also support the fulfillment of requirements for automated vehicles. A minimum requirement any vehicle must meet—in order to be marketed by a manufacturer – is compliance with directives and regulations.

For safe automated driving functions, interdisciplinary coordinated development and approval processes are required, which permanently have to be adopted for new technologies. Standards and technical specifications with regard to automated or assisted vehicle functions have been growing steadily over the last years. As a part of the obligation to ensure traffic safety, new requirements for designing automated vehicles will be developed incrementally and previous approaches will be adapted. In particular minimizing risks, hazards or damage can prevent technical failures. Examples of requirements in the European Union or the United States can be divided in two categories (see Fig. 3.1): Type approval (grey) and duty of care (blue).

#### **3.2.2.1 Requirements for Duty of Care**

To demonstrate Duty of Care, ISO standards from the International Organization for Standardization (ISO) have to be proved as a state-of-the-art requirement. Over the years, many ISO standards elaborate for new automated vehicle functions (see examples in Fig. 3.1). They include: ACC Adaptive Cruise Control (ISO 15622), APS Assisted Parking System (ISO 16787), CSWS Curve Speed Warning System (ISO 11067), ERBA Extended Range Backing Aid (ISO 22840), FVCWS Forward Vehicle Collision Warning System (ISO 15623), FVCMS Forward Vehicle Collision Mitigation System (ISO 22839), Automotive Cybersecurity (ISO 21434) and ISO TR 4804 following by ISO TS 5083 Safety and cybersecurity for automated driving systems.

**Fig. 3.1** Requirements for Type Approval and Duty of Care to minimize risk, hazards and possible damage of automated driving [3], [16], [18]

The design of automated systems from an ergonomic point of view is a key issue as well. Examples for standards based on ergonomic aspects of transport information and control systems are: Calibration tasks for methods which assess driver demand due to the use of in-vehicle systems (ISO 14198), specifications and test procedures for in-vehicle visual presentation (ISO 15008) or a simulated lane change test to assess in-vehicle secondary task demand (ISO 26022). Central requirements for safe development are considered in standards such as the ADAS Code of Practice definition for Level 0–2 Systems (Knapp A, Neumann M, Brockmann M, Walz R, Winkle T, 2009), Code of Practice for Automated Driving for Level 3–4 Systems (Annex Fig. A.8), ISO 22737 Intelligent transport systems – Low-speed automated driving (LSAD) systems for predefined routes – Performance requirements, system requirements and performance test procedures, ISO 26262 functional safety (ISO 26262-3, 2018) or ISO 21448 (Publicy Available Specification PAS) (ISO/PAS 21448, 2019). Overall, the 2009 SOTIF ISO standard supports the SOTIF Safety Of The Intended Functionality, a part of technical safety that deals with the hazards of technical systems. At the heart of SOTIF is the uncertain question of how to specify, develop, verify and validate an intended function so that it can be considered reasonably safe. Accordingly, the following questions must be considered when designing a driver assistance system with regard to SOTIF:

What are the limitations of the sensors you use?

How do the actuator limits affect the intended function?

How can the driver incorrectly use an assistance system?

Which verification and validation measures have to be taken to test the intended function?

Ergonomically the demands for automated driving systems can be assigned to all three levels of tasks while driving:

Primary tasks include everything that is directly involved in the driving task, such as longitudinal and lateral guidance. Secondary tasks support safe driving, including activating the windshield wipers or headlamps, which today are usually automatically operated by assistance systems. Tertiary tasks to control infotainment systems in the vehicle, such as radio, navigation system, telephone or other information from the internet are increasingly requested. To this day, due to safety reasons the primary driving task should always be at the center of the attentive driver.

The focus of the following schematic representation is on the capabilities of sensor technology and data processing particularly with regard to those functions that relate to the primary driving task (navigation, maneuvering and stabilization). Especially by supporting the maneuvering task, driving in the corresponding driving sections has changed significantly compared to previous driving habits (Bubb H, Bengler K, Grünen R-E, Vollrath M, 2015).

While ISO standards in the EU tend to have more of a minimum requirement character, safety standards set by SAE International in US and Canada are seen as legally binding. SAE International was initially established as the Society of Automotive Engineers (SAE) and coordinates the development of technical standards for engineering professionals in various industries. Currently several SAE Standards for several functions, including Adaptive Cruise Control (ACC) and Pedestrian Collision Mitigation System (PCMS) exist (see Fig. 2.5).

#### **3.2.2.2 Requirements for Type Approval**

In order to introduce an automated vehicle with all its components into the international market, it is necessary to comply with the required market-specific type approval regulations.

#### – **EU market:**

For the EU member states and other contractual partners, harmonized regulations apply. To receive type approval of motor vehicles especially provisions for braking and steering set by the Economic Commission for Europe of the United Nations (UN/ECE) must be fulfilled. Each country that joined the 1958 Agreement or the 1998 Agreement on Global Technical Regulations (GTRs) has the authority to test and approve manufacturer's designs. The Harmonization of Vehicle Regulations starts with exemplary requirements such as ECE R 1 (headlights) and goes up to ECE regulation number R 13 with uniform provisions concerning the approval for braking comply with automated driving systems. In contrast, ECE R 79 (revision 2, chapter 5) construction provisions with regard to steering equipment already have limitations for "low speed maneuvering or parking operations". Other relevant examples are constantly expanding: ECE R 130 and ECE R 152 (Lane Departure Warning System LDWS), ECE R 131 (Advanced Emergency Braking Systems AEBS), ECE R 151 (Blind Spot Information System for the Detection of Bicycles), ECE R 155 (Cyber Security), ECE R 156 (Software Updates) or specifically the ECE R 157 (Automated Lane Keeping Systems ALKS). The UN ECE regulation R 157 allows temporary hands-free driving when a belted driver is available on motorway-like roads under suitable environmental and infrastructure conditions with a maximum speed of up to 60 km/h:

*"Automated Lane Keeping System (ALKS) for low speed application is a system which is activated by the driver and which keeps the vehicle within its lane for travelling speed of 60 km/h or less by controlling the lateral and longitudinal movements of the vehicle for extended periods without the need for further driver input."*

The Vienna Convention on Road Traffic is designed to facilitate international road traffic and to increase road safety by establishing standard traffic rules among the contracting parties. The convention was agreed upon at the United Nations Economic and Social Council's Conference on Road Traffic in 1968. It stipulates that the driver has to control the vehicle under all circumstances.

In 2014, the Convention was supplemented by a paragraph in Article 8:

"*Vehicle systems which influence the way vehicles are driven shall be deemed to be in conformity with paragraph 5 of this Article and with paragraph 1 of Article 13, when they are in conformity with the conditions of construction, fitting and utilization according to international legal instruments concerning wheeled vehicles, equipment and parts which can be fitted and/or be used on wheeled vehicles" …*

*"Vehicle systems which influence the way vehicles are driven and are not in conformity with the aforementioned conditions of construction, fitting and utilization, shall be deemed to be in conformity with paragraph 5 of this Article and with paragraph 1 of Article 13, when such systems can be overridden or switched off by the driver …"*

This means that new systems are also considered to be consistent if they comply with the approval regulations, in essence the ECE directives. If they do not comply with the regulations, they should be considered to be in accordance if they can be overridden or switched off by the driver.

A future goal for fully automated vehicles is the modification that they will be treated like human drivers (United Nations Economic and Social Council's Conference on Road Traffic in 1968).

#### – **US market:**

In order to sell a motor vehicle in the North American market, a vehicle manufacturer must certify that the vehicle meets performance requirements specified in the Federal Motor Vehicle Safety Standards (FMVSS). US and Canadian vehicle safety regulations operate on the principle of self-certification. The manufacturer or importer of a vehicle or item of motor vehicle equipment certifies, asserts and promises that the vehicle or equipment complies with the safety standards.

The FMVSS encompass 73 separate standards that generally focus on crash avoidance, crashworthiness, and post-crash survivability. First introduced through the National Traffic and Motor Vehicle Safety Act of 1966, these standards have been developed with the assumption that vehicles are driven by a human driver. However, a review in 2016 revealed that there are few barriers for automated vehicles to comply with FMVSS, as long as the vehicle does not substantially deviate from a conventional vehicle design. Two standards (theft protection and rollaway prevention FMVSS 114 and light vehicle brake systems FMVSS 135) were identified to be updated for automated vehicles with conventional designs (Kim A, Perlman D, Bogard D, Harrington R, 2016).

#### **3.3 Real-World Scenarios for Development and Testing**

#### **3.3.1 Machine versus Human Perception Limits with Consequences for Testing**

To illustrate the challenge of human perception and furthermore the limited performance of machine perception with Artificial Intelligence under difficult weather conditions, one example has been demonstrated previously. This example results from the comprehensive accident analysis of accidents with restricted visibility described in detail later in this chapter. The real-world situation below (Fig. 3.2) considers the single fatal pedestrian accident which was found in this analysis. The translated police accident report describes the circumstances as follows:

… The pedestrian 01 walked along State Road S 227. He was on the left side of the road. Approximately 100 meters after a branch a collision with the oncoming car 02 occurred. The pedestrian was under the influence of alcohol …

Fig. 3.2 represents the real accident scene before collision including a simplified model of currently available sensor technologies with image recognition and Artificial Intelligence. To be able to collect information about its environment, a vehicle needs sensors, which are classifiable according to their physical measuring principle. The automobile sector mainly uses Radar, Lidar, near and far infrared, ultrasonic sensors, and cameras. Camera sensors have limited perceptual performance in the dark. Lidar and radar sensors are even active sensors. They actively emit laser pulses in the infrared range or radar radiation and measure the distance to objects, their relative speed and their size on the basis of reflections. These sensor principles work quite reliably in clear visibility and darkness without additional weather restrictions like snow in this example.

The upper and center images of Fig. 3.2 show what humans might perceive among difficult light- and weather conditions (rain, snow, backlight, wet road surface, spray/splashing water, icing/contamination of windshield/sensors, road markings only partially visible). In addition, the center and lower images, simplified and color-coded, depict limited machine perception and interpretation of individual measuring principles. The center image superimposes human- and machine perception. Using all these above-named measurements it is revealed in this scenario that the left-hand radar reflection point (blue) is a false detection, caused by a reflection in the opposite lane. The challenge of exclusively limited machine perception and interpretation is demonstrated by the lower image.

Difficult lighting- and weather conditions challenge human and machine perception in real traffic situations. Furthermore, machine interpretation of complex traffic situations continues to present development engineers with considerable technical challenges. These include detecting static and dynamic objects, physically measuring them as accurately as possible, and allocating the correct semantic meaning to the detected objects.

**Fig. 3.2** Example of fatal pedestrian accident in Saxony. Challenge of human and machine perception with image recognition and Artificial Intelligence of a pedestrian. Left side: Pedestrian is visible in the light beam and closer than the oncoming vehicle. Right side: Pedestrian is invisible out of the light beam for human perception when distance is greater than oncoming vehicle lights (upper images: driving scene with human perception, center images: overlay human with machine perception Radar in blue with Lidar in yellow, camera-image processing in green and red, lower images: driving scene with machine perception and interpretation using image recognition and Artificial Intelligence)

To analyze scenarios considering reduced visibility due to fog, rain, snow, darkness and glare from sun or headlights, a first of its kind area-wide accident study with support from Daimler Research, the Daimler and Benz Foundation and the Fraunhofer IVI for Transportation and Infrastructure Systems in Dresden was carried out. This area-wide accident data analysis is able to indicate temporally and geographically related accident black spots.

#### **3.3.2 Relevant Real-World Scenarios for Development and Testing**

Figure 3.3 shows that the current possibilities of such area-wide traffic scenario investigation for developmental requirements offer further insights, for example also with regard to nearly-missing accidents.

**Fig. 3.3** Accident investigations offer further insights, for nearly missing accidents (see also Fig. 3.5). (*Source: Winkle T.*)

Area 1, shown as a globe on the left in Figure 3.3, stands for day-to-day safe traffic scenarios that do not lead to collisions. Most of these scenarios are not known to us.

The small grey area 2 contains the traffic scenarios that have been investigated in-depth, but only partially researched today. Among them are findings from field studies and investigations of traffic accident research, which usually analyze the "worst case". German accident statistics in 2020 show that a fatal traffic accident occurred only every 270 billion kilometers driven. (see Annex Fig. A.13). Restricted accident recording criteria, for example those of OEMs or GIDAS, often limit the number of accidents to either certain locations, times, special collision conditions such as airbag deployment, involvement of injured persons, special pedestrian accidents, vehicle types or other general conditions, and must therefore first be weighted for statistical relevance.

Area 3 contains all previously unknown and unresearched traffic scenarios.

The hatched red overlap as area 4 between areas 2 and 3 represents traffic accidents with fatalities or injuries that are only investigated to some extent or are accessible, for example, via accident type catalogues.

The aim up to sign-off and SOP in the right-hand grey area 2 illustration is to extend selectively investigated traffic situations to cover area-wide all traffic accidents, including the smallest accidents (micro-accidents) with minor touching and traffic violations without damage. This allows conclusions to be drawn about nearly-missing accidents. Also included are accidents only resulting in injuries and only material damage, which account for a significant proportion. In 2020, 327,550 people were injured in road traffic and at the same time less than 2 million traffic accidents with material damage were documented (see Annex Fig. A.14 and A.15). All these scenarios are all described electronically in police databases with the exact location.

As a result, this increases area 2 on the right-hand, while at the same time reducing all limited or unresearched scenarios, as illustrated by the now smaller areas 3 and 4.

In this research, area 2.x is representative for the federal state of Saxony and is recommended as a further piece of the puzzle for the extension of the selectively researched restricted visibility scenarios in area 2. The analysis of poor visibility real-world test scenarios is also generally mentioned in the ISO standard 21448 published in 2019 (ISO/PAS 21448, 2019). According to the standard, each scenario starts with a starting scene. Within these, actions, events, goals and values can be defined in order to describe the chronological sequence within a scenario. In comparison to a scene, a scenario extends over a certain period of time. The official statistics collect more than 100,000 accidents in Saxony annually. This analysis is based on all 1,286,109 police-recorded accidents over ten years starting from the year 2004. Figure 3.4 shows the number of these accidents from 2004 to 2015 and their consequences with regard to personal injury or property damage.

**Fig. 3.4** Area-wide analysis based on 1.286.109 police accidents recorded in Saxony from 2004–2014

The analysis of area-wide traffic accidents with difficult weather conditions and reduced visibility for human and machine perception produces the results below. Through the analysis of all 1.286.109 police reports from the years 2004 to 2014 in Saxony, 374 accidents with the above-mentioned criteria were found.

Fig. 3.5 presents all geographically assigned accident sites with relevant scenarios due to limited visibility. The accident severity ranges from the slightest damage, such as a scratch (similar to a near-miss), to the dramatic fatal pedestrian accident mentioned above.

The knowledge of all area-wide collisions over the complete range of unusual collisions, from micro accidents to the most serious crash, with knowledge of the exact geographical location of the accident, forms the basis for the in-depth accident analysis concerning virtual, trial and field tests of automated vehicles.

**Fig. 3.5** Area-wide geographically related traffic accidents with difficult weather conditions and reduced visibility for human and machine perception. (Geographical data © state-owned enterprise geo basic information and measurement Saxony 2015)

For a deeper insight into the subject, the author conducted a case-by-case analysis of all information given in the police accident reports with the following findings:

#### **3.3.2.1 Categories of Accident Causes With Reduced Visibility**

A total of 374 area-wide traffic accidents with 417 accident causes can be subdivided into seven main categories of difficult weather conditions (see Fig. 3.6). They include 237 collisions (by far the largest part) due to reduced visibility by fog. In addition, there were 61 cases with glare or blinding from the sun, 60 cases due to rain, 22 cases due to snow and eight cases due to blinding of headlights forced by oncoming traffic. Only four cases were primarily connected to visual obstructions.

**Fig. 3.6** Distribution of 374 accidents with fog, glare, rain and snow in Saxony

$$p = \frac{\text{Number of all area wide accidents}}{\text{Number of accidents connected to associated visual observation}} \qquad (3.1)$$

The four accidents provoked by visual obstructions through parking vehicles (pedestrian accident), a garbage can and snow piles are described as follows:

… In height of position … Mrs. … crossed the lane on foot. Thereby she walked from between parking cars right after a passenger car into the driving lane… Because of the rain, she was holding an umbrella in front of her …

… Due to poor visibility (snow piles) and traffic caused, driver 01 had to move further on in … street …

… Driver 01's view of the access road was restricted by a garbage can …

… According to statements by driver 01, the view was restricted by snow piles with regard to 02 …

#### **3.3.2.2 Injuries Caused by Accidents With Reduced Visibility**

In the 374 relevant accidents, 760 people were involved. The majority of these collisions resulted only in property damage. In total, 609 people remained uninjured. 99 people were slightly injured, 51 were badly injured and one person killed (Fig. 3.7).

**Fig. 3.7** Injuries from 374 accidents with difficult weather conditions and 749 participants

#### **3.3.2.3 Accident Types in Connection With Reduced Visibility**

Furthermore, the conflict situations were categorized in accident types. In the context of the cause of the accident that led to the conflict, the accident type (UTYP) describes the initial phase before the damage occurs. On the main level seven types of accidents can be distinguished, which can be further subdivided into a second or third level. The main levels are (Accident Research Department of the German Insurance Association 2003):


As a result, Fig. 3.8 shows that the majority of 71 accidents are related to several accident types in longitudinal traffic (UTYP 199). Furthermore 45 right turn collisions (UTYP 102) occurred. Another 26 collisions were related to bends in the roadway (UTYP 139) and 20 to left turn collisions (UTYP 101).

Further on, 44 wildlife accidents (UTYP 751), 26 collisions with vehicles turning left with oncoming traffic (UTYP 211) and 17 other collisions in oncoming traffic occurred.

**Fig. 3.8** Main areas of accident types (UTYP 101–799) with difficult weather conditions

The large proportion of dynamic accidents (UTYP 1: 101–199) with 49 percent reflects that drivers often lose control over their vehicles under difficult weather conditions (Fig. 3.9).

**Fig. 3.9** Distribution of accident types (UTYP 1xx–7xx) with difficult weather conditions

#### **3.3.2.4 Evasive Maneuvers to Avoid Accidents**

In connection with automated driving systems, evasive driving maneuvers are often discussed from an ethical point of view.

Therefore, this case-by-case real-world analysis provides insights:

The descriptions in this case-by-case analysis point out five collisions, where the drivers were able to reduce the consequences of an accident by evasive maneuvers. Another 13 drivers (4%) tried to prevent the collision but failed with their evasive maneuvers. A major proportion of 356 accidents (95%) confirms no indications of evasive actions (see Fig. 3.10).

**Fig. 3.10** Main areas of accident types with difficult weather conditions

Out of all 374 accidents, some evasive maneuvers are clearly not relevant to avoid collisions in the following cases: 127 accidents caused by lane departure and accidents with moving objects (e.g. 43 animals caused collisions) are difficult to avoid, because it is unknown if the animal will continue running, stop or reverse.

*n(relevant evasive maneuvers to avoid collisions)* = *n(gesamt)* − *n(lanedeparture)* − *n(movingobjects)* = 347 − 127 − 43 = 177 (3.2)

#### **3.3.2.5 Examples for Minor and No Damage to Property**

Two cases of the data set describe only minor damage to the involved vehicles and no injuries. The translated parts of the police accident reports below show two cases with no damage and one with slight scratches:

… 01 parked his car backwards in a parking slot. Because of his limited view, darkness and rain, he slightly touched the parked car at the back … He could not find any damage on either vehicle …

… Driver 02 rule-consistently stopped at the parking lot … to let passengers get off the car. 01 rear-ended 02. The reason for this was snow on the roof which slips on the windshield when braking. Snow blocked the view and 01 reacted too late … There were no obvious damages to determine at car 01. Slight scratches were visible on passenger car 02 …

#### **3.3.3 Integration of Relevant Test Scenarios for Safe Automated Vehicles**

For a complete overall evaluation of highly and fully automated vehicles' functional safety, area-wide real-world accident scenarios with no harm to people, near collisions, traffic simulations and weather data as well as analysis provide the best basis. Knowing all relevant factors that may lead to a collision, virtual simulations can be performed based on detailed and quantitative models. Therefore, this first-time comprehensive area-wide study based on all police reports was carried out (Winkle T, 2015a).

The findings can be completed with information from hospitals, insurance companies and models of human behavior. Especially takeover situations between driver and machine involve new challenges for design and validation of human-machine interaction. Initial tests at the Chair of Ergonomics at the Technical University of Munich (TUM) demonstrate relevant ergonomic design requirements which will be continued (Bengler K, 2015).

#### **3.3.4 Test Scenarios and Requirements in Relation to Legal and Ethical Aspects**

The analyzed test scenarios and requirements also provide information about "allowed" risks and risks accepted by society. Using vehicles with automated functions, unforeseeable reactions have to be expected, which in the worst cases may even cause injuries and fatalities. Due to the growing complexity, highly or fully automated vehicles currently involve risks which are difficult to assess. In addition, there are new liability questions and limited tolerance for technical failure. While over 1.2 million traffic fatalities currently seem to be acceptable to society all over the world, there is likely to be zero tolerance for any fatal accident involving presumable technical failures.

On the other hand, automated driving systems promise considerable potential safety benefits.

So far, many questions remain unanswered such as:


Test scenarios and design requirements will support a safe development and support fulfillment for duty of care. However, in general, creation of risks results in duty of care requirements but not every generation of hazards is forbidden. This occurs if automated functions cause significant social benefits. Risks have to be reduced to a minimal level. Which risks the user reasonably will expect has to be negotiated by society. Levels of acceptable risks will be discussed by the media, society, during development of standards and at court. The question which risks a society is willing to accept should be differentiated from the question how critical traffic scenarios have to be assessed during development. It should be assumed that the developers and programmers are not liable to prosecution for negligence if they act within the permitted risk. In the foreseeable future the driver remains liable.

Dilemma situations will occur until the machine perception or prediction can reliably distinguish for example between old man and young lady or if cyclists wear a helmet. The aim is to reduce risks. Shifting of risks is forbidden (Di Fabio U et. al., 2017).

