While the potential seems great, there are many unknowns that public authorities must manage. There are also certain conditions that authorities must guarantee. The first of these is that vehicles, and the traffic systems they operate in, must be safe.

The basis of the safe systems approach is that traffic systems should be designed in such a way that human weakness does not result in death or serious injury. Conceived to ensure safety in a world full of human error, the safe systems approach to road safety should also deliver safety in a world of machine errors or unanticipated behaviours. While it seems likely that the number of road casualties will decrease with increasing automation, crashes will not disappear. This is particularly likely in circumstances where drivers must take over from automated driving in emergency situations.

The lack of experience and data available makes it difficult to assess how safe automated driving really is. This is further complicated by the lack of a common framework for such a safety performance assessment, and by rapid changes in its object: a self-driving car is, after all, a combined hardware and software system whose critical performance characteristics can change radically with software upgrades. Vehicle automation strategies that keep humans involved in the driving task seem risky. A shared responsibility for driving between both automated systems and humans may not render decision-making simpler, but more complex. Thus, the risk of unintended consequences could increase.

Humans retain an advantage over single-sensor automated systems in many contexts. Overcoming this gap requires combined input from several sensors. In some cases, safe operation will require vehicles to communicate with each other and with infrastructure beyond line of sight. However, relying on this connectivity for safety performance is fraught with risks, especially with regard to cybersecurity. Whether vehicle automation should move from a reactive safety paradigm (where vehicles rely on their own capabilities) to a proactive safety framework (where vehicles are embedded in a communicative network) is still being debated.

In addition, two fundamental design strategies condition cybersecurity for automated driving. The first relates to the functional isolation of a safety-critical subsystem; the second relates to whether safe performance is contingent upon connectivity to external networks. These are not trivial design decisions. The choice of strategy will influence whether imperatives for safety and cybersecurity can be reconciled – and, if so, how easily this can be done. Robust cybersecurity within complex ‘systems of systems’ like automated driving requires comprehensive and shared frameworks.


Dr Tom Voege

Policy analyst at the International Transport Forum