Economic Commission for Europe s25

United Nations ECE/TRANS/WP.29/2017/145

Economic and Social Council Distr.: General 27 September 2017

English only

Economic Commission for Europe Inland Transport Committee World Forum for Harmonization of Vehicle Regulations 173rd session Geneva, 14-17 November 2017 Item 2.3 of the provisional agenda 1958 Agreement: Intelligent Transport System and automated vehicles

Proposal for the Definitions of Automated Driving under WP.29 and the General Principles for developing a UN Regulation on automated vehicles

Submitted by the Informal Working Group on Intelligent Transport Systems / Automated Driving*

The text reproduced below was prepared by the expert from Informal Working Group (IWG) on Intelligent Transport Systems / Automated Driving (ITS/AD). It is based on Working Paper ITS/AD-12-05-3, distributed during the twelfth session of Informal Working group on ITS/AD.

* * In accordance with the programme of work of the Inland Transport Committee for 2016–2017 (ECE/TRANS/254, para. 159 and ECE/TRANS/2016/28/Add.1, cluster 3.1), the World Forum will develop, harmonize and update Regulations in order to enhance the performance of vehicles. The present document is submitted in conformity with that mandate. ECE/TRANS/WP.29/2017/145

A proposal for the Definitions of Automated Driving under WP.29 and the General Principles for developing a UN Regulation on automated vehicles

1. The following table reflects the general principles for automated driving systems as WP.29. These principles will be treated as guidelines for developing a new regulation related to automated driving systems at WP.29. (a) The control systems that intervening in case of emergency (AEB, ESC, Dead man, etc.) are not included in these definitions of automated driving. (b) The control functions that avoid dangers caused by unpredictable traffic conditions (goods/luggage dropping, frozen road, etc.) or other drivers’ illegal driving behaviors are not considered in this table. 2. The regulation on automated driving needs to have new specific performance requirements and verification tests under various conditions depending on each level. 3. In discussing system requirements, it is desirable to organize them by level as well as by roadway type and to include the range of vehicle types (1: parking area; 2: motorway; 3: urban and interurban road, and both automated vehicles (i.e. existing vehicle classes) and low-speed shuttle buses, pod cars, etc (i.e. new classes of vehicles). 4. The following table shows the distinguish way of level of automated driving under WP.29 at this present considering the results of discussions so far and the assumed use cases. This table should be reconsidered appropriately in accordance with each concept of automated driving system to be placed on the market in the future.

2 ECE/TRANS/WP.29/2017/145

Outline of Classification System takes care ofThe system takes care of both The system is The system is able to cope with any situations in the The system is able to cope longitudinal or longitudinal and lateral control. able to cope ODD (fallback included). with any situations on all lateral control. with all dynamic road types, speed ranges Monitoring by driver necessary because driving tasks The driver is not necessarily needed during the and environmental Monitoring by the the system is not able to detect all the within its specific use-case, e. g. Valet Parking/ Campus conditions. driver. situations in the ODD. operational Shuttle. design domain* No driver necessary. The driver shall be able to intervene at or will otherwise The system may however request a takeover if the any time. transition to the ODD boundaries are reached (e.g. motorway exit). driver offering sufficient lead time (driver is fallback).

The system drives and monitors (specific to the ODD) the environment.

The system detects system limits and issues a transition demand if these are reached.

*The Level 3

3 ECE/TRANS/WP.29/2017/145

Object and Event Detection and Response (OEDR) Object and Event Detection and Response (OEDR) by the driver by the system The driver may not perform secondary activities The driver may perform secondary activities Monitor by System Monitor by Driver Monitor by (Return to Driver Monitor by System Full Time Monitor by Driver Monitor by System only (a) Driver (b) Control on System under defined use case Request) system is e.g. not expected to provide a corridor for emergency vehicle access or to follow hand signals given by traffic enforcement officers. The driver needs to remain sufficiently vigilant as to acknowledge and react on these situations (e. g. when he hears the sirens of an emergency vehicle in close vicinity).

