While there are still many technical challenges confronting developers of Self-Driving Cars (SDC), also called Autonomous Vehicles, the two most important social issues yet to be settled are the questions of ‘control’ and ‘ethics’ – as they relate to compliance with the road rules, safe driving and responsibility for accidents.
This essay considers one possible approach to the question of ‘Control’. The thorny problem of ‘Ethics’ is tackled in an upcoming post.
There are two sides to control: 1) who or what is ‘legally’ in control of the car, and 2) who or what has ‘actual’ control.
Definition of Actual Control
Actual control is taken to mean control of steering at a minimum, combined with the ability to take immediate control of braking and accelerating. Steering is critical to ‘actual control’ as, in order to steer, the driver is required to pay attention to the road at all times.
As an example, if Active Cruise Control (ACC) is activated, the car can automatically brake and accelerate to maintain speed and/or distance from the car in front, up to the speed limit. However, the person must still steer.
In these circumstances, the person retains both legal and actual control because they can override the ACC at any moment, by touching the brake, accelerator or cruise control knob.
Separately, Advanced Driver Assistance Systems (ADAS) such as ‘Forward Collision Avoidance’ (FCA) and ‘Lane-Keeping’ (L-K) can be activated in the background, as safety features.
Forward Collision Avoidance
The FCA is there solely to assist the driver. Its purpose is to stop the car before a collision if the driver fails to react in time.
If the FCA fails to respond as warranted, the driver may have a claim against the manufacturer and/or maintenance provider. This would be a civil matter. It could also trigger a recall, depending on the nature of the failure.
The manufacturer (or maintenance provider) would have no liability to third parties for any failure in the FCA. The reason is simple: the driver remains in legal control of the car at all times, and should not drive in a way that allows a crash to happen that is their fault (e.g. running into the back of the car in front).
If a collision occurs, the driver would be liable for all damages (subject to any mitigating circumstances).
If a collision is avoided by the FCA, then as soon as the car has stopped, all functions should be returned to the control of the driver so that they can proceed.
In the case of lane-keeping, the system may first give a warning to the driver that the car is drifting to the edge of its lane, and then take active control of steering to bring it back on to the centre-line – if the driver does not respond to the warning.
To ensure the driver remains in actual control, once back on the centre-line, the system should immediately return control of steering to the driver, ideally with a verbal warning that they are in control of the vehicle and must steer at all times. This should be an industry standard process.
Conversely, the driver must be able to override lane-keeping (to actively drive into another lane), say by using the indicator, or touching the brake or accelerator as they veer away. They may need to do so, for example, to avoid a potential collision with an object in the car’s path that has not been picked up by an FCA system that is still in ‘beta’ mode. This capability ensures the person in the driver’s seat has actual control (as well as legal control) at all times. Again, this should be an industry standard process that ensures the driver is making the manoeuvre intentionally.
System may take Legal and Actual Control
As a further safety measure (as GM is proposing with its ‘Super Cruise’ system), if after ‘x’ times or ‘y’ seconds (which should be an industry standard number in each case) the driver fails to take back and maintain control, or if the driver monitoring system determines the person is no longer alert (ideally, also in accord with some industry standard), the car could pull over and stop when it is safe to do so.
At the time that the car takes over full control (to stay in its lane or pull over), the system would have actual control and ought to then have legal liability for compliance with the road rules and for any accident during the time it remains in actual control. This puts the onus on the manufacturer to ensure its system is safe to carry out such manoeuvres, including signalling and safe merging. Unless and until it accepts this liability, it should not be permitted to offer the system as an option.
Traffic Violation and Automatic Reporting
Any time the system has to take actual control of steering, accelerating and braking to pull over, it ought to be a major traffic violation for the human driver. (The system only takes over when the driver has illegally relinquished actual control by letting the car drift in its lane after repeated warnings and/or a specified period of seconds).
Perhaps too, the violation should be automatically reported by the system to police, together with the vehicle’s location. As well, the car may be disabled for, say, 30 mins?
Depending on the reason for the loss of control (e.g. biometrics indicate a heart attack, stroke or loss of consciousness), an ambulance could also be summoned.
In-car cameras and phone videos are already being used in evidence, so having the car automatically report the loss of control (after repeated warnings/time) would seem a logical extension of this trend.
This may be contentious on privacy or civil liberty grounds, but a dangerous driver is breaching the civil liberties of everyone else on the road (by endangering their lives), and ought to be liable for that breach. If there is no breach, there is nothing to report. (Reporting specific breaches of the law is very different to central monitoring of all drivers at all times. While it can be argued that central monitoring does breach civil liberties, in cities at least it appears inevitable as a means of eliminating congestion, but that is a separate issue.)
An argument against automatic reporting is that it would discourage our worst offenders from using ADAS. However, there is no reason why FCA, L-K and ‘Super Cruise’ systems (including automatic reporting of loss of control) could not be made mandatory following a serious traffic violation – as an alternative to loss of licence; especially important where the person needs to drive to earn their living. Mandatory breath test interlocks for drink-driving offenders are already required in Australia.
Current Guidelines for ADAS Permit Separation of Legal and Actual Control
The current US NHTSA/SAE guide defines levels of automation from 0 to 5, with L5 being full automation in all circumstances.
Unfortunately, it is possible for the driver to have legal control, but not actual control at Level 2. This arises where both centre-line lane keeping and active cruise control are activated together.
At this level, the person is still required to pay attention to the road and to what the car is doing. However, they may have no role in actually driving the car, and may even be able to ‘let go the wheel’ for a period of time in some cases. It means, in effect, that the car is driving itself, and the person is assigned to a passive monitoring role. On an interstate freeway, this state of affairs could last for hours.
