AV Bill of Rights
Minimum Requirements for AV Safety
Working Draft - February 2023
AVs shall not increase risk of injury or death inside or outside of an AV.
- The bare minimum standard for introduction of AVs into commerce is that an AV does not degrade the safety of the highways, highway users, or accessible property. (Do no harm!)
- No vehicle design version may be deployed that increases the frequency of crashes or the likely magnitude of property damage due to crashes or fire.
- No vehicle design may be deployed that increases the probability of injury or death to vehicle occupants, to other motorists or their vehicles, to structures that might contain the AV (including by battery or other electrical fires), to police, fire fighters and other emergency personnel, construction personnel, or other vulnerable road users.
- AVs must include automatic fallback to a safe state in the event of mechanical failure, software or data processing failure or fault, inability to safely continue based on Object Event Detection and Response processing failure, other consequential operational problem, or occupant demand.
- A 2017 NHTSA paper shows a minimum standard for AV-specific reliability of ~1/140 million hours of operation between critical factors in fatal crashes.
AVs shall secure, verify, and authenticate operational commands and external communications.
- AVs must include effective cybersecurity in their designs.
- AVs must verify that the electronic interpretation of an operational command is the correct interpretation of such command.
- Operational AVs must verify that operational commands, whether originating in electronic, verbal, or manual inputs, are from the authenticated authorized user only, and that other operational commands from all other sources are automatically rejected.
- (A song on the radio with lyrics “Let’s go surfing now…” must not be allowed to redirect an AV's trajectory or trip planning by means of voice command.
- Similarly, a malicious electronic input must not alter the AV's authorized and intended operating state, trajectory, or destination.)
AVs shall not prejudice for or against any group of living persons with respect to any other group.
- AV designs may not discriminate against persons with physical or mental disabilities.
- Overall AV safety may not be based on prejudice against any cohort or group.
- (For example, AV safety may not be grounded in such claims as an overall reduction in injury or death based on software that selectively kills only blond-haired children while saving everyone else.)
- AVs may not discriminate between acceptable users on the basis of their ethnicity, race, sex, age, or national origin.
- AV optical identification of humans as users or vulnerable road users may not provide differential results based on skin color, height, weight or other observable characteristics.
- AVs must assure safe ingress and egress of passengers without regard to their ability or disability.
AVs shall respond appropriately to emergency vehicle lights, audible signals, and manual directions from police officers and good Samaritans without endangering either those third parties or vehicle occupants.
- AVs must respect and adhere to motor vehicle laws concerning operations with or near law enforcement personnel and other first responders in the vicinity of or near the planned trajectory of the AV.
- AVs must acknowledge and respond appropriately and safely to good Samaritans who may provide optical or manual warning signals in an emergency situation.
AVs shall not be programmed to violate motor vehicle laws.
- AVs may never be programmed by manufacturers or users to violate motor vehicle laws.
- (E.g., cruise control settings exceeding speed limits are legal violations and are not permissible.)
- AVs must respond properly to hand signals and verbal commands from law enforcement or other officials.
- (E.g., an AV must not crash the gate at a secured facility [particularly when the guards have automatic weapons]).
- (An AV must not refuse to stop at or crash into a toll or railroad crossing gate.)
- AVs must recognize and respond safely and appropriately to signal lights and gates at railroad crossings, drawbridges, and similar variable automatic or manual traffic control devices.
AVs shall expedite first responder safety and safe recovery of persons injured or killed after a crash including providing means to readily render vehicles safe for first responders, second responders, and bystanders.
- AVs must include and conspicuously display markers and instructions that allow first responders to expeditiously immobilize and render the AV safe (including fire suppression) for extraction and recovery of injured or killed persons inside or outside of the AV after a crash.
- AVs must provide easily understood markings and instructions to render the vehicle inert and safe for towing or carriage and/or storage after a crash.
- AVs must be designed to protect first responders, injured persons, and bystanders against unintended vehicle operation or emission of toxic products after a crash.
AVs shall safely transition between political boundaries without increasing the risk of injury or death.
- AVs that transit across political boundaries with differing requirements or restrictions on AV operation must not increase risk to occupants, other motorists, or vulnerable road users by crossing that boundary.
- (An extreme example is an AV designed for right-hand driving being used in a country that specifies left-hand driving.)
- (Another example is a speed limit change from one within AV design limits to another that is beyond the safe control limits of the AV.)
During safety inspections AVs shall automatically confirm the validity of installed software and firmware versions for that vehicle, and assess and report nominal capability and/or failure(s) of safety- and life-critical features that are not visually verifiable.
- The AV must detect and report software/firmware conformance and deviations. AVs include safety- and life-critical software features that cannot be visually inspected and verified. Because of the complexity of AV software/firmware and its safety functionality, only authorized software/firmware versions may be allowed.
- AVs must be designed so that safety inspection officials including mechanics and law enforcement can evaluate AV conformance with its safe mechanical and data processing functionality limits and performance. (Similar to the way oxygen sensor readouts show conformance with pollution control requirements.)
- AVs must make safety- and life-critical operational safety data available through the OBD port or equivalent without proprietary restrictions.
AVs shall include a fool-proof capability to expedite safe egress on demand of their occupants (e.g., a big red stop button).
- AVs must provide a means for untrained occupants to initiate expedited safe vehicle stop and occupant egress at any time.
- (A big red STOP button might do the trick.)
- AVs must never falsely imprison occupants who desire for any reason to terminate a trip and egress from the vehicle.
AVs shall not sell or distribute personally identifiable information of any person to any third parties without their explicit consent.
- AVs generate tremendous amounts of data that may reveal intimate details of their passengers’ private lives. AVs must not provide any personally identifiable information to any third parties without explicit permission on a per-transaction basis.
- (In other words, AV passengers must opt-in to data release each and every time it has been collected by an AV.)
- The scope of the third-party data distribution prohibition must include not only the authorized user but also other passengers, occupants, and other persons who may have been identified by, for example, facial recognition algorithms.
AV OEMs, their agents, representatives, and dealers shall assume legal responsibility and liability for safe AV operation. In no case shall a vehicle occupant who is not actively driving an AV be held responsible for the actions or consequences of its automated controls.
- Liability for AV operation must lie with the entity that is controlling the vehicle. If no occupant is directly controlling the vehicle, then the liability must be vested in those who designed, built, and introduced the vehicle into commerce.
- No one who is not actually controlling an AV may be held liable for its operation any more than a passenger in a taxi is responsible for its safe operation.
AVs shall collect and report operational data to support research and development to improve safety, performance, and reliability.
- As a quid pro quo for licensing or permission to operate on public roads and to assess the impact of AVs on highway safety, AVs must record and report on demand of responsible investigators video, parametric, and dynamic vehicle operational data needed to objectively determine AV safety, safety metrics, and safety trends.
- AVs must expedite, and not make difficult or impossible, responsible third-party requests to recover or interpret data supporting investigations of failures, fires, crashes, or cybersecurity violations.
AVs shall not increase the transportation sector environmental burden over their design lifetime.
- AV manufacturers must plan for safe handling, post-deployment protection of humans and the environment, and end-of-life sequestration or recycling of hazardous chemicals and materials used in AV manufacturing or operation.
- AVs must not increase vehicle lifetime end-to-end fuel consumption compared to conventional vehicles with due consideration of electrical generation, distribution, conversion, and storage efficiencies and the impact of unoccupied operation.