A brief review about the history, philosophy and current trends concerning automotive safety automation
...and why we won't have automatic cars during the next few decades
Can't Roll Up Your Audi A4 Power Window Let's Uncover the Issue!
Review: Development and trends in vehicle safety automation
1. Review: Development and trends in vehicle safety automation
Dominic Portain
04/25/10
Abstract
Objective: This review covers the recent 50 years of driving-related research and oers an out-
look into future developments of vehicle safety automation from the perspective of human factors
and ergonomic design. Background: Safety features in automotive design and engineering feature an
increasing amount of automated processes, creating the need for evaluation of driver behavior and
interaction. Structure: A brief comparison of the contemporary, basic approaches regarding automa-
tion is presented to provide a solid foundation for the following topics. After a brief historcal overview
of the related ndings in automotive safety, the focus is changed towards present issues and trends:
the example of intelligent seatbelt indicators is used as an introduction to the discussion between
hard and soft automation. Finally, the combined remarks are compiled into an outlook about the
future development of safety automation in automotive design.
Introduction
Ever since the introduction of the personal automobile, considerable eort was expended to increase
safety for the passengers while driving. The safety devices for early cars were directly adopted from
horse carriers, as both were travelling at approximately the same speed and weight. However, when
automobile parts became more powerful and the electric systems were increasingly portable, new features
- such as the brake light - became neccessary to prevent frequent accidents. Along with the increasingly
miniaturized electronics, essential- as well as comfort and safety features were subject to a strong trend
towards automation. Quickly, indicator lights were blinking in a steady rhythm and the engine didn't
require a crank for startup any more.
Approximately in the early 70s, a paradigm that would later be described as performance-oriented by
Parasuraman Ridley (1997), peaked in its popularity among automotive engineers and designers. Trac
accidents were seen as consequence of lacking mechanic properties of the vehicle parts. As the historic
solutions often excerted undesired behavior in extreme situations (such as self-oscillating suspensions
that cause a barrel roll after aprupt changes of direction), this explanation followed sound reasoning.
Only when the major technical issues were resolved - trac accidents dropping by almost 80% -, another
contributing factor for accidents became increasingly evident. The human in the driver's seat - and his,
often unexplicably low, performance - had to be incorporated into future safety measures as well.
Performance versus Behavior
The major paradigm shift in those decades was led by the increasingly important distinction between
performance and behavior (Lee 2008b). While performance in the traditional sense could be (and, in
military context, was) described as the limit of physical and mental capabilites, behavior was a better
description for the processes in daily trac. In contrast to the military denition, the possible limits
of man and machine were found to be rarely reached even in extreme situations: Casual drivers neither
dispose of the extensive training nor of the clear objectives that make the performance paradigm a valid
assumption in combat situations. Several other factors prove to be inuental to the drivers' behavior:
• limits of perception and attention (especially in heavy trac) decrease the information basis on
which the reactions are based;
1
2. • the three most common impairments - fatigue, distraction and alcohol - decrease reaction speed
and accuracy;
• priorities, safety margins and trade-os (such as the cost of an accident versus the time of arrival)
eectively decrease the general limit of performance;
• personal goals, needs and motivations lead to subjectively biased - and, consequently, unpredictable
- decisions.
Additional to these factors - which are more or less valid for every human driver - individual dierences
play an essential role in modelling the causes of an accident. For example, the risk of having a fatal
accident is increased by ve times for elderly people (80 and beyond), compared to the age group between
40 and 50 years. Although the risk is - similarly - increased tenfold when comparing drivers under the
age of 20 to the reference group, the underlying reason is completely dierent. In order to understand
why the pure risk percentages are insucient in the process of planning a future safety feature, one must
rst acknowledge the inherent complexity and inhomogeneity within its user group. Made possible by
advances in the young eld of cognitive psychology and -ergonomics, several studies were conducted that
introduced a certain amount of transparency into the eld of complex interactions between man and
machine.