#### **3.4 Conclusion and Outlook**

Perceiving and interpreting complex traffic situations with difficult weather conditions, development engineers are faced with considerable technical challenges. Therefore, the provided scenarios include representative situations for the transfer to worldwide similar road networks. They will be considered in development standards, both for early simulations as well as for the subsequent real test.

The considered 1,286,109 police-recorded accidents in the exemplary state Saxony over ten years starting from the year 2004 are reduced to 374 real-world scenarios for bad weather condition. A distribution of accident types under these circumstances shows 49 percent of collisions where the driver lost control of his or her vehicle. The cause is presumed to be the reduced friction values on slippery road surfaces. In particular left turn, right turn maneuvers or bends in roadways occur more frequently and have to be considered for testing (see Fig. 3.8).

Finally, the case-by-case analysis points out only five collisions, where the drivers tried to reduce the consequences of an accident by evasive maneuvers. Only 177 cases are relevant due to the general conditions to be considered for evasive maneuvers to prevent or mitigate collisions. These accidents could possibly be prevented by future automation systems. Additional measurements and traffic simulations of the well-known accident locations – which were not examined in this analysis – will support for a deeper understanding.

In summary, the following issues will have an impact for testing:


It is recommended to comprehensively link geographically defined road-accident data and the accompanying high-definition geographic digital mapping data (e.g. Google Maps, Nokia HERE, TomTom, OpenStreetMap) with traffic-flow data from different sources (e.g. cars, mobile phones, road traffic devices). In the future, vehicle operation data and traffic simulations could be included as well.

Based on these relevant real-world scenarios the author recommends further development of internationally valid guidelines – such as the ADAS Code of Practice definition, ISO 26262 functional safety or ISO PAS 21448 to support safety of the intended functionality (SOTIF) – with virtual simulation methods for verification of automated vehicles and final testing of the overall system limits in a real environment. Error processes and stochastic models have to be analyzed (in combination with virtual tests in laboratories and driving simulators) to control critical driving situations. This includes interaction tests with control algorithms and performance verification of real sensors in real traffic situations, particularly at the time just before a collision (Schöner H-P, Hurich W, Luther J, Herrtwich R G, 2011; Schöner H-P 2015).

In general, it is recommended to identify worldwide networks, collaborate with affected partners, engage government representatives, local non-governmental organizations (NGOs) and promote road safety awareness (Feese J, 2016). Many governments and authorities encourage the deployment of new technologies with the potential to save lives. They work with industry, governmental partners, and other stakeholders to develop new technologies and accelerate their adoption in type approval regulations and standards.

**Open Access** This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

# **4 Technical, Legal, and Economic Risks**

The contents of this chapter were already prepublished within the Springer book: Autonomous driving, technical, legal and social aspects (Winkle, Development and Approval of Automated Vehicles: Considerations of Technical, Legal and Economic Risks, 2016b).

### **4.1 Introduction Development**

In the following chapter the author traces the technical improvements in vehicle safety over recent decades, including new sensor technologies with image recognition and Artificial Intelligence, factoring in growing consumer expectations. Through Federal Court of Justice rulings on product liability and economic risks, he depicts requirements that car manufacturers must meet. For proceedings from the first idea until development to sign-off, he recommends interdisciplinary, harmonized safety and testing procedures. He argues for further development of current internationally agreed-upon standards including tools, methodological descriptions, simulations, and guiding principles with checklists. These will represent and document the practiced state of science and technology, which has to be implemented technically suited and economically reasonable.

### **4.2 Motivation**

In the course of new innovations, technical, especially electrical/electronic systems with Artificial Intelligence and sophisticated software are becoming far more complex in the future. Therefore, safety will be one of the key issues in future

automobile development resulting in a number of major new challenges, especially for car manufacturers and their developers. In particular, changing vehicle guidance from being completely human-driven, as it has always been, to being highly or fully automated, raises fundamental questions regarding responsibility and liability. This calls for new approaches: first and foremost new safety and testing concepts (Bengler, Dietmayer, Färber, Maurer, Stiller & Winner, 2014). From the legal point of view, automated vehicles require protective safety measures in the development process (Gasser, et. al. 2012). The remaining risk must be accepted by users. According to a judgment by the German Federal Court of Justice (Bundesgerichtshof, or BGH), such vehicle systems must be designed (within the limits of what is technically possible and economically reasonable) according to the respective current state of the art, state of science, and must enter the market in a suitably sufficient form to prevent damage (Bundesgerichtshof 2009).

Nationwide, it can be seen that product liability claims against large companies continue to rise (see Sec. 4.7.1). Consumer expectations regarding safety rise (see Sec. 4.5) while a general decline in self-responsibility is also becoming apparent in Europe and the eastern world. The social acceptance of destinies decreases with consumer attitudes: "Someone has to be responsible for that and pay me for my damage."

In addition, increased willingness to sue is being caused by increased social cuts and the threat of further economic crises. Payments for compensation of severe injury cases continue to escalate due to increasingly expensive court decisions and a more litigious social environment. In particular, lack of or inadequate social security systems force victims to seek financial compensation for damages in court. This puts insurance companies under pressure and leads to an increase of compensation claims against companies. A "socialization of damages" by large companies occurs. Regional differences are increasingly disappearing. The author's personal experience with regard to product liability cases shows that consumer protection in countries such as China, India and Russia are now at least on a western level. Media diversity, in particular various types of consumer information from the Internet, generates a high level of consumer awareness worldwide. Class actions are now also possible in Europe, for example by means of interest groups via the Internet. The payment of attorneys' fees via success-related results also reduces the risk of legal action by consumers.

The worldwide harmonization of compensation payments settles at a high level (see Sec. 4.7.1). Due to the possibilities of an US electronic discovery in the event of a claim, companies today are more transparent. Similar processes have now been installed in Europe, Australia, Korea, Japan and China. Overall, this increases the potential risk for extended lawsuits.

#### **4.3 Questions of Increased Automation's Product Safety**

Media reports on fully automated research vehicles from car manufacturers, suppliers and IT companies have been predicting for years the series production and market launch of self-driving vehicles. Several things still need to be in place however, before these vehicles can be launched on the market. Increasing automation of vehicle guidance calls for cutting-edge, highly complex technology. Particularly with the use of electric/electronic hard and software, unforeseeable reactions have to be expected, which in worst cases may even be danger to life and limb. Due to the growing complexity, fully automating all driving tasks in driverless vehicles (see Gasser, et. al. 2012) – without a human driver as a backup – currently involves risks, which are difficult to assess. In addition, there are new liability questions and limited tolerance for technical failure.

Assumption: while about 3,000 deaths in road traffic currently seem to be acceptable to society in Germany, there is likely to be zero tolerance for any fatal accident involving presumable technical failure. Although automation in driving – for example at lower speeds – promises considerable safety benefits, the comprehensive commercialization of driverless vehicles can only take place once the questions of who is liable and responsible for damage caused by technological systems have been clarified. Acceptance by society may only be achieved if, among other things, the benefits perceived by the individual clearly exceed the risks experienced.

To date, the following questions, amongst others, remain unsolved:


Further questions also arise beginning from level 3 systems and above to improve product safety:


task or non-driving activity be prohibited? (for example: "Tesla judgement" decision of 27.03.2020 – Reference: 1 Rb 36 Ss 832/19)


#### **4.4 Continued Technical Development of Assistance Systems – New Opportunities and Risks**

From a technical point of view, automated vehicles are presently already able to autonomously take over all driving tasks in some defined areas and traffic situations. Current series production vehicles with an optimized sensor, computer, and chassis technologies enable assistance systems to increase their performance. Some of the driver-assistance systems on the market today give warning when they recognize dangers in parallel or cross traffic (Lane Departure Warning, Collision-, Lane Change-, Night Vision- and Intersection-Assistance). Others intervene in the longitudinal and lateral dynamics (e.g. anti-lock braking ABS, Electronic Stability Control ESC, Adaptive Cruise Control ACC). Active parking/steering assistance systems provide increased convenience by interventions of steering and braking at low speeds. These partially automated vehicle systems, with temporary longitudinal and lateral assistance, are currently offered for seriesproduction vehicles, but exclusively on the basis of an attentive driver being able to control the vehicle. Supervision by a human driver is required. During normal operation at and beyond the system limits, the system limits or failures of these Advanced Driver Assistance Systems, or ADAS, are thus compensated by the proof of controllability due to the driver (see Knapp, Neumann, Brockmann, Walz & Winkle 2009; Donner, Winkle, Walz & Schwarz, 2007).

For fully automated driving systems on the other hand, the driver is no longer available as a backup for the technical limits and failures. This replacing of humans, acting by their own responsibility, with programmed machines goes along with technical and legal risks, as well as challenges for product safety. However, future expectations regarding driverless vehicles – even in a situation of possible radical change – can only be described as using previous experience. Analogies based on past and present expectations concerning vehicle safety will therefore be examined in the following section.

#### **4.5 Expectations Regarding Safety of Complex Vehicle Technology**

#### **4.5.1 Steadily Rising Consumer Expectations for Vehicle Safety**

Fully automated driving vehicles must be measured against today's globally high level of consumer awareness in vehicles' technical failures. Since 1965, critical awareness regarding the car industry has evolved more and more, strengthened by the book *Unsafe at Any Speed: The Designed-In Dangers of the American Automobile* (Nader, 1965 & 1972). In this publication, the author Ralph Nader blamed car makers for cost savings and duty of care breaches at the expense of safe construction and production. With its presentation of safety and construction deficiencies at General Motors and other manufacturers, the book's content scared the public. Nader went on to found the Center for Study of Responsive Law, which launched campaigns against the "Big Three" auto makers, Volkswagen and other car companies. Technical concepts were subsequently reworked and optimized. At the center of Nader's criticism was the Chevrolet Corvair. Amongst other things, Nader criticized the unsafe vehicle dynamics resulting from the rearmounted engine and swing axle. Under compression or extension, it changed the camber (inclination from the vertical axis). By a design modification into an elastokinematic twist-beam or a multilink rear suspension, the inclination remains largely unchanged, which results in more stable driveability and handling. Later, the VW Beetle also came under fire for similar reasons due to its sensitivity to crosswinds. It was also designed with a rear-mounted engine and a swing axle. As a technical improvement VW therefore replaced the Beetle with the Golf, with a front engine and more stable handling (market introduction 1974).

Besides the development of new vehicles that were of better design and drove more safely, a further consequence of this criticism was the establishment of the US National Highway Traffic Safety Administration (NHTSA), located within the Department of Transportation. Based on the Highway Safety Act of 1970 it improves road traffic safety. It sees its task as protecting human life, preventing injury, and reducing accidents. Furthermore, it provides consumers with vehicle-specific safety information that had previously been inaccessible to the public. Moreover, the NHTSA has accompanied numerous investigations of automobile safety systems to this day. Amongst other things, it has actively promoted the compulsory introduction of Electronic Stability Control (ESC). Parallel to NHTSA activities, statistics from the Federal Motor Transport Authority in Germany (Kraftfahrt-Bundesamt, or KBA) also show increasingly sensitive ways in handling safety-related defects, by supporting and enforcing product recalls (Kraftfahrtbundesamt Jahresberichte, 2014). Furthermore, there are now extremely high expectations for vehicle safety. This also can be seen in the extensive safety equipment expected today in almost every series production vehicle across the globe. This includes anti-lock braking (ABS), airbags, and Electronic Stability Control (ESC). The frequency of product recalls has increased, despite passenger vehicles' general reliability and functional safety noticeably rising at the same time. Endurance tests in trade magazines such as *Auto Motor und Sport* show that a distance of 100,000 km can be obtained more often without any breakdowns, unscheduled time in the garage, or defective parts, and no defects at all.

#### **4.5.2 Current Safety Expectations of Potential Users**

Above all the acceptance of automated vehicles depends upon whether the consumers perceive the technologies as safe and reliable.

Consumers are still skeptical about data protection, protection against cybercrime and functional safety with increasing automation. A study on automated driving from the TÜV Rheinland 2018 states: In general, consumers in China, the USA and Germany have a positive attitude towards autonomous driving technology. However, the more driving functions are automated, the lower the feeling of safety. Chinese consumers are little less skeptical.

This was one of the main findings and results received from the study that drivers in Germany, the USA and China are convinced that road safety decreases with increasing automation of cars (Schierge Frank, 2017). According to the author, however, an intelligent controllable automation can increase security.

In the study mentioned above, TÜV Rheinland surveyed 1,000 private individuals aged 18 and over with a car driving license in each of the major markets of Germany, the USA and China using an online questionnaire. The study covered a period of 3 months (August to October 2017). The results confirmed the trend of a representative survey conducted by TÜV in spring 2017 on the acceptance of autonomous driving technology in Germany: Three out of four were therefore positive about higher levels of autonomous driving, but there were still many reservations about the technical implementation. According to the current international study, 78 percent of all respondents want to be able to take the steering wheel themselves at any time in an emergency. More than every second German interviewed (53 percent) would only buy an autonomous vehicle if they were always able to drive it themselves.

Furthermore, the fear of personal data falling into unauthorized hands is widespread: 30 percent of respondents in Germany "fully agreed" with this statement, 28 percent in the USA and 13 percent in China. The lack of customer confidence in cyber security extends so deeply that the majority (Germany 66 percent, USA 61 percent, China 60 percent) would even change the brand of the vehicle after a hacker attack.

In summary, the study showed that there is a need for improvement in the area of safety in the perception of the surveyed persons. To increase the acceptance of autonomous driving technology, consumers in Germany, China and the USA are requesting politics and industry to increase the level of knowledge, to ensure personal intervention in the car, to make data protection and co-determination in data use more transparent and to put in place effective measures to protect against cybercrime (see also Annex Fig. A.6).

#### **4.5.3 Considerations of Risks and Benefits**

Automated vehicles will arguably only gain acceptance within society when the perceived benefit (depending on the degree of efficiency: "driver" versus "robot") outweighs the expected risks (depending on the degree of automation: "area of action" versus "area of effectiveness"). In order to minimize the risks, manufacturers carry out accident data analysis and corresponding risk management (see Fig. 4.1).

– may occur contextually, while consumers weight up the perceived beneficial options and fear for risks in the relevant contexts (see Grunwald, 2013, Fraedrich, 2016). Risks depend on the level of automation, benefits of the degree in efficiency. Risk management and accident data analysis (see Ch. 2, 4) allow for objectivities and optimization.

**Fig. 4.1** Societal and individual user acceptance

For car manufacturers and their suppliers, automated vehicles are an interesting product innovation with new marketing possibilities. Investment decisions and market launches however involve risks that are difficult to assess:


#### **4.6 Legal Requirements and Effects**

Society's and individual expectations of technical perfection in vehicles are rising. Higher demands in vehicle quality and functions also call for corresponding safety measures when rolling out autonomous vehicles. This for example can be seen in the increase of recall campaigns despite increasing technical vehicle reliability or additional requirements and standards, applicable comprehensive safety campaigns, such as the Motor Vehicle Safety Defects and Recall Campaigns or new obligations for documentation by public authorities. One example of the latter is the Transportation Recall Enhancement, Accountability and Documentation (TREAD) Act in the USA (United States of America, 2000), which introduced a series of new and extensive obligations for documentation and report-keeping for the National Highway Traffic Safety Administration (NHTSA). At the same time, human errors in road traffic are sanctioned individually, without bringing the whole road transport system itself into question.

Highly complex technologies and varying definitions slow down any launch of autonomous vehicles. In addition, the interdisciplinary context contains various technical guidelines. Developers used to be able to get their specifications with standards, respectively guidelines such as "generally accepted good engineering practice", "generally recognized and legally binding codes of practice", "industry standards", or the "state of the art." With its decision of 06/16/2009, the German Federal Supreme Court of Justice (BGH) wanted to ramp up requirements for the automotive industry and surprisingly shaped the term "latest state of the art and science". This creates additional challenges for developers. Functions that are currently feasible in research vehicles for scientific purposes are under laboratory conditions far from fulfilling expectations for series production vehicles, e.g. protection from cold, heat, vibrations, water, or dirt.

From a developer's point of view, the fulfillment of legal requirements for a careful development of new complex systems can only be proven by validation tests. These should ideally be internationally harmonized and standardized. The German BGH judgment from 2009 explained these development requirements – excluding economic and technical suitability for production – with *"… all possible design precautions for safety …"* based on "state of the art and science" (Bundesgerichtshof, 2009) on the basis of an expert opinion for the preservation of evidence. This opinion, however, requires ultrasound sensors as redundancy for recognition of critical objects to trigger airbags. It should be possible, *"… to attach ultrasound sensors around the vehicle which sense contact with an object and are in addition verified by existing sensors before airbag deployment …"* (Bundesgerichtshof BGH, 2009).

This expert opinion for the preservation of evidence however from an engineering point of view is more than questionable, as current sensor designs only permit a range of a few meters in series production vehicles. Subject to the current state of the art, the application of ultrasonic sensor systems is limited to detect static surroundings at slow speeds in the scope of parking assistance. The sensors' highfrequency sound waves can be disturbed by other high frequency acoustic sources such as jackhammers or trucks and buses' pneumatic brakes, which can lead to false detections. Also, poorly reflecting surfaces will not lead to a reflection of sound waves. Object recognition is then entirely excluded (Geiger A, et. al. 2012; Noll & Rapps, 2012). Furthermore, the lawsuit finally turned out that the sensor system concerned worked error-free according to the technical specification.

In addition, the previous fundamental BGH judgment requires that risks and benefits be assessed before market launch:

*"Safety measures are required which are feasible to design according to the state of the art and science at the time of placing the product on the market … and in a suitable and sufficient form to prevent damage. If certain risks associated with the use of the product cannot be avoided according to state of the art and science, then it must be verified—under weighing up the risks, the probability of realization, along with the product benefits connected—whether the dangerous product can be placed on the market at all."* (Bundesgerichtshof 2009)

#### **4.6.1 Generally Accepted Rules of Technology**

An interpretation of the term "generally accepted rules of technology" (allgemein anerkannte Regeln der Technik, or aaRdT) as a basic rule was shaped in a German Imperial Court of Justice (Reichsgericht) judgment from 1910 based on a decision from 1891 during criminal proceedings concerning Section 330 of the German Penal Code (§ 330 StGB) in the context of building law:

*"Generally accepted rules of technology are addressed as those, resulting from the sum of all experience in the technical field, which have proven in use, and wherever correctness experts in the field are convinced."*

In various legal areas, they have different meanings. In terms of product liability, generally accepted rules of technology represent minimum requirements. Noncompliance to the rules would indicate the required safety has not been reached. They are described in DIN-VDE regulations, DIN standards, accident prevention regulations, and VDI guidelines, amongst others (Krey & Kapoor 2012).

#### **4.6.2 The Product Safety Law (ProdSG)**

The German Product Safety Law (Produktsicherheitsgesetz, or ProdSG), in its revised version of 11/08/2011 establishes rules on safety requirements and consumer products. Its predecessor was the Equipment and Product Safety Law (Geräteund Produktsicherheitsgesetz, or GPSG) of 01.05.2004, which in turn had replaced the Product Safety Law (Produktsicherheitsgesetz, or ProdSG) of 22.04.1997 and the Equipment Safety Law (Gerätesicherheitsgesetz, GSG) of 24.06.1968. Section 3 GSG describes the general requirements for providing products on the market:

"A product may … only be placed on the market if its intended or foreseeable use does not endanger the health and safety of persons." (Burg & Moser, 2017)

#### **4.6.3 The Product Liability Law (ProdHaftG)**

Independent of its legal basis for a claim, the term "product liability" commonly refers to a manufacturer's legal liability for damages arising from a defective product. A manufacturer is whoever has produced a final product, a component product, a raw material, or has attached its name or brand name to a product. For product liability in Germany, there are two separate foundations for claims. The first basis is fault-based liability, as found in Section 823 of the German Civil Code (BGB) (Köhler, 2012); the second is strict liability regardless of negligence or fault related to the tortfeasor, as contained in the Product Liability Law. Section 1 of the Product Liability Law (ProdHaftG Law Concerning Liability for Defective Products) of 12/15/1989 describes the consequences of a fault as:

*"If a person is killed or his or her body or health injured, or if property is damaged, due to a defect of a product, the manufacturer of the product is thus obliged to compensate the injured parties for any losses."* (European Commission, 1985)

Independently of whether the product defect is caused intentionally or through negligence, a defect is defined in Section 3 of ProdHaftG as follows:

*"A product is defective when it is lacking safety which the public at large is entitled to expect, taking into account the presentation of the product, the reasonably expected use of the product and the time when the product was put into circulation."* (European Commission 85/374/EWG, 1985)

Should damage arise from a defective product, the Product Liability Law regulates the liability of the manufacturer. Firstly, this entails potential claims of civil liability for property damage, financial losses, personal injury, or compensation for pain and suffering. Liability rests primarily with the manufacturer. In justified cases suppliers, importers, distributors, and vendors may also be made liable without limitation. Furthermore, in cases of legally founded criminal liability, there may also be particular consequences for top management or individual employees, if it is proven that risks were not minimized to an acceptable level (see Fig. 4.2). In cases of serious fault or depending on the offense as negligence, this may involve criminal personal proceedings against a developer.

Besides the potential legal consequences, manufacturers must also expect considerable negative economic effects. Negative headlines in the media can lead to substantial loss in profits or revenue, damage to image, loss in trust and consequently loss of market share. Therefore, when developing new systems, both consequences of potentially legal and economic risks must be considered. Figure 4.2 gives an overview of the potential effects of failures in automated vehicles.

**Fig. 4.2** Potential consequences of failures in automated vehicles

#### **4.6.4 Ethics, Court Judgments to Operational Risk and Avoidability**

Furthermore, the ongoing developments in automated driving require politics, society and the legal system to reflect on additional emerging changes.

