As more and more functions for automated driving find their way into vehicles these days, we have to take a look at the existing Functional Safety Standards, especially ISO 26262:2011 for Automotive. The question is whether they provide enough guidance and cover all necessary aspects. To answer it we need to look at one of the recent accidents involving automated driving functionality.
We will take the example of the fatal accident in Williston, Florida, USA on May 7th, 2016. All facts stated here are publicly available. The accident happened with a Tesla Model S, equipped with an autopilot feature based on a mono camera, radar and some ultrasonic sensors. The autopilot feature is still in a public beta phase of introduction and has limitations. Therefore, drivers are required to always keep hands on the steering wheel and be prepared to take over control at any time. Referring to the levels of automated driving according to SAE J3016, this is considered a level 2 Partial Automation.
In this accident the autopilot had been switched on. The driver reportedly did not have his hands on the wheel and was not observing the traffic. When a truck with a trailer made a left turn in front of the vehicle, the system did not brake and the vehicle crashed into the trailer.
So far, it seems that neither the autopilot camera nor the driver noticed the white side of the trailer against a brightly lit sky, and therefore the brakes were not applied. Furthermore, the radar seems to have mistaken the high trailer for an overhead road sign and therefore did not recognize a dangerous situation either.
What went wrong here? What is the root cause?
Considering the public information available at that time, it seems that multiple root causes are possible:
- The driver ignored his obligation not to rely on the automated driving feature.
- The object detection algorithm was not able to analyze the situation correctly, so a malfunction occurred even though the electronics had no fault at that point in time. In special situations, present-day object detection algorithms are far from matching the reliability of human perception.
Who takes over the responsibility for what has happened?
According to the Vienna Convention on Road Traffic of November 8th, 1968, “every driver shall at all times be able to control his vehicle….” and the driver is required to observe the traffic. Therefore, the driver is at least partially responsible for the situation. Whether further parties can be held responsible will most likely be one of the outcomes of the ongoing investigation by the National Highway Transportation Safety Administration (NHTSA).
Is this a Functional Safety issue addressed by ISO 26262? If not, is it addressed by any other Standard?
This is a safety issue since a person died. The root cause of the accident, however, is not addressed by ISO 26262: “ISO 26262 does not address the nominal performance of E/E systems, … (e.g. active and passive safety systems, brake systems, Adaptive Cruise Control).”
ISO 26262 only contains guidance for development to address faults of the electronics, i.e. their deviation from the specification. It does not include guidance on preventing specifications that themselves lead to malfunctioning behavior.
This kind of malfunctioning will be addressed by the upcoming ISO Publicly Available Specification: Road Vehicles – Safety of the Intended Functionality (SOTIF): “This document provides guidance on the design, verification and validation measures applicable to avoid a malfunctioning behavior in the system in the absence of faults, resulting from system definition shortcomings.”
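To make the distinction between a fault (ISO 26262) and a system definition shortcoming (SOTIF) concrete, the following toy model is an added example; it is not the article's own material and does not describe any manufacturer's real algorithm. Every constant, sensor model and decision rule in it is a hypothetical, constructed specification. The radar rule deliberately discards high reflections so the car does not brake for bridges and overhead signs, and the camera alone is not confident enough about a bright object. Both components do exactly what their specification says, so there is no fault to find, yet the fused decision under the first specification is to do nothing. The second specification shows the SOTIF idea of naming the triggering condition explicitly and mapping it to a defined fallback (here, a takeover request) instead of silence.

```python
# Added example (hypothetical model, not from the article or any vehicle maker):
# a "malfunction in the absence of faults" caused by an incomplete specification.
from dataclasses import dataclass


@dataclass(frozen=True)
class RadarReturn:
    range_m: float            # distance to the reflection
    height_m: float           # estimated height of the reflection above the road
    closing_speed_mps: float  # positive when the reflection approaches the ego vehicle


@dataclass(frozen=True)
class CameraResult:
    object_confidence: float  # 0..1 confidence that an obstacle blocks the lane


# Hypothetical specification values, constructed for this example only.
OVERHEAD_MIN_HEIGHT_M = 1.5   # returns at or above this height are treated as overhead structures
CAMERA_BRAKE_CONF = 0.7       # camera confidence needed to trigger braking on its own
CAMERA_AMBIGUOUS_CONF = 0.3   # below this the camera is treated as "sees nothing"
NEAR_RANGE_M = 60.0           # range inside which an unresolved return still matters


def radar_reports_obstacle(r: RadarReturn) -> bool:
    """Spec v1 radar rule: suppress high reflections to avoid false braking
    under bridges and signs. This function behaves exactly as specified."""
    return r.height_m < OVERHEAD_MIN_HEIGHT_M


def decide_v1(radar: RadarReturn, camera: CameraResult) -> str:
    """Original (incomplete) fusion spec: brake if either sensor confirms an
    obstacle, otherwise do nothing. No component is faulty, yet a high object
    that the camera cannot see well yields 'none'."""
    if radar_reports_obstacle(radar) or camera.object_confidence >= CAMERA_BRAKE_CONF:
        return "brake"
    return "none"


def decide_v2(radar: RadarReturn, camera: CameraResult) -> str:
    """SOTIF-style extended spec: the triggering condition 'high radar return
    within near range that the camera cannot rule out' is named explicitly and
    mapped to a defined fallback instead of silence."""
    if radar_reports_obstacle(radar) or camera.object_confidence >= CAMERA_BRAKE_CONF:
        return "brake"
    unresolved_high_return = (
        radar.height_m >= OVERHEAD_MIN_HEIGHT_M
        and radar.range_m <= NEAR_RANGE_M
        and radar.closing_speed_mps > 0
    )
    if unresolved_high_return and camera.object_confidence >= CAMERA_AMBIGUOUS_CONF:
        return "request_takeover"
    return "none"


# Constructed scenarios (illustrative values, not measurements).
TRAILER = (RadarReturn(range_m=40.0, height_m=2.0, closing_speed_mps=30.0),
           CameraResult(object_confidence=0.4))   # bright trailer side, low camera confidence
SIGN = (RadarReturn(range_m=40.0, height_m=5.0, closing_speed_mps=30.0),
        CameraResult(object_confidence=0.05))     # overhead sign, road beneath clearly free
CAR_AHEAD = (RadarReturn(range_m=25.0, height_m=0.8, closing_speed_mps=10.0),
             CameraResult(object_confidence=0.9))  # ordinary vehicle, both sensors agree


def run_all() -> dict:
    """Return the v1 and v2 decision for every scenario, keyed by scenario name."""
    scenarios = {"trailer": TRAILER, "sign": SIGN, "car_ahead": CAR_AHEAD}
    return {name: (decide_v1(*s), decide_v2(*s)) for name, s in scenarios.items()}


if __name__ == "__main__":
    for name, (v1, v2) in run_all().items():
        print(f"{name:10s} spec v1 -> {v1:16s} spec v2 -> {v2}")
```

Running the block prints "none" for the trailer under spec v1 and "request_takeover" under spec v2, while the overhead sign still yields "none" and the ordinary car ahead yields "brake" under both. Nothing in v1 would be flagged by fault-oriented measures, because each function matches its specification; what changes in v2 is the specification itself, which is the kind of system definition shortcoming SOTIF is meant to address.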
How can this incident be prevented in the future?
Society and legislation have to balance the increased safety provided by active safety systems and automated driving on the one hand against the reduced safety caused by remaining system hazards on the other. In our opinion, it will most likely be decided that automated driving is only allowed as far as the overall health risk is reduced.
SOTIF can help to cover the open flank of Functional Safety, as it deals with missing and incomplete specifications and other system definition shortcomings, such as misdetection by sensors. Its scope will be Advanced Driver Assistance Systems with automation levels 0-2 (SAE J3016). SOTIF is planned to be available in 2018, together with the 2nd edition of ISO 26262.
By applying ISO 26262 and SOTIF together, both hazards from electric / electronic system faults and hazards resulting from insufficient system definitions will be dealt with.
Dr. Erwin Petry, Process Director at KUGLER MAAG CIE, Functional Safety Expert (TÜV Rheinland #167/11 Automotive), CMMI Institute-Certified SCAMPI Lead Appraiser
Steffen Herrmann, Process Director at KUGLER MAAG CIE, Functional Safety Engineer (TÜV Rheinland, #11218/15, Automotive), iNTACS™ Certified Principal Assessor, iNTACS™ Certified Instructor (Provisional Level)