Adoption of Technology
Parasuraman Ridley (1997) have introduced four rudamentary but robust categories that describe the
basic forms of interaction: Use, Abuse, Misuse and Disuse. The distinction is reasonably robust because
it is based on the interaction of underlying long-term factors, such as personal skills or design usability.
First, the concept Use describes the ideal type of interaction: the system provides valuable support to
the user's task, and the user decides to engage the automation during adequate situations (e.g., the rain-
intensity dependent windscreen wiper that prevents the user from constantly switching the wiping speed).
In automotive design, solutions that promote use are highly desired because of the decreasing cognitive
workload ( CWL; see Patten et al., 2004) by enabling cognitive outsourcing. In cases of abuse, the user
is willing to accept the system's intervention. However, most likely due to an unforseen combination of
circumstances, the automation does either not provide adequate support, or even counteracts the user. A
prominent example features the safety system in modern aircrafts that prevents full reverse throttle when
no weight is measured on the landing wheels. This principle also holds when the responsible sensor has
failed, preventing a safe landing. Unfortunately, this design aw only becomes apparent at the moment
when the catastrophe is already inevitable.
To understand the following two aspects of awed man-machine interaction, grasping the concept of
operator condence or trust is imperative. Due to a series of psychological factors - including several
misattributed heuristics from social psychology - the operator of a complex system begins to develop
a decision bias in whether to trust in the automated process. As a general rule, trust increases with
the regularity of expected behavior; and is severely decreased after an unexpected event. An operator
condence level that is too high (overestimation of reliability) is attributed with the term misuse, while
a overly low condence level creates disuse. Both processes lead to awed operator decisions concerning
the use of existing automation - either through trusting a system which is not adequately equipped to
cope with the situation (e.g. a parking sensor that is expected to detect light bushes) or through not
engaging the automation even when it could righteously support the user (e.g. turning the parking sensor
o before reversing into one's garage).
For those aspects, it is not only imperative to estimate the amount of perceived condence in the early
design, but also to consider the method of enabling or disabling one specic automation. Additional
to the operator's evaluation whether or not to trust the automation (decision bias), the action also can
inuence the perceived control and risk normalization : current risk psychology assumes that operators
behave in an equilibrium of (perceived) risk and control. The activation of an additional safety mechanism
can lead to an inadequate increase of perceived safety, causing a greater tolerance towards other risks.
For example, this mechanism leads to more careless driving behavior (higher speeds, less safety distance)
when the adaptive cruise control is perceived as capable to execute the neccessary braking maneuvers.
2
3. If, additionally, either road or trac conditions fall outside the implemented parameters, the situation
imperceptibly degrades to misuse. When the safety automation isn't consciously perceived - as, for
example, is the case with seatbelts or airbags - the negative inuence through risk normalization is far
smaller then the actual increase in safety, causing an overall positive eect.
To prevent the occurence of each of the several biases (condence, perceived risk and control pose only a
small, although signicant, sample), current ergonomic design strives to reach a balance of authority (Lee,
2008a): The operator is in complete control as long as he is capable of resolving the situation, yet the
automation takes initiative when it is adequate to provide support. This balance requires an excellent
evaluation of capabilities from either the user or the automation - and careful consideration from the
designer, when including the interface to enable or disable certain automatic safety systems. As these
issues require increasingly detailed psychological insights much more than physical performance data, the
view on automation has generally shifted towards an operator-centric perspective.
Hard or Soft Driving?
The balance of authority is a rather recent prospect to automotive engineers. However, the issue has
already received sucient attention in aviation over the past two decades. The two opposite approaches,
soft and hard automation, are represented prominently through the design paradigms by Boeing and
Airbus. If the process of pulling up a Boeing 777 exceeds the plane's safety limit of structural strength,
the yoke becomes stier - increasing the required force to fulll the critical action (soft automation). In
contrast, the Airbus 380 limits the actions of its pilots to the predened safety margins (hard automation).
