
EU Autonomous Vehicle Certification Management Measures and Their Implications: Focus on Autonomous Driving


With the advancement of computers, software, artificial intelligence, communications, sensors and other technologies, self-driving cars are getting closer and closer to us, and topics related to them have been attracting much attention. The company focuses on autonomous driving and has set up a special column. Access certification is an important part of the safety management of autonomous vehicles, and it is also a necessary prerequisite for vehicles to enter the market. Researchers from the Research Center for Road Traffic Safety of the Ministry of Public Security systematically sorted out the relevant contents of the EU autonomous vehicle access certification management, including the purpose and scope of the certification work, the main safety certification content, and the certification work procedures, hoping to provide reference for the mainland to build automatic driving access certification management.

Purpose and scope of application of the EU Certification Guide for Autonomous Vehicles

On 17 May 2018, the European Union (EU) released the EU Strategy for Intelligent and Connected Vehicles [1]. To implement the strategy, the European Commission announced its intention to work with member states to publish guidelines to achieve EU-wide harmonization in the certification of autonomous vehicles. To this end, the European Commission published the EU Guidelines for The Certification Exemption Process for Autonomous Vehicles on 5 April 2019[2].

The main directive of the EU regulating the certification of motor vehicles is the "Motor Vehicle Certification Measures (2007/46/EC)", and from September 1, 2020, the new EU Directive "Regulation (No. 858/2018)" is officially implemented. According to the above provisions, if a vehicle uses a new technology that exceeds the provisions of existing technical regulations, such as automatic driving, it is subject to a special exemption procedure at the time of certification. Because it is difficult to reach agreement at the EU level in the short term on the regulatory management requirements for autonomous driving technology, it is proposed to first carry out provisional certification at the member state level, and then, through a decision of the European Commission, to promote mutual recognition among member states. Through these two steps, certified autonomous vehicles can be launched on the EU market like other certified vehicles.

The purpose of the introduction of the autonomous vehicle certification guidelines is, on the one hand, to summarize the practical experience of the evaluation of the automatic driving system through the temporary certification of member countries; on the other hand, to promote the process and standardization of the evaluation of the autonomous driving system; and the third is to provide a fair and transparent environment for the development of autonomous vehicles.

In prioritizing the certification guidelines, and in order to adapt to the needs of the application, the main focus is on autonomous vehicles under limited conditions, that is, the Level 3 (L3) and Level 4 (L4) vehicles stipulated by the American Society of Automotive Engineers, which are currently tested on the road and are expected to be commercialized in the next few years.

The EU Vehicle Certification Exemption Procedure is only applicable to production vehicles. For the development of special small batch vehicles or prototypes, it is applicable to other certification procedures, such as individual certification in member countries, small batch certification in member countries, etc.

EU safety requirements for autonomous vehicles

1 Functional requirements for automatic driving system

The European Union has clarified 10 safety requirements for the functions of autonomous driving systems. They are:

● In automatic driving mode, in foreseeable traffic situations within the operating domain, the automatic driving system can drive itself, replacing the driver to complete various driving tasks.

● In autonomous driving mode, the vehicle cannot cause foreseeable and preventable traffic accidents.

● In autonomous driving mode, the vehicle should behave cautiously and predictably, while interacting appropriately with other traffic participants (e.g., following orders from law enforcement officers, interacting with other traffic participants, etc.).

● In automatic driving mode, vehicles should comply with road traffic rules.

● Car companies should declare to the certification body the operating domain of autonomous vehicles, that is, the time and space conditions for the vehicle to be suitable for operation in the design. The operating area should include at least: road conditions (motorized lanes/highways, ordinary highways, number of lanes, lane line requirements, roads dedicated to autonomous vehicles, etc.), geographical areas (urban areas/mountains, geographical fence settings, etc.), environmental conditions (weather, night driving restrictions, etc.), traffic speed ranges, and other conditions closely related to the safety of autonomous driving operation.

● The automatic driving system should be able to identify whether it is currently in the operating domain and can only operate in the operating domain.

● Within the operating domain, the system should be able to handle situations (environmental awareness, making correct driving decisions, correctly performing dynamic driving tasks, interacting effectively with other traffic participants) without the need for constant supervision by the driver. Within the operating domain, vehicles should not cause traffic accidents. For the errors of the vehicle user inside and outside the vehicle, as well as other traffic participants, the vehicle should be designed to minimize the adverse effects caused by such errors.

● Vehicles should maintain a safe distance from the vehicle in front, especially in congested areas. In lateral movements, they should leave enough time and space for other traffic participants and should comply with the right of way. Accidents that can be avoided should be avoided, provided the avoidance does not cause a new accident.

● When designing the operating domain, the driver's safety takeover should be considered, that is, it is only taken over in low-risk situations, and the road traffic rules should be observed when taking over.

● In autopilot mode, the system should be able to automatically detect situations that are difficult to continue driving, such as being able to detect operating domain boundaries, or the effectiveness of the system.

