[SystemSafety] Digest, Vol 25, Issue 12: IMPORTANT RESPONSE REQ <5day
Simon Whiteley
simon at whiteley-safety.co.uk
Wed Aug 27 22:08:12 CEST 2014
Dear Martin, Friends and Colleagues,
I hope this email finds you all well.
Martin, thank you for the notification of the opportunity to respond to the
IET / Government invitation.
I think the subject of Autonomous Vehicles and their Safety in the public
domain is frightfully important and I would have jumped at the chance to
contribute. However, and I'm sure it's the same for many others on this
list, I don't have the time (currently) to dedicate to this worthy cause at
such short notice, though I am very interested in getting involved and
providing support where I can.
I have made the following points for consideration and discussion by the
members of this list (be gentle you lot! :-) ), and will also forward
relevant ones to IET and others, as time allows.
I've also pointed out STAMP & the Euro STAMP Conference as I know that using
STAMP would provide mega benefit to the "Autonomous Vehicles" enigma:
1) Definitions
Gov. paperwork apparently confuses terms and does not provide adequate
definitions, this must be resolved:
a. "Driverless" cars -> a car that does not need to be controlled by
anyone on-board? Or a car that cannot be controlled by anyone on-board?
The general population may get the wrong impression if this is not firmly
defined, and the various Marketing people need to be managed! This also
raises questions about "off-board" control, e.g. via a smart phone (cold
shiver!).
b. "Advanced Autonomous Safety Systems" -> this term is used seemingly
interchangeably as though it refers to a fully autonomous "driverless car"
(my definition: a car that does not need, or has no controls for, a human
controller / driver). However, my understanding was that this term referred
to and is associated with "Driver Assistance Systems" of the type that only
assist the driver and are meant to be perceived as "assisting the driver"
(whether that "perception" is technically correct or even appropriate is a
whole different discussion!), not a system that eliminates the need for a
driver (assists the elimination of the driver, that sounds really bad!)
c. "Full Automation" Vs. "High Automation", the only differences in
definition are that no human intervention is required, and that the driver
need not be "able" and "ready" to take over, which presents some interesting
safety requirements beyond just the vehicle in isolation, but its
interactions with other vehicles and the surrounding environment, which the
review doesn't apparently focus on.
2) "Failures", "Testing" & Software
There is significant focus upon "Failures" and "Testing", which fails (!) to
recognise that in a massively complex Road System with Autonomous / Normal
Vehicles, "failures" do not have to occur to result in accidents, just
interactions.
This is compounded by the fact that Autonomous Vehicles will likely be
heavily dependent upon software that "does not fail" and cannot be
exhaustively tested. Furthermore, there would be difficulties trying to
envisage all potential real world interactions without trying to test them
all too!
The focus here definitely needs re-thinking: Systems Thinking, i.e. Nancy
Leveson's STAMP & STPA.
3) Compulsory Software Updates
The document suggests compulsory software updates, which opens a significant
can of worms, especially in terms of what happens if the car is involved in
an accident and hadn't had the software updated and how much the updates
could cost and who could provide them.
Also, exactly how software updates are managed requires the utmost care,
especially with the perception / reality of tricks certain mobile phone
manufacturers are playing with "free" software "updates" and "planned
obsolescence".
4) Human Monitoring of a Computer
The concept of a normal-everyday-Human sat monitoring a computer controlled
vehicle waiting to detect and arrest a hazardous situation with only inches
/ milliseconds to respond is unreasonable and frankly dangerous.
I accept that certain members of the community may be perfectly adapted to
such a task (i.e. a test pilot) and that this will be part of the
"not-exhaustive testing", but Human-monitoring is not something that should
be imposed wholesale onto just anyone, whether they themselves realise that
this is what is required or not!
Humans are not designed or particularly competent for the monitoring and
taking-control-when-the-wheels-fall-off task, and cannot be relied upon for
such safety critical functions.
Let me be clear, there should be appropriate and adequate thought and
analysis that either places the Human in the loop far enough that they do
not get bored or complacent, or that they at least have a chance to arrest
things should they go wrong. Let Humans play to their advantages, and not
their disadvantages.
5) Vehicle Safety Data Recorders
As part of my Masters Project on the Development of Requirements for Vehicle
Safety Data Recorders, I identified some very interesting and specific
extra-requirements for Autonomous Vehicles and made associated comments that
any Autonomous Vehicle should be fitted with a Data Recorder (akin to an
aircraft, though my method identified new requirements beyond what aircraft
are currently required to record) for two main reasons:
a. To provide evidence that the Human Driver was / was not faulty;
b. To provide evidence that the Autonomous Vehicle was / was not faulty.
Otherwise, without that information a great number of injustices could
occur, and Manufacturers / Regulators would not have the necessary feedback
Safety information they need to control safety (Nancy Leveson's STAMP
Hierarchical Control Structure Requirements).
