Driven to Distraction – the future of car safety

If you haven’t gotten a new car in a while you may not have noticed that the future of the dashboard looks like this:


That’s it. A single screen replacing all the dashboard gauges, knobs and switches. But behind that screen is an increasing level of automation that hides a ton of complexity.

At times everything you need is on the screen with a glance. At other times you have to page through menus and poke at the screen while driving. And while driving at 70mph, try to understand if you or your automated driving system is in control of your car. All while figuring out how to use any of the new features, menus or rearranged user interface that might have been updated overnight.

In the beginning of any technology revolution the technology gets ahead of the institutions designed to measure and regulate safety and standards. Both the vehicle’s designers and regulators will eventually catch up, but in the meantime we’re on the steep part of a learning curve – part of a million-person beta test – about what’s the right driver-to-vehicle interface.

We went through this with airplanes. And we’re reliving that transition in cars. Things will break, but in a few decades we’ll come out out the other side, look back and wonder how people ever drove any other way.

Here’s how we got here, what it’s going to cost us, and where we’ll end up.


Cars, Computers and Safety
Two massive changes are occurring in automobiles: 1) the transition from internal combustion engines to electric, and 2) the introduction of automated driving.

But a third equally important change that’s also underway is the (r)evolution of car dashboards from dials and buttons to computer screens. For the first 100 years cars were essentially a mechanical platform – an internal combustion engine and transmission with seats – controlled by mechanical steering, accelerator and brakes. Instrumentation to monitor the car was made up of dials and gauges; a speedometer, tachometer, and fuel, water and battery gauges.
By the 1970’s driving became easier as automatic transmissions replaced manual gear shifting and hydraulically assisted steering and brakes became standard. Comfort features evolved as well: climate control – first heat, later air-conditioning; and entertainment – AM radio, FM radio, 8-track tape, CD’s, and today streaming media. In the last decade GPS-driven navigation systems began to appear.

Safety
At the same time cars were improving, automobile companies fought safety improvements tooth and nail. By the 1970’s auto deaths in the U.S averaged 50,000 a year. Over 3.7 million people have died in cars in the U.S. since they appeared – more than all U.S. war deaths combined. (This puts auto companies in the rarified class of companies – along with tobacco companies – that have killed millions of their own customers.) Car companies argued that talking safety would scare off customers, or that the added cost of safety features would put them in a competitive price disadvantage. But in reality, style was valued over safety.

Safety systems in automobiles have gone through three generations – passive systems and two generations of active systems. Today we’re about to enter a fourth generation – autonomous systems.

Passive safety systems are features that protect the occupants after a crash has occurred. They started appearing in cars in the 1930’s. Safety glass in windshields appeared in the 1930’s in response to horrific disfiguring crashes. Padded dashboards were added in the 1950’s but it took Ralph Nader’s book, Unsafe at Any Speedto spur federally mandated passive safety features in the U.S. beginning in the 1960’s: seat belts, crumple zones, collapsible steering wheels, four-way flashers and even better windshields. The Department of Transportation was created in 1966 but it wasn’t until 1979 that the National Highway Traffic Safety Administration (NHTSA) started crash-testing cars (the Insurance Institute for Highway Safety started their testing in 1995). In 1984 New York State mandated seat belt use (now required in 49 of the 50 states.)

These passive safety features started to pay off in the mid-1970’s as overall auto deaths in the U.S. began to decline.

Active safety systems try to prevent crashes before they happen. These depended on the invention of low-cost, automotive-grade computers and sensors. For example, accelerometers-on-a-chip made airbags possible as they were able to detect a crash in progress. These began to appear in cars in the late 1980’s/1990’s and were required in 1998. In the 1990’s computers capable of real-time analysis of wheel sensors (position and slip) made ABS (anti-lock braking systems) possible. This feature was finally required in 2013.

Since 2005 a second generation of active safety features have appeared. They run in the background and constantly monitor the vehicle and space around it for potential hazards. They include: Electronic Stability Control, Blind Spot Detection, Forward Collision Warning, Lane Departure Warning, Rearview Video Systems, Automatic Emergency Braking, Pedestrian Automatic Emergency Braking, Rear Automatic Emergency Braking, Rear Cross Traffic Alert and Lane Centering Assist.