2 Human-computer interaction requirements

The European Union has clarified five major safety requirements for human-computer interaction in autonomous driving systems. They are:

● Only when the operating domain conditions are met, the automatic driving mode can be activated, and the driving takeover or exit automatic driving mode is performed by the driver, operator or control center supervisor, and must be easy to operate. When a human-issued instruction to exit autonomous driving mode may contain safety risks, the automatic driving system should delay the exit of automatic driving mode.

● The vehicle must continuously and clearly show the operating status of the system such as operation and failure to the takeover personnel.

● The driver should be clear about the functions and limitations of the automatic driving mode, and need to understand the task functions that the automatic driving system can give the driver.

● If the system is designed to take over under certain circumstances, the system should monitor whether the driver's status has the requirements for takeover. The system should ensure that the driver is in a takeoverable state through the driver monitoring and early warning system, and should be designed to prevent and foresee the misoperation of the driver within the operating area.

● For driverless self-driving vehicles such as unmanned shuttle buses, an information transmission system that transmits emergency notifications to the control center should be provided. In addition, the car should also be equipped with cameras and sound transmission devices to ensure that the control center can monitor the situation inside the car.

3 Driving task handover requirements

When it is difficult for the vehicle to continue driving in autonomous driving mode in the operating area, or in the event of a malfunction, the autopilot system may request the driver to take over, but should leave sufficient time for the takeover. If the driver does not take over, the autopilot system should continue to drive in autopilot mode or perform minimal risk operations. Vehicle design should ensure that the driver can clearly identify the takeover request. The system should also accurately identify whether the driver performed a takeover.

4 Minimum Risk Operational Requirements

When the autonomous driving system detects that it is difficult to continue driving in autonomous driving mode, the vehicle should return to the lowest risk state by operating with minimal risk. When operating with the minimum risk, it is necessary to remind other traffic participants of the minimum risk operation in accordance with the traffic rules, such as turning on the hazard alarm flash, brake lights, turn signals, etc. Minimal risk operations should comply with traffic regulations. Minimal risk actions may include stopping in this lane or changing lanes, and then safely stopping on the side of the road after alerting surrounding traffic participants. In the final stage of the least-risk operation, the driver may be required to take over, such as for an L3 autonomous vehicle with lane-keeping capabilities, where the human driver may be required to perform the final safe stop on the side of the road.

5 Data storage system requirements

Autonomous vehicles should be equipped with on-board equipment to record the operating state of the automatic driving system and the state of human driving, so as to distinguish the driving task bearer at the time of the accident. The recorded data should support the allocation of accident liability and support the assessment of how human driving or autonomous driving responds in an accident. At a minimum, it should contain the operating status of the automatic driving system, the state of human driving, the surrounding environment information, and the automatic driving control information. The recorded data should remain complete and readable after an impact, fire, etc., and attention should be paid to data security protection to prevent data tampering and to ensure compliance with EU data protection regulations, but should be allowed to be read and parsed by the relevant regulatory authorities of the Member States. With the accumulation of practical experience, more detailed data requirements (such as recording time, retention time, purpose of data use, standardization of data reading interface, privacy information protection, etc.) should be formulated.

6 Information Security Requirements

Autonomous vehicles should be designed with state-of-the-art technology to prevent vehicles from being hacked and ensure that they comply with EU data protection regulations. It mainly prevents, mitigates and responds to information attacks through risk assessment, security design methods and process management of car companies. For software upgrades, etc., car companies should take security measures to ensure the information security of the whole life cycle of the car in use.

7 Security Assessment and Testing Requirements

The security assessment and testing requirements are as follows:

● Autonomous vehicles, autonomous driving systems, autonomous driving system components and technical units are required to meet the requirements of safety technical regulations listed in Appendix 4 of the "Motor Vehicle Certification Measures (2007/46/EC)".

● The certification assessment of the car company by the certification authority should focus on: the automatic driving system has a robust design and robust verification procedures to ensure that the vehicle complies with this guideline, especially the vehicle does not cause accidents, can make a safe takeover request, and perform minimal risk operations. According to the safety assessment report provided by the car company on testing, verification, evaluation, etc., the certification authority shall draw a safety conclusion (equivalent to that of traditional vehicles).

● Car companies should specifically state that for autonomous driving systems, hazard and risk analysis has been carried out, and this analysis has been integrated into the overall design of the vehicle, even taking into account the broader road traffic ecosystem, and sufficient design and redundancy are made to ensure that the vehicle can cope with these risks.

● Risks that have a greater impact on functional safety should be addressed in the system design. These risks may be caused by information attacks, effectiveness (functional safety) or potential lack of control, unforeseen control behavior, misuse of personnel, and insufficient interaction with other traffic participants (operational safety). Approaches to this can refer to the functional safety standard (ISO 26262) and the section on operational safety in System-Theoretic Process Analysis (STPA), or to other equivalent methods such as the draft expected functional safety standard (ISO 21448).

● All design decisions should be tested, verified and confirmed by the car company at the independent subsystem level and under the overall framework of the vehicle.