One aspect is the decision whether the approval of automated driving systems is ethically justifiable or even necessary. At a fundamental level, it depends on how much dependence we want to accept on technical complexes, in the future increasingly on systems that may be capable of learning and based on Artificial Intelligence with trained Neural Networks for Deep Learning (see LeCun Y et. al., 2015; Goodfellow I et. al., 2016; Schmidhuber J, 2015), in order to achieve greater safety, mobility and comfort in return. The following questions arise here:


In Germany, the Ethics Commission for Automated Driving presented the first ethical rules worldwide for autonomous driving technology in June 2017. It states that automatic control to prevent accidents is not ethically programmable without a doubt. In the case of unavoidable accidents, any qualification according to personal characteristics (age, gender, physical or mental constitution) is strictly prohibited (Di Fabio U et. al., 2017).

Legal ethics is an important link between jurisprudence and legal policy on the one hand and ethics on the other. From an ethical perspective, it addresses basic legal questions as well as questions of legal practice. It is therefore excellently suited to identifying and, under certain circumstances, correcting subject-specific viewpoints that are ossified (Hilgendorf et. al., 2018).

The following questions relate to an ethically justifiable development of automated vehicles:


(including dilemma situations in which an automated vehicle is faced with the decision of having to implement one of two evils that cannot be weighed up)

– Has the entire spectrum of technical possibilities been used and continuously been further developed?

(Limitation of the area of operation to controllable traffic environments, vehicle sensors and braking performance, signals for endangered persons up to hazard prevention by means of an "intelligent" road infrastructure)


Regarding Vulnerable Road Users in particular pedestrians is another aspect which was already mentioned in chapters 2 and 3 as a challenge for developing automated functions.

The German legislator has strengthened the rights of non-motorized road users through the law of modification on damages (2nd SchadÄndG) in 1998, including the substitution of the unavoidable event by force majeure. In concrete terms, the law provides for the following major innovations:


A change in the German court decisions took place only a few years later. To this end, the responsibility for pedestrian accidents has been investigated since 2004 on the basis of jurisdiction. Investigations of court decisions demonstrate, that there has been a significant change since the Federal Court of Justice (BGH) ruling of 2014.

The trend shows that in future the responsibility for damage in pedestrian accidents will remain with the owner and, in the case of fully automatic functions, probably with the manufacturer. The recommendation is that future case law should be observed (See Annex A: Change in jurisdiction on the responsibility for pedestrian accidents).

#### **4.7 Product Safety Enhancement in Automated Vehicles Based on Expert Knowledge from Liability and Warranty Claims**

#### **4.7.1 Experience from Product Crises and Traffic Accidents**

In the future safe automated vehicles will further depend on integrated quality management systems (International Organization for Standardization ISO 9001, 2015 & ISO/TS, 2009) and safe interactions (Akamatsu, Green & Bengler, 2013). In the past, advanced and successful vehicles were frequently affected by product crises.

#### **4.7.1.1 Defective Supplier Parts and Systems**

The following examples document how supplier parts and systems triggered extensive product crises.

The Ford Explorer was the worldwide best-selling sports utility vehicle. In the USA in May 2000, the NHTSA contacted both the Ford and Firestone companies due to a conspicuously high rate of tires failing with tread separation. Ford Explorers, Mercury Mountaineers, and Mazda Navajos were affected. All were factory-fitted with Firestone tires. At high speeds, tire failures led to vehicles skidding out of control and rollover crashes with fatal consequences. Firestone tires on Ford Explorers were linked to over 200 fatalities in the USA and more than 60 in Venezuela. Ford and Firestone paid 7.85 million dollars in court settlements. Total compensation and penalties in total amounted to 369 million dollars. In addition to the expensive recall of several million tires, communication errors were also made during the crisis: The managers responsible publicly blamed each other. This shattered friendly business relations between the two companies that dated back over 100 years. Harvey Firestone had sold Henry Ford tires for the production of his first car as long ago as 1895. As the crisis progressed it led to serious damage to the companies' images, with sales collapsing for both parties (Hartley R F, 2011).

General Motors (GM) announced a further example of defective supplier parts in February 2014. As a consequence of the financial crisis, the car company had been on the brink of bankruptcy in 2009. It returned to profit for the first time, and won awards for its new models, after a government bailout. But the ignition switches on some models had seemingly been too weakly constructed since 2001, which meant the ignition key sometimes jumped back to the "Off" position while driving. When this happened, not only did the motor switch off, but the brake booster, power steering, and airbags also became deactivated. GM engineers were accused of having ignored the safety defect in spite of early warnings for more than ten years. Therefore, the company has already been fined 35 million dollars for a delayed recall and now faces billions of dollars of damages claims from accident victims and vehicle owners after mass product recalls (National Highway Traffic Safety Administration, 2014a).

Another huge air bag recall campaign by NHTSA involved eleven different vehicle manufacturers and more than 30 million vehicles in the United States only. Airbag Inflators supplied by Takata ignited with explosive force. In some cases, the inflator housing could rupture under high temperature conditions with metal shards spraying throughout the passenger cabin and thus injured or killed car occupants. Several fatalities and more than 100 injuries were linked to this case. The airbags were installed in vehicles from model years 2002 to 2014. Despite this injury risk the Department of Transportation estimated that between 1987 and 2012 frontal airbags have saved 37,000 lives (National Highway Traffic Safety Administration, 2014, 2015).

#### **4.7.1.2 So-Called Unintended Accelerating, Decelerating or Steering Vehicles**

Vehicles that automatically intervene in longitudinal and lateral guidance hold considerable risks and provide a target for those who assert that vehicles steer, accelerate and decelerate unintended, unexpected or uncontrolled. The accusation of unintended acceleration due to alleged technical defects has already put some car manufacturers in the media's crossfire. Mainly in the USA, unintended accelerations of vehicles were reported causing fatal accidents. Affected drivers have initiated waves of lawsuits lasting for decades.

Examples of extensive lawsuits were allegations against Toyota, a globally successful company known for excellent quality. Toyota came off very well in customer-satisfaction studies by the American market research firm J. D. Power and Associates in 2002, 2004, and 2005. In 2009, however, Toyota was confronted with allegations of unintended and sudden acceleration of its vehicles. These were initially triggered by single incidents of sliding floor mats, which had supposedly been responsible for gas pedals getting jammed. It was then argued that vehicles would have accelerated unintentionally while driving due to the mechanically jammed gas pedals. As Toyota had not responded to the allegations quickly enough in the eyes of the NHTSA, the company was accused of covering up safety problems linked with more than 50 deaths. As well as compensation payments, Toyota had to pay the authority an unusually high fine of 16.4 million dollars in 2010. This was followed by extensive product recalls and claims for damages (National Highway Traffic Safety Administration, 2014b).

A further instance of a proven technical defect that led to unwanted accelerations can be seen in an NHTSA recall action in June 2014. The software problem occurred in some Chrysler Sport Utility Vehicles (SUV). When optional adaptive cruise control was activated and the driver temporarily pressed the accelerator pedal to increase (override) vehicle's set speed more than the cruise control system would on its own, the vehicle continued to accelerate briefly after the accelerator pedal was released again. In this case and according to technical requirements the vehicle has to decelerate to the requested set speed. There were no accident victims to complain about. The short-notice initiated recall was restricted to a mere 6,042 vehicles (National Highway Traffic Safety Administration, 2014c).

Other great challenges already occurred because autonomous braking systems decelerated in some individual cases without a visible reason for the driver and put vehicles at risk of a rear-end collision. However, automatic braking and collision warning systems have great potential in reducing road accidents and saving lives. After recognizing a relevant crash object, they can automatically apply the brakes faster than humans, slowing the vehicle to reduce damage and injuries. Therefore, these systems are recommended to be made standard equipment on all new cars and commercial trucks. Since November 2013 EU legislation mandated Autonomous Emergency Braking Systems (AEBS) in different stages with respect to type-approval requirement levels for certain categories of motor vehicles to cover almost all new vehicles in the future (Juncker J-C, 2015).

According to NHTSA the Japanese car manufacturer Honda Motor Company had to recall certain model year 2014–2015 Acura vehicles with Emergency Braking. The reason was that the Collision Mitigation Braking System (CMBS) may inappropriately interpret certain roadside infrastructure such as iron fences or metal guardrails as obstacles and unexpectedly apply the brakes (National Highway Traffic Safety Administration, 2015a). Furthermore, NHTSA investigated complaints alleging unexpected braking incidents of the autonomous braking system in Jeep Grand Cherokee vehicles with no visible objects on the road (National Highway Traffic Safety Administration, 2015b).

Another recall of Chrysler vehicles from 2015 July 24 was, in accordance with NHTSA the first initiating by a software hack. US researchers brought a moving Chrysler Jeep under their control from afar, which forced the company to recall and ensure cyber-security of their onboard software. The affected vehicles were equipped with Uconnect radio entertainment systems from Harman International Industries. Software vulnerabilities could allow third-party access to certain networked vehicle control systems via internet. Exploitation of the software vulnerability could result in unauthorized manipulation and remote control of certain safety related vehicle functions (such as engine, transmission, brakes and steering) resulting in the risk of a crash (National Highway Traffic Safety Administration, 2015c).

Moreover, Fiat Chrysler Automobiles acknowledged violations of the Motor Vehicle Safety Act in some safety-relevant cases. To remedy its failures, the company agreed to repair vehicles with safety defects or purchase defective vehicles back from owners and pay a 105-million-dollar civil penalty. Until 2015 this was the largest fine ever imposed by NHTSA.

In addition to the threat of civil penalties, the following fatal traffic accident that occurred in Germany represents an important leading case. It transparently demonstrates the criminal liability of manufacturers with regard to automated driving, in order to limit it in a way that can be controlled under the rule of law by means of appropriate preventive measures. (see Fig. 4.3).

On January 8, 2012, a fast passenger car with an activated lane keeping system entered a small town in the district of Aschaffenburg and subsequently crashed into a family having a Sunday afternoon walk in the middle of the village. A woman and her child were both killed immediately. The driver was supposed to have suffered a heart attack at the entrance to the town and lost consciousness as a result. A vehicle conventionally steered exclusively by the driver would have come off the road at the entrance to the town and probably come to a standstill next to the road. However, the Lane Keeping Assist (LKA) kept the vehicle actively on the road. The consequence of this traffic accident was a dead mother (35 years), a dead boy (7 years), a seriously injured father (44 years) and a fatally injured driver (51 years). According to a police officer's report at the Würzburg police headquarters, a heart attack (cerebrovascular stroke) was confirmed as the cause of this accident. This also indicates that no brake markings were visible. According to witnesses, the 51-year-old driver of the passenger car was accelerating in a 30 kilometers per hour speed limit zone before the collisions occurred and had run over the traffic island of a roundabout (see Annex Fig. A.9 and A.10). Due to a following collision at the left vehicle front with a house wall, the vehicle was deflected and finally reached its final position on the opposite sidewalk (see Fig. 4.3). According to witnesses, the car then collided directly with a family during their Sunday afternoon walk on the sidewalk (Krämer K, Winkle T, 2019). It was reported that the father was only partially hit by the car by jumping to the side and only suffered a leg injury. Unfortunately, the mother and her seven-yearold son were completely hit and pulled along over several meters.

Subsequently, an extraordinary technical background in terms of liability law was considered responsible for the collision with the family. The car was equipped with a Lane Keeping Assist, which was allegedly activated before the first collision. As a result, the corrective steering torque would have tried to keep the vehicle on the road while the car with the unconscious driver approached the roundabout. According to the assumption that, without a corrective steering torque, the car might have left the road earlier and the deadly pedestrian collision would not have occurred.

The father who had lost his wife and child wanted justice. Someone should be held criminally responsible for the murder that destroyed his life. His question was to what extent someone could be held liable for a negligent murder. Therefore, he turned to the public prosecutor's office.

The lawyer and expert for robot law Prof. Dr. Dr. Eric Hilgendorf was legally appointed by the public prosecutor's office to analyze the case:

This traffic accident is one of the first cases in which an autonomous assistance system is held responsible for significant personal injury and material damage. Under civil law such a case is covered by the owner's liability in German road traffic law. The owner of the vehicle is liable for all damages caused by the vehicle (§ 7 StVG). Liability insurance (see § 1PflVG) assumes the settlement of claims against the injured party – in this case the surviving father.

From a criminal law perspective, it must be clarified who is a potential perpetrator. Obviously, the vehicle itself cannot be the perpetrator of a crime. The driver cannot be accused of any act causing damage or disregarding duty of care. Only the vehicle manufacturer or an employee who is responsible for negligence in the development, programming or release process of the Lane Keeping Assist remains a punishable offender.

Two possible approaches were considered for the allegation of negligence:


While the first point could be excluded, the criticism remained that the system was not designed or programmed sufficiently safe. The statements of the public prosecutor's office in this regard are therefore trend-setting:

"Bereits aus dem Grundsatz der Sozialadäquanz muss ein Sicherungssystem nicht in der Lage sein, jede technische Möglichkeit auszuschöpfen. Denn dies würde bedeuten, dass zwangsläufig jedes Fahrzeug alle nur denkbaren Sicherungsmöglichkeiten enthalten müsste. Zwar wäre es durchaus wünschenswert, wenn eine Lenkungsunterstützung neben den Daten des Fahrzeugs auch die Gesundheit des Fahrzeugführers überwachen könnte. Es ist technisch möglich, über Sensoren auch die Herzfrequenz oder (was hier zur Vermeidung des Unfalls erforderlich gewesen wäre) die Gehirnströme des Fahrzeuglenkers zu messen und auszuwerten. Allein das Unterlassen solcher Maßnahmen führt jedoch nicht zu Pflichtwidrigkeit, da es hier an einem Schutzzweckbezug fehlt. Denn durch die Lenkungsunterstützung wird das Risiko eines Unfalls nicht erhöht. Sie verlagert allenfalls schicksalshaft den Unfallort." (Hilgendorf E, 2018; Generalstaatsanwaltschaft Bamberg, 2012, AZ 5 ZS 1016/12)

"Even the principle of social adequacy does not mean that a security system must be able to exploit every technical possibility. This would imply that every vehicle would inevitably have to fulfill all imaginable safety measures. It would certainly be desirable if steering assistance could monitor not only the vehicle's data but also the driver's state of health. It is technically possible to use sensors to measure and evaluate the heart rate or (which would have been necessary here to avoid the accident) the brain waves of the driver. However, the failure to take such measures alone does not lead to breach of duty, as there is no reference to the protective purpose here. Because steering assistance does not increase the risk of an accident. At most, it fatefully relocates the location of the accident."

These considerations mean that technology is never absolutely safe. The users of a certain technology have to accept risks. The manufacturer should not be required by law to implement all imaginable hedging possibilities.

Regarding the criminal law assessment of this Aschaffenburg case, the lawyer Prof. Dr. Dr. Eric Hilgendorf tries to further specify the relevant criteria for a non-compliance with the duty of care in the manufacture and market introduction of technical products. He's mentioning here "Fahrlässigkeitshaftung und erlaubtes Risiko" (Negligence liability and permitted risk)

The limitations required in criminal liability for defective technology should not be placed in the context of protective purpose considerations or in the context of an additional category of "objective attribution", but in the context of checking duty of care violations.

Following this argumentation, the examination for the existence of a breach of the duty of care according to Prof. Dr. Dr. Hilgendorf can be structured as follows:


For Prof. Hilgendorf, the legal concept of "permitted risk" is decisive in the assessment of this case. According to Prof. Hilgendorf (with regard to the permitted risk) the production of risky products is not to be assessed as negligent (and thus "permitted") if, according to the current opinion of the legal community, the benefits associated with the technical products are so great that individual harm can be accepted. This principle thus reaches so far that even fatalities by passenger cars are tolerated – the manufacture of vehicles is therefore not qualified as negligent. However, this is only the case if manufacturers do everything reasonable to reduce the risks caused by their products as far as possible (and reasonable). The generation of risks that could reasonably be avoided is therefore not covered by the aspect of permitted risk (Hilgendorf E, 2018).

The criticism against the manufacturer was that introducing the system might have been negligent or careless. However, the manufacturer was able to prove with tests on competition vehicles that the lane guidance assistant corresponds demonstrably to the usual state of the art.

This case shows that it is difficult for a developer to foresee all eventualities. According to the assessment of the lawyers, the manufacturers can only be required to make their products as safe as possible within reasonable limits. Occasional damage must thereafter be accepted due to the benefits associated with the products. Basically, no technology is safe. Therefore, the society has to decide in each individual case which risk it will tolerate or accept.

From today's perspective, a driver monitoring system could have detected the unconsciousness of the driver with corresponding technical measures in order to initiate risk-reducing measures. After this case became known, Prof. Hilgendorf argued that a technical solution for such cases should be considered in further new developments (Hilgendorf E, 2015, 2015b, 2019).

This tragic accident indicates that many new technological risks for automated functions in future may not be visible during development and testing. These issues arise in real-life traffic situations and developers have to make necessary changes to the technology ensuring real-world traffic safety (see Ch. 4).

Another example is the first recorded fatal pedestrian accident with a selfdriving test vehicle in Tempe. The complaint in this case states that the collision avoidance system did not react. An Uber test vehicle collided with a pedestrian and her bicycle in autonomous mode. A 49-year-old woman pushed her bicycle across the road with two main lanes and another two lanes for left turners. The collision occurred late in the evening on 18 March 2018. Neither the automatically driving vehicle nor the responsible safety driver took any measures to prevent or mitigate the consequences of an accident. Thus, the incident raises ethical and legal questions about the sense and responsibility of vehicle automation.

**Fig. 4.3** Aschaffenburg traffic accident, caused by active steering assistant? (Source: Emily Wabitsch, dpa Deutsche Presse Agentur)

On the basis of published photos of the damaged Volvo XC90, the accident site with the end positions and a video of an exterior and interior camera, the author was able to create an accident reconstruction with PC crash. Despite the limited perceptive power of camera sensors in darkness, the pedestrian is clearly visible in the published video more than a second before the collision.

The present accident reconstruction enables further analyses with different assumptions for the potential avoidance of human accidents in comparison to the machine against the background of the installed camera, lidar and radar sensors (see also Annex Fig. A.16).

Detailed information on the accident is provided by the National Transportation Safety Board NTSB in two reports under number HWY18MH010. A preliminary report was published immediately after the crash in 2018 (National Transportation Safety Board 2018). A detailed "vehicle automation report" was published on November 5, 2019 (National Transportation Safety Board 2019).

Thus, according to the preliminary record, the Uber test vehicle collided with a speed of 39 mph. Roughly 6 seconds before the impact, the vehicle drove at 43 mph. Already 1.3 seconds before the impact the system had determined that an emergency braking maneuver is necessary in order to prevent a collision. According to Uber, the test vehicle's emergency braking system was deactivated to prevent unintentional behavior.

According to the data recorder, the modified autonomously driving Volvo XC 90 drove 44 mph (70.8 km/h) when an object was first detected from the Radar sensor 5.6 seconds before the crash. However, it was not recognized as a woman crossing the road, but only as a "vehicle" that was not identified as moving in any direction. Within the next few seconds, this image classification changed continuously. With each new image classification, the previously registered location information was reset. The robotic car thought it was constantly recognizing a new stationary "vehicle", "unknown object" or "bicycle". The object movement in the direction of the driving lane of the Volvo was not foreseen for seconds (see Annex Fig. A.12).

Only 1.5 seconds before the crash at 44 mph (70.8 km/h), an unknown object was detected by the Lidar sensor which partially moved into the lane of the Volvo. The algorithms therefore calculated an evasive maneuver. Exactly 1.2 seconds before the crash at 43 mph (69.2 km/h), the Lidar system then detected a bicycle on its way into the lane, so an evasive maneuver was no longer possible (see Annex Fig. A.12).

Another problem of the software at that time can be seen here: If the system detected such a hazardous situation, it interrupted for a second to give the safety driver time to intervene. A reaction from the Volvo was not designed in the software. Therefore, unintended consequences of a wrong intervention were prevented.

At the end of the one-second interruption, 0.2 seconds before the collision at 40 mph (64.4 km/h), the safety driver did not react. She looked down and had no view on the road. The software was programmed in such a way that it only decelerates to the maximum if a collision can be prevented. Otherwise an acoustic warning was programmed with only a slight braking. In this specific case, the safety driver took over the steering wheel at that moment and thus deactivated the slight autonomous braking. It came to a fatal crash and only 0.7 seconds later, at a speed of still 37 mph (59.5 km/h), the safety driver began to apply the brakes (see Annex Fig. A.12).

This traffic accident had fatal consequences not only because the sensor system was not prepared for people crossing roads unintentionally or against traffic rules (jaywalking), but also because the above-mentioned system design decisions have been implemented by the software developers. For further scientific findings, this pedestrian accident was subsequently investigated in detail by the author with an accident reconstruction and then visually simulated by using the PC-Crash software from DSD-Datentechnik, which is used worldwide.

In the following figure (Fig. 4.4) the accident site in the final received simulation is demonstrated. The point of time directly before the collision, during the course of the accident including the final end positions of the pedestrian, the bicycle and the Volvo XC 90, are visualized.

**Fig. 4.4** Uber self-driving car accident reconstruction and original final position. (Source: Winkle, PC-Crash accident reconstruction software, Google Maps, Tempe Police Station)

The pedestrian speed of 4.8 km/h (1.3 m/s) was determined from the video with the pedestrian pushing her bicycle across the road (Fig. 4.5 illustration top right) and compared with usual pedestrian speeds from expert literature (Bartels B, Liers H, 2014).

A multi-body model supports the visualization of the pedestrian's first contact with the pushed bicycle on the front of the Volvo XC90 (Fig. 4.5 images top left and bottom left). The damaged front of the Volvo after the collision with the bicycle and pedestrian is documented in Fig. 4.5 below right.