Autonomous Cars
Today, a fourth wave of safety features is appearing as Autonomous/Self-Driving features. These include Lane Centering/Auto Steer, Adaptive cruise control, Traffic jam assist, Self-parking, full self-driving. The National Highway Traffic Safety Administration (NHTSA) has adopted the six-level SAE standard to describe these vehicle automation features:

Getting above Level 2 is a really hard technical problem and has been discussed ad infinitum in other places. But what hasn’t got much attention is how drivers interact with these systems as the level of automation increases, and as the driving role shifts from the driver to the vehicle. Today, we don’t know whether there are times these features make cars less safe rather than more.

For example, Tesla and other cars have Level 2 and some Level 3 auto-driving features. Under Level 2 automation, drivers are supposed to monitor the automated driving because the system can hand back control of the car to you with little or no warning. In Level 3 automation drivers are not expected to monitor the environment, but again they are expected to be prepared to take control of the vehicle at all times, this time with notice.

Research suggests that drivers, when they aren’t actively controlling the vehicle, may be reading their phone, eating, looking at the scenery, etc. We really don’t know how drivers will perform in Level 2 and 3 automation. Drivers can lose situational awareness when they’re surprised by the behavior of the automation – asking: What is it doing now? Why did it do that? Or, what is it going to do next? There are open questions as to whether drivers can attain/sustain sufficient attention to take control before they hit something. (Trust me, at highway speeds having a “take over immediately” symbol pop up while you are gazing at the scenery raises your blood pressure, and hopefully your reaction time.)If these technical challenges weren’t enough for drivers to manage, these autonomous driving features are appearing at the same time that car dashboards are becoming computer displays.

We never had cars that worked like this. Not only will users have to get used to dashboards that are now computer displays, they are going to have understand the subtle differences between automated and semi-automated features and do so as auto makers are developing and constantly updating them. They may not have much help mastering the changes. Most users don’t read the manual, and, in some cars, the manuals aren’t even keeping up with the new features.

But while we never had cars that worked like this, we already have planes that do.
Let’s see what we’ve learned in 100 years of designing controls and automation for aircraft cockpits and pilots, and what it might mean for cars.

Aircraft Cockpits
Airplanes have gone through multiple generations of aircraft and cockpit automation. But unlike cars which are just first seeing automated systems, automation was first introduced in airplanes during the 1920s and 1930s.

For their first 35 years airplane cockpits, much like early car dashboards, were simple – a few mechanical instruments for speed, altitude, relative heading and fuel. By the late 1930’s the British Royal Air Force (RAF) standardized on a set of flight instruments. Over the next decade this evolved into the “Basic T” instrument layout – the de facto standard of how aircraft flight instruments were laid out.

Engine instruments were added to measure the health of the aircraft engines – fuel and oil quantity, pressure, and temperature and engine speed.

Next, as airplanes became bigger, and the aerodynamic forces increased, it became difficult to manually move the control surfaces so pneumatic or hydraulic motors were added to increase the pilots’ physical force. Mechanical devices like yaw dampers and Mach trim compensators corrected the behavior of the plane.

Over time, navigation instruments were added to cockpits. At first, they were simple autopilots to just keep the plane straight and level and on a compass course. The next addition was a radio receiver to pick up signals from navigation stations. This was so pilots could set the desired bearing to the ground station into a course deviation display, and the autopilot would fly the displayed course.

In the 1960s, electrical systems began to replace the mechanical systems:

  • electric gyroscopes (INS) and autopilots using VOR (Very High Frequency Omni-directional Range) radio beacons to follow a track
  • auto-throttle – to manage engine power in order to maintain a selected speed
  • flight director displays – to show pilots how to fly the aircraft to achieve a preselected speed and flight path
  • weather radars – to see and avoid storms
  • Instrument Landing Systems – to help automate landings by giving the aircraft horizontal and vertical guidance.

By 1960 a modern jet cockpit (the Boeing 707) looked like this:

While it might look complicated, each of the aircraft instruments displayed a single piece of data. Switches and knobs were all electromechanical.