Vehicle Tasks 1. Execute either 1. Execute longitudinal (accelerating, 1. Execute 1. Execute longitudinal (accelerating/braking) and 1. Monitor the driving longitudinal braking) and lateral (steering) dynamic longitudinal lateral (steering) portions of the dynamic driving environment (acceleration/brakindriving tasks when activated. The system (accelerating/br task when activated. Shall monitor the driving g) or lateral is not able to detect all situations in the aking) and environment for any decisions happening in the (steering) dynamic ODDs. lateral (steering) ODD (for example Emergency vehicles). driving tasks when portions of the activated The dynamic driving system is not able task when to detect all the activated. Shall

4 ECE/TRANS/WP.29/2017/145

2. System 2. System deactivated immediately upon 2. Permit 2 Permit activation only under conditions for which 2. Execute longitudinal deactivated request by the human driver. activation only it was designed. System deactivated immediately at (accelerating/ braking) immediately at the under conditionsthe request of the driver. However the system may and lateral (steering) request of the for which it was momentarily delay deactivation when immediate driver designed. human takeover could compromise safety System deactivated immediately at the request of the driver. However the system may momentarily delay deactivation when immediate human takeover could compromise safety

3. No transition demand as such, only 3. System 3. Shall deactivate automatically if design/boundary 3. Execute the OEDR warnings. automatically conditions are no longer met and must be able to subtasks of the dynamic deactivated only transfer the vehicle to a minimal risk condition. May driving task- human after requesting also ask for a transition demand before controls are not required

5 ECE/TRANS/WP.29/2017/145

Object and Event Detection and Response (OEDR) Object and Event Detection and Response (OEDR) by the driver by the system The driver may not perform secondary activities The driver may perform secondary activities Monitor by System Monitor by Driver Monitor by (Return to Driver Monitor by System Full Time Monitor by Driver Monitor by System only (a) Driver (b) Control on System under defined use case Request) the driver to deactivating. in an extreme scenario. take-over with a sufficient lead time; may − under certain, limited circumstances − transition (at least initiate) to minimal risk condition if the human driver does not take over. It would be beneficial if the vehicle displays used for the secondary activities were also used to improve the human takeover process.

4. A driver engagement detection 4. Driver 4. Driver availability recognition shall be used to 4. System will transfer the function (could be realized, for example, availability ensure the driver is in the position to take over vehicle to a minimal risk as hands-on detection or monitoring recognition shall when requested by transition demand. This can condition. cameras to detect the driver’s head be used to however be lighter solutions than for level 3 position and eyelid movement etc.) ensure the because the system is able to transfer the vehicle to could evaluate the driver’s involvement driver is in the a minimal risk condition in the ODD. in the monitoring task and ability to position to take

6 ECE/TRANS/WP.29/2017/145

Object and Event Detection and Response (OEDR) Object and Event Detection and Response (OEDR) by the driver by the system The driver may not perform secondary activities The driver may perform secondary activities Monitor by System Monitor by Driver Monitor by (Return to Driver Monitor by System Full Time Monitor by Driver Monitor by System only (a) Driver (b) Control on System under defined use case Request) intervene immediately. over when requested by the system. Potential technical solutions range from detecting the driver’s manual operations to monitoring cameras to detect the driver’s head position and eyelid movement. 5. Emergency 5. Emergency braking measures must be braking accomplished by the system and not expected from measures must the driver (due to secondary activities) be accomplished by the system and not expected from the driver (due to secondary activities)

7 ECE/TRANS/WP.29/2017/145

Driver Tasks 1. Determine when activation or 1. Determine when 1. Determine when activation or 1. Determine when 1. Activate and deactivate deactivation of assistance system is activation or deactivation deactivation of the automated activation/deactivation of the the automated driving appropriate of the system is driving system is appropriate. automated driving system is system. appropriate. appropriate.

2. Monitor the driving environment. 2. Execute the OEDR by 2. Does not need to execute the 2. Does not need to execute the 2. Does not need to Execute either longitudinal monitoring the driving longitudinal, lateral driving tasks longitudinal, lateral driving tasks execute the longitudinal, (acceleration/braking) or lateral environment and and monitoring of the and monitoring of the lateral driving tasks and (steering) dynamic driving task responding if necessary environment for operational environment in the ODD. monitoring of the (e.g. emergency vehicles decisions in the ODD. environment during the coming). whole trip.