**Fig. 4.5** Uber accident impact simulation with PC Crash and multi-body model. (Source: Winkle, PC-Crash accident reconstruction software, Google Maps, Tempe Police Station)

Assuming a speed of 43 mph (69.2 km/h, 19.2 m/s) and an immediately effective emergency braking 1.2 seconds before collision with a deceleration of 8 m/s2, the accident would have been avoided.

$$11mph = 1.609344 \frac{km}{h} = 0.44704 \frac{m}{s} \tag{4.1}$$

$$s = v \ast t = 19.2 \frac{m}{s} \ast 1.2 \, s = 23.1 \, m \tag{4.2}$$

$$a = \frac{v^2}{2s} = \frac{\left(19.2 \frac{m}{s}\right)^2}{2 \ast 23.1m} = 8 \frac{m}{s^2} \tag{4.3}$$

The best braking coefficients of current vehicle types from 100 km/h are between 13.7 m/s<sup>2</sup> for a sports car and 11.5 m/s<sup>2</sup> for the Volvo XC 90.

$$100\frac{km}{h} = 62.1\,mph = 27.8\,\frac{m}{s} \tag{4.4}$$

A Porsche 911 GT3 RS (991 II, production since 2017) came to a standstill after 28.2 meters from 100 km/h with two occupants and warm brakes in the test (Auto Motor und Sport, 9/2018). This corresponds to a deceleration of 13.7 m/s2:

$$a = \frac{\upsilon^2}{2s} = \frac{\left(27.8 \frac{m}{s}\right)^2}{2 \ast 28.2 \, m} = 13.7 \, \frac{m}{s^2} \tag{4.5}$$

In June 2015, the general German automobile club (ADAC) tested the brakes of a comparable Volvo XC90 D5 with a braking distance of only 33.6 meters. The measured braking distances are average values from ten individual braking operations each (ADAC Technik Zentrum, 6/2015). The corresponding deceleration is thus 11.5 m/s2:

$$a = \frac{v^2}{2s} = \frac{\left(27.8 \frac{m}{s}\right)^2}{2 \ast 33.6 \, m} = 11.5 \, \frac{m}{s^2} \tag{4.6}$$

With this average deceleration of 11.5 m/s<sup>2</sup> for the Volvo XC 90, it was theoretically sufficient in the present pedestrian accident with an initial speed of 43 mph (69.2 km/h, 19.2 m/s) if the braking had started 16.1 meters before the pedestrian or slightly more than 0.8 seconds before the collision:

$$s = \frac{\upsilon^2}{2a} = \frac{\left(19.2 \frac{m}{s}\right)^2}{2 \ast 11.5 \frac{m}{s^2}} = 16.1 \, m \tag{4.7}$$

$$t = \frac{\text{s}}{v} = \frac{16.1 \text{ m}}{19.2 \frac{\text{m}}{\text{s}}} = 0.8 \, s (0.837 \, \text{s}) \tag{4.8}$$

This present traffic accident reconstruction and simulation allows the investigation of further assumptions with the corresponding effects on the relationships between distances, times and speeds (see Annex Fig. A.11).

The National Transportation Safety Board (NTSB) cited the following as contributing to the fatal crash: 1. The failure safety driver because she was visually distracted throughout the trip by her personal cell phone. 2. Inadequate safety risk assessment procedures at Uber's Advanced Technologies Group. 3. Uber's ineffective monitoring of vehicle operators. 4. Uber's inability to address the automation complacency of its safety drivers monitoring the automated driving systems. 5. The victim was found to have methamphetamines in her system, and her impairment may have led her to cross the street outside the crosswalk. 6. Arizona's "insufficient" policies to regulate automated vehicles on its public roads were found to have contributed to the crash (National Transportation Safety Board 2019).

The author's own experience of previous product liability cases has shown that interdisciplinary structured and experience-based development is a minimum requirement. In case of damage, the following questions are the key for avoiding civil and criminal claims:


Essentially, besides general type approval requirements, no globally agreed upon and harmonized methods for fully automated vehicles exist today. These can be generated using international legally binding development guidelines including checklists (similar to the RESPONSE 3) ADAS Code of Practice for the Design and Evaluation of Advanced Driver Assistance Systems ("ADAS with active support for lateral and/or longitudinal control") (Knapp A, Neumann M, Brockmann M, Walz R, Winkle T, 2009) linked to ISO 26262 (International Organization for Standardization, ISO 26262, 2018) in Section 3, Concept phase, Table B.6: Examples of possibly controllable hazardous events by the driver or by the persons potentially at risk, page 26/27, Controllability.

Future guidelines will either be orientated towards today's requirements or to a large extend adopt them. The methods for evaluating risk during development (see Sec. 4.7.4) ensure that no unacceptable personal dangers are to be expected when using the vehicle. Therefore, the general legally valid requirements, guidelines, standards, procedures, during development process must at the very least, take into consideration as a minimum requirement:

– Are generally accepted rules, standards, and technical regulations comprehensively checked?

Only complying with current guidelines is usually insufficient. Furthermore, it raises the following questions:


Whether an automated vehicle has achieved the required level of safety or not can be seen at the end of the development process:

– Was a reasonable level of safety achieved with appropriate and sufficient measures in line with state of the art and science at the time it was placed on the market?

Even after a successful market introduction, monitoring of operation is absolutely necessary. This is still the case when all legal requirements, guidelines, and quality processes for potential malfunctions and safe use of the developed automated vehicle functions have been complied with. The duty to monitor is the result of the legal duty to maintain safety as found in Section 823 Paragraph 1 of the German Civil Code (BGB) (Köhler H, 2012), where breach of duty triggers liability for any defect that should have been recognized as such. This raises the concluding question for product liability cases:

– Was or is the automated vehicle being monitored during customer use?

#### **4.7.2 Potential Hazard Situations at the Beginning of Development**

The day-to-day experience of our technologically advanced society shows: Risks and risky behavior are an unavoidable part of life. Uncertainty and imponderables are no longer seen as fateful acceptable events but rather as more or less calculable uncertainties (Grunwald, 2013, 2016). The results of this are higher demands referring to risk management for the producers of new technologies.

A structured analysis of the hazards in consideration of all possible circumstances can help to give an initial overview of potential dangers. Therefore, in the early development stages it makes sense to provide a complete specification of the automated vehicle, to ensure a logical hazard analysis and subsequent risk classification (see Sec. 4.7.4).

On this basis, it is possible for an interdisciplinary expert team (see Fig. 4.11) to draw up a first overview of well-known potentially dangerous situations at the start of a project. This usually leads to a large number of relevant situations. Due to practical considerations, scenarios for expert assessment and testing should later be restricted to the most relevant (e.g. worldwide relevant test scenarios based on comprehensively linked up geographically defined accident-, traffic-flow- and weather data collections, see Ch. 3).

According to the system definition, it is recommended to initially gather situations on a list or table. This should take the following into consideration:


Jointly drawing up a maximum number of dangerous situations relevant to the system makes it likely that no relevant hazard is omitted or forgotten. Summarizing the risks directly which impact safety is recommended as a next step. After cutting the situations down to those that are actually safety-relevant, technical solutions will be developed.

#### **4.7.3 Methods for Assessing Risks during Development**

In discussing phasing out nuclear energy, a German Federal Government publication states that German society, as a "community with a common destiny" and as part of the "global community of risk," wishes for progress and prosperity, but only accompanied by controllable risks (Merkel, et. al. 2011). This is surely only partially transferable to road traffic, where risks of automated vehicles are limited – in contrast to nuclear energy – to a manageable group of people. However, the specific requirements for the methods used in analyzing and assessing risks are similar. Five common methods are outlined below.

#### **4.7.3.1 Hazard Analysis and Risk Assessment**

The hazard analysis and risk assessment procedure (HARA), is described and annotated in ISO 26262 Part 3 for functional safety of complex electrical/electronic vehicle systems as well as in the referring ADAS Code of Practice definition for the development of active longitudinal and lateral functions (Knapp, Neumann, Brockmann, Walz & Winkle 2009; Donner, Winkle, Walz & Schwarz, 2007). Parts of the methods given as examples in the following section (HAZOP, FMEA, FTA, HIL) as well point to the HARA. Aim of HARA is to identify the potential hazards of a considered unit, to classify them, and set targets. This will enable dangers to be avoided, thus achieving a generally acceptable level of risk. In addition, an "item" is judged on its impact on safety and categorized to an Automotive Safety Integrity Level (ASIL). An "item" is defined in ISO 26262 as a complex electrical/electronic system or a function that may contain mechanical components of various technologies. The ASIL is ascertained through a systematic analysis of possible hazardous situations and operating conditions. It also involves an assessment of accident severity levels via Abbreviated Injury Scale (AIS) (Association for the Advancement of Automotive Medicine, 2005) in connection with the probability of occurrence.

Basically, for the assessment of a technical system, the risk is a central term. It is defined as follows:

$$\text{Risk} = \text{Expected frequency of hazard} \ast \text{Potential velocity of harm} \qquad (4.9)$$

For an analytical approach the risk R can be expressed as function F of the expected frequency f whereby a hazardous event occurs, and the potential severity of harm S of the resulting damage:

$$\mathbf{R} = \mathbf{F}(\mathbf{f}, \mathbf{S}) \tag{4.10}$$

The frequency f with which a hazardous event occurs is in turn influenced by various parameters. Another influence on whether a hazardous event occurs, is if monitoring drivers or/and other road users involved in the accident can react with timely response, preventing potentially damaging effects (C = controllability).

$$\mathcal{R} = \mathcal{F}(\mathbf{f}, \mathbf{C}, \mathbf{S}) \tag{4.11}$$

A final proof of controllability should be tested with "naive test persons" in relevant scenarios. "Naive test persons" means that they test the automated system to be assessed and do not have more experience and prior knowledge about the system than a later user would have. Test scenarios have "passed" if the test person reacts as expected before or they respond in an adequate way to control the traffic situation. Controllability is categorized in the Code of Practice definition and ISO 26262 between C0 and C3. In the following, the classes C0 until C3 of the ADAS Code of Practice referring to the ISO 26262 (Fig. 4.6):


**Fig. 4.6** Controllability Classes with Note\* in ISO 26262. (Source: ADAS Code of Practice)

The controllability consideration is always relevant when an average driver or any human road user can intervene in order to avoid an imminent collision. This applies to both mixed traffic and highly automated driving. For professional drivers who are particularly familiar with the vehicle this approach is only suitable to a limited extent.

The practical testing experience shows that a number of 20 valid records per scenario can provide a basic indication of validity. ISO 26262:2018 Part 3 Concept Phase refers to the Classes of Controllability indicated in the ADAS Code of Practice:

*"NOTE 1: For C2, a feasible test scenario in accordance with RESPONSE 3 is accepted as adequate: "Practical testing experience revealed that a number of 20 valid data sets per scenario can supply a basic indication of validity". If each of the 20 data sets complies with the pass-criteria for the test, a level of controllability of 85% (with a level of confidence of 95% which is generally accepted for human factors tests) can be proven. This is appropriate evidence of the rationale for a C2-estimate. …"* (see Fig. 4.7)



**Fig. 4.7** Note\* in ISO 26262:2018, Test scenario is accepted as adequate. (Source: ISO 26262:2018, Part 3, Table B.6)

Controllability via the driver, however, is not present in terms of driverless and fully automated vehicles participating in an accident.

One essential factor to consider is how often or how long a person is in a situation where a hazard can occur (E = exposure). The product E x C is a measure of the probability that a defect has the potential in a certain situation to have a corresponding impact on the damage described.

A further factor (λ = failure rate) can be traced back to undetected random hardware failures of system components and dangerous systematic errors remaining in the system. It gives the frequency of occurrence with regard to E with which the automated vehicle can trigger a hazardous event itself.

The product f thus describes the number of events to be expected during period E, e.g. kilometers driven or the number of times a vehicle is started:

$$\mathbf{f} = \mathbf{E} \times \mathbf{\hat{x}}\tag{4.12}$$

In the ISO 26262 standard, the following is assumed to be simplified:

$$\mathbf{f} = \mathbf{E} \tag{4.13}$$

As a result, the risk R is expressed as a function F of the "probability of exposure E", the "controllability *C*" and the potential "severity of harm S" of the resulting damage:

$$\mathcal{R} = \mathcal{F}(\mathcal{E}, \mathcal{C}, \mathcal{S}) \tag{4.14}$$

The increasing use of complex electronic components in automated vehicles requires to consider them with regard to functional safety-related issues. Therefore, ISO 26262 stipulates that the Failure in Time (FIT) of technical and electronic components must also be considered. The unit FIT gives the number of components that fail within 10<sup>9</sup> hours (see 4.7.6 "proven in use").

$$1\text{ FIT} = \frac{1\text{ failure}}{10^9 \text{hours of device operation}}\tag{4.15}$$

Thus, a FIT corresponds:

$$1\text{ FIT} = 1 \ast 10^{-9} \frac{1}{\text{h}}\tag{4.16}$$

The failure rate λ of a hardware element is variable over time λ(t). This relation is usually represented by a "Weibull distribution" – often also known as the "bathtub curve". It first describes the "early phase" in which the default rate is very high at the beginning due to early failures. Through revisions and improvements, the failure rate λ(t) in the "use phase" only reaches its minimum by random failures. Within the operational lifetime of the components, the failure rate in the "wearing phase" increases due to, for example, aging effects up to uselessness. In relation to the typical course of the "bathtub curve", the failure rate λ is assumed to be constant over time t.

$$
\lambda(\mathbf{t}) \approx konst.\tag{4.17}
$$

Instead of the failure rate as a parameter, a Mean Time to Failure (MTTF) can be assumed. In the case of a constant failure rate, the MTTF represents the reciprocal value of the failure rate:

$$\text{MTTF} = \frac{1}{\lambda} \tag{4.18}$$

For repairable systems, a Mean Time to Repair (MTTR) can now be specified. With this MTTR, the Mean Time between Failures (MTBF) can be specified as the time between two failures:

$$\text{MTBF} = \text{MTTF} + \text{MTTR} \tag{4.19}$$

If no repairable element is present or MTTF > MTTR is valid, it can be simplified with constant failure rates:

$$\text{MTBF} = \text{MTTF} = \frac{1}{\lambda} \tag{4.20}$$

In the context of the assumption of constant failure rates during the utilization phase, an exponential distribution can be derived. The exponential distribution is often used in electrical engineering, since this is characteristic for electronic components. Within the framework of ISO 26262, an exponential distribution is also proposed in the context of the assumption of a constant failure rate (ISO 26262-5, Annex C.1.2).

$$f(t) = \frac{dF(t)}{dt} = \lambda \ast e^{-\lambda \ast t} \tag{4.21}$$

The reliability R(t) in the reverse of the failure probability can be described by:

$$R(t) = 1 - F(t) = e^{-\lambda \ast t} \tag{4.22}$$

Probability of occurrence *f* and – where possible – controllability *C* give the Automotive Safety Integrity Levels (ASIL). Four ASIL levels are defined: ASIL A, ASIL B, ASIL C and ASIL D. Among them ASIL A demands the lowest and ASIL D the highest requirement. In addition to these four ASIL levels, the QM class (quality management) does not require compliance with ISO 26262.

An ASIL will be determined for each hazardous event using the "severity", "probability of exposure" and "controllability" parameters in accordance to the following table (Fig. 4.8).

A classification in ASIL A corresponds to a recommended probability of occurrence less than 10–6 per hour and is equivalent to a rate of 1000 FIT.


**Fig. 4.8** ASIL Determination. (Source: ADAS Code of Practice, ISO 26262)

$$\text{ASIL A} < 1 \ast 10^{-6} \frac{1}{\text{h}} = 1000 \text{ FIT} \tag{4.23}$$

Either rating with a recommended probability of occurrence lower than 10–7 per hour into ASIL B or required into ASIL C – corresponding to a rate of 100 FIT:

$$\text{ASIL B, }\text{ASIL C} < 1 \ast 10^{-\gamma} \frac{1}{\text{h}} = 100 \text{ FIT} \tag{4.24}$$

As already mentioned, the highest requirements exist for ASIL D (required probability of occurrence smaller than 10–8 per hour corresponding to a rate of 10 FIT):

$$\text{ASIL D} < 1 \ast 10^{-8} \frac{1}{\text{h}} = 10 \text{ FIT} \tag{4.25}$$

Beyond normal vehicle operation, ISO 26262 also considers service requirements, including decommissioning of the vehicle. In this respect, developers have to consider the consequences of aging when selecting components. Control units or sensors have to be sufficiently protected by robust design. Any single failure must not close down any safety related functions (International Organization for Standardization, ISO 26262, 2018). The main target is to meet a societal and individually accepted risk applying measures for enhancing safety (see Fig. 4.9).

**Fig. 4.9** Measures to increase safety for social and individual accepted risks

For each hazardous event with an ASIL evaluated in the hazard analysis a safety goal shall be determined. The ASIL, as attribute of a safety goal, will be passed on to each subsequent safety requirement. Similar safety goals may be combined into one safety goal. The safety goal can describe features or physical characteristics as a maximum steering wheel torque or maximum level of unintended acceleration. To comply with safety goals, the functional safety concept includes safety measures for: fault detection and failure mitigation; transitioning to a safe state; fault tolerance mechanisms, fault detection and warning to reduce the risk exposure time to an acceptable interval. The method of ASIL tailoring during the development process is called "ASIL decomposition". A suggested measure is an arbitration logic where for example two working systems override and take over control from the system, which has failed or which generated a contradictory command.

ISO 26262 specifies recommended techniques which move from "suggested" to "required". If a causing failure is detected, an appropriate system state should be transformed by means of a recovery into a system state without any detected errors or faults. This graceful degradation is one way of reducing functionality to continue a minimum performance instead of the occurrence of a failure. A graceful degradation can be activated as a reaction to a detected failure. Since the ASIL decomposition is a very central topic of ISO 26262, it is also dedicated to its own chapter (chapter 9 ASIL). The definition of decomposition is given in chapter 1:

*"Apportioning of safety requirements redundantly to sufficiently independent elements (1.32), with the objective of reducing the ASIL (1.6) of the redundant safety requirements that are allocated to the corresponding elements"*

The correct decomposition can be represented by a simple mathematical formula, in which the following agreements apply:

$$\text{QM}\_{\text{(X)}} \text{ will be replaced by} = \succ 0 \tag{4.26}$$

$$\text{ASIL A}\_{\text{(X)}} \text{will be replaced by} = \succ 1 \tag{4.27}$$

$$\text{ASIL B}\_{(\mathbf{X})} \\ \text{will be replaced by} \\ = \succ \text{ 2} \tag{4.28}$$

$$\text{ASIL C}\_{(\mathbf{X})} \text{will be replaced by} = \succ \text{ 3} \tag{4.29}$$

$$\text{ASIL D}\_{\text{(X)}} \text{will be replaced by} = \succ 4 \tag{4.30}$$

The sum of the decomposed elements must be equal to the value of the original classification. So, these "calculating methods" are correct:

$$\text{ASIL}\_{\text{new1}} + \text{ASIL}\_{\text{new2}} = \text{ASIL}\_{\text{old}} \tag{4.31}$$

$$\text{ASIL C}\_{\text{(D)}} + \text{ASIL A}\_{\text{(D)}} = \text{ASIL D} \tag{4.32}$$

$$\mathbf{3\_{(ASIL\ C\_{(D)})}} + \mathbf{1\_{(ASIL\ A\_{(D)})}} = \mathbf{4\_{(ASIL\ D)}} \tag{4.33}$$

$$\text{ASIL D} = \text{ASIL C}\_{\text{(D)}} + \text{ASIL A}\_{\text{(D)}} \tag{4.34}$$

$$\mathfrak{A}\_{\text{(ASIL.D)}} = \mathfrak{A}\_{\text{(ASIL.C\_{(D)})}} + \mathfrak{1}\_{\text{(ASIL.C\_{(D)})}} \tag{4.35}$$

$$\text{ASIL.C} = \text{ASIL.A}\_{\text{(C)}} + \text{ASIL.A}\_{\text{(C)}} + \text{ASIL.A}\_{\text{(C)}} \tag{4.36}$$

$$\mathcal{B}\_{\text{(ASIL.C)}} = \mathbf{1}\_{\text{(ASIL.A\_{(C)})}} + \mathbf{1}\_{\text{(ASIL.A\_{(C)})}} + \mathbf{1}\_{\text{(ASIL.A\_{(C)})}} \tag{4.37}$$

It must always be considered that, for example, an ASIL A(D) does not correspond to ASIL A:

$$\text{ASIL A}\_{\text{(D)}} \neq \text{ASIL A} \tag{4.38}$$

This means that if the decomposed elements should be equal parts or the same software should be used—then the dependent errors must be analyzed in order to detect systematic errors.

The hardware metrics for the architecture and also the random hardware errors which could lead to a violation of the safety target remain the same for the overall function! For the decomposed elements a sufficient independence must be shown. This applies to the following areas: criteria for co-existence; freedom from interference; cascading failures; dependent failures and common cause failures. The following requirements must also be applied to all decomposed elements with the original requirements of the safety target:


If an ASIL D is to be decomposed, then all decomposed elements must meet the requirements for ASIL C. What is important is the distinction between decomposition and monitoring. During the decomposition, both elements must be redundant in relation to the safety target. Thus, for example, both the main computer and the safety computer must be able to switch into the safe state independently of one another when voltage, current or torque are too high.

On the other hand, in the case of monitoring, the diagnostic element only tells the main computer that something is wrong – but only the main computer can transfer the system into the Safe State. Overall, it is required that the developers must specify and document methodologies, best practices or guidelines for each phase of the development.

It is currently being discussed whether the current standard ISO 26262:2018 can also support using Artificial Intelligence (AI) trained data, which will be used increasingly, and how it can be applied. The safety of Artificial Intelligence, which is being used increasingly, is still considered as an independent field of research. Therefore, the author recommends further developing the current competences for the validation of controllability with regard to the influence other human road users. In the future, the importance of a systematic risk assessment and a systemic approach will increase.

**Fig. 4.10** Further systematic and systemic competencies in the future. (QM = Quality management, A, B, C, D = ASIL A–D requirements)

In contrast to previously two basic risk management dimensions, more expert competence levels will be necessary in the future on the basis of area-wide information, modified systematic and systemic methods in connection with advanced controllability evaluations.

