Consumer Autonomous Vehicle Bill of Rights

• The bare minimum standard for introduction of AVs into commerce is that an AV does not degrade the safety of the highways, highway users, or accessible property.* (Do no harm!)
• AVs must objectively demonstrate their overall safety before deployment
  • An acceptable predeployment approach is using test drivers and demonstrating favorable comprehensive safety metrics comparison, including statistical confidence, between conventionally and automatically controlled vehicles over the same operational design domain.**
  • An alternative acceptable approach is comprehensive neutral third party safety case analysis (e.g. UL4600 compliance) of a proposed configuration of vehicle software, firmware, and hardware for an approved operational design domain.***
• No vehicle design configuration may be deployed that is projected or proven to increase the risk (considering the probability and consequence) of crashes or fire with due consideration of other motorists and their vehicles, to structures that might contain the AV while not in use (including by battery or other electrical fires), to police, fire fighters and other emergency personnel, or other vulnerable road users.
• AVs must include automatic fallback to a safe state in the event of mechanical failure, software or data processing failure or fault, inability to safely continue based on Object Event Detection and Response processing failure, other consequential operational problem, or upon occupant demand.

* National Motor Vehicle Crash Causation Survey (~1/140 million hours of operation between critical factors in fatal crashes), https://crashstats.nhtsa.dot.gov/Api/Public/ViewPublication/811059
** https://www.autosafety.org/wp-content/uploads/2021/04/Center-for-Auto-Safety-Comment-on-ADS-Framework-ANPRM-Docket-No.-NHTSA-2020-0106-FINAL.pdf
*** https://ulse.org/standards-and-engagement/presenting-standard-safety-evaluation-autonomous-vehicles/second-edition

• AVs must include effective cybersecurity in their designs.
• AVs must verify that the electronic interpretation of an operational command is the correct interpretation of such command.
• Operational AVs must verify that operational commands whether originating in electronic, verbal, or manual inputs, are from the authenticated authorized user only, and that other operational commands from all other sources are automatically rejected.
  • (A song on the radio with lyrics “Let’s go surfing now…” must not be allowed to redirect an AVs trajectory or trip planning by means of voice command.
  • Similarly, a malicious electronic input must not alter the AV authorized and intended operating state, trajectory, or destination.)

• AV designs may not discriminate against persons with physical or mental disabilities.
• Overall AV safety may not be based on prejudice against any cohort or group.
  • (For example, AV safety may not be grounded in such claims as an overall reduction in injury or death based on software that selectively kills only blond-haired children while saving everyone else.)
• AVs may not discriminate between acceptable users on the basis of their ethnicity, race, sex, age, or national origin.
• AV optical identification of humans as users or vulnerable road users may not provide differential results based on skin color, height, weight or other observable characteristics.
• AVs must assure safe ingress and egress of passengers without regard to their ability or disability.

• AVs must respect and adhere to motor vehicle laws concerning operations with or near law enforcement personnel and other first responders in the vicinity of or near the planned trajectory of the AV.
• AVs must respond correctly to manual, visual, and audible commands by emergency personnel, including commanded deviations from otherwise applicable traffic regulations.
• AVs must acknowledge and respond appropriately and safely to good Samaritans who may provide optical or manual warning signals in emergency situations in lieu of officials.

• AVs may never be programmed by manufacturers or users to violate motor vehicle laws except when commanded by authorized public officials. (e.g., cruise control settings exceeding speed limits are legal violations and are not permissible.)
• AVs must respond properly to hand signals and verbal commands from law enforcement or other officials. (e.g., an AV must not crash the gate at a secured facility [particularly when the guards have automatic weapons]).
• AVs must recognize and respond safely and appropriately to unmapped traffic events (e.g., collision response, fire activity, debris) or unexpected traffic warning signal lights and gates (e.g. gated railroad crossings, drawbridges, gated entrances/exits and similar variable automatic or manual traffic control devices.)

• AVs must include and conspicuously display markers and instructions that allow first responders to expeditiously immobilize and render the AV safe for extraction and recovery of injured or killed persons inside or outside of the AV after a crash, including police/fire/EMT personnel).
• AVs must provide easily understood markings and instructions to render the vehicle inert and safe for towing or carriage and/or storage after a crash.
• AVs must be designed to protect first responders, injured persons, and bystanders against unintended vehicle operation or emission of toxic products (including battery combustion products) after a crash.
• AVs must include means for law enforcement to remotely interdict AV operations for law enforcement, emergencies, or ad hoc traffic exclusion.

• AVs that transit across political boundaries with differing requirements or restrictions on AV operation must not increase risk to occupants, other motorists, or vulnerable road users by crossing that boundary, including but not limited to:
  • an AV designed for right hand driving being used in a country that specifies left hand driving.
  • a speed limit change from one within AV design limits to another that is beyond the safe control limits of the AV.
  • geofenced operational limits.

• AVs shall automatically confirm validity of software and firmware versions prior to operation.
• Safety-critical functionality that cannot be visually inspected and confirmed safe must be evaluated by built-in test and/or built-in diagnostics to confirm operation within safe limits prior to operation and anomalies reported to the operator and occupant(s) if different.
• Degraded AV operational limits due to safety-critical faults or incapacity must be immediately reported to authorized operator and consequent hazards automatically mitigated.
• During vehicle safety inspection by law enforcement or designees, AVs must report via readily available , non-proprietary web browsers, OBD port, or equivalent 1) the installed software/firmware version, and 2) existence and status of safety-critical functionality that cannot be visually, manually, or audibly inspected.

• AVs must provide a means for untrained occupants, including those with physical or mental limitations allowed unaccompanied use of the AV, to initiate and accomplish expedited safe vehicle stop and egress at any time.
• AV emergency egress must address physical or mental limitations of its passengers.
• AVs must never falsely imprison occupants who desire for any reason to terminate a trip and egress from the vehicle.
• AVs must self-diagnose and execute emergency safety maneuvers in response to plausible vehicle-generated emergencies such as fire, substantive sensor or digital processing fault, or mechanical failures.

• AV manufacturers must plan for full life cycle safe material handling, post-deployment protection of humans and the environment, and end-of-life sequestration or recycling of hazardous chemicals and materials used in AV manufacturing or operation.
• AVs must not increase vehicle lifetime fuel consumption compared to conventional vehicles with due consideration of end-to-end electrical generation, distribution, conversion, and storage efficiencies and the ongoing impact of unoccupied AV operation.

• No AV vehicle occupant shall be liable for the actions or consequences of AV automated controls.*
• Proving a products liability case (showing a defect) is incredibly slow, expensive, and may be impossible when AI is involved, so an explicit duty of care, as for human drivers, is needed to simplify compensation for victims of AI control safety defects.
• In order to ensure that AV victims are able to seek redress, this requirement is needed that does not set unachievable bars for recovery from negligent manufacturers.
• Humans face negligence claims when they fail to conform to the duty of care expected of a reasonable human driver, AV manufacturers must be subject to similar claims when their products fail to conform to this well-established standard.

* A Reasonable Driver Standard for Automated Vehicle Safety, Koopman and Widen, University of Miami Legal Studies Research Paper No. 4475181;

• When sold to consumers, AVs shall not include restrictions on the consumer’s right to sue for damages caused by the AV’s mechanical or logical design, implementation, or incorporation of unverified over-the-air software modifications or updates.
• When AVs provide transportation service for hire, as a condition of use there shall be no limitation on the customer’s right to sue for damages.
• AV owners and users shall be indemnified against the consequences of any AV defect in design, implementation, software, digital processing, sensor, logical, or mechanical failures.