In an incident that involved a critical engine failure in a China Airlines 747 in 1985 (see Young, Stanton
and Harris, 2007), the airplane suered signicant structural damage while losing almost 30.000 feet in
an uncontrollable dive. Because the control inputs that led to the recovery of control had exceeded the
safety limits, the plane would have crashed under a hard automation. Overall, the Airbus paradigm is
designed to overrule small control mistakes or human overreactions that could result in larger accidents;
in turn taking control from the pilots when an unforeseen situation occurs (bias towards abuse : designers
ignore operators' skills). The Boeing paradigm, in contrast, is designed to refrain from taking control
even over apparent errors (bias towards disuse : operators ignore automation capabilities) and providing
adequate feedback instead.
Young et al. performed a meta-study to provide an indication which paradigm results in more desirable
results. The indicator in air trac can be directly compared to automotive trac: number of accidents
caused by automation errors in either of the two aircraft types. The data reveals that more than twice as
many major faults were caused by awed automation systems that followed the hard approach. Addition-
ally, many of the Boeing-related accidents were only barely tenuously related to automation, as primarily
being caused by a lack of situational awareness among the crew. In the aviation industry, conclusions
were drawn according to those tendencies. Overly automated systems seem to develop animacy : they are
perceived to have an own will, that has to be defeated when the intentions of humans and automation do
not match. This problem was condensated to a lack of mode awareness : the crew couldn't understand the
procedure that was currently executed by the automation, provoking a blind wrestling for control. For
example, when an automated ight level change was overridden by a manual increase of climb rate, an
invisible mode was activated; resulting in a surprising behavior when this mode causes an error during
the landing procedure (several hours later).
As a resolution to the conict between soft and hard automation, the authors introduce a third philosophy
- again, based on the concept of shared authority. To improve communication between operator and
machine and prevent errors (e.g., of mode awareness), an intuitive feedback system is proposed to be
constructed using usability engineering.
Application
One of the earliest technologies in vehicle safety that incorporate the principle of shared authority is the
concept of intelligent seatbelt indicators (Lie, 2006). This implementation, although technically following
the hard paradigm, refrains from taking control over any driving functions. As an early example of
3
4. successfully shared authority, the safety feature only provides (visible and audible) constant feedback to
the operator when his seatbelt is not engaged yet. The swedish researchers compared seatbelt use in
automobiles with or without seatbelt indicators within urban areas across Europe. The results showed
that the lack of this device is connected to a vefold increased rate of driving without seatbelt. The
seatbelt indicator design uses the risk normalization to its advantage: The actual seatbelt use is perceived
as almost neutral when risk prevention is concerned (see Lee, 2008b). By bringing the lack of a seatbelt to
the drivers' attention, the perceived risk is increased - causing either more careful driving behavior or the
engagement of the seatbelt. An interesting factor concerns perceived control, as drivers' risk perception
is also inuenced by their actual choice whether to wear the seatbelt or not. The system is currently
designed to stop after at least 90 seconds of signaling; the ratio of seatbelt use is expected to decrease
slightly when this is not the case (and drivers feel forced into engaging the seatbelt).
Currently, automobile automation can be classied into one of two categories: vehicle automation and
driving automation (Bishop, 2000). The former (e.g., automatic transmissions, ABS, ESP, classic cruise
control) aects only the lowest level of driving: brakes, gears, accelerator; controlled by the direct prox-
imity (traction, motor revolutions or wheel speed). Driving automation techniques (e.g., adaptive cruise
control, collision avoidance system, parking aids) are, in contrast, context-dependent - inuenced and
controlled by cues from a complex environment. As a result from this inherent complexity, errors and
design aws become much more apparent and inuential when driving automation is implemented under
the paradigm of hard automation: the user has no means, in contrast to the soft paradigm, to override
an erronous intention in a critical situation. Generally, driving automation is therefore better suited for
soft paradigms. The context-independent vehicle control, in comparison, has a far smaller spectrum of
possibilities - which, additionally, are not as well perceived by the driver. Therefore, hard paradigms tend
to be suited better for automation systems that increase the safety and stability of vehicle control. Even
if this categorization already seems to crystallize from concurrent implementations, the sharp separation
of the two paradigms is not only unneccessary, but prevents the incorporation of essential feedback that
could prove useful against human mode errors and cognitive biases.
