Implications of the positive risk balance on the development of automated driving

Objectives: Automated driving (AD) from SAE level 3 onwards represents a paradigm change from human driver controlling the vehicle to a technical system controlling it. In this light, different regulatory bodies (European Commission, Germany, etc.) have defined guidelines for the operation of such a system. One core principle of these guidelines is that the automated operation needs to be at least as safe as human driving-often referred to as the "positive risk balance." However, these guidelines are general and do not provide details on what this means in a practical sense. This article discusses a method to demonstrate how positive risk balance can be addressed in practice.

Methods: Starting from a detailed analysis of corresponding guidelines and a literature review of possible risk assessment frameworks, a comprehensive approach has been developed to consider ethical requirements for the development of AD. This approach covers different development stages. The PrOACT-URL (Problems, Objectives, Alternatives, Consequences, Trade-offs, Uncertainty, Risk attitudes, and Linked decisions) approach was chosen for reporting of the work.

Results: The article will present the approach developed by BMW to ensure that a positive risk balance is achieved for an AD system. The approach is presented per development stage (concept phase, AD development phase, verification and validation phase, post-start of production phase). In the concept phase, the scope is to define how good a human driver is and how good an AD needs to be. In the AD development phase, first the relevant system requirements need to be derived. Monte Carlo experiments in combination with Bayesian networks are applied. The fulfillment of these requirements is checked in the verification phase through simulations and test track and real-world tests. For validation of the risk balance, the impact of AD in terms of traffic safety is derived by means of simulation. In the post-start of production phase, field observation is used.

Conclusion: The safety of AD is paramount when it comes to its operation and ensuring trust in this technology. The described approach contributes directly to building this trust by considering the principle of a positive risk balance throughout the development in addition to existing safety standards for advance driver assistance systems, such as ISO 26262, ISO21434 or ISO 21488.