It is well recognised that people are very poor at passive monitoring tasks. And, the better the technology is at driving and the longer it keeps control without intervention, the more likely people will be lulled into a false sense of security (it is ‘false’ if the tech cannot be relied on to handle all eventualities while activated).
This seems to be the most likely cause of the Tesla accident on 7 May 2016 where the car ran into the side of a truck that had turned in front of it on the freeway. Had the driver been required to actively steer the car, it is most likely he would have kept his eyes on the road, realised the car was not braking, and done so himself.
It is difficult to see any safety advantage (for the driver or the community) in being able to take your hands off the wheel and (due to human nature) your eyes off the road, while you remain in legal control of the car. An accident can occur in just a few seconds of inattention.
Hands-free driving at L2 appears to be a dangerous novelty. As it clearly separates legal control from actual control, it ought not to be allowed.
Applying the Lessons Learned
Tesla seems to have learned its lesson and has now implemented its latest technology to operate in the background, without actually controlling the car. It means the company can still gather all the data it needs to refine its systems (by comparing the driver’s actual responses with what the system would have done had it been in control), without imperilling the driver, or anyone else.
Once Tesla is satisfied that its systems can operate safely (within specified areas and conditions), it is to be hoped that they (and the law) will accept that as soon as the car has actual control of all dynamic functions (steering, accelerating and braking), it also has legal control.
Benefits of Aligning Legal and Actual Control
With lane-keeping (but not lane-centring) combined with active cruise control and forward collision avoidance we get the best of all worlds until full SDCs are released:
- Competent drivers are not lulled into relying on beta tech that could fail to keep them safe, because to steer they must remain on alert, ready to brake or accelerate as needed.
- Delinquent/impaired drivers are protected from their own bad behaviour and, more importantly, everyone else is protected when those drivers fail to keep control of steering and braking.
- Other drivers and, as importantly, the police are alerted to the fact that the person is no longer in control of the car (as it wanders inside its lane for a short time, before pulling over), so both can take appropriate action: other drivers by giving the car a wide berth, and the police by apprehending the delinquent driver. Also, medical help could be summoned if the biometrics indicate ill health is the problem.
- Car companies can continue to test the full range of their driverless tech without putting drivers or anyone else at risk due to ‘passive monitoring syndrome’.
Once testing demonstrates they can safely accept full liability, manufacturers can gradually expand the areas and conditions where their cars are rated to operate in ‘autonomous mode’ – providing all the benefits of SDC, without incurring undue risk in the process.
Obviously, this takes away a bit of ‘fun’ from the semi-autonomous driving experience. However, this technology should be first and foremost for safety.
New Regulatory Guideline
It would seem that for safety’s sake, as well as to limit lawsuits, it would be better to dispense with ‘levels of automation’ and recognise only two legal modes of operation:
- Driver Mode: Driver in Legal and Actual Control (of steering as a minimum, as outlined above, combined with zero to any level of ADAS support)
- Autonomous Mode: System in Legal and Actual Control (within specified areas and conditions, from highly restricted to unlimited)
It is then up to each manufacturer to determine in regard to ‘Driver Mode’, what combination of ADAS support they will provide by model; and in regard to ‘Autonomous Mode’, the areas and conditions in which any of their cars may operate.
Autonomous Mode is when the ‘Fun’ Starts
It is only after the car has both legal and actual control that the ‘fun’ should start; with no requirement for the person to pay attention to the road, or the operation of the car.
A person should only need to become re-engaged with the driving task when the car warns that it is approaching the limit of the area or conditions where it is rated to operate (e.g. say, it is only rated to operate on freeways and is approaching the exit, or it appears that snow is likely, and it is not rated to operate safely in the snow, or it encounters an unfamiliar situation that forces it to slow or stop to allow the driver time to respond).
Managed Change in Control
Except where the system takes over control in an emergency (e.g. to avoid a forward collision), any change in control (from the person to the car, and the car to the person) ought to be a ‘managed’ process, with clearly defined steps (much like a handover between pilots in an aircraft).
The ‘handover’ process should be seen as ‘safety critical’ and developed as an industry standard, so any person is able to drive any autonomous car in manual mode (if they have a driving licence) without having to familiarise themselves with a new handover process each time they get into a different car.
Ideally, drivers should know how long they have before they are expected to be ready after a warning that they will be required to take back control; what steps they have to take to resume control; what tests the car will carry out to determine that they are capable of taking control and that they do, in fact, have control on handover; and what happens when they are deemed to be incapable, because they are (say) too sleepy, or drug or alcohol affected, or otherwise impaired (e.g. taken ill, etc).
Standard Safety Processes
Ideally, the industry and regulators should be collaborating to design a set of standard processes relating to vehicle control:
- No vehicle should have the capability to take full control of all dynamic functions without assuming legal control and, at the same time, releasing the person from any requirement to monitor the road or the car.
- To ensure the driver remains in actual control of steering, if for safety’s sake, the system needs to re-centre the car in its lane, the system should immediately return control of steering to the driver, ideally with a verbal warning that they are in control of the vehicle and must steer at all times.
- If after ‘x’ times or ‘y’ seconds (to be regulated numbers), the driver fails to take back and maintain control, the car pulls over when safe to do so.
- Driver ‘alert’ tests based on monitoring biometrics and/or change in driving behaviour that require the car to take control and pull over.
- An automatic call to the police and/or for help when the car is forced to take control and pull over.
- A managed handover process from driver to car, and car to driver, at the request of either the car or the driver, except where the car takes over emergency control.