Monday, May 10, 2021

Safety Experts Speak Up - #10 Comments in Response to NHTSA ANPRM

Rant first, comments to follow

Maybe prioritizing corporate business and speed is a luxury attitude available to those untouched by vehicle crashes, or maybe we as a people can't resist the sleek charm and public relations of those selling and lobbying for a major industry that is accustomed to getting its way in Congress and in state and local planning.

Most people are like my neighbors, the couple who walked into a dealership and were told that the car could drive itself for five minutes at a time, as though that were some magic interval, while they could read or watch TV on their phones. They had no idea that no car sold today lets the driver stop paying attention entirely for any period, whether one or five or 30 minutes, and that there are no safety standards, and no testing performed by a neutral party or a government agency, to ensure the safety of the technology to which they would be entrusting their lives - and the lives of anyone else on the road.

We assume that the law, the regulations, and those in the industries that produce our vehicles somehow look out for us. The job of a government agency is to safeguard people, not promote particular corporations or industries. When we drive a car, we want to think that the safety and operational assurances, or what look like assurances, actually mean something, whether those are statements made at a dealership, a rental agency, or - carefully worded - in the car manual.

We need engineers because they actually understand and are interested in the details of how to ensure as much safety as possible. 

Safety experts speak process, not promises

Gleaning the comments on the proposed Framework for Automated Driving System Safety is a rich opportunity for NHTSA (National Highway Traffic Safety Administration) to heed expert engineering advice on safety standards from those with education, expertise, and experience.

As I come to comment #318 - with more than that to go - I have read a few from safety experts, who speak frankly and without guarantees. I might not have read all the comments of this type yet, as there are so many still in that virtual unread pile of a few hundred, but so far I am finding some suggestions that keep popping up. It's premature to say that this is a consensus that NHTSA should heed, but these are experts with decades of experience that NHTSA should listen to.

Three comments in particular stand out for their frankness and the quality of the knowledge behind them:

IIHS has over 50 years of experience (going back prior to its merger with HLDI) and a track record of encouraging automotive safety improvements. Steven Shladover has been the co-chair of the annual automated vehicle (AV) symposium (along with Jane Lappin) since its inception, and he has 45 years of experience in automation technology. He is now retired from the University of California's PATH program at Berkeley.

Let's not be mistaken: these are not, as far as I know, complete streets advocates or new urbanists riding on cargo bikes with helmeted toddlers; they are car people, but engineers who believe in and work to improve safety.

Daniel Malarkey at Sightline has a somewhat different background. His LinkedIn bio says that he "has helped implement large-scale projects in infrastructure, technology, and energy in Washington for nearly thirty years. For Sightline, he thinks and writes about the same topics with a view towards sustainability." His knowledge is more energy and planning oriented than anything to do with automotive topics or automation. Yet his comments focus on the same processes for achieving safer AV outcomes as IIHS-HLDI and Shladover.

Personal translation: Even playing field of rules beats out neighborhood gang brutality (from my Brooklyn childhood brain)

All three of these comments recommend a government-generated framework for safety regulation through a process rather than through any required outcomes, hardware, or software. What they all state plainly enough for any non-engineer-or-brilliant person to understand is that NHTSA should step up and actually fulfill its responsibility by establishing mandatory rules and getting rid of the farce of voluntary standards. None of these commenters uses language quite like that, because these are diplomatic professionals, albeit engineers; but that's the gist.

The Sightline Institute comment, however, gets pretty blunt, while basing its argument on the current status of AV technology. 

The private companies racing to market automated vehicles and robo-taxi services would rather “self-certify” their safety. Such a position reflects the narrow financial interests of individual firms rather than the broad public interest. Moreover, it will ultimately undermine the public trust necessary to enable widespread adoption of these beneficial technologies when they are sufficiently safe. We encourage NHTSA to carefully weigh the case for adopting a standard that doesn't inhibit innovation but does require companies to make a comprehensive argument, supported by data, for the safety of their automated systems prior to deployment.

These are not maniacs against capitalism, but rather proponents, even at their most blunt, of using regulation to create an even playing field in which those capitalists can operate, while promoting safety and correcting for the tendencies of individuals and corporate leaders to put profits and bragging rights ahead of the lives of unknown people who are going about their daily lives.

Which standard? I just want the machine to work. 🤷

Engineers have actually been studying and developing safety protocols for a long time. Surprise to me, but some of these are generally accepted in the auto industry. I will quote some of the language around the rejection of NHTSA's current voluntariness approach and the standards mentioned in these comments.

From IIHS-HLDI:

It is clear from the current notice and NHTSA’s past publications that the agency is reluctant to issue prescriptive regulatory mandates governing ADS behavior. However, the guidance issued by NHTSA so far is too vague to help ADS developers understand what will be expected of their efforts or to provide the public with any confidence that the agency is, in fact, trying to ensure that ADSs will be safer than human drivers. To move forward from its current “hands-off” state, we recommend that NHTSA begin by formulating specific guidance based on the process and engineering measures described in the notice. [p. 3]

IIHS-HLDI recommend that NHTSA adopt an “all of the above” approach to guiding the development of ADS technology to address the causes and contributing factors that lead to injury and death from motor vehicle crashes. Focusing on process measures in the near term by auditing ADS developers’ safety cases would provide NHTSA with an opportunity to shape ADS safety ahead of its deployment onto our nation’s roads. It seems that ISO 21448, ISO 26262, UL 4600 or some combination of the three could be used as the basis for such an effort. Specifying sooner rather than later how NHTSA will judge safety cases can only help ADS developers address the requirements that ultimately should be imposed on them. We urge NHTSA to issue a specific proposal describing how it plans to ensure the sound development of safety cases by those entities developing ADS technology. [p. 2-3, Emphasis added.]