This is before we tackle the elephant-in-the-room of always blaming Human
Error on the part of the involved Pilots / Drivers, which prevents learning
about the real causes of accidents and how to control them.
Obviously, privacy, security and data control / ownership were identified as
massive cans of worms, which need to be resolved, but not at the expense of
safety.
For real, and immediate benefit, the Review Team could do a STAMP Analysis
using STPA to identify the Unsafe Control Actions (Human, Technical
(Hardware & Software), Social), derive appropriate Top-Level System Safety
Requirements / Safety Constraints, and then feed those back into the Review
Activity. This would answer literally all the questions included below (if
the Hierarchical Control Structure was developed / detailed enough to answer
them, based on available information) and answer others not already
considered.
I can foresee literally tens of Unsafe Control Actions, both Human, Machine,
Environmental and Regulatory that need to be identified and resolved with
adequate and appropriate Safety Constraints, before the review is completed.
It is evident from the language and questions in the various Government
documents that the Reviewers haven't foreseen many of the important and
concealed / obscure Unsafe Control Actions, which is rather concerning,
especially when considering the complexity of the Systems involved and how
they compare to what we currently do in Aerospace & Defence!
This type of STPA only needs a small group of people to perform, it can be
applied to the technical and regulatory / organisational aspects easily and
it would produce extremely valuable results, within a matter of hours!
And it can be done with limited information and iterated swiftly as further
information becomes available.
I can help with this and would be prepared to take part in further
discussions with those interested, but would find it a challenge in the
urgent time scales mentioned.
If anyone wants to find out more about STAMP, apart from reading Nancy's
book (http://mitpress.mit.edu/sites/default/files/titles/free_download/9780262016629_Engineering_a_Safer_World.pdf),
please give me a call / drop me an email, or pop along to the Euro #STAMP
Conference 2014 in Stuttgart (22-23 September 2014):
http://www.iste.uni-stuttgart.de/en/se/esw2014.html
I'll be there, if you want to have a chat.
On a side note, I've recently created a LinkedIN Group that you are welcome
to join, where I'm about to publish some interesting STAMP-related articles,
of which Autonomous Vehicles & Data Recorders is going to be one such
subject: "International STAMP (Systems-Theoretic Accident Modelling and
Processes) Interest Group".
It is my honest view that this is a situation where STAMP would make a
MASSIVE difference, very quickly, to the spectre of Autonomous Vehicles and
their Safety, which is a matter of significant importance to humanity and
economic well-being which must be addressed before we build a massively
complex, untestable, monster. And then release it on the public.
All the very best,
Simon
p.s. See you in Stuttgart! :-) or at least in the LinkedIN Group!
p.p.s Please be aware, I intend to offer a STAMP / STPA Training Workshop in
the UK in the very near future and have already had talks with Professor
Leveson with regards to her support and attendance in the UK.
If you are interested in knowing more, please let me know or visit my
website.
Kindest Regards,
Simon P.P. Whiteley BEng (Hons) MSc MRAeS
DIRECTOR
M: +44(0) 7899 754090
E: simon at whiteley-safety.co.uk
W: www.whiteley-safety.co.uk
W: www.dependable-management.com
__________________________________________________________________________________________
Whiteley Aerospace Safety Engineering & Management Limited
Registered Office: Delta 606, Welton Road, Swindon, Wiltshire, England SN5 7XF, UK
Registered in England & Wales No: 6785948
VAT Registration No: 943 9340 07
-----Original Message-----
From: systemsafety-bounces at lists.techfak.uni-bielefeld.de
[mailto:systemsafety-bounces at lists.techfak.uni-bielefeld.de] On Behalf Of
systemsafety-request at lists.techfak.uni-bielefeld.de
Sent: 27 August 2014 11:00
To: systemsafety at lists.techfak.uni-bielefeld.de
Subject: systemsafety Digest, Vol 25, Issue 12
Today's Topics:
1. Review of the legislative and regulatory framework for
testing driverless cars (Martin Lloyd)
----------------------------------------------------------------------
Message: 1
Date: Wed, 27 Aug 2014 10:30:56 +0100
From: Martin Lloyd <martin.farside at btinternet.com>
To: systemsafety at techfak.uni-bielefeld.de
Subject: [SystemSafety] Review of the legislative and regulatory
framework for testing driverless cars
Message-ID: <53FDA550.6010102 at btinternet.com>
Content-Type: text/plain; charset="utf-8"; Format="flowed"
Dear Colleagues
The UK IET (Institute of Engineering Technology) is inviting contributions
to a submission on this matter, as shown below. It is very disappointing
that I only received this notice yesterday. However, despite the lack of
time perhaps individual members of this list could make a response. I am
particularly exercised by the software implications of driverless cars and
the standards that should be applied to them.