The consequence of these ndings not only aects future automation in automotive and aviation design,
but also coincides with the paradigm shift that can simultaneously be observed in computer science:
the trend towards steadily increasing automation has come to a standstill. The increasingly important
focus on usability, together with the retention from clustering multiple services to one bundle (e.g., the
Yahoo search portal, the Adobe Creative Suite), provides the user with a perception of greater relevance.
Software and automotive systems become increasingly aware of their limitations, and - as formerly,
the quality of intelligent behavior - balance of authority will become the next most relevant design
consideration. As a result of this subtle paradigm shift, interaction with technical devices will be much
more eortless in the near future - allowing the intuitive incorporation of several automative solutions
into our daily procedures. As the all-in-one paradigm will further decrease in relevance, we will be using
(and depending on) several dierent devices throughout our day - each interface optimized to present
only the most neccessary choices and information.
Finally, the increasingly strong prognosis about the development of fully automated automobiles (ex-
claimed univocally by both futurologists and engineers) will probably not become reality in the next few
decades - until the automation can retain the vehicle control without the need for human intervention.
Ironically, when the automation is more capable than a human driver in all situations, the driver not
only becomes utterly superuous .
Conclusions
The view on interface design and safety automation has undergone a shift towards a user-centric per-
spective. One of the essential aspects concerns the balance of authority between driver and automated
system, which can additionally be inuenced by a variety of psychological factors. The choice for one or
another type of design (e.g., hard or soft automation) can strongly inuence the actual increase of safety
in daily usage.
Designers are strongly adviced to incorporate the users and their cognitive biases already in the early
stages of design. Not only increases usability optimization cost exponentially with the elapsed progress;
the intimate cooperation prevents all involved parties from falling victim to common engineering fallacies.
4
5. References
[Bishop(2000)] R. Bishop. A survey of intelligent vehicle applications worldwide. In Proceedings of the
IEEE Intelligent Vehicles Symposium, volume 2000, 2000.
Human Factors: The Journal of the
[Lee(2008a)] John D. Lee. Fifty years of driving safety research.
Human Factors and Ergonomics Society, 50(3):521528, June 2008a. doi: 10.1518/001872008X288376.
URL http://hfs.sagepub.com/cgi/content/abstract/50/3/521.
[Lee(2008b)] John D. Lee. Review of a pivotal human factors article: Humans and automation: Use,
misuse, disuse, abuse. Human Factors: The Journal of the Human Factors and Ergonomics Society,
50(3):404410, June 2008b. doi: 10.1518/001872008X288547. URL http://hfs.sagepub.com/cgi/
content/abstract/50/3/404.
[Lie et al.(2008)Lie, Krat, Kullgren, and Tingvall] A. Lie, M. Krat, A. Kullgren, and C. Tingvall. In-
telligent seat belt RemindersDo they change driver seat belt use in europe? Trac Injury Preven-
tion, 9(5):446449, 2008.
[Parasuraman and Riley(1997)] R. Parasuraman and V. Riley. Humans and automation: Use, misuse,
disuse, abuse. Human Factors, 39(2), 1997.
[Patten et al.(2004)Patten, Kircher, Östlund, and Nilsson] C. J.D Patten, A. Kircher, J. Östlund, and
L. Nilsson. Using mobile telephones: cognitive workload and attention resource allocation. Accident
analysis prevention, 36(3):341350, 2004.
[Young et al.(2007)Young, Stanton, and Harris] M. S Young, N. A Stanton, and D. Harris. Driving au-
tomation: learning from aviation about design philosophies. International Journal of Vehicle Design,
45(3):323338, 2007.
5