Enter the Glass Cockpit and Autonomous Flying
Fast forward to today and the third generation of aircraft automation. Today’s aircraft might look similar from the outside but on the inside four things are radically different:

  1. The clutter of instruments in the cockpit has been replaced with color displays creating a “glass cockpit”
  2. The airplanes engines got their own dedicated computer systems – FADEC (Full Authority Digital Engine Control) – to autonomously control the engines
  3. The engines themselves are an order of magnitude more reliable
  4. Navigation systems have turned into full-blown autonomous flight management systems

So today a modern airplane cockpit (an Airbus 320) looks like this:

Today, airplane navigation is a real-world example of autonomous driving – in the sky. Two additional systems, the Terrain Awareness and Warning Systems (TAWS) and Traffic Condition Avoidance System (TCAS) gave pilots a view of what’s underneath and around them dramatically increasing pilots’ situation awareness and flight safety. (Autonomy in the air is technically a much simpler problem because in the cruise portion of flight there are a lot less things to worry about in the air than in a car.)

Navigation in planes has turned into autonomous “flight management.” Instead of a course deviation dial, navigation information is now presented as a “moving map” on a display showing the position of navigation waypoints, by latitude and longitude. The position of the airplane no longer uses ground radio stations, but rather is determined by Global Positioning System (GPS) satellites or autonomous inertial reference units. The route of flight is pre-programmed by the pilot (or uploaded automatically) and the pilot can connect the autopilot to autonomously fly the displayed route. Pilots enter navigation data into the Flight Management System, with a keyboard. The flight management system also automates vertical and lateral navigation, fuel and balance optimization, throttle settings, critical speed calculation and execution of take-offs and landings.

Automating the airplane cockpit relieved pilots from repetitive tasks and allowed less skilled pilots to fly safely. Commercial airline safety dramatically increased as the commercial jet airline fleet quadrupled in size from ~5,000 in 1980 to over 20,000 today. (Most passengers today would be surprised to find out how much of their flight was flown by the autopilot versus the pilot.)

Why Cars Are Like Airplanes
And here lies the connection between what’s happened to airplanes with what is about to happen to cars.

The downside of glass cockpits and cockpit automation means that pilots no longer actively operating the aircraft but instead monitor it. And humans are particularly poor at monitoring for long periods. Pilots have lost basic manual and cognitive flying skills because of a lack of practice and feel for the aircraft. In addition, the need to “manage” the automation, particularly when involving data entry or retrieval through a key-pad, increased rather than decreased the pilot workload. And when systems fail, poorly designed user interfaces reduce a pilot’s situational awareness and can create cognitive overload.

Today, pilot errors — not mechanical failures– cause at least 70-80% of commercial airplane accidents. The FAA and NTSB have been analyzing crashes and have been writing extensively on how flight deck automation is affecting pilots. (Crashes like Asiana 214 happened when pilots selected the wrong mode on a computer screen.) The FAA has written the definitive document how people and automated systems ought to interact.

In the meantime, the National Highway Traffic Safety Administration (NHTSA) has found that 94% of car crashes are due to human error – bad choices drivers make such as inattention, distraction, driving too fast, poor judgment/performance, drunk driving, lack of sleep.

NHTSA has begun to investigate how people will interact with both displays and automation in cars. They’re beginning to figure out:

  • What’s the right way to design a driver-to-vehicle interface on a screen to show:
    • Vehicle status gauges and knobs (speedometer, fuel/range, time, climate control)
    • Navigation maps and controls
    • Media/entertainment systems
  • How do you design for situation awareness?
    • What’s the best driver-to-vehicle interface to display the state of vehicle automation and Autonomous/Self-Driving features?
    • How do you manage the information available to understand what’s currently happening and project what will happen next?
  • What’s the right level of cognitive load when designing interfaces for decisions that have to be made in milliseconds?
    • What’s the distraction level from mobile devices? For example, how does your car handle your phone? Is it integrated into the system or do you have to fumble to use it?
  • How do you design a user interface for millions of users whose age may span from 16-90; with different eyesight, reaction time, and ability to learn new screen layouts and features?

Some of their findings are in the document Human-centric design guidance for driver-vehicle interfaces. But what’s striking is that very little of the NHSTA documents reference the decades of expensive lessons that the aircraft industry has learned. Glass cockpits and aircraft autonomy have traveled this road before. Even though aviation safety lessons have to be tuned to the different reaction times needed in cars (airplanes fly 10 times faster, yet pilots often have seconds or minutes to respond to problems, while in a car the decisions often have to be made in milliseconds) there’s a lot they can learn together. Aviation has gone 9 years in the U.S. with just one fatality, yet in 2017 37,000 people died in car crashes in the U.S.

There Are No Safety Ratings for Your Car As You Drive
In the U.S. aircraft safety has been proactive. Since 1927 new types aircraft (and each sub-assembly) are required to get a type approval from the FAA before it can be sold and be issued an Airworthiness Certificate.