From Shladover, we hear much the same.

Focus initially on the safety of the development process, rather than trying to quantitatively assess the safety of the ADS in action, because this is what is currently technically feasible, relying on process standards such as UL4600, ISO 26262 and ISO PAS 21448. ADS developers should be required to self-certify that they have followed these standards (or key sections of these standards), and in cases where they have not followed them completely, they should be required to provide supportable explanations for why this does compromise the safety of their ADS. 

Require assessment of safety of ADS responses to specific scenarios at a later time, after enough research has been done to determine how to do that effectively (how to define the relevant scenarios and the performance thresholds that need to be met to be rated “safe enough”). [p. 2, Emphasis added.]

And from Sightline, a more concise statement: "UL4600 should serve as the foundation for new NHTSA standards for certifying the safety of automated driving systems." [p. 1, Emphasis added.] 

Why UL4600? 

I will admit that I do not know anything about UL4600 or the others mentioned. I do like the explanation supporting this standard, though; it could apply to the others as well. It is not that UL4600 sounds like an emergency protocol in a Star Trek movie or the name of a plug you have to get after buying a fancy foreign mixer for the kitchen. The real answer is expressed in the Sightline comment, and that answer is a mix of common sense and correcting for the weaknesses of capitalism. Here is a long quote from the Sightline comment; it articulates why a standard is needed and why this particular one is best.

UL 4600 incorporates ISO 26262 and other existing standards into its broader safety case framework. 

UL 4600 is not prescriptive. It allows for continued innovation, but OEMs must present evidence that their automated systems are sufficiently safe. 

UL 4600 was developed by a diverse stakeholder group including representatives from the automotive and software industries. The standard does not prescribe how automated systems should operate; rather, it requires OEMs to make a comprehensive case, backed up with evidence, for why their system is safe. Safety case frameworks have been used in other industries with new and rapidly developing technologies and will allow companies to continue to innovate and compete on cost and performance.

UL 4600 requires information sharing that will promote safety and fair competition. 

Crucially, UL 4600 requires OEMs to share information about potential problems with their systems so others can learn from their mistakes without requiring the disclosure of critical intellectual property. Mistakes include not just accidents but failures of an automated system to accurately identify objects even if that failure doesn’t lead to an accident. This process continues after vehicles are deployed so their safety continues to improve. Sharing lessons about failures of automated systems allows every firm to build safer systems. NHTSA should not allow safety lessons to become proprietary and a means to block new entrants into the market. Rather NHTSA must create a shared database of best practices and edge cases to watch out for with automated systems. Companies can compete on technology, cost and performance but NHTSA must ensure that they all have access to the best information on how to build safe automated systems. [Sightline, p. 4-5, Headings included, but bold and numbers for paragraphs removed.]

Shladover addresses the quest for innovation and why this standard will not inhibit that quest:

UL4600 places no limitations on the technological innovations or specific technologies that the ADS developers may choose to employ, leaving them free to innovate. It only requires that they apply a comprehensive safety process to the development and implementation of the ADS, regardless of its specific technologies. [p. 3-4]

Why not corporate-friendly, innovation-boosting, voluntary standards?

Number one: Let's do away with the idea that innovation and safety regulation represent opposite sides of the coin, that they are mutually exclusive. IIHS-HLDI puts the matter plainly: NHTSA's role is to be the adult in the room, to protect lives. This was the whole reason that NHTSA was created.

NHTSA’s obsession with “removing regulatory hurdles” and “not stifling innovation” is inconsistent with the agency’s mission “to save lives, prevent injuries, and reduce economic costs due to road traffic crashes.” Automated driving technology may prove a useful tool to help accomplish that mission, but it is naïve to think that it will improve road safety without public policy that guides it to that end. ADSs are not being developed solely to improve road safety. There are other business interests behind these efforts. The compelling need for early safety regulation is to obligate ADS developers to favor safety over competing demands of the technology (e.g., cost, speed, style). NHTSA is surely aware of the countless instances when safety trade-offs made for cost and convenience led to needless injury and death. [p. 1. Footnote deleted.]

Number two: One could argue that the recommendation against allowing safety processes and software to become proprietary actually encourages innovation in the realm where we want it - for example, enabling new designs for my cute AV tiny house of the future, or, better yet, accessible AVs so that real people can easily roll wheelchairs, walkers, strollers, shopping carts, and luggage onto those AVs instead of breaking their backs to lift them - while ensuring that every manufacturer provides AV products that are as safe as possible, though never perfectly safe.

A final, but very brief, quote here because it sums up the attitude that NHTSA has been asleep at the wheel. "The agency’s current lack of specificity about the safety goals for ADS technology is indefensible." (IIHS-HLDI, p. 3)

More to read 

Comments to refer to if you would like more details about safety process or standards:

The Sightline Institute - submitted by Daniel Malarkey

Insurance Institute for Highway Safety and Highway Loss Data Institute

Steven Shladover

Ralph Panhuyzen 

People's Republic of China - submitted by Zhao Minggang

Less detailed, but with process orientation recommendations:

National Society of Professional Engineers and its Emerging Technology: A Public Policy Regulatory Guide (a brief brochure)