3. Supervise the dynamic driving task 3. Constantly supervise 3. Shall remain sufficiently vigilant 3. May be asked to take over upon 3. Determine waypoints executed by driver assistance system the dynamic driving task as to acknowledge the transition request within lead time. Howeverand destinations and intervening immediately when executed by the system. demand and, acknowledge the system does not require the required by the environment and the Although the driver may vehicle warnings, mechanical driver to provide fallback system (warnings) be disengaged from the failure or emergency vehicles performance under the ODD. physical aspects of (increase lead time compared to driving, he/she must be level 2). fully engaged mentally with the driving task and shall immediately intervene when required by the environment or by the system (no transition demand by the system, just warning in case of misuse or failure).

4. The driver shall not perform 4. The driver shall not 4. May turn his attention away 4. May perform a wide variety of 4. May perform a wide secondary activities which will perform secondary from the complete dynamic secondary activities in the ODD. variety of secondary hamper him in intervening activities which will driving task in the ODD but can activities during the immediately when required. hamper him in only perform secondary activities whole trip. intervening immediately with appropriate reaction times. It when required. would be beneficial if the vehicle displays were used for the secondary activities.

8 ECE/TRANS/WP.29/2017/145

Consideration points Same as current principle (manner) 1. Consider whether 1. Consider which regulatory 1. Consider which regulatory Note: Preliminary on development of regulatory provision for provision for longitudinal provision for longitudinal analysis only- subject vehicle regulation longitudinal (accelerating, (accelerating, braking) and lateral (accelerating, braking) and lateral further review. braking) and lateral control (steering) are necessary control (steering) are necessary control (steering) are including the monitoring of the including the monitoring of the 1. Consider which necessary. driving environment. driving environment for any regulatory provision for decisions happening in the use longitudinal (accelerating, case (for example Emergency braking) and lateral vehicles). control (steering) are necessary including the monitoring of the driving environment for any decisions (for example Emergency vehicles).

2. Consider regulatory 2. Consider regulatory provision 2. Consider regulatory provision to2. Depending upon the provision to ensure the to ensure the system: ensure the system: vehicle configuration, system is deactivated i) Permits activation only under i) Permits activation only under consider regulatory immediately upon requestconditions for which it was conditions for which it was provision to ensure the by the human driver. designed, and designed, and system: ii) Deactivates immediately upon ii) Deactivates immediately upon i) Permits activation only request by the driver. However request by the driver. However theunder conditions for the system may momentarily system may momentarily delay which it was designed, delay deactivation when deactivation when immediate and immediate driver takeover could driver takeover could compromise ii) Deactivates compromise safety. safety. immediately upon request by the driver. However the system may momentarily delay deactivation when immediate driver takeover could compromise safety.

3. Consider the warning 3. Consider regulatory provision 3. Consider regulatory provision to3. Consider regulatory strategy to be used. This to ensure the system ensure the system automatically provision to ensure the

9 ECE/TRANS/WP.29/2017/145

might include automatically deactivates only transfer the vehicle to a minimal system automatically warning/informing the after requesting the driver to risk condition preferably outside transfer the vehicle to a driver in due time whentake-over with a sufficient lead of an active lane of traffic if minimal risk condition an intervention by the time; including − under certain, design/boundary conditions are preferably outside of an driver is needed, limited circumstances − transition no longer met. active lane of traffic. (at least initiate) to minimal risk condition if the driver does not take over. It would be beneficial if the vehicle displays used for the secondary activities were also used to improve the human takeover process.

4. Consider the driver 4. Consider regulatory provision 4. Consider regulatory provision availability recognition for driver availability recognition for driver availability recognition is function to evaluate the is used to ensure the driver is in used to ensure the driver is in the driver’s involvement in the position to take over when position to take over when the monitoring task and requested by the system. . requested by the system transition ability to intervene demand at the end of the ODD. immediately. For example, as hands-on detection or monitoring cameras to detect the driver’s head position and eyelid movement etc. 5. Consider regulatory provision 5. Consider regulatory provision 4. Consider regulatory for emergency braking measures for emergency braking measures provision for emergency by the system by the system. braking measures by the system.