The influence parameter **I** stands for area-wide information. It implies that all data already available area-wide are used (see Ch. 3). That concerns accident, traffic and vehicle operating data. As a result, conclusions can also be drawn about near-accidents. Variable **M** stands for modified methods: This would include an actualization of the ADAS Code of Practice as well as further development for further automation levels corresponding to a Code of Practice for automated driving up to level 2. A controllability competence **C** with experts also enhances the third dimension. Such competence includes in-depth driving simulator studies or road tests with eye-tracking data to observe scanning behavior and cognitive processes including interviews for subjective and additional data. As a result, the variables of the formula for the risk assessment expand as follows:

$$\mathbf{R} = \mathbf{F}(\mathbf{E}, \mathbf{S}, \mathbf{I}, \mathbf{M}, \mathbf{C} \dots) \tag{4.39}$$

In addition to the basis of comprehensive, further systematic and systemic modified methods M (see Fig. 4.10) will be required in the future. The methods of the following subsections (4.7.3.2 to 4.7.3.10), which are already known today, will be further developed in the future to understand the systemic interactions and mechanisms of automated driving levels.

#### **4.7.3.2 Hazard and Operability Study – HAZOP**

A Hazard and Operability Study (HAZOP) is an early risk assessment, developed in the process industry. A HAZOP looks for every imaginable deviation from a process in normal operation and then analyzes the possible causes and consequences. Typically, a HAZOP search is carried out systematically by a specialist team from the involved development units. This is to reduce the likelihood of overlooking any important factors (Knapp A, Neumann M, Brockmann M, Walz R & Winkle T, 2009).

#### **4.7.3.3 Systems-Theoretic Methods – STAMP, STPA and FRAM**

With the STAMP and STPA method (Systems-theoretic accident model and processes STAMP and Systems-theoretic process analysis STPA) the US-American safety researcher Nancy Leveson developed a model-based hazard analysis method, which analyses a safety-relevant system in a structured way using a semi-formal model (the so-called Safety Control Structures).

Objectives of STAMP are the definition of control limits for safe behavior of the safety-relevant system, socio-technical understanding of safety in complex systems, development of strategies for managing dangerous system states, support of optimization and adaptation processes for environmental influences, admission of fault tolerances and ensuring the detection and reversibility of faults. STAMP uses the safety control structures of a system to analyze control loops, to recognize the safety-critical operating processes of a system and to identify insufficient control structures (Ross H-L, 2019). The Functional Resonance Analysis Method (FRAM) is used to explain specific events which, due to coupling and different everyday performances, can lead to unexpected successes and also to failures (Hollnagel E 2012). With the support of FRAM for modelling complex socio-technical systems, mechanisms of road traffic can be differentiated. Additionally, the dependencies between the individual system elements can be identified and presented separately for the human driver or automation (see also Annex Fig. A.16). Subsequently, recommendations for the design of automated driving systems can be derived (Grabbe N, et. al. 2020).

#### **4.7.3.4 Failure Mode and Effects Analysis – FMEA**

Failure Mode and Effects Analysis (FMEA) and the integrated Failure Mode, Effects and Criticality Analysis (FMECA) are methods of analyzing reliability that identify failures with significant consequences for system performance in the application in question. FMEA is based on a defined system, module or component for which fundamental failure criteria (primary failure modes) are available. It is a technique for validating safety and estimating possible failure states in the specified design-review stage. It can be used from the first stage of an automation system design up to the completed vehicle. FMEA can be utilized in the design of all system levels (Werdich, 2012; Verband Deutscher Automobilhersteller, 2006).

#### **4.7.3.5 Fault Tree Analysis – FTA**

A Fault Tree Analysis (FTA) involves identifying and analyzing conditions and factors that promote the occurrence of a defined state of failure that noticeably impacts system performance, economic efficiency, safety, or other required properties. Fault trees are especially suitable for analyzing complex systems encompassing several functionally interdependent or independent subsystems with varying performance targets. This particularly applies to system designs needing cooperation between several specialized technical design groups. Examples of systems where Fault Tree Analysis is extensively used include nuclear power stations, aircraft and communication systems, chemical or other industrial processes.

The fault tree itself is an organized graphic representation of the conditions or other factors causing or contributing to a defined undesired incident, also known as the top event (Knapp, Neumann, Brockmann, Walz & Winkle 2009). As a result, it is a logical diagram which can be either qualitative or quantitative, depending on whether probabilities are supplemented.

Günter Reichart demonstrated the probability of road accidents by the use of a fault tree which presumes both: Inappropriate behavior and the existence of a conflicting object (Reichart, 2000).

Figure 4.11 shows an example for a quantitative FTA which results in an estimation of the probability of the top event (traffic accident with personal or fatal injury), which depends on the probabilities of the root causes. This Fault Tree Analysis demonstrates that traffic accidents result by the coincidence of several causes. A single failure does not necessarily have dangerous impact but series of unfortunate circumstances and inappropriate behavior of traffic participants can worsen the risk situation to be uncontrollable. Human traffic participants are the crucial link in the chain to prevent a car crash (see Ch. 2). Especially automated vehicles will require appropriate safety measures.

Figure 4.11 also demonstrates an excerpt of safety measures for a safe steering in case of a fully automated vehicle.

#### **4.7.3.6 Hardware-in-the-Loop (HIL) Tests**

Increasing vehicle interconnection places particular demands on validating the safety of the entire Electronic Control Unit (ECU) network, e.g. onboard wiring systems safety, bus communication, vehicle state management, diagnosis, and flash application's behavior. Hardware-in-the-Loop (HIL) tests can be used as soon as a hardware prototype of the system or part of it, e.g. an electronic control unit in a vehicle, is available. As the Device under Test (DUT), the prototype is placed in a "loop," a software-simulated virtual environment. This is designed to resemble the real environment as closely as possible. The DUT is operated under real-time conditions (Heising, Ersoy & Gies, 2013).

#### **4.7.3.7 Software-in-the-Loop (SIL) Tests**

The Software-in-the-Loop (SIL) method in contrast to HIL does not use special hardware. The created model of the software is only converted to the code understandable for the target hardware. This code is performed on the development computer with the simulated model, instead of running as Hardware-in-the-Loop on the target hardware. SIL tests must be applied before the HIL.

#### **4.7.3.8 Virtual Assessment**

Virtual assessment verifies prospective, quantitative traffic safety benefits and risks (see Section 2.1.2). They can be quantified using virtual simulation-based experimental techniques. For this purpose, traffic scenarios can be modeled considering

**Fig. 4.11** Fault Tree Analysis (FTA): Functional safety measures prevent traffic accidents caused by technical steering failures with the risk of personal injury. Data Sources: ISO 26262; **\*** Bubb H, Bengler K, Grünen R-E, Vollrath M, 2015; **#** GIDAS; Chapter 3: Poor visibility scenarios

safety-relevant key processes and stochastic simulation using large representative virtual samples. Virtual representations of traffic scenarios are based on detailed, stochastic models of drivers, vehicles, traffic flow, and road environment, along with their interactions. The models include information from global accident data (see Ch. 2), Field Operation Tests (FOT), Natural Driving Studies (NDS), laboratory tests, driving simulator tests, and other sources. Wide ranging, extensive simulations help identifying and evaluating safety relevant situations of automated vehicles.

#### **4.7.3.9 Driving Simulator Tests**

Driving simulator tests use models of vehicle dynamics and virtual driving scenarios. They allow artificial driving situations and repeatable tests with various subjects. Potentially hazardous traffic scenarios can also be tested because in contrast to real driving the virtual scenario is harmless. Different types of simulators, such as mock-up, fixed based simulator, or moving base simulator do exist. Subjective and objective methods can be exploited to measure the performance of test subjects in the driving task. Depending on the kind of potentially hazardous situations controllability can be tested by some of these methods. Typical situations for driving simulator tests are high risk situations, driver take over reactions or interaction between automated driving system environment monitoring and manual human driver mode.

#### **4.7.3.10 Driving Tests and Car Clinics**

Driving tests with different drivers provide useful feedback based on empirical data. Dynamic car clinics allow testing of driver behavior and performance while driving the automated vehicle in defined situations within a realistic environment. In a first step the objective is to identify relevant scenarios and environments (see Ch. 3). This enables to specify and implement virtual tests followed by confirmation via driving tests and car clinics on proving grounds. Finally, before sign off and start of production (SOP) field tests confirm identified scenarios and environments if necessary.

#### **4.7.4 Approval Criteria from Expert Knowledge**

During the approval process, test procedures must be provided. Approval criteria in terms of "passed" and "not passed" are thus recommended for the final safety verification of automated vehicles. Regardless of which methods were chosen for final sign-off confirmation, the experts should all agree on which test criteria suffice for the vehicle to cope successfully with specified situations during a system failure or malfunction. Generally accepted values for achieving the desired vehicle reactions should be used for such criteria. An evaluation can result by using established methods.

Taking the list of potential hazard situations as a basis (see Ch. 3), test criteria for safe vehicle behavior, and if possible also globally relevant test scenarios, are developed by internal and external experts. A team of system engineers and accident researchers is particularly required. The former group offers knowledge of the precise system functions, time factors, and experience of potential failures, while accident researchers bring with them practical knowledge of high-risk traffic situations (see Ch. 2). Every known risky situation that a vehicle can get into must be considered. At least one corrective action with regard to safety requirements should be specified by the developers for the risks identified. In terms of final sign-off confirmation, a test scenario has thus been "passed" when the automated vehicle reacts as expected or otherwise deals with the situation in a satisfactory accepted manner.

#### **4.7.5 Steps to Increase Product Safety of Automated Vehicles in the General Development Process**

To guarantee the product safety of automated vehicles, a thorough development concept is needed that is at least in line with state of the art and science. To this end, a general development process is proposed below, as is principally in use amongst car manufacturers for the development of series production vehicles, partially with small adjustments. For highly automated vehicles the development refers to measures regarding the safety process, activities to ensure controllability and appropriate human machine interaction (see Fig. 4.12).

The generic development process for fully automated vehicle functions focuses on expert knowledge, the safety process and as is represented graphically as a V-Model (see Fig. 4.12). As well as the development stages for the high automation it builds logical sequences of product development phases and selected milestones but not necessarily how long each stage lasts or the time between phases (Knapp, Neumann, Brockmann, Walz, Winkle, 2009).

The process of methods thus forms a simplified representation in the form of a V-Model. This allows for iteration loops within the individual development phases involving all parties. Within this V-shaped process structure (see Fig. 4.13) elements of the safety process are taken into consideration. In addition, early and regular involvement of interdisciplinary expert groups is recommended. From the definition phase until validation, sign-off, and start of production – experts from research, (pre-) development, functional safety, product analysis, legal services, traffic safety, technology ethics, ergonomics, production, and sales should participate in the development process.

In the development steps for advanced automated vehicles, product and functional safety stands out as a key requirement. It relates to the whole interaction between the vehicle and its environment. Save driver interaction and take-over procedures (Bengler, Flemisch, 2011; Bengler K, Zimmermann M, Bortot D, Kienle M & Damböck, 2012) should thus be considered when there is an interface necessary to the use case and functionality. Concerning product safety, fully automated vehicles essentially include five usage situations.

**Fig. 4.12** Development process for highly automated vehicles from the idea until market introduction: involving the safety process, activities regarding controllability and human machine interaction. (Source: Author, ADAS Code of Practice)

Ensuring functional safety of fully automated vehicles


Functional safety should be examined:


Careful development with regard to a safe usage of driverless vehicles must ensure they are able to recognize the criticality of a situation, decide on suitable measures for averting danger (e.g. degradation, driving maneuver) that lead back to a safe state, and then carry out these measures. The requirements to be fulfilled from the above V-model, which correspond to the overall product life cycle, are extensive

**Fig. 4.13** Development process for automated vehicles as a V-Model from the idea until market introduction involving recommended experts and the elements of functional safety.

and necessary for a completely new development. However, most systems are not developed from the very beginning, but on the basis of existing components. Such existing components have been in use for a long time without any problems or errors. A developer does not want to have to carry out a new development for a component that has already proven itself in operation. In this case, a component can be qualified for use in a new automated driving system by verifying proven in use. When demonstrating "proven in use", it must be proven that the development was carried out carefully and meets the relevant requirements. In addition, it must be confirmed that systematically collected data have shown that errors (see 4.7.3.1 "failure in time") have occurred sufficiently rarely (see ISO 26262 Part 8 Paragraph 14). This proof is based on consistent configuration management during development and the evaluation of errors during operation.

Fig. 4.14 gives an overview of a possible workflow regarding final sign-off, up to decommissioning of a vehicle. In the final stages of developing an automated vehicle, the development team decides whether a final safety test for validation is required. This is to confirm that a sufficient level of safety for production has been reached. For this, the development team verifies that a vehicle reacts as previously predicted or in other ways appropriate to the situation. The data used here may come from risk assessment methods used during development, such as hazard and risk analysis. There are three equally valid paths for signing off vehicles. A direct sign-off will be carried out through an experience-based (e. g. proven in use) recommendation of the development team. In addition, final evidence of safety can be passed after corresponding reconfirmation via an interdisciplinary forum of internal and external experts or an objective proof. Evidence of functional safety is possible via means of a confirmation test with relevant traffic scenarios based on accident-, traffic-flow-, weather- and vehicle operation data (see Ch. 3), or other verifiable relevant samples (see Fig. 4.14).

**Fig. 4.14** Recommended sign-off process for automated vehicles

The development team chooses an appropriate path for each individual scenario. A mixed approach is also possible. When the safety team has conclusively confirmed the safety of the system design functionality, the final sign-off can be given (see Knapp, Neumann, Brockmann, Walz, Winkle, 2009).

#### **4.7.6 Product Monitoring After Market Launch**

Subsequently to the careful development, a manufacturer is obliged to monitor automated vehicles after placing them on the market, in order to recognize previously unknown hazards and takes necessary additional safety measures. If necessary, car manufacturers are urged to analyze potential dangers (that can also arise in unintended use or misuse) and react with appropriate measures, such as product recalls, redesign, or user information (see Fig. 4.14).

A judgment of the German Federal Court of Justice (BGH) is often quoted amongst product safety experts as a particular example of the product-monitoring duty for combination risks with third-party accessories. Model-specific motorbike handlebar cladding, from accessories that had first been passed by officially recognized experts from a testing organization in June 1977, were supposed to have been responsible for three spectacular accidents including one fatality. On the day before the fatal accident, the motorcycle manufacturer in question wrote personal letters to warn all the riders of the affected model it had on record. The victim, however, never received the letter. Although the motorbike manufacturer expressly warned of using the cladding, the company was ordered to pay damages. The BGH established a fundamental judgment concerning this matter:

"Eine Pflicht zur Produktbeobachtung kann den Hersteller (und dessen Vertriebsgesellschaft) auch treffen, um rechtzeitig Gefahren aufzudecken, die aus der Kombination seines Produkts mit Produkten anderer Hersteller entstehen können, und ihnen entgegenzuwirken." (Bundesgerichtshof BGH, 1987)

In future, companies will not only be required to monitor the reliability of their products in practice but, above all, to refer their customers to any hazards in daily operation – including those that arise from the application or installation of accessories of other manufacturers.

#### **4.7.7 Steps for Internationally Agreed Best Practices**

Due to their networking and complexity, it will be difficult to get a clear overview about all the risks of automated vehicles in series operation. Therefore, the objective is to establish worldwide agreed best practices for legislation, liability, standards, risk assessment, ethics and tests.

The ADAS Code of Practice as a result of the Response 3 project was a fundamental step towards commonly agreed and legally binding European guidelines for advanced driver assistance systems. ADAS systems were characterized by all of the following properties: They support the driver in the primary driving task, provide active support for lateral and/or longitudinal control with or without warning, detect and evaluate the vehicle environment, use complex signal processing and interact directly between the driver and the system (Knapp, Neumann, Brockmann, Walz, Winkle, 2009).

Primarily ADAS systems operate rule based at the maneuvering level (between about one and ten seconds) and furthermore within parts of the skill-based stabilization level (time spans less than one second). High and fully automated vehicles, on the other hand, intervene knowledge-, skill- and rule-based for more than one second at all driving levels (see Fig. 4.15).

Increasing sensitivity for defects is visible through a significant growth in product recalls worldwide. If unknown failures appear after vehicles have gone into production, appropriate measures have to be taken where necessary according to a risk assessment.

For analyzing and evaluating risks stemming from product defects after market launch (in view of the necessity and urgency of product recalls) the EU and the German Federal Motor Transport Authority (Kraftfahrtbundesamt) use tables from the rapid alert system RAPEX (Rapid Exchange of Information System) (European Union, 2010). To classify risks, first accident severity (extend of damage S according to AIS, for example) and probability of harm are assessed – similarly to the ALARP principle (As Low As Reasonably Possible) (Becker, et. al. 2004), the ISO 26262 standard (International Organization for Standardization, ISO 26262, 2018), and ADAS Code of Practice for active longitudinal and lateral support. The degree of risk is derived from this. Final assessment concerning the urgency of required measures looks at the risk of injury for those at particular risk of being injured (as influenced by age, state of health, etc.) and hazard for a mentally healthy adult, and the use of protective measures as appropriate warnings (see Fig. 4.16).

With regard to the injury risk classification between "vulnerable humans" and "healthy adults" (Fig. 4.17) Kalache and Kickbusch – members of the Ageing and Health Program within the World Health Organization – published a report with a well-accepted concept in 1997. They showed that functional abilities, such as muscle strength and cardiovascular performance, peak in early adulthood and

**Fig. 4.15** Worldwide agreed legislation, standards, ethics, tests for highly/fully automated vehicles with integration of knowledge-based navigation, skill-based stabilization and rule based maneuvering levels (globe = outer circle). Further development of the ADAS Code of Practice for active longitudinal and lateral support or intervention in dangerous situations (ADAS = blue circle).

decrease linearly with age. Furthermore, the physical capacity of the population varies with age.

The illustration Figure 4.17 suggests that every human being in early adulthood has a similar functional capacity, which depends on lifestyle, disposition and environmental factors. The author's many years of experience in road accident research confirm that age-dependent functional capacity has an influence on injury risk.


**Fig. 4.16** Risk assessment and derivation of essential measures in accordance with RAPEX, ALARP and ISO 26262. (Sources: RAPEX, ADAS Code of Practice, ISO 26262, ALARP)

**Fig.4.17** Impact of injury risk by age and functional capacity. (Source: Winkle, T. According to: Kalache A, Kickbusch I. 1997, A global strategy for healthy ageing)

The following questions relate to the activities for functional safety management:


(see Annex Fig. A.3, Example documentation sheet of the ADAS Code of Practice)

#### **4.8 Conclusion and Outlook:**

Automated driving is currently the focus of legal interest. In 2017, the "Automated and networked driving" ethics commission appointed by the German Federal Minister of Transport presented its report. At the same time, the new German Road Traffic Law came into force. In the current version in § 1 b StVG, the passage "The vehicle driver may (…) turn away from traffic events and vehicle control" is inserted. However, he "must remain so attentive" that he can take over control "at any time". In addition the ECE R 157 (level 3) and a further German law create the legal framework for autonomous vehicles (level 4) in defined operating areas on public roads.

In both cases, the main focus was not to hinder any development that could be expected to have a clear potential for damage avoidance and damage minimization. It follows that remaining risks do not stand in contrast to the new technology if they contribute to a fundamentally positive risk balance (BGH decision). Dilemma situations have always served to clarify ethical and legal principles, such as in the famous example of the so-called "trolley case". The answer of the law here is clear: the killing of a human being with the intention of saving others from certain death may be excused in a concrete case, but it remains illegal in any case. The solution is therefore to avoid accidents at any rate by adapting and forward-looking driving.

Shifting responsibility from the driver or holder to the person responsible for the technical systems in the sense of product liability is under discussion. In the sharing of the driving task between a human driver and a technical system, the responsibility must be redefined, as humans and machines occur in a shared driving task. The German liability system ultimately passes the risk of an accident on to the owner of the vehicle. Furthermore, the manufacturers are liable within the framework of mandatory product liability. With this shift in liability, it must also be discussed how much safer a technical system must be statistically seen so that it is accepted by society and which methods lead to a reliable confidence.

On the one hand, society's expectations are understandable as they increasingly require the highest, state-of-the-art levels of safety for new technologies. On the other hand, unrealistic demands for technical perfection and the striving for 100% fault-free operation may hinder automated vehicles from being launched on the market, and thus the chance of revolutionary potential benefits.

The market launch of highly and fully automated vehicles has barriers placed in its path. The first vendors on the market (the pioneers) therefore take on increased risks at the outset, so that the potential total benefit of these new technologies to society can only be achieved together with all parties. Homann describes these decision conflicts during market launch by the decision theory concept. To overcome this dilemma as it pertains to highly and fully automated vehicles, the incalculable risks for manufacturers must be made assessable and determinable through new institutional arrangements (Homann, 2005). Unconditional information and transparent policy encourage and accelerate public discourse across all disciplines.

Due to previous licensing requirements for series production vehicles, drivers almost always have to keep their hands on the steering wheel and permanently stay in control of the vehicle. Automated vehicles and vehicle developments by IT companies, car manufacturers, and component suppliers will also be required to have a human driver as a responsible backup level in complex traffic situations for the nearby future.

Driverless vehicles, on the other hand, signify the beginning of an utterly new dimension. New approaches and activities are essential (Matthaei, et. al. 2015). It is required to orientate ourselves to the future potential of automated driving functions, to learn from previous patterns and within the bounds of what is technically and economically reasonable and adjust old methods to valid state of the art or state of science (Scharmer, Kaufer, 2013).

Besides generally clarifying who is responsible for accident and product risks, new accompanying measures depending on different automation and development levels are also of use for a successful market launch and safe operation. This includes identifying relevant scenarios, environments, system configurations and driver characteristics. Relevant maneuvers of driving robots have to be defined and assessed for example using accident data (see Ch. 2) and virtual methods. Further investigation of real driving situations in comparison with system specifications with tests on proving grounds, car clinics, field tests, human driver training or special vehicle studies are recommended. For the required exchange of information, storage of vehicle data (e.g. Event Data Recorder) and possible criminal attacks protective technical measures are necessary (see Ch. 4). Beside challenging and agreed data protection guidelines (Hilgendorf, 2015), experts in technology ethics will ensure compliance to ethical values. Within this, safety requirements have to be answered in terms of "How safe is safe enough?" Expert experience can also decisively contribute to increasing safety and meeting customer expectations for acceptable risks. In the light of increasing consumer demands, such experience – particularly of previous product liability procedures – makes a valuable contribution to improving product safety during development and approval stages.