● The certification authority should: confirm that the hazard and risk analysis of the car company has covered all system-related failure and driving risks, and can assess the threshold of risk. Confirm that the logical diagram (redundancy, operation) for assessing risk response covers predictable system failure and driving risks. Ensure that human-computer interaction is properly evaluated based on relevance experimentation and considering different users. Conduct a minimum number of tests (taking into account both severe failure and driving risk scenarios, as well as normal driving scenarios) to confirm that the vehicle can operate safely both from the functional and operational levels. The minimum number of tests described above should include both false-negative and false-positive test scenarios. Ensure that the method of evaluating the safety performance of the system is transparent. Simulation test verification methods may be used, but the regulatory requirements for virtual testing in the EU Directives "Regulation on The Certification of Motor Vehicles (2007/46/EC)" and "Regulation (No. 858/2018)" should be complied with.

● When the certification authority implements the vehicle safety assessment, it can access the automatic driving system under test.

● The certification authority shall have the necessary capabilities and qualifications and receive corresponding training in order to carry out the above-mentioned vehicle safety assessment and testing work.

8 Requirements for information provided to users

Car companies should take various measures to provide users with knowledge related to autonomous driving in an easy-to-understand manner. Mainly including:

● Operating conditions, operating domain, and functional limitations of the automatic driving system;

● Method of turning off automatic driving mode;

● Human driver tasks (such as for L3 level autonomous driving, the driver needs to undertake the takeover task);

● For L3 level autonomous driving, other extra-driving actions required of human drivers;

● Instructions provided by human-computer interaction (such as whether it is in the automatic driving state);

● Measures that users should take in the event of an emergency;

● When there is a problem with the automatic driving system, the behavior of the vehicle;

● Vehicle maintenance, inspection, and system online upgrade related knowledge.

EU autonomous vehicle certification process

According to Chapter 20 of the EU Directive "Regulation (No. 858/2018)" and Chapter 39 of the "Regulation (No. 858/2018)", the exemption procedure for the certification of autonomous vehicles is as follows:

● Automotive companies submit certification applications to the certification authorities of member countries. The documents to be submitted are shown in Table 1.

Table 1 Information submitted by automobile enterprises to the certification authority


● If conditions permit, member states may temporarily certify the license under the certification exemption procedure, which is valid only in the territory of the member state, and inform the European Commission and the member states of the following information: explain the reasons for the exemption, indicate the compliance of the vehicle systems, components, and independent technical units with the existing technical regulations, as well as the non-conformity. The interaction of various systems within autonomous vehicles should also be considered. Description of the safety of the vehicle and the environment in which it is used, and the corresponding measures taken. Certification authorities should evaluate autonomous vehicles on the basis of certification exemption guidelines. In addition, the European Commission and Member States may also amend the relevant technical regulations of the European Union and the United Nations Economic Commission for Europe as an alternative basis for certification. A description of the tests performed for exempted items and their results should ensure that the tests for safety and environmental protection and their results do not meet the requirements of existing similar standards.

● The European Commission shall organize a vote by the Motor Vehicle Technical Committee on whether to convert the provisional certification of member states to EU certification. The European Commission's certification decision should also be based on the certification exemption guidelines to clearly identify the function of autonomous driving. The European Commission's certification decision should be made public. The European Commission shall limit the duration (minimum of 36 months) and the number of certifications based on an assessment of the risks and the conditions applicable to possible future certification.

Pending the European Commission's certification decision, Member States may accept provisional certification from other Member States and permit them to obtain provisional certification within their own territory.

● For vehicles certified in accordance with the certification exemption procedure, the European Commission can expand the scope of certification according to the simplified materials provided by the certification authority. The above-mentioned simplified material should clearly describe the difference between the vehicles to be expanded and the certified vehicles.

On July 30, 2021, the Ministry of Industry and Information Technology issued the Opinions on Strengthening the Management of Access to Intelligent and Connected Vehicle Manufacturers and Products (No. 103 [2021] of the Ministry of Industry and Information Technology), which requires strengthening automotive data security, network security, software upgrades, functional safety and expected functional safety management, ensuring product quality and production consistency, and promoting the high-quality development of the intelligent and connected vehicle industry. The Opinions put forward 11 specific opinions from the aspects of strengthening data and network security management, standardizing software online upgrades, strengthening product management, and safeguard measures, which provide good guidance for the product access of autonomous vehicles. However, it needs to be seen that in terms of the functional safety requirements of autonomous vehicles, road traffic rules, and responses to traffic hazard scenarios, the relevant regulations of the mainland are not meticulous, or even missing, and the evaluation of the safety of autonomous vehicles is currently blank, and further research and improvement are needed.


(Text/ Zhou Wenhui, Research Center for Road Traffic Safety, Ministry of Public Security, originally published in the Special Column of Motor Vehicle Registration and Inspection of Automobile and Safety Magazine, No. 1, 2022)

Editor 丨Li Yunyue Zhao Xiaoxuan