10 ECE/TRANS/WP.29/2017/145

Examples of the necessary system performance requirements Override (e.g. steering, Necessary in general Unnecessary when driverless Unnecessary braking, accelerating) mode. Otherwise necessary in function by the driver general. However the system may momentarily delay deactivation when immediate human takeover could compromise safety.

Aspects of arrangement Detection of hands- Detection of Detecting the driver Detection of driver’s availability to Unnecessary when driverless Unnecessary that ensures the driver’soff when Level 1 hands-off availability recog- take over the driving task upon operation/use case. involvement in dynamic addresses LKAS nition function to request or when required: driving tasks (driver evaluate the driver’s e.g. seated/unseated, Necessary when driver is monitoring, etc.) involvement in the driver availability recognition system requested to take over at the monitoring task and (e.g. head and/or eye movement end of ODD. In these ability to intervene and/or input to any control element circumstances, this can be immediately (e.g. of the vehicle) lighter solutions than for level hands off detection, 3 because the system is able head and/or eye to transfer the vehicle to a movement and/or minimal risk condition in the input to any control ODD. element of the vehicle) Aspects of arrangement not applicable Consideration of the methods used to Unnecessary when driverless Unnecessary that ensures the driver’s reengage the driver following system operation/use case but level 3 resumption of dynamic request (including minimal risk requirement when the end of driving tasks (transition maneuver and cognitive stimulation- the ODD is reached. periods to the driver, if applicable the vehicle infotainment etc.) system showing non-driving relevant Aspect of transition content to be deactivated demand procedure. automatically when transition demand is issued). System reliability Consideration shall be given to evaluation of the system reliability and redundancy as necessary.

Comprehensive The area to be The area to be The area to be The area to be monitored depends on the system function (Lateral and longitudinal directions). recognition of monitored monitored monitored necessary surrounding (depends on the necessary for for lateral and It is the task of the system to perform OEDR. environment system function). lateral and longitudinal control (sensing, etc.) longitudinal (depends on the control (depends system function,

11 ECE/TRANS/WP.29/2017/145

on the system while recognizing it is function, while the task of the driver recognizing it is theto perform OEDR). task of the driver Additionally the to perform OEDR). system may perform OEDR function. Recording of system Unnecessary Unnecessary The driver’s The driver’s operations and the The system status (incl. system behavior)) status (inc. system operations and the system status (incl. system behavior) behavior) system status (incl. (DSSA-Data Storage system behavior) System for ACSF, EDR, etc.) Cyber-Security Necessary if the information communication in connected vehicles, etc. affects the vehicle control

12 ECE/TRANS/WP.29/2017/145

Compatibility with Yes Yes Yes [WP.1-IWG-AD recommends WP.1 to [WP.1-IWG-AD recommends Further consideration traffic law (WP.1) state that the use of these functions WP.1 to state that the use of necessary to reflect remain within the requirements of these functions remain within driverless systems before the Conventions.] the requirements of the a conclusion can be Conventions. These are made. functions whereby a driver is still available at the end of the ODD. Functions that do not require a driver (e.g. campus shuttle) at all (driverless) are still in discussion – except for those that do not interact on/with public roads.] Summary of the current conditions and the issues to be discussed (specific use cases) Parking area Already put into  Automated parking by the driver’s Requirements need to be developed practice: remote control (monitoring) (RCP- Remote Control Parking, CAT. A under  Parking Assist ACSF amendment of R79) Roads exclusively for  LKA (draft standards) Under discussion: Under discussion : Requirements need to be developed motor vehicles with  ACC (no specific  Categories [B2], C, D and [E] under  Categories B2, B2+E under ACSF physical separation performance ACSF (amendment of R79) (amendment of R79) from oncoming requirements)  Category B1 in combination with traffic (e.g.  ACSF Cat.B1 longitudinal control motorway) (Steering Function  ACC+ACSF  [ACSF Cat. B2] hands-on) (Cat.B1, Cat.C  [ACSF Cat.E] [Basic Lane (Continuous Lane Change Assist], Guidance hands- Cat.D [Smart off) LCA]) Urban and  Category B1 in combination with Requirements need to be developed interurban roads longitudinal Control  To be discussed by R79 IWG ACSF: Cat. B1 in combination with C, D