Before highly complex automated vehicle technologies – which will additionally be applied in a multi-layered overall system – can go into mass commercialization, interdisciplinary concerted development and sign-off processes are required. A reliable evaluation for sustainable solutions ready for production demands new harmonized methods for comparable safety verification, e.g. by simulating relevant scenarios (Kompass K, et. al. 2015; Helmer, 2015) including the planning of field tests (Wisselmann, 2015) from worldwide available and combined accident-, traffic-flow-, weather- and vehicle operation data (see Ch. 3). This also applies to fulfilling legal and licensing regulations, identifying new options for risk distribution (see Matthaei et. al. 2015), and creating new compensation schemes.

To verify the duty of care in existing quality management systems, it is recommended to further develop experience-based, internationally valid guidelines with checklists built on the ADAS Code of Practice (Knapp et. al. 2009; Becker, Schollinski, Schwarz, Winkle, 2003). These standards will further embody and document state of the art and science within the bounds of technical suitability and economic feasibility. The ADAS Code of Practice was developed to provide safe Advanced Driver Assistance Systems, with active support of the main driving task (lateral and/or longitudinal control, including automated emergency brake interventions – AEB), on the market and published 2009 by the European Automobile Manufacturers Association (ACEA). It corresponds with the ISO 26262 for requirements of electrical, electronic and software components. As a development guideline it contains recommendations for analysis and assessment of ADAS Human Machine Interactions with occurrence during normal use and in case of failure (Knapp et. al. 2009; Donner, Winkle, Walz & Schwarz, 2007). With increasing levels of automation upgrades of functional safety, controllability (ISO 26262, ADAS Code of Practice) and other standardized methods will be necessary such as virtual simulation (Helmer, 2015). Today the standards do not cover functional disabilities for instance misinterpretation of objects, traffic situations and resulting false positive system interventions. An integral, scenario-based approach is recommended because automated systems will be able to control scenarios. In the event of serious malfunctions that threaten severe damage, product experts from the development process should be involved in the study of the causes and be listened to. Motor vehicle experts who are not directly involved in the development should acquire the expertise to be able to provide a specialist appraisal of new technologies in court.

In the development of automated driving, networked thinking covering all disciplines is required with a flexible, yet structured area for action. So far, the development has opened up an unknown world with many uncertainties that may cause reservation and resistance. For a successful launch of automated vehicles ready for production, insights collected *in vivo* from both the past as well as the present, are essential prerequisites. Despite the technical, legal, and economic risks, production readiness will be of benefit to society in this way.

**Open Access** This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

# **5 Qualitative Interviews with Developers**

The previous chapters indicate that development approaches using innovative technology or Artificial Intelligence must be reviewed against the background of the increasing demands on interdisciplinary project teams as well as the growing complexity of automotive functions. As a result, proven management systems and system engineering approaches must be redefined or modified appropriately.

Interviews with engineers, executive managers and a psychologist from the development department of automobile manufacturers show that a structured guided process increases quality in respect of operational and functional safety. The final consulting concept (checklist with 303 questions in Annex B) includes guidelines in addition to the aforementioned requirements. It will support the efficient, user-friendly development of new functions.

In the subsequent empirical part, the previous lessons learned described above are supplemented by feedback from internal consultancy work between car manufacturers. After twenty years of professional experience in consulting and advisory activity on the development of safe, innovative vehicle systems the author conducted structured surveys with responsible developers, top executive managers and group leaders. The interviews were carried out with the aim of examining the need and acceptance of a structured, guided development process using the example of the "Code of Practice for the Design and Evaluation of ADAS". This internationally coordinated development guideline was created for the safe market introduction and reduction of product liability risks concerning advanced driver assistance systems (see Ch. 4).

#### **5.1 Response from a Guided Development Process**

A guided development process has the goal to support all involved developers at each stage with methods and checklists from the concept idea to the release and the market launch. The use of guiding documents, such as the ADAS Code of Practice, ensures that appropriate procedures and specification processes for the development of new systems are applied. As a result, the developer achieves adequate safety. At the same time, by processing checklists for specifying or evaluating, it is ensured that no significant aspects are overlooked during development. Furthermore, compliance with the required due diligence or "Duty of Care" is documented and proved.

Using prepared qualitative interviews, the author received extensive feedback on the conception of a guideline-structured development process from Southern German automotive manufacturers. Ten employees were interviewed from administrative and technical staff up to executive management in the technical development of future assistance systems. Among them were six development engineers, one psychologist within the development and three executive managers.

Four engineers had experience on guideline-supported development through application of the ADAS Code of Practice in the context of development or corresponding preparation. Engineer 6 had superficial knowledge while Engineer 5 was unfamiliar with guided development. The psychologist and the three executive managers were familiar with the content of the ADAS Code of Practice (see Fig. 5.1).

Further background information on the 10 interviewed experts with departmental affiliation and experience with guideline-supported development for specific tasks is provided below (see also Fig. 5.2):



**Fig. 5.1** Overview of the interviewed experts with different experience on guidelinesupported development


The extension to the overview of all interviewees shows that they are mainly active in series development. Two engineers work in research and/or predevelopment (Fig. 5.2).

Executive manager 2 is responsible for the final steps of the development process, in particular the topics of homologation, compliance with regulations, type testing and obtaining final approval from the technical department. Engineers 1 to 4 who have used the ADAS Code of Practice in their development tasks have an average professional experience of between five and fifteen years. In contrast, engineers 5 and 6, as well as the psychologist with a lower level of work experience between 6 and 12 months have no personal experience with guideline-based development work. Engineer 5 has not yet been familiar with the contents of ADAS Code of Practice. The three executives with many years of professional experience of between 20 and 35 years are familiar with the contents and the objective of this ADAS guideline.

The survey focused on the following topics:


An elaborated interview guide (see Annex C) served as a support for the moderation strategy. In order to ensure a smooth conversation, the chronological order of the topics was flexible. The arrangement of the questions in the interview was adapted to the course of the interview. The duration of each interview was between 35 and 70 minutes.

To obtain an overall picture, the survey was taken by both: developers who were in favor of structured guidance support and by those who rather see obstacles


**Fig. 5.2** Interviewed experts with business unit, professional experience and development tasks. (Source: Winkle Interview Analysis)

(see Sect. 5.2 to 5.6). All developers who took the survey had already been in contact with the guide or the checklists. Four of the developers had already worked actively with the ADAS Code of Practice. The three executives surveyed were familiar with the guide, but had not yet used it themselves.

For the detailed evaluation, the interviews were recorded with an audio device and subsequently transcribed. The transliterated results could thus be structured and evaluated (Kuckartz U, 2016). By means of grouped statistics, the frequency of most frequently used topics of the interview feedback reports was emphasized according to their nomination. This makes it possible to recognize the essential subject areas and to evaluate them in comparison with the transcript (Mertens D M, 2019; Scheu A M, 2018). To analyze the words and the graphical representation, general-purpose software Microsoft Word and Excel was used, applying the mixed-method approach (Döring M, Bortz J, 2016).

The transcripts of all interviews contain 50,124 words and include 4444 nouns. All the nouns were evaluated in addition to the further analysis of the interview content. Of the total, 2703 nouns are attributable to the 6 developers, 387 to the psychologist and 1354 to the executives (see Fig. 5.3).

**Fig. 5.3** Transcript Data for analysis: words and nouns. (Source: Winkle T, Interview Analysis)

Initially, this evaluation considers the frequently used topic areas (nouns) of the employees in development. Three groups with six development engineers, one psychologist within the technical development and three executive managers were formed based on meaningful differences between the participants' tasks.

During the interviews, the three groups focused on very different topics. This alone illustrates the complexity of a successful collaboration.

### **5.2 Engineers: Sensible Creativity under Time Pressure**

Of course, it is beyond a doubt that developers are constantly focusing on the functionality of their "system" (60 nominations). Further on, the evaluation of all feedback from the development engineers shows "questions" (52 nominations) together with "question" (48 nominations) as the most frequently cited word, which tells us something about the engineer's approach: first he asks questions and then works on solving the technical challenges.

It goes without saying that particularly amongst engineers "development" (42 nominations) and "developers" (29 nominations) appear as part of their daily work content. The factor "time" (32 nominations) is conspicuous and is mentioned much more frequently amongst the engineers who have to develop the new system than it is by the psychologist and the executives. In particular, the introduction of additional "topics" (34 nominations) or "documents" (29 nominations) raises the question of the "sense" (28 nominations) (see Fig. 5.4).

**Fig. 5.4** Feedback from development engineers, analysis from 2703 nouns with minimum 19 nouns used. (Source: Winkle T, Interview Analysis)

A clear reply from the interviews is that daily development activities are subject to colossal time pressure. A wide range of different work contents demands flexibility. It is only on rare occasions that the developers are able to plan for a long time in advance. The developers are subject to a tight schedule and have to deal with a lot of documentation, instructions and tools. This is why current work orders are prioritized by urgency.

#### **5.3 Psychologist within Development: Priority to Driver's Needs**

The task of the interviewed psychologist within the technical development who works in the area of chassis/driver assistance systems is to continue the development of a controllable driver assistance system that is already in series production. He plans to work with a guideline and checklists in the future.

Within the scope of these interviews, the psychologist's focus is on the functionality of the "system" (24 nominations). He frequently mentions the noun "clinic" (10 nominations) which may be interpreted as an expression of his commitment to carry out scientific tests. Topics such as "driver" (11 nominations), "development" (9 nominations), and "item" (7 nominations) are also mentioned more frequently than was the case with the surveyed development engineers (Sect. 5.2) and executives (Sect. 5.4). This confirms the expectation that the psychologist mainly considers the drivers from the point of view of their different driving behavior, expectations, abilities and limitations.

Thus, the needs of the drivers have top priority:

*"(…) dass man sich insgesamt bei der Entwicklung mehr Gedanken drüber machen muss, was macht der Fahrer, was braucht der Fahrer, und was braucht der Fahrer nicht." (… that in development you have to worry about: what is the driver doing, what does the driver need, and what doesn't the driver need.)*

In this process he considers it extremely important to insure the controllability of the driver assistance or automated system through use of a "clinic" to deliver final proof of a safe "development".

With the help of a process consultant, their aim is the preparation of a car clinic:

*"(…) dass man eben sagen kann, wir wollen eine Studie machen, und dann haben wir da Leute, mit denen wir da immer sprechen können und die uns erklären, wie so eine Studie aussehen könnte." (… you could say that, we want to carry out a clinic and* *now we have people available, who we can always talk to, and who can explain to us what format the study should have.)*

Moreover the topics "standard" (6 nominations) and "code of practice" (6 nominations) are frequently mentioned in connection with guideline-based development.

At this point the psychologist takes particular care to ensure that sufficient design flexibility remains without restrictions during development of the system. To receive an honest evaluation in respect of observed requirements, he considers that an external consultant is needed – someone from outside the development department who could impartially assess the system. Consequently, he uses the word "department", with 6 nominations, remarkably often. He points out that the opinion of experts within their own department is not easily changed by external opinions originating from outside the department. In addition, the psychologist considers the business policy scope. Different business units need to cooperate closely to achieve a successful company result (see Fig. 5.5).

**Fig. 5.5** Feedback from the psychologist within the development department, analysis of 387 nouns with a minimum 5 nouns used. (Source: Winkle T, Interview Analysis)

#### **5.4 Executives Focus on Responsibility for Duty of Care**

Firstly, for the executives surveyed in this study (from the areas of chassis, bodywork and total vehicle management) it shows that their reasoning is based on the "topic/s" (46 nominations) they consider important within their scope of responsibility.

Below are some examples:

*"Eine Möglichkeit wäre, dass man das Projekt spezifisch mal durchgeht und überprüft, sind alle "Themen", die darin sind für dieses Projekt notwendig." (… One possibility would be to go through the project specifically and check if all the "topics" it contains are necessary for this project… )*

*"…Das "Thema" Sensibilisierung. Am sinnvollsten mit irgendwelchen eklatanten Beispielen. Mir fällt so das Thema Toyota ein …" (… The sensitizing "topic". Most meaningfully clarified with some spectacular examples. The Toyota topic springs to mind …)*

*"… wurden entsprechend auch über das Tool alle wichtigen "Themen" ausgefüllt – alles sichergestellt? …" (… were accordingly all important "topics" appropriately filled out using the tool, everything assured? …)*

The sample question mentioned is representative of the correspondingly high number of "question/s" (37 nominations) in relation to liability.

Furthermore, the terms "sign-off" (29 nominations) and "standards" (24 nominations) illustrate the main areas of interest. In addition, "responsibility" (13 nominations), "law" (12 nominations) and "State of the Art" (10 nominations) are often used. This indicates that managers in particular seem to worry about the political-judicial situation. Mainly the responsibility – particularly with regard to the "sign off" of the "system/s" (34 nominations) to be developed – is of central interest. The term "State of the Art" is mentioned significantly frequently. This is an indication of their responsibility for a safe system development (see Fig. 5.6).

Executives know about the legally binding nature of system releases and thus recognize the need to further establish the use of guideline-based checklists. However, as already mentioned, they do not regard it as an objective to force through the binding application based on pressure from disciplinarians above – or by establishing a standard. As a long-term goal, the independent and selfresponsible processing of checklists is seen as sufficient, without the need for additional regular checks during system development. The acceptance is to be achieved by the credible commitment of the executives and the increased involvement of the developers, through which they change "from stakeholders to parties" (Osmetz, D. et. al. 2004). Findings from studies confirm that the credible commitment of top management, together with the involvement of the employees, is decisive for successful changes (Claßen M, Kyaf F 2010).

This way of involving the employees would make it easier for managers to share responsibility for sign-off. They could rely on the fact that relevant checklists had been compulsorily completed and promptly filled out. This also confirms that all relevant requirements had been considered during development.

Comparing the word-nominations of the executives with the development engineers, it can be seen that "topic/s" (15 nominations per executive vs. 6 nominations per development engineer) are more clearly in the foreground. By contrast "question/s" are more often raised by the development engineers (17 nominations).

Therefore, it can be concluded that executives are more accustomed to thinking about "topic/s" or "solutions" rather than open questions (see Fig. 5.7).

**Fig. 5.6** Feedback from executive managers analysis from 1354 nouns, with minimum 19 nouns used. (Source: Winkle T, Interview Analysis)

**Fig. 5.7** Comparison of nominations of 3 executives and of 6 developers. (Source: Winkle T, Interview Analysis)

#### **5.5 Advantages of Guideline-Based Development**

Among all the interviewees, there is a general open-minded constructive attitude towards guideline-based support as an orientation aid with suggestions for the approach to the development of new innovative vehicle systems. In particular, less experienced engineers or developers from different disciplines can benefit from included reminders and the documentary support. Competent support with an internationally accepted document is preferred to a transfer of personal experiences among colleagues. Support with assistance of accompanying documents – such as Codes of Practice, which are binding not only inside the organization but also for all international automobile manufacturers and suppliers – is greatly appreciated. In the opinion of the interviewees, such a binding character leads to a higher level of care and increased motivation to adapt the new system to valid standards or to meet the requirements for system approval requirements.

None of the developers have continuously used the Code of Practice guideline during the development stages through their own initiative. A reason for the non-application was partly the opinion that a guideline is not necessary because of already existing adequate intra-departmental experience or that the fulfillment of relevant standards, approval regulations or sign-off tests from other departments suffices. Corresponding checklists were only processed if active support was provided. The respondents considered working together with a consultant to be easier and more effective. In the short term, it was possible to eliminate any uncertainties that arose. A further important advantage was seen by the interviewees as being the dual control (four-eyes) principle at the end of the development process, which acts as a check to see that all main issues were considered.

Overall, it can be seen that guideline-based development work as illustrated by the example of the Code of Practice has so far encountered a number of obstacles. The major barriers are currently the lack of awareness and oversized scope. Only a few developers are aware of colleagues or departments that use the Code of Practice. Moreover, as only a few are informed about the importance on the need for guideline-based development work by their own initiative, it is necessary to initiate the process by a responsible person. A more user-friendly form, together with intensive consultation work, promises a significant increase in practical application. For the integration of a binding application into the daily development routine, close cooperation between the responsible executives and developers is required. The greater their personal responsibilities within the development of new systems, the more the surveyed person considered the guideline to be useful. Regular application will therefore depend on the guide being perceived as an advantage which will then provide motivation for its use.

#### **5.6 Conclusion: Structured Expert Communication Improves Quality**

In individual interviews, a guideline-based development structure in the research and development centers of German automobile manufacturers was examined. The investigation was inspired by the practical application of the approach based on the guideline-supported example of the ADAS Code of Practice.

This identified a lot of information about the development staff´s perspective in relation to the sustainable development of safe vehicle systems and also their acceptance of structured, guideline-oriented development work.

For evaluation of the feedback, the interviewed development staff was grouped into six engineers, one psychologist and three executives. Amongst other things, the evaluation revealed that engineers are looking for meaningful creativity when developing a new system under time pressure. On the other hand, the feedback from the psychologist within the development department confirms his prioritizing of the needs of drivers and the proof of the controllability of the new system. Executives, on the other hand, focus more strongly on the responsibility for signoff, thus completing the requirements for safe and fully documented development work.

Overall, it is apparent that development engineers, psychologists and managers are looking at the development of a new system with different perspectives, interests and attitudes – while in general, all of them welcomed the tool. Each expert contributes to the development of a reliable system through their special field of expertise. As explained in previous chapters, these views are important – since, for example, technical system limits or operating errors for end users could potentially lead to dangerous situations and accidents, which could lead to a harmful loss of image for manufacturers.

A guideline with supportive advice "forces" all participants involved in the product development process to sit around a table introducing and discussing their different aspects in a structured way.

Through the surveys, the developers were sensitized to the advantages of a guideline-based sustainable team development process. Often the employees themselves are the best advisors. The developers concerned are the most aware of the weaknesses and can initiate innovations in companies from the "bottom-up".

As a team developer, the author repeatedly observes disruptions in the selforganization of a team that result in a lack of communication or conflicts between individual employees. Within the team development measures carried out for this purpose, the author conveys the values of the Inner Development Goals (IDG), considering the Corporate Social Responsibility and sustainability principles of the United Nations Sustainable Development Goals (SDG) for sustainable development on our planet (see Annex B questions 103 to 303, see also Fig. A.19).

**Open Access** This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

# **6 Consulting Concept to Develop New Systems**

The above-mentioned interview outcomes and the resulting strong interest in supporting consulting-services point to a great need for structured advice during the development process of new systems. The following questions supplement some requirements for duty of care which are exemplary listed in sections 3.2.2 and 6.2 from the first idea until marketing.

### **6.1 Intrinsic Motivation**

From the engineer's perspective time and effort are the basis for the acceptance, which is necessary for the successful use of a guideline or checklists. In general, the developers must be convinced of the advantages of a guideline. Only if checklists can be integrated into the daily development routine with little loss of time is there a motivation for their use. For this purpose, user-friendly solutions for editing as well as clear, quickly recognizable questions with little scope for interpretation are required. The results of the interviews clearly show that the value of complete documentation within the product development in the event of a customer complaint was largely recognized. Some developers do not see any added value in completing the provided Excel lists in their daily work. Therefore, complete documentation is only possible through increased motivation or more pressure from the outside. It is revealed that a positive attitude towards encompassing process documentation is linked to responsibility. According to these developers with a high sense of responsibility, consistent documentation leads to an experience-based work process and therefore less expenditure of time.

An obligation to produce documentation based on additional pressure from the hierarchy above will discourage both the developers and the managers. This would lead to simple checking-off relating to all the items on the checklist rather than responsible and reflective processing of all work tasks.

Therefore, competent supervision from an independent consultant from outside the respective area is recommended for achieving continuous documentation throughout the development process according to the duty of care. Most of the respondents want a point of contact or personal contact person, who will always be on hand with competent technical or legal advice and assistance for any questions or problems that arise. In the case of a developer, guidance, sense and purpose for the benefit of the individual developer are primary motivations. This means that a structured guideline will only be used with conviction if it is perceived as an advantage.

Thus, the demonstration of the potential for optimization and increase of safety by means of a guide-supported development process represents a significant step.

In addition, the survey found that the employees in the development departments are satisfied with their work and tasks. In particular, the variety of the day-to-day work is perceived as particularly enjoyable and motivating by many developers. The work on the development of innovative driver assistance and automated systems requires innovation processes, which, in addition to the administrative tasks of the employees, require corresponding open space for creativity (Schleuter W, von Stosch, J, 2009). As well Ekkehard D. Schulz, also a member of the Supervisory Board of MAN SE, writes in his book (55 reasons to become an engineer) as follows: "Creativity and courage are the characteristics that every engineer needs" (Schulz, E-D, 2012).

According to the statements of the surveyed developers, they are also given plenty of freedom to develop new ideas and exploit their creativity. This gives the interviewed developers an intrinsic motivation for their work. A particularly pronounced motivation is developing the best possible new systems, something which occurs when developers accompany the entire development process right up to the start of production.

This is also shown by the example of Carl Benz: current developments without a passion for technology are unimaginably. Despite all negation, rejection and mockery in response to his work for days and nights – with the support of his wife – Carl Benz bravely believed in the future of his patent car. After further optimizations and due to the increased public interest, countless press articles subsequently dealt with the industrial success of the automobile in the first decades of the twentieth century. They show that these initial forecasts have been more than exceeded (Benz, Carl Friedrich, 2014).

#### **6.2 Consulting Questions to Fulfill Duty of Care**

An overview of all generated consulting questions to comply with duty of care is attached. In the manufacture of vehicles with innovative systems, general consideration must be given to the strict liability, that the manufacturer or distributor of a product is liable for its proper functioning without any faults (see Ch. 4). Liability also exists for individual defective systems. The author's experience in connection with the processing of product liability cases lead to the following general questions as a consultant to the development process:


As well as these questions, most of the quality standards are formulated relatively generally. For vehicle manufacturers, this means that concrete measures for product safety must be developed on their own. Furthermore, it should be noted that the comprehensive measures extend to several areas of responsibility within the company. These relate to design, production, technical documentation, purchasing, sales and service. In this respect, the management is centrally responsible for the overall process.