Review of the legislative and regulatory framework for testing driverless cars
In the Autumn Statement 2013, the Government announced its plan to review
the legislative and regulatory framework for developing and testing
driverless cars in the UK, reporting by the end of 2014.
The Department for Transport is interested in comments on any regulatory or
other issues that may need to be addressed in considering the testing of
cars with advanced autonomous safety systems on public roads, and the areas
where new regulation may be necessary in order to maintain road safety and
provide the appropriate safeguards in the introduction of this novel
technology.
The DfT are interested in hearing views on the below questions:
* Q1. Should any special training/testing or a minimum number of years
of driving experience be specified for drivers involved in testing
driverless cars with high automation?
* Q2. Should a second person be required to be present, as an observer?
* Q3. Do you believe that the normal set of requirements for driver
behaviour should still apply or are any exemptions from these
required, if so please specify?
* Q4. Are any new requirements or constraints necessary?
* Q5. Do you have any suggestions for an indication to other road users
that the vehicle is operating autonomously, or capable of autonomous
operation? For example, a warning signal showing autonomous
operation or a distinguishing sign (different number plate, sticker
on windscreen, etc.) indicating the potential capability of
autonomous operation?
* Q6. Should educational materials be developed to advise other road
users about the testing of highly autonomous cars?
* Q7. Do you have any observations on the possible reactions of other
road users, or the risks of interaction with driverless cars, and
possible mitigation measures?
* Q8. Do you see any difficulties with the existing product liability
regime, when operating driverless cars with high automation?
* Q9. Do you have any suggestions for standards to regulate the
testing of prototype cars with high automation?
* Q10. Are there current type approval or construction rules that
prototype cars with high automation might not comply with?
* Q11. Are you able to suggest any specific areas (e.g. braking,
steering) or any specific systems/technologies (e.g. ABS, ESC) where
regulation needs to be amended or developed, as a priority?
* Q12. Are any changes to the current roadworthiness regime required
to permit the testing of driverless cars, or ensure their safety?
* Q13. Have you any initial thoughts about any longer term risks and
issues as driverless cars age, and possible requirements to address
this?
* Q14. Cars with high automation would need to be registered. In due
course, decisions would be required as to the level of taxation and
whether the capability for autonomous operation would be recorded on
the DVLA database, in order to provide data on uptake, but that
seems to be outside the scope of this initial review. Do you have
any comments on this approach?
* Q15. Do you anticipate a need for special infrastructure to permit
the testing of cars with high automation?
* Q16. What issues would need to be addressed, to enable insurers to
offer suitable insurance products?
* Q17. Are there other insurance-related issues which may affect the
introduction and testing of driverless cars?
* Q18. Do you have any suggestions or concerns over data collection
and privacy, when considering the testing of cars with high automation?
* Q19. Do you (a) support amending diverse current regulations to cater
for driverless cars alongside conventional ones, or (b) support
creating a special regime via specific regulations to permit the
testing of driverless cars under certain circumstances or
constraints? (Or does it not matter as long as the regulations are
appropriate and clear?)
* Q20. Do you have any other comments on the need for a special regime
to cover the testing of driverless cars with high automation? Do you
consider any other regulations or aspects of driving practice would
pose a barrier, or do you consider that extra conditions would need
to be imposed? Please give full details.
The Institution of Engineering and Technology Trustees propose submitting a
response to this consultation <http://email.ietinfo.org/c/13LOxnHzRgD0p5dfrbwKjtnu>
and invite comments from Members who have expertise in this area and have
studied the consultation documents. In its capacity as a professional body
the IET will confine itself to only addressing those questions that are
within its area(s) of competence.
Members contributing are asked to state their relevant experience. All inputs
will be treated confidentially in the production of a corporate view and
individual contributors will not be named. "Member" should be interpreted as
IET Technician Members, Members and Fellows.
For more information and a summary of the questions, please refer to the
consultation document <http://email.ietinfo.org/c/13LOxzdValXfghjpdhEdpIjr>.
The deadline for response to this consultation is the 01 September 2014.
Please send your responses to Sahar Danesh <sdanesh at theiet.org>.
Full details located here <http://email.ietinfo.org/c/13LOxWgBMwBIYFvILtT9Ccbl>.
For more information and other submissions, please visit our website
<http://email.ietinfo.org/c/13LOy7MX5BVXPRBSxA0CIr7i>.
IET Policy
Michael Faraday House,
Six Hills Way,
Stevenage,
Hertfordshire,
SG1 2AY
--
Kind regards
Martin Lloyd
===========================
Dr M H Lloyd CEng FIET
martin.farside at btinternet.com
Tel: +44(0)118 941 2728
Mobile: +44(0)786 697 6840
www.farsideresearch.co.uk
============================