Unlike aircraft, car safety in the U.S. has been reactive. New models don’t require a type approval, instead each car company self-certifies that their car meets federal safety standards. NHTSA waits until a defect has emerged and then can issue a recall.

If you want to know how safe your model of car will be during a crash, you can look at the National Highway Traffic Safety Administration (NHTSA) New Car Assessment Program (NCAP) crash-tests, or the Insurance Institute for Highway Safety (IIHS) safety ratings. Both summarize how well the active and passive safety systems will perform in frontal, side, and rollover crashes. But today, there are no equivalent ratings for how safe cars are while you’re driving them. What is considered a good vs. bad user interface and do they have different crash rates? Does the transition from Level 1, 2 and 3 autonomy confuse drivers to the point of causing crashes? How do you measure and test these systems? What’s the role of regulators in doing so?

Given the NHTSA and the FAA are both in the Department of Transportation (DoT), It makes you wonder whether these government agencies actively talk to and collaborate with each other and have integrated programs and common best practices. And whether they have extracted best practices from the NTSB. And from the early efforts of Tesla, Audi, Volvo, BMW, etc., it’s not clear they’ve looked at the airplane lessons either.

It seems like the logical thing for NHTSA to do during this autonomous transition is 1) start defining “best practices” in U/I and automation safety interfaces and 2) to test Level 2-4 cars for safety while you drive (like the crash tests but for situational awareness, cognitive load, etc. in a set of driving scenarios. (There are great university programs already doing that research.)

However, the DoT’s Automated Vehicles 3.0 plan moves the agency further from owning the role of “best practices” in U/I and automation safety interfaces. It assumes that car companies will do a good job self-certifying these new technologies. And has no plans for safety testing and rating these new Level 2-4 autonomous features.

(Keep in mind that publishing best practices and testing for autonomous safety features is not the same as imposing regulations to slow down innovation.)

It looks like it might take an independent agency like the SAE to propose some best practices and ratings. (Or the slim possibility that the auto industry comes together and set defacto standards.)

The Chaotic Transition
It took 30 years, from 1900 to 1930, to transition from horses and buggies in city streets to automobiles dominating traffic. During that time former buggy drivers had to learn a completely new set of rules to control their cars. And the roads in those 30 years were a mix of traffic – it was chaotic.
In New York City the tipping point was 1908 when the number of cars passed the number of horses. The last horse-drawn trolley left the streets of New York in 1917. (It took another decade or two to displace the horse from farms, public transport and wagon delivery systems.) Today, we’re about to undergo the same transition.

Cars are on the path for full autonomy, but we’re seeing two different approaches on how to achieve Level 4 and 5 “hands off” driverless cars. Existing car manufacturers, locked into the existing car designs, are approaching this step-wise – adding additional levels of autonomy over time – with new models or updates; while new car startups (Waymo, Zoox, Cruise, etc.) are attempting to go right to Level 4 and 5.

We’re going to have 20 or so years with the roads full of a mix of millions of cars – some being manually driven, some with Level 2 and 3 driver assistance features, and others autonomous vehicles with “hands-off” Level 4 and 5 autonomy. It may take at least 20 years before autonomous vehicles become the dominant platforms. In the meantime, this mix of traffic is going to be chaotic. (Some suggest that during this transition we require autonomous vehicles to have signs in their rear window, like student drivers, but this time saying, “Caution AI on board.”)

As there will be no government best practices for U/I or scores for autonomy safety, learning and discovery will be happening on the road. That makes the ability for car companies to have over-the-air updates for both the dashboard user interface and the automated driving features essential. Incremental and iterative updates will add new features, while fixing bad ones. Engaging customers to make them realize they’re part of the journey will ultimately make this a successful experiment.

My bet is much like when airplanes went to glass cockpits with increasingly automated systems, we’ll create new ways drivers crash their cars, while ultimately increasing overall vehicle safety.

But in the next decade or two, with the government telling car companies “roll your own”, it’s going to be one heck of a ride.