Many different systems exist on the market that are based on different technologies and assume different functions. The challenge is that the current safety level of development in respect of automated driving systems is difficult to characterize. The developer has to check the duty of care, the current standards or the state of knowledge as a general state of the art. He has to decide "how safe is safe enough".

Other accompanying development guides like a code of practice also relate to elements of safety enhancement (see Fig. 6.1). In particular, the ADAS Code of Practice proposes methods for verifying the controllability of new systems. The application of appropriate confirmation paths for system approval is included in chapter 4.

In addition, numerous other checklists and design recommendations must be considered for the system-specific applicability of the system that will be developed. These include for instance: the ESoP-specifications for In Vehicle Information Systems (IVIS), internal company checklists or lists such as the "Safety guidelines for mobile services in automotive use from the Mobile Automotive Cooperative Service (MACS-) MyNews-Services".

While ISO 26262 addresses the potential threats of a system with regard to functional safety as malfunctions, the specification of the safe target function is not considered. This is the basis of functional safety (Kriso, 2014). Nevertheless, the question arises as to how the target function is to be specified or developed so that it can be regarded as sufficiently safe. Additionally, for this purpose the ISO/PAS 21448 Road vehicles: Safety of the Intended Functionality (SOTIF) was developed. The consideration of this question in ISO 26262 has so far been limited to the topic of controllability with reference to the ADAS Code of Practice. These Guidelines can be structured in three primary driving tasks (see Fig. 6.1).

**Fig. 6.1** Guidelines and related primary driving tasks. (Source: Winkle T, Based on ADAS Code of Practice (2010) p. 20 Figures: Prof. H. Bubb TU München (2005): Chair for Ergonomics)

A topic to be discussed is to what extent predictable or unforeseeable manipulations can lead to safety-critical effects: especially with regard to automotive functional safety (Kriso, 2014).

In addition to systematic errors and random hardware errors, the enemy image of conscious manipulation must also be considered. With regard to automotive security the guideline SAE J3061 "Cybersecurity Guidebook for Cyber-Physical Vehicle Systems" was published in 2016 which among other things deals with the interaction between safety and security.

Volume 2 of the updated standard (ISO 26262, 2018) already includes a loose coupling to security:

"The organization shall institute and maintain effective communication channels between functional safety, cybersecurity and other disciplines that are related to functional safety, if applicable." (ISO 26262, 2018) Ch. 5.4.2.3.

Therefore, the main purpose is about combining organizational communication channels with neighboring disciplines. In particular, the link to security is taken up again in the informative ISO 26262 Annex F (Guidance on potential interaction of functional safety with cybersecurity). However, the indications given here are at a quite general level.

#### **6.3 Conclusion: Structured Guidelines Support a Safe System**

The survey in the development departments shows a great need for structured advice during the development process including a strong interest in supporting consulting services. Additional suggestions from established standardized processes such as the Toyota Production System (TPS) can be used. In order to maintain the general quality, the TPS describes the prevention of hazards. Failures due to information deficiencies and product designs that do not meet customer requirements can be considered as defects. Product quality should be monitored constantly and not only by random sampling. To achieve this, all employees in production and logistics must be appropriately trained and sensitized. This approach is also taken into account when applying the method Total Quality Management (TQM). Another method is called Poka Yoke, which means "avoiding unintentional errors".

Only when employees in organizations register that sustainable management is interested in their daily problems in the process and actively supports them in solving these problems do they realize that continuous process improvement is indeed desired. An exclusive result orientation causes demotivation. On the other hand, a supportive and flexible process-oriented sustainable management will motivate employees and achieve organizational sustainability. Additional investment in employee qualification is the decisive competitive advantage for safe products in successful corporations during changing requirements within the fight for quality and costs along the supply chain management (Benn S et. al., 2014; Hahn T et. al., 2014; Chopra S et. al., 2007).

Within this consulting concept carried out to develop new innovative systems, the author conveys the values of the Inner Development Goals (IDG), considering the Corporate Social Responsibility and sustainability principles of the United Nations Sustainable Development Goals (SDG) for globally sustainable development.

The 17 United Nations Sustainable Development Goals are further guidelines within this consulting concept to achieve better and more sustainable new systems for everyone. They focus on the global challenges we are confronted with, including poverty, inequality, climate change, environmental degradation, peace and justice. As a support, the Inner Development Goals (IDG) serve as a guide to the skills, qualities and capabilities people need to achieve the 17 Sustainable Development Goals (SDG). In doing so, they aim to educate, inspire and empower people to be a positive force for change in society and to take a more purposeful view of our lives and the lives of those around us. These are compatible with the questionnaire in Annex B (see Annex B questions 103 to 303, see also Fig. A.19).

**Open Access** This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

# **7 Summary and Discussion**

### **7.1 Current agile management changes**

From the author's observation, increasing economic pressure is requiring leadership and employee teams to become more innovative, faster, efficient, highly profitable and more prepared to take risks. It is no longer sufficient to work effectively or goal-oriented.

This will give rise to concerns that new innovative developments using Artificial Intelligence could lead to external control by Artificial Intelligence. This focuses on ensuring controllable collaboration between humans and increasingly intelligent machines. Approaches to the challenges of new developments and development teams in the dilemma between Artificial Intelligence, ethics and the legal risks are considered in more detail here using the example of Automated Driving.

The automotive industry, for example, is in the progress of a fundamental change, as they no longer meet mobility requirements, especially in urban areas. As a result, many predict a disruptive change. Responses to this are new innovative developments (Dudenhöffer, 2016). One answer to this are automated driving systems that offer great potential for increasing safety, comfort, environmental pollution and efficiency in road traffic. In the long term, fully automated or autonomous vehicles offer many useful advantages: While driving, non-driving activities can be done and so this time is used efficiently. Older or physically handicapped people can also become mobile again. It also supports new business areas, especially in the area of car sharing.

The business models differ radically. The approaches of Google, Apple, Facebook or Tesla do not aim for profit margins from the sale of automobiles, but for security and expansion of data competence, a new level of networking. The

customer of the future is increasingly looking for new mobility services to get from A to B.

Until now, the German road traffic regulations (Straßenverkehrsordnung StVO) had firmly established the permanent controllability of a vehicle. According to § 3 Section 1 StVO, for example, the driver may only drive so fast that he is able to control the vehicle at all times. Initiatives at UN level are continuing to drive forward the "ALKS - Automated Lane Keeping System" with future speed extensions. Similarly, the German Bundesrat has passed a law on autonomous driving in 2021. As described in section 4.7.1, some cases are already known and published, where unexpected or missing reactions of automated systems occurred. However, after fatal traffic accidents (for example Tesla "Autopilot" 2016/2018, Uber self-driving vehicle, 2018) automated vehicles must face the discussion of the dilemma between innovation and consumer protection, which leads to a deeper need for research according to the Requirements to Develop Safe Automated Vehicles.

Previous safety methods will no longer be sufficient for the verification of complex automated driving functions. Therefore, the requirements to develop safe automated vehicles between the dilemma of innovation and consumer protection were examined in more detail in this study.

The following topics have been processed:


#### **7.2 Findings**

This book demonstrates that both professional knowledge with sustainable leadership decisions and concepts of psychological development with mindfulness are growing in importance. It further confirms that development work using the example of automated driving functions with Artificial Intelligence will be successful through close structured support and a sustainable Leadership between teams of experts. Such close teamwork including the knowledge from area-wide accident data in addition to other field studies (Driving Simulator, Natural Driving Studies, Field Operational Studies), legal framework conditions with liability cases and validation methods will support the development of safe automated vehicles. In the future, the main focus will be on developing the level of safety that automobile manufacturers have to ensure. Finally, court decisions will decide on the permitted risk in concrete cases. A definition of a permitted risk would be suitable to structure and limit the criminal liability of manufacturers of automated systems appropriately in the future.

The usage of the final consulting concept (including feedback from the development departments and the checklist in Annex B) developed in this book is a way to reduce the risk of criminal consequences for the company plus the threat of prison punishments for individual employees. The concept supports the development of an automated vehicle (in the context of what is technically practicable) as safely as possible.

With the support of this checklist concept, the developers have resources and common understanding to reduce criminal consequences to an absolute minimum. It demonstrates that the most appropriate procedures have been applied in development, including risk identification, risk assessment, and assessment methodology.

Initially, the exemplary findings of traffic accident research in chapter 2 indicate that human error – with mainly information reception limits of almost 60 percent – seems to be the main cause of road accidents. In the first instance, this raises great expectations for the benefit of automated vehicles. However, estimating the actual safety potential of highly and fully automated vehicles from accident data, therefore, requires a differentiated comparison of the overall performance of man and machine. Subsequently, this calls for detailed information about functional characteristics and technical limits, planned for mass production.

Before series development is considered, driverless vehicles, supported by automated systems, must at least correspond to the driving ability of an attentive human driver to further reduce the number of road accidents.

For example, development engineers are particularly faced with technical challenges regarding complex traffic situations. This applies, for instance, to technical limits and time-critical situations, such as a child running suddenly in front of a vehicle or difficult weather conditions. Only when these technical challenges have been overcome is a large-scale rollout of marketable, fully automatic vehicles likely to be realized.

The potential of information from traffic accident data is not yet completely used. Previous accident analyses are usually not nationwide and limited by criteria. Predefined analysis criteria of accident research teams are usually limited to certain locations, times, special collision conditions (such as airbag deployment, involvement of injured persons, special pedestrian accidents, vehicle types or other general conditions) and must therefore first be weighted for statistical relevance. For example, area-wide minor accidents with minimal contact and minimal damage to property (see Sect. 3.3.2.5 Examples for minor and no damage to property), or traffic violations that come very close to "near misses" are not investigated in depth.

To receive real-world test scenarios for the first time 1,286,109 state-wide police-recorded accidents were analyzed concerning challenging information reception limits in chapter 3. The results indicate 374 scenarios with bad weather traffic conditions (fog, glare/blinding sun, rain, black ice (snow/ice), snowfall, blinding oncoming traffic, visual obstruction) that are also relevant for testing automotive sensor systems.

In particular, a fatal pedestrian accident scene was examined at the accident site under similar conditions concerning the perception capabilities in comparison of human and machine. The situation shows that such indicated scenarios have to be considered for sign-off testing after the careful selection of sensor concepts and the development of algorithms.

Consumers require the highest, state of the art levels of safety for new technologies but those demands for technical perfection are unrealistic and 100% fault-free operation is not possible. A market introduction of automated vehicles accompanies the risk that court decisions will be passed more frequently to design faults since a certain risk of accidents can never be completely excluded. However, the liability of the manufacturer is excluded if the defect could not be detected according to the state of science and technology at the time when the manufacturer placed the product on the market. The manufacturers are obliged to observe their products. This can be supported by the analysis of accident events as described in chapters 2 and 3.

Thus, the results of chapter 4 show, that interdisciplinary coordinated development, and sign-off processes are necessary. A reliable evaluation for productionready solutions requires comparable risk assessments and safety proofs, e.g. by simulating relevant scenarios including the planning of field tests from globally available and combined accident, traffic flow, weather and vehicle operating data.

This also covers compliance with legal and licensing regulations, the identification of new ways of risk distribution and the creation of new compensation systems, because, with the increasing use of automated vehicles, the manufacturer's liability may also increase. Today the standards do not cover functional disabilities for instance misinterpretation of objects, traffic situations and resulting false positive system interventions.

Qualitative interviews in development departments of German automobile manufacturers show that structural, legal and regulatory support by independent experts in conjunction with sustainable leadership as well as a guideline-based structure can make a significant contribution to the safe development of new innovative systems using Artificial Intelligence. The results of this survey in chapter 5 show that the main challenge for the employees of the development departments is to develop these new systems in a customer-oriented, safe and controllable manner for the vehicle users:

It turns out that engineers are looking for meaningful creativity although they work under tremendous time pressure when developing a new system. In contrast to that, executives are primarily focused on the responsibility for liability and a timely sign-off. They expect the fulfillment of the safety requirements and a completely documented development process. This is presumed because they are afraid to be sued for dangerous situations and accidents due to technical system limits or operating errors at the end-user, which can also lead to a painful loss of image for the manufacturer.

In particular, the survey showed that a structured guideline with supporting advice forces the parties to come together on an interdisciplinary basis, to clearly present and discuss their diverging aspects and to decide according to the duty of care.

One effect of the survey was that it sensitized the interviewed development departments to the advantages of a guideline-based development process. The interviews also show that usually, the developers themselves with their technical expertise develop safe automated vehicle systems when they are motivated to engage in interdisciplinary exchange with other experts from neighboring disciplines. Design engineers know the weaknesses of their new technical system best and can initiate innovations "bottom-up" in companies.

Additionally, the interviews confirm that a guideline-based approach enables the affected developers to clearly and neutrally point out risks with corresponding proposals for measures because they know the limitations of their new technical system best.

A selection of 303 key questions (Annex B) from technical requirements, sustainability, Corporate Social Responsibility, up to criteria for communication, team work, leadership qualifications as well as Inner Development Goals supplemented by a consulting concept in chapter 6 supports the establishment of standardized processes and consulting-services.

#### **7.3 Integration of findings**

A mindful corporate team management, within new working conditions (New Work, Hybrid Work, Flexible Work) including Artificial Intelligence, must show a sustainable orientation for new developments. A sustainable orientation includes knowledge of the existing objective facts, the possibilities and risks of Artificial Intelligence, as well as the ethical and legal implications. According to this, political, economic and social decisions must be aligned in an equally sustainable manner. Artificial Intelligence can support managers in linking knowledge and designing complex functions, such as automated driving. In this context, management must ensure that new innovative product ideas – with the help of comprehensive information on secured development methods, production and release processes, through to marketing and product monitoring – are carried out with the intention of humane use.

This book also demonstrates using the example of automated driving that successfully interacting teams can reduce the criminal consequences for the company and the individual developer to a minimum if guideline-based checklists with relevant standards and methods are applied. By integrating the findings, it will be supported in dealing adequately with the new challenges facing automobile manufacturers and their developers in the field of functional safety of complex electrical/electronic systems and software topics to prevent from the criminal law punishments of a "defective product":

#### **1. Successfully self-reflected teams benefit from a guideline-based work process including requirements and consumer expectations:**

The basic prerequisite for successful teams are self-reflective team members who work together successfully (see checklist in Annex B from question 102 with inner development goals). Only in a successfully interacting team of experts Original Equipment Manufacturers can cope with new technical developments, legal developments on product liability, international conflicts, ethical and social requirements in connection with economic risks. This means that very high demands for quality and safety are placed on the development from product idea to marketing, whereby customer expectations on the functionality and safety of use with a correspondingly strong influence on traffic safety are of primary importance. Events in recent years have publicly shown that failure to comply with specifications can result in legal responsibility for developers and executives.

Predictions according to the ADAS Code of Practice and current questionnaires of more than 3000 people in Germany, the USA and China confirm that the expectations for functional safety are rising with an increasing level of automation (see Annex Fig. A.2 and A.4 to A.6). Therefore, an extension of the established test procedures is necessary to enable automated driving levels and at the same time to consider the entire range of possible traffic situations as comprehensively as possible in the safety tests.

For the development process from the first idea to the development, this elaboration recommends interdisciplinary, harmonized safety and test procedures. In this context, the further development of current internationally agreed standards including tools, methodological descriptions, simulations and guidelines with checklists is recommended. These will represent and document the practiced state of science and technology, which must be implemented in a technically suited and economically reasonable way.

#### **2. Successfully development teams benefit from the implementation of comprehensive measures for product monitoring:**

Opportunities for product monitoring must be used. This includes, for example, the monitoring of operational data, road accident events, and internet forums. A judgment of the Federal Court of Justice (BGH) as early as 1987 stated that in future companies must not only monitor the reliability of their products in practice, but above all draw their customers' attention to risks in daily operation – including those arising from the use or installation of accessories from other manufacturers.

The potential of information from nationwide databases and traffic accident data is far from fully explored. Previous accident analyses are mostly limited by criteria. Certainly, traffic accidents only represent a part of the traffic situation, but they play an important role in terms of consumer protection with civil and criminal law implications. Furthermore, small accidents with minor contact come very close to "near-accidents". An analysis of traffic violations, which has not been discussed here, could also provide valuable information.

For the development and validation of safe automated vehicles with reasonable effort, the author recommends test methods that consider a combination of worldwide traffic accidents, weather-, vehicle operating data and traffic simulations. This enables a realistic evaluation of internationally prospective traffic scenarios with statistically relevant real traffic scenarios as well as fault processes and stochastic models for controlling critical driving situations. These must be combined with virtual laboratory or driving simulator tests.

A representative driving situation catalogue including challenging and bad weather situations is recommended, which is simulated for all manufacturers according to the same specifications and the results are made available to the official institutions. This procedure ensures transparency of the overall effect of new automated driving functions in real traffic.

When designing driving strategies for behavioral decisions, the focus should be on completely avoiding dilemma situations, for example by designing vehicles for a correspondingly low-risk driving strategy.

#### **3. Successful teams are advised to engage an independent consultant beyond the respective development area:**

The interview partners would like to have a neutral face-to-face contact person outside of the development department who is always available to provide competent technical or legal advice in the event of questions and arising problems.

Competent support by an independent consultant from outside the respective area is recommended by all developers being interviewed. This adviser should support decisions and the accompanying documentation during the entire development process in conformity with the duty of care regarding to the central question:

"Is the developed system safe enough for market introduction?"

#### **4. Successful interacting development teams benefit from constant monitoring of social, ethical and legal issues**

The author's consulting work within corporate groups shows: Boards of directors and managing executives have recognized that Corporate Social Responsibility (CSR) and sustainable management have a positive impact on corporate success worldwide. The Sustainable Development Goals (SDGs) of the United Nations, including the Inner Development Goals (IDGs), are a valuable contribution to this.

For example, changes in responsibilities regarding road traffic are indicated by the analysis of German court decisions on pedestrian accidents since 2004 (See section 4.6.4 and Annex A: Change in jurisdiction on the responsibility for pedestrian accidents). The liability for damages in pedestrian accidents increasingly lies with the owner and therefore in the case of fully automatic functions in the future probably with the manufacturer. As a result, our current risk awareness in road traffic with regard to risk acceptance in automated driving levels must be called into question. An example for this is the child running between parked vehicles. In this context, it must be questioned whether speeds of 50 km/h or more are appropriate in traffic areas with visual obstructions, such as parking vehicles.

Conventional dynamically adapted interactions of today's mobility can also be questioned in terms of whether fully automated vehicles must always behave in accordance with traffic regulations. Today's mobility is based on the fact that in some traffic situations, human pragmatism makes decisions that are weighed up against traffic rules in order to maintain the flow of traffic. An example of this is the continuous road lane marking line that needs to be crossed to overtake a bike or a broken vehicle.

Traffic would probably come to a complete standstill in some places if rules were not broken. Therefore, the challenge is to program the vehicle software in such a way that it considers the illegal behavior of other road users and possibly breaks its own rules to reactivate the traffic flow. This leads to the recommendation that in the future the developers make their ethical decisions regarding the programming of the software within society more transparent, because this is where the opinion is formed which system reactions with corresponding risks are accepted. As long as not all rules for behavioral decisions have been made concerning how automated vehicles should behave in specific situations (when, how, why (or not) warn, steer, brake), the intensive dialogue between developers and system providers with society is recommended. This applies in particular to the performance of Artificial Intelligence self-learning systems. Deeper Neural Networks (DNN) with a depth of more than 150 layers are increasingly easier to optimize today and can improve their precision due to a significantly increased depth with errors of less than 4% in the classification task. As a result, the object recognition data set improves significantly (He K et. al., 2015, 2016).

So far, not all general requirements have been defined as to how a vehicle should behave in specific situations. The discussion about the safe state raises new questions too. Furthermore, it should be mentioned that automation, combined with connected networking, Artificial Intelligence and Deeper Neural Networks, offers new opportunities for cybercrime, another topic that is not discussed in detail here.

The concluding outlook on the current state of science again points to the limits of testability. While trivial systems can be tested, the challenge increases for complex systems. The Department of Motor Vehicles (DMV) in the USA, which is comparable to German road traffic authorities, publishes annual "Disengagement Reports". This includes, among other things, how often humans had to take corrective action during testing of fully automated vehicles or when the system returned control to the safety driver.

These results indicate on one hand the successful commitment of the Google subcompany Waymo and on the other hand the need to optimize the robustness of fully automated vehicles. While Apple's test drivers had to intervene a total of 871.65 times per 1000 miles traveled (one intervention per 1.1 miles), Waymo's test drivers only intervened 0.09 interventions per 1000 miles (one intervention every 11,154 miles), (see Annex Fig. A.7).

**Open Access** This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

# **Annex A: Change in Jurisdiction on the Responsibility for Pedestrian Accidents**

According to Germany § 3 Abs. 2 a StVO (the vehicle driver has to behave towards children, people in need of help or elderly people, especially by reducing the driving speed and by being ready to brake, in such a way that a danger to these road users is excluded) an earlier reaction or slowing down is required.

In the following, the jurisdiction on the responsibility for pedestrian accidents has been researched on examples since 2004. There has been a significant change since the Federal Supreme Court (Bundesgerichtshof – BGH) ruling of 2014. The trend shows that the liability for damage in pedestrian accidents could in future rather remain with the owner and, in the case of fully automated functions, probably remain with the manufacturer. It is recommended to pay attention to the further jurisdiction.

#### **1. Regensburg Regional Court (Landgericht – LG) Reference number: 1 O 1708/04, dated October 28, 2004:**

In the event of an accident involving a pedestrian or cyclist, the operational risk can be reduced to the fault of the non-motorized road user, even if there was no force majeure.

Note: Old common jurisdiction (the responsibility lies with the pedestrian) the operational hazard is receding

#### **2. Kammergericht (KG) corresponds to the Oberlandesgericht (OLG) Berlin Reference number: 12 U 138/05, dated June 06, 2006:**

Pedestrians who wish to cross a roadway outside pedestrian crossings or the markings of traffic lights must carefully ensure that the roadway is clear. If the crossing pedestrian collides with a motor vehicle, this indicates gross fault on the part of the pedestrian, in particular insufficient observation of the traffic situation, behind which the operational hazard of the motor vehicle regularly recedes.

Note: Old common jurisdiction (the responsibility lies with the pedestrian) the operational hazard is receding

#### **3. Kammergericht (KG) corresponds to the Berlin Higher Regional Court (OLG) Reference number: 12 U 143/08, dated February 26, 2009:**

The pedestrian must pay attention to the privileged traffic on the road and may not try to cross the road in front of an approaching vehicle. In any case, if there is heavy traffic, pedestrians must expect that vehicles approaching in the right lane will also approach in the left lane. If the pedestrian nevertheless takes a fast step onto the road, he acts with gross negligence and the result is that the operational hazard of the vehicle from which he is approached in the left lane is completely receded from the pedestrian's own fault.

Note: Old common jurisdiction (the responsibility lies with the pedestrian) the operational hazard is receding

#### **4. Kammergericht (KG) corresponds to the Berlin Higher Regional Court (OLG) Reference number: 12 U 178/09, dated June 24, 2010:**

If a vehicle driver injures a 16-year-old pedestrian who is on the roadway when reversing into a parking space with the left side of the vehicle swinging out (who had previously crossed a barrier in violation of § 25 Section 3, 4 StVO to cross the roadway at an unauthorized point and had also noticed that the vehicle would reverse into the parking space) the liability for operational risk is subordinated to the gross negligence of the pedestrian.

A duty of a motorist parking backwards, who had checked the space behind him before starting to reverse (to check the space to the left of his vehicle again before entering the parking space to ensure that there is no other road user there) does not apply to a pedestrian acting in gross violation of traffic regulations, which he should not have expected.

Note: Old common jurisdiction (the responsibility lies with the pedestrian) the operational hazard is receding

#### **5. Köln Higher Regional Court (Oberlandesgericht – OLG) Reference number: 7 U 103/10, dated November 25, 2010:**

The possible slight fault of a motor vehicle driver and the operational hazard of the vehicle completely recede behind the gross own fault of a heavily drunken pedestrian, who lies darkly dressed on the dark road in the dark.

Note: Old common jurisdiction (the responsibility lies with the pedestrian) the operational hazard is receding

#### **6. Düsseldorf Higher Regional Court (Oberlandesgericht – OLG) Reference number: I-1 U 255/10 dated November 15, 2011:**

The fact that pedestrians at an intersection controlled by light signals may only cross the road under green light is an elementary rule of behavior. Running onto the road in red is highly negligent. The operational hazard of the vehicle entering the intersection at green is secondary to the gross negligence of the pedestrian.

Note: Old common jurisdiction (the responsibility lies with the pedestrian) the operational hazard is receding

#### **7. Regional Court Essen (Landgericht – LG) Reference number: 3 O 358/10 dated February 27, 2012:**

If a pedestrian inattentively crosses the road without paying attention to approaching vehicles and is covered by a preceding vehicle for the claimed driver, the accident is unavoidable for the driver and the operational hazard of the vehicle driven by him behind the fault of the pedestrian completely recedes.

Note: Old common jurisdiction (the responsibility lies with the pedestrian) the operational hazard is receding

#### **8. Federal Supreme Court (BGH)**

#### **Reference number: VI ZR 308/13 dated August 19, 2014:**

According to § 9 StVG, § 254 BGB, the compensation claim of the pedestrian, who is not subject to strict liability, may only be reduced if it is established that the pedestrian has caused or contributed to the damage through his or her conduct. This requires the conviction of the court according to the standard of proof of § 286 ZPO. The burden of proof for a misconduct of the pedestrian lies with the driver and owner of the vehicle.

Note: Change in jurisdiction from Federal Supreme Court – the responsibility lies with the driver and the holder of the vehicle and may only be reduced

#### **9. Regional Court (Landgericht – LG) Berlin Reference number: 41 O 174/14 dated July 02, 2015:**

If an 11 years and 9 months old girl enters the road without paying attention to any approaching motor traffic and an accident occurs with an approaching motor vehicle, the proof of the first appearance speaks for a gross fault of the pedestrian with the result that the operational risk of the motor vehicle is less than the fault of the girl.

Note: Again, old common jurisdiction (the responsibility lies with the pedestrian) the operational hazard is receding

#### **10. Higher Regional Court (Oberlandesgericht – OLG) Munich dated January 12, 2018: 10 U 1616/17**

1. According to the constant jurisdiction of the BGH (compare e.g. decision from 19. August 2014, Case Number: VI ZR 308/13, Legal Weekly Magazine NJW 2014) the claim for compensation of the pedestrian, who in contrast to the defendants does not meet any liability for danger, may be shortened according to § 9 StVG, § 254 BGB only if it is certain that he or she caused the damage by his or her behavior or was partly to blame.

(2) Full liability, without considering the operational risk, shall be taken by the driver and the holder of the vehicle even if it remains unclear how the traffic light was switched when the pedestrian crossed the road.

Note: With reference to change in jurisdiction from BGH 2014 – the responsibility lies with the driver and the holder of the vehicle and may only be reduced.

#### **11. Higher Regional Court (Oberlandesgericht – OLG) Düsseldorf: Reference number: I-1 U 196/14 dated April 10, 2018:**

In the event of a pedestrian accident, ignoring the operational risk only comes into consideration in exceptional cases. Even gross negligent behavior is not sufficient. In the absence of further worsening circumstances, it must also be considered whether the accident was unavoidable for the driver. If even an ideal driver could not have prevented the accident with a more forward-looking and extra cautious driving style, this suggests that the liability from § 7 StVG should be completely ignored.

Note: With reference to change in jurisdiction from BGH 2014 – a more forward-looking and extra cautious driving style is necessary.

# **Annex B: Summarized Questions for Developers**

#### **The following questions are fundamental for consulting the general development process:**


#### **General Questions for safe automated vehicles are covered in the respective chapters:**


#### **Further questions also arise beginning from level 3 systems and above to improve product safety:**


#### **The following two questions focus on specific examples from accident research:**


#### **An unambiguous understanding of acceptable risks is the basis for decisions on automated system designs:**


#### **The questions for testing automated vehicles:**


#### **Information Access:**


#### **Information Reception**


#### **Data Processing**

50) Is the sensor and information processing system able to correctly interpret the traffic situation according to the available information?

#### **Objective Target**

51) Is the system able to react appropriate to the traffic situation?

#### **Operation**

52) Is the information processing system able to carry out the decision into operation properly?

#### **Questions according to the system definition:**


#### **Questions for legal risk assessment:**


#### **Questions to avoid civil and criminal claims:**


#### **Central Question for Validation:**

66) Did we build what we promised? (Validating and testing during or at the end of the design process is to determine whether it meets customer expectations and specified requirements)

#### **Essential questions from previous product liability cases:**


#### **Questions arising in an ethical context:**


#### **Questions related to the activities for functional safety management:**


#### **Detailed questions on team communication practices regarding Sustainable Development Goals (SDG) and Inner Development Goals (IDG):**


#### **Detailed questions regarding the skills and behavior of team leaders:**


#### **Detailed questions regarding team development and organizational development support from an internal or external consultant:**


#### **Detailed questions regarding the personal and developmental skills of all individuals:**


#### **Ethics-related practical questions for all managers and employees**


#### **Questions regarding an ecologically economical, sustainable management approach (Corporate Social Responsibility – CSR)**


#### **Checklist for the selection of project managers:**


#### **In-depth questions regarding your self-reflection or each individual person**


Regarding Corporate Social Responsibility and Sustainability, the author refers to the United Nations Sustainable Development Goals (SDG) at www.un.org. The United Nations defined 17 goals as a call to act for sustainable development worldwide. These 17 topics were accepted by all UN member states in 2015 as being part of the 2030 Agenda for Sustainable Development:


A nonprofit initiative added the Inner Development Goals (IDG) to accelerate the realization of these UN Goals (www.innerdevelopmentgoals.org):

1. Being (relationship with self): Cultivating our inner life, our development and relationship to our thoughts, our feelings to be present, acting with intention and non-reactive when confronted with complexity.


# **Annex C: Questionnaire for Qualitative Interviews with Developers**

For qualitative interviews in the development departments, an interview guide for general orientation was prepared.

#### **1. Preparation for conducting interviews**

These interviews were conducted in the development departments of two South German automotive manufacturers.

The following was introduced in advance:


#### **2. Implementation of the questions and welcome 2.1 Procedure**

	- Which function do you develop?
	- What are your responsibilities?

#### **2.2 Framework Conditions**


#### **3. Special questions for experienced executives and leaders (Excludes questions from point 4!)**

Assuming that experienced executives and leaders have no experience with structured development processes having regard using specific standards or guidelines the survey initially differs somewhat.

#### **3.1 Questions Regarding Knowledge and Experience of Structured and Guided Development**

#### **3.1.1 Awareness of guidelines, such as a code of practice**

a) Do you know development guidelines?

If there is no previous knowledge:

*If no examples are mentioned at this point, a brief explanation is given about the possibilities of a guideline and checklist supported development process*

b) How do you rate the possibility of an application in your development sector?

If there are already experiences:


e) How do you generally see the development of new systems based on a guide or checklist?

#### **3.1.2 Experiences with development guides**

At which points in the development process do you consider a development guide particularly useful or worthwhile?

#### **4. Survey of developers (Excludes questions from point 3!)**

#### **4.1 Questions on the experiences of the development process supported by 4.1.1 Knowledge of guidelines**

How is your basic opinion about developing assistance systems with guide or checklist support?

#### **4.1.2 Experience with checklists and guidelines**


#### **4.2 Questions about findings from work with guidelines**


#### *With regard to the development of driver assistance systems, I would have further questions:*


#### **4.3 Questions about advantages and disadvantages of guidelines 4.3.1 Advantages**

a) What strengths do you see in a structured guideline-based development?

If strengths are mentioned:

b) Where could you see strengths in the application?

#### **4.3.2 Perceived general weaknesses**

a) What is bad about guidelines from your point of view? Do you see weaknesses?

If weaknesses are mentioned:

b) How was your experience with the weaknesses?

If no weaknesses were identified:

c) Where do you see potential for improvement?

#### **4.3.3 Perceived special challenges**


#### **4.4 Questions about using a guideline e. g. Code of Practice**

*Note: The following questions will only be asked if a guideline has been applied!* **4.4.1 Opinion on actual application**


*If the importance / usage is low:*


#### **4.4.2 Comprehensibility of checklists (Example: Code of Practice for Advanced Driver Assistance Systems)**

a) Have you started the processing of checklists yourself without assistance? What did the support look like? (If advise was given in advance)

*Moderation: If no advice was given:*


#### **4.4.3 Questions for missing or dispensable content (Example: Code of Practice for Advanced Driver Assistance Systems)**


#### **4.5 Questions about the future of structured and guided development**


*Moderation: Finally, general questions about your daily work routine:*

#### **4.6 Questions about work motivation**


If not:


*Moderation: Thank you very much for your acceptance and readiness to provide information!*

### **Suggested online questionnaire on guided development**

#### **Suggestion for a quantitative online survey about the potentials and hindrances of a guided development process**

Dear participant,

First of all, I would like to thank you very much for your participation in this study. The survey will take between 10 and 15 minutes. A specially selected group of people is asked, whereby their opinions are considered for the response of many.

Of course, your information will be treated confidentially and evaluated anonymously. Thus, it is impossible to draw conclusions about your person afterwards. The strict scientific principles of market and social research are applied. I guarantee the security of your data and thus the compliance with data protection law.

In the following survey you will find some questions about guidance-based development. This concerns only your personal opinion; there is no "right" or "wrong". Please click on the appropriate box or write your answer in the field provided.

Thank you very much!

#### **Contents of the Online Survey**


#### **A. Knowledge and personal use of guided development**


#### **B. Attitude to and evaluation of guided development**


#### **C. Attitude to the own work**


#### **D. Demography Finally, a few questions about yourself:**


**Thank you for your time and feedback!!**

# **Additional Figures**

See page 180 to 182:



#### *Verkehrsunfallanzeige Personen-/Sachschaden*




**Fig. A.1** German Traffic Accident Report "Verkehrsunfallanzeige Personen-, Sachschaden". (Source: The Bavarian Ministry of the Interior and Integration)


**Fig. A.1** (continued)


**Sachverhalt** 

IBP 043c (2003-05-22) Ort, Name, Amtsbezeichnung, Unterschrift

**Fig. A.2** User expectations and level of automation. (Source: ADAS Code of Practice)


**Fig. A.3** Example Documentation Sheet. (Source: Knapp A, Neumann M, Brockmann M, Walz R, Winkle T (2009) ADAS Code of Practice)

How do you think road safety will change as a result of the following levels of automation?

**Fig. A.4** User safety expectations with increasing level of automation. (Source: Schierge Frank (2017) Sicherheit autonomer Fahrzeuge, Ergebnisse der Verbraucherbefragung in Deutschland, USA und China, TÜV Rheinland Kraftfahrt GmbH, Innovations- und Marktforschung, Köln)

Question: To what extent do you agree with the following statements on the safety of autonomous vehicles on the road? "In an autonomous vehicle, humans should always have the opportunity to intervene in an emergency."

**Fig. A.5** Rating of safety in relation to the automation level. (Source: Schierge Frank (2017) Sicherheit autonomer Fahrzeuge, Ergebnisse der Verbraucherbefragung in Deutschland, USA und China, TÜV Rheinland Kraftfahrt GmbH, Innovations- und Marktforschung, Köln)

Question: To what extent do you agree with the following statements on the safety of autonomous vehicles on the road? "In an autonomous vehicle, you should always have the opportunity to intervene in an emergency."

**Fig. A.6** Agreement of opportunity to intervene in an emergency. (Source: Schierge Frank (2017) Sicherheit autonomer Fahrzeuge, Ergebnisse der Verbraucherbefragung in Deutschland, USA und China, TÜV Rheinland Kraftfahrt GmbH, Innovations- und Marktforschung, Köln)

**Fig. A.7** Interventions required per 1000 miles from test-drives for the period from December 2017 to November 2018 (all organizations in California that had a license to operate autonomous vehicles). (Source: Department of Motor Vehicles (DMV), Autonomous Vehicle Disengagement Reports 2018)

**Fig. A.8** Levels of Automation with Scope ADAS and AD Code of Practice. (Source: Winkle T., Bengler K. (2020), Level 3 pilot EU Project, ADAS Code of Practice, https://www.ace a.be)

**Fig. A.9** Aschaffenburg/Alzenau traffic accident site: accident possibly caused by active steering assist? (Source: Police Headquaters Unterfranken Würzburg)

**Fig. A.10** Aschaffenburg/Alzenau traffic accident site overview. (Source: Bayernviewer, BayernAtlas and GeodatenOnline, Bayerische Vermessungsverwaltung, Bavarian Agency for Digitization, High-Speed Internet and Surveying, https://www.geodaten.bayern.de)

**Fig. A.11** Uber test vehicle: Relationships between distance/time/speed from accident simulation. (Source: Winkle T, Data: National Transportation Safety Board. Vehicle Automation Report (2019))


**Fig. A.12** Uber data recorder: time, speed, Artificial Intelligence sensor classification, trajectory prediction. (Source: Winkle T, Data: National Transportation Safety Board. Vehicle Automation Report 2019)

**Fig. A.13** Total annual mileage in Germany. (Source: Statistisches Bundesamt (2021), \* Until 1990 former federal state of Germany, until 1952 without Saarland, until 1952 fatalities on the day of the accident, from 1953 fatalities within 30 days after the accident)

#### **Kilometers driven in Germany without fatalies**

**Fig. A.13** (continued) Kilometers driven in Germany without fatalities. (Source: Statistisches Bundesamt 2020), \* Until 1990 former federal state of Germany, until 1952 without Saarland, until 1952 fatalities on the day of the accident, from 1953 fatalities within 30 days after the accident)

**Fig. A.14** Kilometers driven in Germany without injuries. (Source: Statistisches Bundesamt (2020), \* Until 1990 former federal state of Germany, until 1952 no Saarland)

**Fig. A.15** Kilometers driven in Germany without property damage. (Source: Statistisches Bundesamt (2021), \* Until 1990 former federal state of Germany, until 1952 without Saarland, until 1952 fatalities on the day of the accident, from 1953 fatalities within 30 days after the accident)

**Fig. A.17** Image classification error rates: Artificial Intelligence models versus human error rates. (Data Source: ImageNet ILSVRC Top-5 (2020), Statista 2020, He K et. al. (2015) Surpassing Human-Level Performance on ImageNet Classification (2015), Russakovsky O et. al. (2015) ImageNet Large Scale Visual Recognition Challenge, Dodge S, Karam L (2017))

**Fig. A.18** Maximum total area of action (car to x communication). Data Source: Winkle T, et. al. (2009) Accident data analysis - GIDAS area of action analysis: simTD use cases

#### **1. Ensure a stable and flexible self**


#### **4. React moderately**

	- calm and steady. Do not fall into reactive behavior.
		- Remain engaged, even when your counterpart is acting "crazy". Nevertheless, do not postpone necessary reactions.

#### **2. Open your heart, be mindful**

	-
	- - Face your challenges, be willing and able to suffer pain, discomfort, disappointment and frustration with a passion to achieve specific goals.

**Fig. A.19** Aspects of inner balance in interdisciplinary teams. Data Source: Winkle T (2021), Snarch D (2018). (Source: Elnur/Shutterstock)

**Fig. A.20** Implications of Deep Neural Network Image Recognition on ethics and law in product development

# **Glossary**


such as "full potential for autonomous driving", "Autopilot: included" and "By the end of the year: autonomous driving in urban areas" were considered misleading for consumers by the Landgericht München I.

(see decision of 14.07.2020, Reference number 33 O 14041/19)

**Avoidability:** (Vermeidbarkeit) The avoidability of an accident is given to a person involved in an accident if they could have prevented the collision by observing the maximum permissible speed or the locally appropriate speed or if he could have reasonably been expected to react. A distinction is made between geographical and time-related avoidability.




can drive in a true-to-life scene with automated components. They can be conducted on a public road or a test track.


the new technical aspects (forms of crime caused by computer networks, the Internet); (Hilgendorf E, Valerius B, 2021)


(1st Stanford University) and 2007 (1st Tartan Racing, 2nd Stanford Racing Team).


always remains with the driver. ADAS represent a subset of driver assistance systems and provide active support for lateral or/and longitudinal guidance with or without warnings. They recognize and evaluate the vehicle environment, using complex signal processing and direct interaction between the driver and the system, with main focus on the maneuvering level (ADAS CoP).


**Functionality:** A series of functions connected with software and/or hardware.


It is defined by transport policy and guiding principles, such as environmentally friendly transport or a city designed for human needs (Bratzel S et al., 2020).


specific criteria for proven use are not defined exactly the same in various industries. Definitions can be found, for example, in the IEC 61508, IEC 61511, DIN EN 5028, DIN EN 5029, ISO/SAE 21434, ISO 22737, ISO 26262, EN 13849, ISO 13849, DIN 50116 and DIN 50600.


the usual, historically developed standard, there is, according to the current opinion, no improper violation of the law.


# **References: Collaborations out of research groups**

Insights from the author's 17 years' automotive research experience have been incorporated into this book. During his work at Volkswagen, Audi, Daimler Research as well as the Daimler and Benz Foundation, the author has participated in the following research projects and jointly published the corresponding results:

### **European Commission Project RESPONSE 2**


#### **European Commission Project RESPONSE 3**

Knapp A, Neumann M, Brockmann M, Walz R, Winkle T (2009) Code of Practice for the Design and Evaluation of ADAS, Preventive and Active Safety Applications, eSafety for

© The Editor(s) (if applicable) and The Author(s) 2022 T.Winkle, *Product Development within Artificial Intelligence, Ethics and Legal Risk*, https://doi.org/10.1007/978-3-658-34293-7

road and air transport, European Commission Integrated Project, Response 3, European Automobile Manufacturers' Association – ACEA, www.acea.be, Brussels

Donner E, Winkle T, Walz R, Schwarz J (2007) RESPONSE 3 – Code of Practice für die Entwicklung, Validierung und Markteinführung von Fahrerassistenzsystemen (ADAS). In Technischer Kongress 2007, Verband der Automobilindustrie (VDA), pp. 231–241, Sindelfingen

#### **German Research Project simTD (Safe intelligent mobility – Test Field Germany)**

Winkle T, Mönnich J, Bakker J, Kohsiek A (2009) Accident data analysis – GIDAS area of action analysis: Selected simTD use cases to represent a maximum area of action (Unfalldatenanalyse GIDAS-Wirkfeldanalyse ausgewählter simTD-Anwendungsfälle zur Darstellung eines maximal anzunehmenden Wirkfeldes), Deliverable simTD, funded and supported by: Federal Ministry of Economics and Technology (BMWi), Federal Ministry of Education and Research (BMBF), Federal Ministry of Transport, Building and Urban Affairs (BMVBS), Berlin

#### **Research with Fraunhofer IVI and TU Munich**

Winkle T, Erbsmehl C, Bengler K (2018) Area-wide real-world test scenarios of poor visibility for safe development of automated vehicles, European Transport Research Review Extended Findings. Springer Nature, Berlin, Heidelberg

# **References of the author**


# **List of References**


© The Editor(s) (if applicable) and The Author(s) 2022

T.Winkle, *Product Development within Artificial Intelligence, Ethics and Legal Risk*, https://doi.org/10.1007/978-3-658-34293-7

and Evaluation of ADAS, RESPONSE 2, European Commission Public Report, Project Deliverable D3, Brussels


and macroscopic socioeconomic evaluation, RESPONSE 2, European Commission Public Report, Project Deliverable D2, Brussels


Filburn T, Bullard S (2016) Three Mile Island, Chernobyl and Fukushima, Springer International Publishing Switzerland


Chrysler Limited Liability Company LLC, NHTSA Action Number: PE15021, Date: June 01, 2015, http://www.nhtsa.gov


Recognition Challenge, International Journal of Computer Vision 115, 211–252. https:// doi.org/10.1007/s11263-015-0816-y