Lessons Learned

  • There’s a (r)evolution as car dashboards move from dials and buttons to computer screens and the introduction of automated driving
    • Computer screens and autonomy will both create new problems for drivers
    • There are no standards to measure the safety of these systems
    • There are no standards for how information is presented
  • Aircraft cockpits are 10 to 20 years ahead of car companies in studying and solving this problem
    • Car and aircraft regulators need to share their learnings
    • Car companies can reduce crashes and deaths if they look to aircraft cockpit design for car user interface lessons
  • The Department of Transportation has removed barriers to the rapid adoption of autonomous vehicles
    • Car companies “self-certify” whether their U/I and autonomy are safe
    • There are no equivalents of crash safety scores for driving safety with autonomous features
  • Over-the-air updates for car software will become essential
    • But the downside is they could dramatically change the U/I without warning
  • On the path for full autonomy we’ll have three generations of cars on the road
    • The transition will be chaotic, so hang on it’s going to a bumpy ride, but the destination – safety for everyone on the road – will be worth it

8 Responses

  1. safetyy typo in the title?

    Very informative.

    Like

  2. Great article Steve. One thing I’d point out is that you’re comparing all driving, both personal and professional, to airline flying. Airline pilots have vast amounts of initial and recurrent training on the plane and, more specifically, the systems to which your referring. I would suggest this has a significant effect on the safety history of the airborne automation systems. (General aviation pilots are not subject to the same level of training and our accident record reflects it.). Perhaps a concerted effort to train drivers on the new technologies, instead of just handing them the keys, may show a better safety record, especially during the transition years.

    Like

  3. Great article …

    But the model 3 mid screen is an UI disaster, you need essential information like speed in front of you, especially while traveling fast, a screen in the middle is adding workload to the driver not reducing it.

    Perfect would be a non intrusive situation aware driver companion AI like Jarvis, giving you hints and also observing the driver for fatigue (well I do think that some people would like to drive even a level 5 car on their just for fun)

    Like

  4. Steven, great article but as a retired commercial pilot, I am not convinced that your analogy holds up to people that operate in both worlds.

    In aviation we spend hours operating at altitudes that mistakes are not generally fatal. Admittedly, troubles in aviation automation during takeoff and landing require immediate action. So for 95% of the time no immediate response is required. We can take control of the aircraft manually, then reset the automation one step at a time. The other 5% of the time, when commercial aircraft drop below 18,000 feet the cockpit becomes sterile and even the flight attendants will not interrupt you and idle conversations are restricted. (In theory any way.). As a previous reply stated, pilots are also trained to loose automation in flight simulators on initial checkout and during recurring training. That will never happen with automation in cars.

    In automotive automation, if lost once you are over 10 or 15 mph, immediate action would be required to protect the car, the driver, the passengers and others in the immediate area whether in another car or pedestrians. There is no such thing as a sterile cockpit in a car. We may wish there was but it is not likely to happen, so for 95% of the trip, we are asking drivers to pay 100% attention and that will never happen.

    The shear numbers of car trips would make the risk too great to even think of just turning these “missiles” loose on a freeway. We understand your point, but it will take much greater time before we turn automation loose for the general, aging, untrained public.

    Like

  5. “chaos” == people dying.

    A key difference between aviation and driving: The full time job of the pilot is training and using the aviation automation system. So much so that a Boeing pilot cannot fly a Airbus plane without training.

    Are we prepared for having to be trained as a “GM-certified driver”?

    The real problem I see: human drivers are actually relatively safe and getting safer (with assistance) all the time.

    Part of that safety comes in the form of human to human non-verbal communication: A pedestrian looks a human driver in the eyes to ensure they are seen. A driver notices that the child is wobbly on their bike, slows down and makes room for them. A driver notices that the school bus is pulling over and expects to see kids starting to cross the road even before the safety stop sign extends.

    Technologists are overrate the sensor aspect of things.

    Technologists talk about the “trolley problem”. However, regular human drivers recognize potential trolley situations and avoid a trolley problem from presenting itself.

    Like

  6. Steven is correct. It is happening so let’s try to anticipate and fix the problems and not worry so much about runway behind us.

    Like

  7. Steve, great insights.
    In general aviation, if you want to fly a specific aircraft type, or one with retractable landing gear say, its not just the FAA serving as gatekeeper of that left seat: its your aviation insurance company. You will need a certain amount of time in type (and transition training) before they will underwrite. When it comes to partial or conditional automation levels for autos, I wonder if this industry may begin following that model as well.
    And perhaps with finer granularity: that automation feature (or maybe even the steering wheel) in your new car may be disabled remotely by your insurance company until you’ve jumped through all their hoops.

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: