EUR-Lex Access to European Union law

Back to EUR-Lex homepage

This document is an excerpt from the EUR-Lex website

Document 42021X0389

UN Regulation No 157 – Uniform provisions concerning the approval of vehicles with regards to Automated Lane Keeping Systems [2021/389]

PUB/2021/79

OJ L 82, 9.3.2021, p. 75–137 (BG, ES, CS, DA, DE, ET, EL, EN, FR, HR, IT, LV, LT, HU, MT, NL, PL, PT, RO, SK, SL, FI, SV)

Legal status of the document In force

ELI: http://data.europa.eu/eli/reg/2021/389/oj

9.3.2021   

EN

Official Journal of the European Union

L 82/75


Only the original UN/ECE texts have legal effect under international public law. The status and date of entry into force of this Regulation should be checked in the latest version of the UN/ECE status document TRANS/WP.29/343, available at:http://www.unece.org/trans/main/wp29/wp29wgs/wp29gen/wp29fdocstts.html

UN Regulation No 157 – Uniform provisions concerning the approval of vehicles with regards to Automated Lane Keeping Systems [2021/389]

Date of entry into force: 22 January 2021

This document is meant purely as documentation tool. The authentic and legally binding text is: ECE/TRANS/WP.29/2020/81.

CONTENTS

REGULATION

Introduction

1.

Scope and purpose

2.

Definitions

3.

Application for approval

4.

Approval

5.

System Safety and Fail-safe Response

6.

Human-Machine Interface/Operator Information

7.

Object and Event Detection and Response

8.

Data Storage System for Automated Driving

9.

Cybersecurity and Software Updates

10.

Modification of vehicle type and extension of type approval

11.

Conformity of production

12.

Penalties for non-conformity of production

13.

Production definitively discontinued

14.

Names and addresses of Technical Services responsible for conducting approval tests and of Type Approval Authorities

ANNEXES

1

Communication

2

Arrangements of approval marks

3

(Reserved)

4

Special requirements to be applied to the safety aspects of electronic control systems and Audit

5

Test Specifications for ALKS

INTRODUCTION

The intention of the Regulation is to establish uniform provisions concerning the approval of vehicles with regard to Automated Lane Keeping Systems (ALKS).

ALKS controls the lateral and longitudinal movement of the vehicle for extended periods without further driver command. ALKS is a system whereby the activated system is in primary control of the vehicle.

This Regulation is the first regulatory step for an automated driving system (as defined in ECE/TRANS/WP.29/1140) in traffic and it therefore provides innovative provisions aimed at addressing the complexity related to the evaluation of the system safety. It contains administrative provisions suitable for type approval, technical requirements, audit and reporting provisions and testing provisions.

ALKS can be activated under certain conditions on roads where pedestrians and cyclists are prohibited and which, by design, are equipped with a physical separation that divides the traffic moving in opposite directions and prevent traffic from cutting across the path of the vehicle. In a first step, the original text of this Regulation limits the operational speed to 60 km/h maximum and passenger cars (M1 vehicles).

This Regulation includes general requirements regarding the system safety and the failsafe response. When the ALKS is activated, it shall perform the driving task instead of the driver, i.e. manage all situations including failures, and shall not endanger the safety of the vehicle occupants or any other road users. There is however always the possibility for the driver to override the system, at any time.

The Regulation also lays down requirements on how the driving task shall be safely handed over from the ALKS to the driver including the capability for the system to come to a stop in case the driver does not reply appropriately.

Finally, the Regulation includes requirements on the Human-Machine Interface (HMI) to prevent misunderstanding or misuse by the driver. The Regulation for instance requires that on-board displays used by the driver for other activities than driving when the ALKS is activated, shall be automatically suspended as soon as the system issues a transition demand. These measures are without prejudice to driver behaviour rules on how to use these systems in the Contracting Parties as currently being discussed by the Global Forum for Road Traffic Safety (WP.1) at the time of drafting this document (See e.g. Informal Document 4 Revision 1 of the seventy-eighth session of WP.1).

1.   SCOPE AND PURPOSE

1.1.

This Regulation applies to the type approval of vehicles of Category M1 (1) with regards to their Automated Lane Keeping System.

2.   DEFINITIONS

For the purposes of this Regulation:

2.1.

‘Automated Lane Keeping System (ALKS)’ for low speed application is a system which is activated by the driver and which keeps the vehicle within its lane for travelling speed of 60 km/h or less by controlling the lateral and longitudinal movements of the vehicle for extended periods without the need for further driver input.

Within this Regulation, ALKS is also referred to as ‘ the system ’.

2.1.1.

‘Vehicle Type with regard to Automated Lane Keeping System (ALKS)’ means a category of vehicles which do not differ in such essential aspects as:

(a)

Vehicle features which significantly influence the performances of ALKS;

(b)

The system characteristics and design of ALKS.

2.2.

‘Transition demand’ is a logical and intuitive procedure to transfer the Dynamic Driving Task (DDT) from the system (automated control) to the human driver (manual control). This request is given from the system to the human driver.

2.3.

‘Transition phase’ means the duration of the transition demand.

2.4.

‘Planned event’ is a situation which is known in advance, e.g. at the time of activation such as a journey point (e.g. exit of a highway) etc. and which requires a transition demand.

2.5.

‘Unplanned event’ is a situation which is unknown in advance, but assumed as very likely in happening, e.g. road construction, inclement weather, approaching emergency vehicle, missing lane marking, load falling from truck (collision) and which requires a transition demand.

2.6.

‘Imminent collision risk’ describes a situation or an event which leads to a collision of the vehicle with another road user or an obstacle which cannot be avoided by a braking demand with lower than 5 m/s2.

2.7.

‘Minimum Risk Manoeuvre (MRM)’ means a procedure aimed at minimising risks in traffic, which is automatically performed by the system after a transition demand without driver response or in the case of a severe ALKS or vehicle failure.

2.8.

‘Emergency Manoeuvre (EM)’ is a manoeuvre performed by the system in case of an event in which the vehicle is at imminent collision risk and has the purpose of avoiding or mitigating a collision.

2.9.

Speed

2.9.1.

‘Specified maximum speed’ is the speed declared by the manufacturer up to which the system operates under optimum conditions.

2.9.2.

‘Maximum operational speed’ is the speed selected by the system up to which the system operates under current environmental and sensor conditions. It is the maximum vehicle speed at which the system may be active and shall be determined by the capability of the sensing system as well as the environmental conditions.

2.9.3.

‘Present speed’ or ‘speed’ is the current speed selected by the system due to traffic.

2.10.

‘Detection range’ of the sensing system is the distance at which the system can reliably recognise a target, taking account of the deterioration of components of the sensing system due to time and usage throughout the lifetime of the vehicle and generate a control signal.

2.11.

Failures

2.11.1.

An ‘ALKS failure’ is any single failure specific to the operation of the ALKS (e.g. single sensor failure, loss of necessary calculation data for the driving path of the vehicle).

2.11.2.

‘Failure mode’ is the operation status of the system in which the system operates with an ALKS failure.

2.11.3.

A ‘severe ALKS failure’ is a failure specific to the operation of the ALKS that affects the safe operation of the system when in failure mode with a very low probability of occurrence such as generally used for essential components as e.g. an electronic control unit. Single sensor failures are only considered as such when accompanied by another influence affecting the safe operation of the system.

2.11.4.

A ‘severe vehicle failure’ is any failure of the vehicle (e.g. electrical, mechanical) that affects the ability of the ALKS to perform the DDT and would also affect the manual operation of the vehicle (e.g. loss of power supply, failure of the braking system, sudden loss of tyre pressure).

2.12.

‘Self-check’ means an integrated function which checks for any system failure and for the detection range of the sensing system on a continuous basis.

2.13.

A ‘system override’ by the driver means a situation when the driver provides an input to a control which has priority over the longitudinal or lateral control of the system, while the system is still active.

2.14.

‘Dynamic Driving Task (DDT)’ is the control and execution of all longitudinal and lateral movements of the vehicle.

2.15.

‘Data Storage System for Automated Driving (DSSAD)’ enables the determination of interactions between the ALKS and the human driver.

2.16.

‘Lifetime of the system’ is the period of time during which the ALKS system is available, as a function, on the vehicle.

2.17.

‘Occurrences’ means, in the context of DSSAD provisions in paragraph 8, an action or instance of an arising event or incident, which requires storage within the data storage system.

2.18.

‘R157 Software Identification Number (R157 SWIN)’ means a dedicated identifier, defined by the vehicle manufacturer, representing information about the type approval relevant software of the Electronic Control System contributing to the UN Regulation No 157 type approval relevant characteristics of the vehicle.

2.19.

‘Electronic control system’ means a combination of units, designed to co-operate in the production of the stated automated lane keeping function by electronic data processing. Such systems, commonly controlled by software, are built from discrete functional components such as sensors, electronic control units and actuators and connected by transmission links. They may include mechanical, electro-pneumatic or electro-hydraulic elements.

2.20.

‘Software’ means the part of an Electronic Control System that consists of digital data and instructions.

3.   APPLICATION FOR APPROVAL

3.1.

The application for approval of a vehicle type with regard to the ALKS shall be submitted by the vehicle manufacturer or by the manufacturer’s authorized representative.

3.2.

It shall be accompanied by the documents mentioned below in triplicate:

3.2.1.

A description of the vehicle type with regard to the items mentioned in paragraph 2.1.1, together with a documentation package as required in Annex 4 which gives access to the basic design of the ALKS and the means by which it is linked to other vehicle systems or by which it directly controls output variables. The numbers and/or symbols identifying the vehicle type shall be specified.

3.3.

A vehicle representative of the vehicle type to be approved shall be submitted to the Technical Service conducting the approval tests.

4.   APPROVAL

4.1.

If the vehicle type submitted for approval pursuant to this Regulation meets the requirements of paragraph 5 to 9 below, approval of that vehicle shall be granted.

4.2.

An approval number shall be assigned to each type approved; its first two digits (at present 00 corresponding to the 00 series of amendments, its original version) shall indicate the series of amendments incorporating the most recent major technical amendments made to the Regulation at the time of issue of the approval. The same Contracting Party shall not assign the same number to another vehicle type.

4.3.

Notice of approval or of refusal or withdrawal of approval pursuant to this Regulation shall be communicated to the Parties to the Agreement which apply this Regulation by means of a form conforming to the model in Annex 1 and documentation supplied by the applicant being in a format not exceeding A4 (210 × 297 mm), or folded to that format, and on an appropriate scale or electronic format.

4.4.

There shall be affixed, conspicuously and in a readily accessible place specified on the approval form, to every vehicle conforming to a vehicle type approved under this Regulation, an international approval mark conforming to the model described in Annex 2, consisting of:

4.4.1.

A circle surrounding the letter ‘E’ followed by the distinguishing number of the country which has granted approval (2);

4.4.2.

The number of this Regulation, followed by the letter ‘R’, a dash and the approval number to the right of the circle prescribed in paragraph 4.4.1 above.

4.5.

If the vehicle conforms to a vehicle type approved under one or more other Regulations, annexed to the Agreement, in the country which has granted approval under this Regulation, the symbol prescribed in paragraph 4.4.1 above need not be repeated; in such a case, the Regulation and approval numbers and the additional symbols shall be placed in vertical columns to the right of the symbol prescribed in paragraph 4.4.1 above.

4.6.

The approval mark shall be clearly legible and be indelible.

4.7.

The approval mark shall be placed close to or on the vehicle data plate.

5.   SYSTEM SAFETY AND FAIL-SAFE RESPONSE

5.1.

General Requirements

The fulfilment of the provisions of this paragraph shall be demonstrated by the manufacturer to the technical service during the inspection of the safety approach as part of the assessment to Annex 4 (in particular for conditions not tested under Annex 5) and according to the relevant tests in Annex 5.

5.1.1.

The activated system shall perform the DDT shall manage all situations including failures, and shall be free of unreasonable risks for the vehicle occupants or any other road users.

The activated system shall not cause any collisions that are reasonably foreseeable and preventable. If a collision can be safely avoided without causing another one, it shall be avoided. When the vehicle is involved in a detectable collision, the vehicle shall be brought to a standstill.

5.1.2.

The activated system shall comply with traffic rules relating to the DDT in the country of operation.

5.1.3.

The activated system shall exercise control over systems required to support the driver in resuming manual control at any time (e.g. demist, windscreen wipers and lights).

5.1.4.

A transition demand shall not endanger the safety of the vehicle occupants or other road users.

5.1.5.

If the driver fails to resume control of the DDT during the transition phase, the system shall perform a minimum risk manoeuvre. During a minimum risk manoeuvre, the system shall minimise risks to safety of the vehicle occupants and other road users.

5.1.6.

The system shall perform self-checks to detect the occurrence of failures and to confirm system performance at all times (e.g. after vehicle start the system has at least once detected an object at the same or a higher distance than that declared as detection range according to paragraph 7.1).

5.1.7.

The effectiveness of the system shall not be adversely affected by magnetic or electrical fields. This shall be demonstrated by compliance with the 05 or later series of amendments to UN Regulation No 10.

5.1.8.

The manufacturer shall take measures to guard against reasonably foreseeable misuse by the driver and tampering of the system.

5.1.9.

When the system can no longer meet the requirements of this Regulation, it shall not be possible to activate the system.

The manufacturer shall declare and implement a process to manage the safety and continued compliance of the ALKS system over lifetime.

5.2.

Dynamic Driving Task

The fulfilment of the provisions of this paragraph shall be demonstrated by the manufacturer to the technical service during the inspection of the safety approach as part of the assessment to Annex 4 (in particular for conditions not tested under Annex 5) and according to the relevant tests in Annex 5.

5.2.1.

The activated system shall keep the vehicle inside its lane of travel and ensure that the vehicle does not cross any lane marking (outer edge of the front tyre to outer edge of the lane marking). The system shall aim to keep the vehicle in a stable lateral position inside the lane of travel to avoid confusing other road users.

5.2.2.

The activated system shall detect a vehicle driving beside as defined in paragraph 7.1.2 and, if necessary, adjust the speed and/or the lateral position of the vehicle within its lane as appropriate.

5.2.3.

The activated system shall control the speed of the vehicle.

5.2.3.1.

The maximum speed up to which the system is permitted to operate is 60 km/h.

5.2.3.2.

The activated system shall adapt the vehicle speed to infrastructural and environmental conditions (e.g. narrow curve radii, inclement weather).

5.2.3.3.

The activated system shall detect the distance to the next vehicle in front as defined in paragraph 7.1.1 and shall adapt the vehicle speed in order to avoid collision.

While the ALKS vehicle is not at standstill, the system shall adapt the speed to adjust the distance to a vehicle in front in the same lane to be equal or greater than the minimum following distance.

In case the minimum time gap cannot be respected temporarily because of other road users (e.g. vehicle is cutting in, decelerating lead vehicle, etc.), the vehicle shall readjust the minimum following distance at the next available opportunity without any harsh braking unless an emergency manoeuvre would become necessary.

The minimum following distance shall be calculated using the formula:

dmin= vALKS* tfront

Where:

dmin

=

the minimum following distance

vALKS

=

the present speed of the ALKS vehicle in m/s

tfront

=

minimum time gap in seconds between the ALKS vehicle and a leading vehicle in front as per the table below:

Present speed of the ALKS vehicle

Minimum time gap

Minimum following distance

(km/h)

(m/s)

(s)

(m)

7,2

2,0

1,0

2,0

10

2,78

1,1

3,1

20

5,56

1,2

6,7

30

8,33

1,3

10,8

40

11,11

1,4

15,6

50

13,89

1,5

20,8

60

16,67

1,6

26,7

For speed values not mentioned in the table, linear interpolation shall be applied.

Notwithstanding the result of the formula above for present speeds below 2 m/s the minimum following distance shall never be less than 2 m.

5.2.4.

The activated system shall be able to bring the vehicle to a complete stop behind a stationary vehicle, a stationary road user or a blocked lane of travel to avoid a collision. This shall be ensured up to the maximum operational speed of the system.

5.2.5.

The activated system shall detect the risk of collision in particular with another road user ahead or beside the vehicle, due to a decelerating lead vehicle, a cutting in vehicle or a suddenly appearing obstacle and shall automatically perform appropriate manoeuvres to minimize risks to safety of the vehicle occupants and other road users.

For conditions not specified in paragraphs 5.2.4, 5.2.5 or its subparagraphs, this shall be ensured at least to the level at which a competent and careful human driver could minimize the risks. This shall be demonstrated in the assessment carried out under Annex 4 and by taking guidance from Appendix 3 to Annex 4.

5.2.5.1.

The activated system shall avoid a collision with a leading vehicle which decelerates up to its full braking performance provided that there was no undercut of the minimum following distance the ALKS vehicle would adjust to a leading vehicle at the present speed due to a cut in manoeuvre of this lead vehicle.

5.2.5.2.

The activated system shall avoid a collision with a cutting in vehicle:

(a)

Provided the cutting in vehicle maintains its longitudinal speed which is lower than the longitudinal speed of the ALKS vehicle; and

(b)

Provided that the lateral movement of the cutting in vehicle has been visible for a time of at least 0,72 seconds before the reference point for TTCLaneIntrusion is reached;

(c)

When the distance between the vehicle’s front and the cutting in vehicle’s rear corresponds to a TTC calculated by the following equation:

Image 1

Where:

Vrel

=

relative velocity between both vehicles, positive for vehicle being faster than the cutting in vehicle

TTCLaneIntrusion

=

The TTC value, when the outside of the tyre of the intruding vehicle’s front wheel closest to the lane markings crosses a line 0,3 m beyond the outside edge of the visible lane marking to which the intruding vehicle is being drifted.

5.2.5.3.

The activated system shall avoid a collision with an unobstructed crossing pedestrian in front of the vehicle.

In a scenario with an unobstructed pedestrian crossing with a lateral speed component of not more than 5 km/h where the anticipated impact point is displaced by not more than 0,2 m compared to the vehicle longitudinal plane, the activated ALKS shall avoid a collision up to the maximum operational speed of the system.

5.2.5.4.

It is recognised that the fulfilment of the requirement in paragraph 5.2.5 may not be fully achieved in other conditions than those described above. However, the system shall not deactivate or unreasonably switch the control strategy in these other conditions. This shall be demonstrated in accordance with Annex 4 of this Regulation.

5.3.

Emergency Manoeuvre (EM)

The fulfilment of the provisions of this paragraph shall be demonstrated by the manufacturer to the technical service during the inspection of the safety approach as part of the assessment to Annex 4 and according to the relevant tests in Annex 5.

5.3.1.

An Emergency Manoeuvre shall be carried out in case of an imminent collision risk.

5.3.1.1.

Any longitudinal deceleration demand of more than 5,0 m/s2 of the system shall be considered to be an EM.

5.3.2.

This manoeuvre shall decelerate the vehicle up to its full braking performance if necessary and/or may perform an automatic evasive manoeuvre, when appropriate.

If failures are affecting the braking or steering performance of the system, the manoeuvre shall be carried out with consideration for the remaining performance.

During the evasive manoeuvre the ALKS vehicle shall not cross the lane marking (outer edge of the front tyre to outer edge of the lane marking).

After the evasive manoeuvre the vehicle shall aim at resuming a stable position.

5.3.3.

An emergency manoeuvre shall not be terminated, unless the imminent collision risk disappeared, or the driver deactivated the system.

5.3.3.1.

After an emergency manoeuvre is terminated the system shall continue to operate.

5.3.3.2.

If the emergency manoeuvre results in the vehicle being at standstill, the signal to activate the hazard warning lights shall be generated. If the vehicle automatically drives off again, the signal to deactivate the hazard warning lights shall be generated automatically.

5.3.4.

The vehicle shall implement a logic signal indicating emergency braking as specified in UN Regulation No 13-H.

5.4.

Transition demand and system operation during transition phase

The fulfilment of the provisions of this paragraph shall be demonstrated by the manufacturer to the technical service during the inspection of the safety approach as part of the assessment to Annex 4 (in particular for conditions not tested under Annex 5) and according to the relevant tests in Annex 5.

5.4.1.

The activated system shall recognise all situations in which it needs to transition the control back to the driver.

Types of situations in which the vehicle will generate a transition demand to the driver shall be declared by the vehicle manufacturer and included in the documentation package required in Annex 4.

5.4.2.

The initiation of the transition demand shall be such that sufficient time is provided for a safe transition to manual driving.

5.4.2.1.

In case of a planned event that would prevent the ALKS from continuing the operation, a transition demand shall be given early enough to ensure the minimal risk maneuver, in case the driver would not resume control, would bring the vehicle to standstill before the planned event occurs.

5.4.2.2.

In case of an unplanned event, a transition demand shall be given upon detection.

5.4.2.3

In case of any failure affecting the operation of the system, the system shall immediately initiate a transition demand upon detection.

5.4.3.

During the transition phase the system shall continue to operate. The system may reduce the speed of the vehicle to ensure its safe operation but shall not bring it to standstill unless required by the situation (e.g. due to vehicles or obstacles obstructing the path of the vehicle) or when caused by a haptic warning according to paragraph 6.4.1 started at speeds below 20 km/h.

5.4.3.1.

Once in standstill the vehicle may remain in this condition and shall generate the signal to activate the hazard warning lights within 5 s.

5.4.3.2.

During the transition phase, the transition demand shall be escalated latest after 4 s after the start of the transition demand.

5.4.4.

A transition demand shall only be terminated once the system is deactivated or a minimum risk manoeuvre has started.

5.4.4.1.

In case the driver is not responding to a transition demand by deactivating the system (either as described in paragraph 6.2.4 or 6.2.5), a minimum risk manoeuvre shall be started, earliest 10 s after the start of the transition demand.

5.4.4.1.1.

Notwithstanding paragraph 5.4.4.1 a minimum risk manoeuvre may be initiated immediately in case of a severe ALKS or severe vehicle failure.

In case of a severe ALKS or vehicle failure the ALKS may no longer be capable of fulfilling the requirements of this Regulation, but it shall aim at enabling a safe transition of control back to the driver.

5.4.4.1.2.

The manufacturer shall declare the types of severe vehicle failures and severe ALKS failures that will lead the ALKS to initiate a MRM immediately.

5.5.

Minimum Risk Manoeuvre (MRM)

The fulfilment of the provisions of this paragraph shall be demonstrated by the manufacturer to the technical service during the inspection of the safety approach as part of the assessment to Annex 4 (in particular for conditions not tested under Annex 5) and according to the relevant tests in Annex 5.

5.5.1.

During the minimum risk manoeuvre the vehicle shall be slowed down inside the lane or, in case the lane markings are not visible, remain on an appropriate trajectory taking into account surrounding traffic and road infrastructure, with an aim of achieving a deceleration demand not greater than 4,0 m/s2.

Higher deceleration demand values are permissible for very short durations, e.g. as haptic warning to stimulate the driver’s attention, or in case of a severe ALKS or severe vehicle failure.

Additionally, the signal to activate the hazard warning lights shall be generated with the start of the minimum risk manoeuvre.

5.5.2.

The minimum risk manoeuvre shall bring the vehicle to standstill unless the system is deactivated by the driver during the manoeuvre.

5.5.3.

A minimum risk manoeuvre shall only be terminated once the system is deactivated or the system has brought the vehicle to a standstill.

5.5.4.

The system shall be deactivated at the end of any minimum risk manoeuvre.

The hazard warning lights shall remain activated unless deactivated manually and the vehicle shall not move away after standstill without manual input.

5.5.5.

Reactivation of the system after the end of any minimum risk manoeuvre shall only be possible after each new engine start/run cycle.

6.   HUMAN-MACHINE INTERFACE/OPERATOR INFORMATION

6.1.

Driver Availability Recognition System

The fulfilment of the provisions of this paragraph shall be demonstrated by the manufacturer to the technical service during the inspection of the safety approach as part of the assessment to Annex 4 and according to the relevant tests in Annex 5.

6.1.1.

The system shall comprise a driver availability recognition system.

The driver availability recognition system shall detect if the driver is present in a driving position, if the safety belt of the driver is fastened and if the driver is available to take over the driving task.

6.1.2.

Driver presence

A transition demand shall be initiated according to paragraph 5.4 if any of the following conditions is met:

(a)

When the driver is detected not to be in the seat for a period of more than one second; or

(b)

When the driver’s safety belt is unbuckled.

The second level warning of the safety-belt reminder according to UN-R16 may be used instead of an acoustic warning of the Transition Demand.

6.1.3.

Driver availability

The system shall detect if the driver is available and in an appropriate driving position to respond to a transition demand by monitoring the driver.

The manufacturer shall demonstrate to the satisfaction of the technical service the vehicle’s capability to detect that the driver is available to take over the driving task.

6.1.3.1.

Criteria for deeming driver availability

The driver shall be deemed to be unavailable unless at least two availability criteria (e.g. input to driver-exclusive vehicle control, eye blinking, eye closure, conscious head or body movement) have individually determined that the driver is available in the last 30 seconds.

At any time, the system may deem the driver unavailable.

As soon as the driver is deemed to be unavailable, or fewer than two availability criteria can be monitored, the system shall immediately provide a distinctive warning until appropriate actions of the driver are detected or until a transition demand is initiated. At the latest, a transition demand shall be initiated according to paragraph 5.4 if this warning continues for 15s.

Justification for the number and combination of availability criteria, in particular with regard to the corresponding time interval, shall be provided by the manufacturer by documented evidence. However, the time interval required for any availability criteria shall not exceed 30 seconds. This shall be demonstrated by the manufacturer and assessed by the technical service according to Annex 4.

Image 2

6.1.4.

‘Other activities than driving’ through on-board displays available upon activation of the ALKS shall be automatically suspended (i) as soon as the system issues a Transition Demand; or (ii) as soon as the system is deactivated, whichever comes first.

6.2.

Activation, Deactivation and Driver Input

The fulfilment of the provisions of this paragraph shall be demonstrated by the manufacturer to the technical service during the inspection of the safety approach as part of the assessment to Annex 4 and according to the relevant tests in Annex 5.

6.2.1.

The vehicle shall be equipped with dedicated means for the driver to activate (active mode) and deactivate (off mode) the system. When the ALKS is activated, the means to deactivate ALKS shall be permanently visible to the driver.

6.2.2.

The default status of the system shall be the off mode at the initiation of each new engine start/run cycle.

This requirement does not apply when a new engine start/run cycle is performed automatically, e.g. by the operation of a stop/start system.

6.2.3.

The system shall become active only upon a deliberate action by the driver and if all the following conditions are met:

(a)

The driver is in the driver seat and the driver’s safety belt is fastened according to paragraphs 6.1.1 and 6.1.2;

(b)

The driver is available to take over control of the DDT according to paragraph 6.1.3;

(c)

No failure affecting the safe operation or the functionality of the ALKS is present;

(d)

DSSAD is operational;

(e)

The environmental and infrastructural conditions allow the operation;

(f)

Positive confirmation of system self-check; and

(g)

The vehicle is on roads where pedestrians and cyclists are prohibited and which, by design, are equipped with a physical separation that divides the traffic moving in opposite directions.

If any of the above conditions is no longer fulfilled, the system shall immediately initiate a transition demand unless specified differently in this Regulation.

6.2.4

It shall be possible to manually deactivate (off-mode) the system by an intentional action of the driver using the same means as to activate the system, as mentioned in paragraph 6.2.1.

The means of deactivating shall provide protection against unintentional manual deactivation for example by requiring a single input exceeding a certain threshold of time or a double press, or two separate but simultaneous inputs.

Additionally, it shall be ensured the driver is in lateral control of the vehicle at the time of the deactivation, by e.g. placing the deactivation means on the steering control or confirming the driver is holding the steering control.

6.2.5.

In addition to paragraph 6.2.4, the system shall not be deactivated by any driver input other than those described below in paragraphs 6.2.5.1 to 6.2.5.4.

6.2.5.1.

Deactivation by input to driving controls

The system shall be deactivated when at least one of the following conditions is met:

(a)

The driver overrides the system by steering while holding the steering control and this override is not suppressed, as specified in paragraph 6.3; or

(b)

The driver is holding the steering control and overrides the system by braking or accelerating, as specified in paragraph 6.3.1 below.

6.2.5.2.

Deactivation during an ongoing transition demand or an ongoing minimum risk manoeuvre

In case a transition demand or a minimum risk manoeuvre is on-going, the system shall only be deactivated:

(a)

As defined in paragraph 6.2.5.1; or

(b)

Upon detection that the driver has taken hold of the steering control as a response to the transition demand or the minimum risk manoeuvre and provided the system confirms the driver is attentive as defined in paragraph 6.3.1.1.

6.2.5.3.

Deactivation during an ongoing emergency manoeuvre

In case of an ongoing emergency manoeuvre, the deactivation of the system may be delayed until the imminent collision risk disappeared.

6.2.5.4.

Deactivation in case of a severe vehicle failure or a severe ALKS failure

In case of a severe vehicle failure or a severe ALKS failure the ALKS may employ different strategies with regard to deactivation.

These different strategies shall be declared by the manufacturer and their effectiveness shall be assessed by the Technical Service with regard to ensuring a safe transition of control from the system to the human driver according to Annex 4.

6.2.6.

On deactivation of the system, there shall not be an automatic transition to any function, which provides continuous longitudinal and/or lateral movement of the vehicle (e.g. ACSF of Category B1 function).

After deactivation, Corrective Steering Function (CSF) may be active with the aim at accustoming the driver to execute the lateral control task by gradually reducing lateral support.

Notwithstanding both paragraphs above, any other safety system delivering longitudinal or lateral support in imminent collision situations (e.g. Advanced Emergency Braking System (AEBS), Electronic Stability Control (ESC), Brake Assist System (BAS) or Emergency Steering Function (ESF)) shall not be deactivated in case of deactivation of ALKS.

6.2.7.

Any deactivation shall be indicated to the driver as defined in paragraph 6.4.2.3.

6.3.

System override

6.3.1.

A driver input to the steering control shall override the lateral control function of the system when the input exceeds a reasonable threshold designed to prevent unintentional override.

This threshold shall include a specified force and duration and shall vary depending on parameters that include criteria used for driver attentiveness to be checked during the drivers input as defined in paragraph 6.3.1.1.

These thresholds and the rational for any variation shall be demonstrated to the Technical Service during the assessment according to Annex 4.

6.3.1.1.

Driver attentiveness

The system shall detect if the driver is attentive. The driver is deemed to be attentive when at least one of the following criteria is met:

(a)

Driver gaze direction is confirmed as primarily looking at the road ahead;

(b)

Driver gaze direction is being confirmed as looking at the rear-view mirrors; or,

(c)

Driver head movement is confirmed as primarily directed towards the driving task.

The specification for confirming these or equally safe criteria must be declared by the manufacturer and supported by documented evidence. This shall be assessed by the technical service according to Annex 4.

6.3.2.

A driver input to the braking control resulting in a higher deceleration than that induced by the system or maintaining the vehicle in standstill by any braking system, shall override the longitudinal control function of the system.

6.3.3.

A driver input to the accelerator control may override the longitudinal control function of the system. However, such an input shall not cause the system to no longer meet the requirements of this Regulation.

6.3.4.

Any driver input to the accelerator or brake control shall immediately initiate a transition demand as specified in paragraph 5.4, when the input exceeds a reasonable threshold designed to prevent unintentional input.

6.3.5.

Notwithstanding the provisions laid down in paragraphs 6.3.1 to 6.3.3, the effect of the driver input on any control may be reduced or suppressed by the system in case the system has detected an imminent collision risk due to this driver input.

6.3.6.

In case of a severe vehicle failure or a severe ALKS failure the ALKS may employ different strategies with regard to system override. These different strategies shall be declared by the manufacturer and their effectiveness shall be assessed by the Technical Service with regard to ensuring a safe transition of control from the system to the human driver.

6.3.7.

The fulfilment of the provisions in paragraph 6.3 and its subparagraphs shall be demonstrated by the manufacturer to the technical service during the inspection of the safety approach as part of the assessment to Annex 4.

6.4.

Information to the driver

6.4.1.

The following information shall be indicated to the driver:

(a)

The system status as defined in paragraph 6.4.2;

(b)

Any failure affecting the operation of the system with at least an optical signal unless the system is deactivated (off mode);

(c)

Transition demand by at least an optical and in addition an acoustic and/or haptic warning signal.

At the latest 4 s after the initiation of the transition demand, the transition demand shall:

(i)

Contain a constant or intermittent haptic warning unless the vehicle is at standstill; and

(ii)

Be escalated and remain escalated until the transition demand ends;

(d)

Minimum risk manoeuvre by at least an optical signal and in addition an acoustic and/or a haptic warning signal; and

(e)

Emergency manoeuvre by an optical signal.

The optical signals above shall be adequate in size and contrast. The acoustic signals above shall be loud and clear.

6.4.2.

System status

6.4.2.1.

System unavailability indication

In case activation of the system following the deliberate action of the driver is denied by the system due to system unavailability, this shall be at least visually displayed to the driver.

6.4.2.2.

System status display when activated

Upon activation the system status (active mode) shall be displayed by a dedicated optical signal to the driver.

The optical signal shall contain an unambiguous indication including:

(a)

A steering control or a vehicle, with an additional ‘A’ or ‘AUTO,’ or the standardized symbols in accordance with UN Regulation No 121; and additionally

(b)

An easily perceptible indication in the peripheral field of vision and located near the direct line of driver’s sight to the outside in front of the vehicle, e.g. prominent indication in the instrument cluster or on the steering control covering part of the outer rim perimeter facing towards the driver.

The optical signal shall indicate the active system state until the system is deactivated (off mode).

The optical signal shall be constant while the system is in regular operation and with the initiation of a transition demand at least the indication according to (b) shall change its characteristics, e.g. to an intermittent signal or a different colour.

When an intermittent signal is used, a low frequency shall be used in order to not unreasonably alert the driver.

During the transition phase and minimum risk manoeuvre, the indication according to (a) may be replaced by the instruction to take over manual control according to paragraph 6.4.3.

6.4.2.3.

System status display when deactivated

Upon deactivation when the system status changes from active mode to off mode this shall be indicated to the driver by at least an optical warning signal. This optical signal shall be realized by non-displaying the optical signal used to indicate the active mode or non-displaying the instruction to take over manual control.

Additionally, an acoustic warning signal shall be provided unless the system is deactivated following a transition demand which contained an acoustic signal.

6.4.3.

Transition Phase and Minimum Risk Manoeuvre

During the transition phase and the Minimum Risk Manoeuvre, the system shall instruct the driver in an intuitive and unambiguous way to take over manual control of the vehicle. The instruction shall include a pictorial information showing hands and the steering control and may be accompanied by additional explanatory text or warning symbols, as shown in the example below.

Image 3

6.4.3.2.

With the start of the minimum risk manoeuvre, the given signal shall change its characteristics to emphasize the urgency of an action by the driver. e.g. by red flashing of the steering control and moving hands of the pictorial information.

6.4.4.

Where examples are given above, an adequate and equally perceptible interface design for the optical signals may be used instead. This shall be demonstrated by the manufacturer and shall be supported by documented evidence. This shall be assessed by the Technical Service according to Annex 4.

6.4.5.

Prioritization of ALKS warnings

The warnings of an ALKS during a transition phase, a Minimal Risk Manoeuvre or an Emergency Manoeuvre may be prioritized over other warnings in the vehicle.

The prioritization of different acoustic and optical warnings during the ALKS operation shall be declared by the manufacturer to the Technical Service during Type Approval.

7.   OBJECT AND EVENT DETECTION AND RESPONSE (OEDR)

7.1.

Sensing requirements

The fulfilment of the provisions of this paragraph shall be demonstrated by the manufacturer to the technical service during the inspection of the safety approach as part of the assessment to Annex 4 and according to the relevant tests in Annex 5.

The ALKS vehicle shall be equipped with a sensing system such that, it can at least determine the driving environment (e.g. road geometry ahead, lane markings) and the traffic dynamics:

(a)

Across the full width of its own traffic lane, the full width of the traffic lanes immediately to its left and to its right, up to the limit of the forward detection range;

(b)

Along the full length of the vehicle and up to the limit of the lateral detection range.

The requirements of this paragraph are without prejudice to other requirements in this Regulation, most notably paragraph 5.1.1.

7.1.1.

Forward detection range

The manufacturer shall declare the forward detection range measured from the forward most point of the vehicle. This declared value shall be at least 46 metres.

The Technical Service shall verify that the distance at which the vehicle sensing system detects a road user during the relevant test in Annex 5 is equal or greater than the declared value.

7.1.2.

Lateral detection range

The manufacturer shall declare the lateral detection range. The declared range shall be sufficient to cover the full width of the lane immediately to the left and of the lane immediately to the right of the vehicle.

The Technical Service shall verify that the vehicle sensing system detects vehicles during the relevant test in Annex 5. This range shall be equal or greater than the declared range.

7.1.3.

The ALKS shall implement strategies to detect and compensate for environmental conditions that reduce the detection range, e.g. prevent enabling the system, disabling the system and transferring the control back to the driver, reducing the speed when visibility is too low. These strategies shall be described by the manufacturer and assessed according to Annex 4.

7.1.4.

The vehicle manufacturer shall provide evidence that the effects of wear and ageing do not reduce the performance of the sensing system below the minimum required value specified in paragraph 7.1 over the lifetime of the system/vehicle.

7.1.5.

The fulfilment of the provisions of paragraph 7.1 and its subparagraphs shall be demonstrated to the technical service and tested according to the relevant tests in Annex 5.

7.1.6.

A single perception malfunction without failure should not induce hazardous event. The design strategies put in place shall be described by the vehicle manufacturer and their safety shall be demonstrated to the satisfaction of the technical service in accordance with Annex 4.

8.   DATA STORAGE SYSTEM FOR AUTOMATED DRIVING

8.1.

Each vehicle equipped with ALKS (the system) shall be fitted with a DSSAD that meets the requirements specified below. The fulfilment of the provisions of paragraph 8 shall be demonstrated by the manufacturer to the technical service during the inspection of the safety approach as part of the assessment to Annex 4.

This Regulation is without prejudice to national and regional laws governing access to data, privacy and data protection.

8.2.

Recorded occurrences

8.2.1.

Each vehicle equipped with a DSSAD shall at least record an entry for each of the following occurrences upon activation of the system:

(a)

Activation of the system.

(b)

Deactivation of the system, due to:

(i)

Use of dedicated means for the driver to deactivate the system;

(ii)

Override on steering control;

(iii)

Override by accelerator control while holding steering control;

(iv)

Override by braking control while holding steering control.

(c)

Transition Demand by the system, due to:

(i)

Planned event;

(ii)

Unplanned event;

(iii)

Driver unavailability (as per para. 6.1.3);

(iv)

Driver not present or unbuckled (as per para. 6.1.2);

(v)

System failure;

(vi)

System override by braking input;

(vii)

System override by accelerator input.

(d)

Reduction or suppression of driver input;

(e)

Start of Emergency Manoeuvre;

(f)

End of Emergency Manoeuvre;

(g)

Event Data Recorder (EDR) trigger input;

(h)

Involved in a detected collision;

(i)

Minimum Risk Manoeuvre engagement by the system;

(j)

Severe ALKS failure;

(k)

Severe vehicle failure.

8.3.

Data elements

8.3.1.

For each event listed in paragraph 8.2, the DSSAD shall at least record the following data elements in a clearly identifiable way:

(a)

The occurrence flag, as listed in paragraph 8.2;

(b)

Reason for the occurrence, as appropriate, and listed in paragraph 8.2;

(c)

Date (Resolution: yyyy/mm/dd);

(d)

Timestamp:

(i)

Resolution: hh/mm/ss timezone e.g. 12:59:59 UTC;

(ii)

Accuracy: +/- 1,0 s.

8.3.2.

For each event listed in paragraph 8.2, the R157SWIN for ALKS, or the software versions relevant to ALKS, indicating the software that was present at the time when the event occurred, shall be clearly identifiable.

8.3.3.

A single timestamp may be allowed for multiple elements recorded simultaneously within the timing resolution of the specific data elements. If more than one element is recorded with the same timestamp, the information from the individual elements shall indicate the chronological order.

8.4.

Data availability

8.4.1.

DSSAD data shall be available subject to requirements of national and regional law (3).

8.4.2.

Once the storage limits of the DSSAD are achieved, existing data shall only be overwritten following a first in first out procedure with the principle of respecting the relevant requirements for data availability.

Documented evidence regarding the storage capacity shall be provided by the vehicle manufacturer.

8.4.3.

The data shall be retrievable even after an impact of a severity level set by UN Regulations Nos 94, 95 or 137. If the main on-board vehicle power supply is not available, it shall still be possible to retrieve all data recorded on the DSSAD, as required by national and regional law.

8.4.4.

Data stored in the DSSAD shall be easily readable in a standardized way via the use of an electronic communication interface, at least through the standard interface (OBD port).

8.4.5.

Instructions from the manufacturer shall be provided on how to access the data.

8.5.

Protection against manipulation.

8.5.1.

It shall be ensured that there is adequate protection against manipulation (e.g. data erasure) of stored data such as anti-tampering design.

8.6.

Availability of DSSAD operation

8.6.1.

DSSAD shall be able to communicate with the system to inform that the DSSAD is operational.

9.   CYBERSECURITY AND SOFTWARE UPDATES

9.1.

The effectiveness of the system shall not be adversely affected by cyber-attacks, cyber threats and vulnerabilities. The effectiveness of the security measures shall be demonstrated by compliance with UN Regulation No 155.

9.2.

If the system permits software updates, the effectiveness of the software update procedures and processes shall be demonstrated by compliance with UN Regulation No 156.

9.3.

Requirements for software identification

9.3.1.

For the purpose of ensuring the software of the System can be identified, an R157SWIN may be implemented by the vehicle manufacturer. If R157SWIN is not implemented, an alternative software identification system (i.e. software version) shall be implemented.

9.3.2.

If the manufacturer implements an R157WIN the following shall apply:

9.3.2.1.

The vehicle manufacturer shall have a valid approval according to UN Regulation No 156 (Software Update Regulation).

9.3.2.2.

The vehicle manufacturer shall provide the following information in the communication form of this Regulation:

(a)

The R157SWIN;

(b)

How to read the R157SWIN or software version(s) in case the R157SWIN is not held on the vehicle.

9.3.2.3.

The vehicle manufacturer may provide in the communication form of this Regulation a list of the relevant parameters that will allow the identification of those vehicles that can be updated with the software represented by the R157SWIN. The information provided shall be declared by the vehicle manufacturer and may not be verified by an Approval Authority.

9.3.3.

The vehicle manufacturer may obtain a new vehicle approval for the purpose of differentiating software versions intended to be used on vehicles already registered in the market from the software versions that are used on new vehicles. This may cover the situations where type approval regulations are updated or hardware changes are made to vehicles in series production. In agreement with the testing agency, duplication of tests shall be avoided where possible.

10.   MODIFICATION OF VEHICLE TYPE AND EXTENSION OF TYPE APPROVAL

10.1.

Every modification to an existing vehicle type shall be notified to the Type Approval Authority which approved the vehicle type.

The Authority shall then either:

(a)

Decide, in consultation with the manufacturer, that a new type-approval is to be granted; or

(b)

Apply the procedure contained in paragraph 10.1.1 (Revision) and, if applicable, the procedure contained in paragraph 10.1.2 (Extension).

10.1.1.

Revision

When particulars recorded in the information documents have changed and the Type Approval Authority considers that the modifications made are unlikely to have appreciable adverse effects and that in any case the foot controls still meet the requirements, the modification shall be designated a ‘revision’.

In such a case, the Type Approval Authority shall issue the revised pages of the information documents as necessary, marking each revised page to show clearly the nature of the modification and the date of re-issue.

A consolidated, updated version of the information documents, accompanied by a detailed description of the modification, shall be deemed to meet this requirement.

10.1.2.

Extension

The modification shall be designated an ‘extension’ if, in addition to the change of the particulars recorded in the information documents,

(a)

Further inspections or tests are required; or

(b)

Any information on the communication document (with the exception of its attachments) has changed; or

(c)

Approval to a later series of amendments is requested after its entry into force.

10.2.

Confirmation or refusal of approval, specifying the alteration, shall be communicated by the procedure specified in paragraph 4.3 above to the Contracting Parties to the Agreement applying this Regulation. In addition, the index to the information documents and to the test reports, attached to the communication document of Annex 1, shall be amended accordingly to show the date of the most recent revision or extension.

10.3.

The competent authority issuing the extension of approval shall assign a serial number to each communication form drawn up for such an extension.

11.   CONFORMITY OF PRODUCTION

11.1.

Procedures concerning conformity of production shall comply with those set out in the 1958 Agreement, Schedule 1 (E/ECE/TRANS/505/Rev.3) and meet the following requirements:

11.2.

A vehicle approved pursuant to this Regulation shall be so manufactured as to conform to the type approved by meeting the requirements of this regulation;

11.3.

The Type Approval Authority which has granted approval may at any time verify the conformity of control methods applicable to each production unit. The normal frequency of such inspections shall be once every two years.

12.   PENALTIES FOR NON-CONFORMITY OF PRODUCTION

12.1.

The approval granted in respect of a vehicle type pursuant to this Regulation may be withdrawn if the requirements laid down in paragraph 8, above are not complied with.

12.2.

If a Contracting Party withdraws an approval it had previously granted, it shall forthwith so notify the other Contracting Parties applying this Regulation by sending them a communication form conforming to the model in Annex 1 to this Regulation.

13.   PRODUCTION DEFINITIVELY DISCONTINUED

13.1.

If the holder of the approval completely ceases to manufacture a type of vehicle approved in accordance with this Regulation, he shall so inform the Type Approval Authority which granted the approval, which in turn shall forthwith inform the other Contracting Parties to the Agreement applying this Regulation by means of a communication form conforming to the model in Annex 1 to this Regulation.

13.2.

The production is not considered definitely discontinued if the vehicle manufacturer intends to obtain further approvals for software updates for vehicles already registered in the market.

14.   NAMES AND ADDRESSES OF TECHNICAL SERIES RESPONSIBLE FOR CONDUCTING APPROVAL TESTS AND OF TYPE APPROVAL AUTHORITIES

The Contracting Parties to the Agreement applying this Regulation shall communicate to the United Nations Secretariat (4) the names and addresses of the Technical Services responsible for conducting approval tests and of the Type Approval Authorities which grant approval and to which forms certifying approval or extension or refusal or withdrawal of approval are to be sent.


(1)  As defined in the Consolidated Resolution on the Construction of Vehicles (R.E.3.), document ECE/TRANS/WP.29/78/Rev.6, para. 2 –www.unece.org/trans/main/wp29/wp29wgs/wp29gen/wp29resolutions.html

(2)  The distinguishing numbers of the Contracting Parties to the 1958 Agreement are reproduced in Annex 3 to the Consolidated Resolution on the Construction of Vehicles (R.E.3), document ECE/TRANS/WP.29/78/Rev. 6 – www.unece.org/trans/main/wp29/wp29wgs/wp29gen/wp29resolutions.html

(3)  Note: based on a recent quantitative study of a Contracting Party, GRVA is considering that the text specifies several timestamps specifications of 2 500 timestamps to correspond with a period of 6 months of use.

(4)  Through the online platform (‘/343 Application’) provided by UNECE and dedicated to the exchange of such information:https://www.unece.org/trans/main/wp29/datasharing.html


ANNEX 1

Communication

(Maximum format: A4 (210 × 297 mm)

Image 4

 (1)

issued by:

Name of administration:


Concerning (2):

Approval granted

Approval extended

Approval refused

Approval withdrawn

Production definitively discontinued

of a vehicle type with regard to Automated Lane Keeping System pursuant to UN Regulation No 157

Approval No …

Reason for extension or revision: …

1.   

Trade name or mark of vehicle …

2.   

Vehicle type …

3.   

Manufacturer's name and address …

4.   

If applicable, name and address of manufacturer’s representative …

5.   

General construction characteristics of the vehicle:

5.1.   

Photographs and/or drawings of a representative vehicle: …

6.   

Description and/or drawing of the ALKS including:

6.1.   

Specified maximum speed of the ALKS declared by the manufacturer: …

6.2   

Sensing system (incl. components): …

6.3.   

Installation of the ALKS sensing system: …

6.4.   

Software Identification of the ALKS (if applicable): …

7.   

Written description and/or drawing of the ALKS Human-Machine Interface including:

7.1.   

Methods to detect driver availability …

7.2.   

Means to activate, deactivate and override the system …

7.3.   

Methods to determine driver attentiveness …

7.4.   

Any system limitations due to environmental or road conditions…

8.   

Written description and/or drawing of the information given to the driver including:

8.1.   

System status: …

8.2.   

Transition demand: …

8.3.   

Minimum Risk Manoeuvre: …

8.4.   

Emergency Manoeuvre: …

9.   

Data Storage System for Automated Driving (DSSAD):

9.1.   

DSSAD performance verified after the tests performed according to Annex 5: …yes/no

9.2.   

DSSAD documentation concerning data retrievability, data integrity self-check and protection against manipulation of stored data verified: yes/no

10.   

Cyber Security and Software updates

10.1.   

Cyber Security Type Approval Number (if applicable): …

10.2.   

Software Update Type approval number (if applicable): …

11.   

Special requirements to be applied to the safety aspects of electronic control systems (Annex 4)

11.1.   

Manufacturers document reference for Annex 4 (including version number): …

11.2.   

Information document form (Appendix 2 of Annex 4) …

12.   

Technical Service responsible for conducting approval tests…

12.1.   

Date of report issued by that service…

12.2.   

(Reference) Number of the report issued by that service…

13.   

Approval granted/extended/revised/refused/withdrawn2

14.   

Position of approval mark on vehicle…

15.   

Place…

16.   

Date…

17.   

Signature…

18.   

Annexed to this communication is a list of documents in the approval file deposited at the administration services having delivered the approval and which can be obtained upon request.

Additional information

19.   

R157SWIN: …

19.1.   

Information on how to read the R157SWIN or software version(s) in case the R157SWIN is not held on the vehicle: …

19.2.   

If applicable, list the relevant parameters that will allow the identification of those vehicles that can be updated with the software represented by the R157SWIN under item 19.1: …


(1)  Distinguishing number of the country which has granted/extended/refused/withdrawn approval (see approval provisions in UN Regulation No 157).

(2)  Strike out what does not apply.


Appendix

Addendum to Type approval Communication No … concerning the type approval of a vehicle type with regard to ALKS pursuant to Regulation No 157

Additional information

Contracting Party regions where the vehicle manufacturer has declared that the ALKS had been assessed to comply with local traffic rules:

Country

Assessed

Comments on any restrictions

E 1 Germany

Yes/No

 

E 2 France

 

 

E 3 Italy

 

 

E 4 Netherlands

 

 

E 5 Sweden

 

 

E 6 Belgium

 

 

E 7 Hungary

 

 

E 8 Czech Republic

 

 

E 9 Spain

 

 

E 10 Serbia

 

 

E 11 United Kingdom

 

 

E 12 Austria

 

 

E 13 Luxembourg

 

 

E 14 Switzerland

 

 

E 16 Norway

 

 

E 17 Finland

 

 

E 18 Denmark

 

 

E 19 Romania

 

 

E 20 Poland

 

 

E 21 Portugal

 

 

E 22 Russian Federation

 

 

E 23 Greece

 

 

E 24 Ireland

 

 

E 25 Croatia

 

 

E 26 Slovenia

 

 

E 27 Slovakia

 

 

E 28 Belarus

 

 

E 29 Estonia

 

 

E 30 Republic of Moldova

 

 

E 31 Bosnia and Herzegovina

 

 

E 32 Latvia

 

 

E 34 Bulgaria

 

 

E 35 Kazakhstan

 

 

E 36 Lithuania

 

 

E 37 Turkey

 

 

E 39 Azerbaijan

 

 

E 40 North Macedonia

 

 

E 43 Japan

 

 

E 45 Australia

 

 

E 46 Ukraine

 

 

E 47 South Africa

 

 

E 48 New Zealand

 

 

E 49 Cyprus

 

 

E 50 Malta

 

 

E 51 Republic of Korea

 

 

E 52 Malaysia

 

 

E 53 Thailand

 

 

E 54 Albania

E 55 Armenia

 

 

E 56 Montenegro

 

 

E 57 San Marino

 

 

E 58 Tunisia

 

 

E 60 Georgia

 

 

E 62 Egypt

 

 

E 63 Nigeria

 

 

[E 64 Pakistan]

 

 

 (*)

 

 


(*)  The list of Contracting Parties applying UN Regulation No 157 is available online:https://treaties.un.org/Pages/ViewDetails.aspx?src=TREATY&mtdsg_no=XI-B-16-15[X]&chapter=11&clang=_en


ANNEX 2

Arrangements of approval marks

MODEL A

(See paragraph 4.4 of this Regulation)

Image 5

a = 8 mm min

The above approval mark affixed to a vehicle shows that the vehicle type concerned has, with regard to ALKS, been approved in the Netherlands (E 4) pursuant to UN Regulation No 157 under approval No 002439. The approval number indicates that the approval was granted in accordance with the requirements of UN Regulation No 157 in its original version.

MODEL B

(See paragraph 4.5 of this Regulation)

Image 6

a = 8 mm min

The above approval mark affixed to a vehicle shows that the vehicle type concerned has been approved in the Netherlands (E 4) pursuant to Regulations Nos 157 and 31. (1) The approval numbers indicate that, at the dates when the respective approvals were given, UN Regulation No 157 was in its original version and UN Regulation No 31 included the 02 series of amendments.


(1)  The second number is given merely as an example.


ANNEX 3

(Reserved)


ANNEX 4

Special requirements to be applied to the functional and operational safety aspects of Automated Lane Keeping Systems (ALKS)

1.   GENERAL

This annex is intended to ensure that an acceptable thorough consideration of functional and operational safety for the automated system that provides the function(s) regulated by the ALKS Regulation has been performed by the manufacturer during the design and development processes and will continue to be done throughout the vehicle type lifecycle (design, development, production, field operation, decommissioning).

It covers the documentation which must be disclosed by the manufacturer to the type-approval authority or the technical Service acting on its behalf (hereafter referred as type-approval authority), for type approval purposes.

This documentation shall demonstrate that automated lane keeping system meets the performance requirements specified in this UN Regulation, that it is designed and developed to operate in such a way that it is free of unreasonable safety risks to the driver, passengers and other road users.

The type approval authority granting the approval shall verify through targeted spot checks and tests that the argumentation provided by the documentation is strong enough and that the design and processes described in documentation are actually implemented by the manufacturer.

While based on the provided documentation, evidence and process audits/product assessments carried out to the satisfaction of the type approval authority concerning this Regulation, the residual level of risk of the assessed automated lane keeping system is deemed to be acceptable for the entry into service of the vehicle type, the overall vehicle safety during the automated lane keeping system lifetime in accordance with the requirements of this regulation remains the responsibility of the manufacturer requesting the type-approval.

2.   DEFINITIONS

For the purposes of this annex,

2.1.

‘The system’ means a ‘Higher-Level Electronic Control’ system and its electronic control system(s) that provide the automated driving function. This also includes any transmission links to or from other systems that are outside the scope of this Regulation that acts on the automated lane keeping function.

2.2.

‘Safety Concept’ is a description of the measures designed into the system, for example within the electronic units, so that the vehicle operates in such a way that it is free of unreasonable safety risks to the driver, passengers and other road users under faults and non-fault conditions. The possibility of a fallback to partial operation or even to a back-up system for vital vehicle functions shall be a part of the safety concept.

2.3.

‘Electronic control system’ means a combination of units, designed to co-operate in the production of the stated automated lane keeping function by electronic data processing. Such systems, commonly controlled by software, are built from discrete functional components such as sensors, electronic control units and actuators and connected by transmission links. They may include mechanical, electro-pneumatic or electro-hydraulic elements.

2.4.

‘Higher-Level Electronic Control’ systems are those which employ processing and/or sensing provisions to realize the dynamic driving task.

2.5.

‘Units’ are the smallest divisions of system components which will be considered in this annex, since these combinations of components will be treated as single entities for purposes of identification, analysis or replacement.

2.6.

‘Transmission links’ are the means used for inter-connecting distributed units for the purpose of conveying signals, operating data or an energy supply. This equipment is generally electrical but may, in some part, be mechanical, pneumatic or hydraulic.

2.7.

‘Range of control’ refers to an output variable and defines the range over which the system is likely to exercise control.

2.8.

‘Boundary of functional operation’ defines the boundaries of the external physical limits within which the system is able to perform the dynamic driving tasks (i.e. including the transition demands and minimum risk manoeuvres).

2.9.

‘Operational Design Domain (ODD)’ of the automated lane keeping system defines the specific operating conditions (e.g. environmental, geographic, time-of-day, traffic, infrastructure, speed range, weather and other conditions) within the boundaries fixed by this regulation under which the automated lane keeping system is designed to operate without any intervention by the driver.

2.10.

‘Automated Driving Function’ means a function of ‘The System’ that is capable of performing the dynamic driving task of the vehicle.

2.11.

‘Control strategy’ means a strategy to ensure robust and safe operation of the function(s) of ‘The System’ in response to a specific set of ambient and/or operating conditions (such as road surface condition, traffic intensity and other road users, adverse weather conditions, etc.). This may include the automatic deactivation of a function or temporary performance restrictions (e.g. a reduction in the maximum operating speed, etc.).

2.12.

‘Functional safety’: absence of unreasonable risks under the occurrence of hazards caused by a malfunctioning behaviour of electric/electronic systems (safety hazards resulting from system faults).

2.13.

‘Fault’: abnormal condition that can cause an element (system, component, software) or an item (system or combination of systems that implement a function of a vehicles) to fail.

2.14.

‘Failure’ means the termination of an intended behaviour of an element or an item.

2.15.

‘Operational safety’ means the absence of unreasonable risk under the occurrence of hazards resulting from functional insufficiencies of the intended functionality (e.g. false/missed detection), operational disturbances (e.g. environmental conditions like fog, rain, shadows, sunlight, infrastructure) or by reasonably foreseeable misuse/errors by the driver, passengers and other road users (safety hazards – without system faults).

2.16.

‘Unreasonable risk’ means the overall level of risk for the driver, vehicle occupants and other road users which is increased compared to a competently and carefully driven manual vehicle.

3.   DOCUMENTATION

3.1.

Requirements

The manufacturer shall provide a documentation package which gives access to the basic design of ‘The System’ and the means by which it is linked to other vehicle systems or by which it directly controls output variables.

The function(s) of ‘The System’, including the control strategies, and the safety concept, as laid down by the manufacturer, shall be explained.

Documentation shall be brief, yet provide evidence that the design and development has had the benefit of expertise from all the system fields which are involved.

For periodic technical inspections, the documentation shall describe how the current operational status of ‘The System’ can be checked.

Information about how the software version(s) and the failure warning signal status can be readable in a standardized way via the use of an electronic communication interface, at least be the standard interface (OBD port).

The Type-approval authority shall assess the documentation package to show that ‘The System’:

(a)

Is designed and was developed to operate in such a way that it is free from unreasonable risks for the driver, passengers and other road users within the declared ODD and boundaries;

(b)

Respects, under the performance requirements specified elsewhere in this UN Regulation;

(c)

Was developed according to the development process/method declared by the manufacturer and that this includes at least the steps listed in paragraph 3.4.4.

3.1.1.

Documentation shall be made available in three parts:

(a)

Application for type approval: The information document which is submitted to the type approval authority at the time of type approval application shall contain brief information on the items listed in Appendix 2. It will become part of the approval.

(b)

The formal documentation package for the approval, containing the material listed in this paragraph 3 (with the exception of that of paragraph 3.4.4) which shall be supplied to the Type Approval Authority for the purpose of conducting the product assessment / process audit. This documentation package shall be used by the Type Approval Authority as the basic reference for the verification process set out in paragraph 4 of this annex. The Type Approval Authority shall ensure that this documentation package remains available for a period determined of at least 10 years counted from the time when production of the vehicle type is definitely discontinued.

(c)

Additional confidential material and analysis data (intellectual property) of paragraph 3.4.4 which shall be retained by the manufacturer, but made open for inspection (e.g. on-site in the engineering facilities of the manufacturer) at the time of the product assessment / process audit. The manufacturer shall ensure that this material and analysis data remains available for a period of 10 years counted from the time when production of the vehicle type is definitely discontinued.

3.2.

Description of the functions of ‘The System’ including control strategies

A description shall be provided which gives a simple explanation of all the functions including control strategies of ‘The System’ and the methods employed to perform the dynamic driving tasks within the ODD and the boundaries under which the automated lane keeping system is designed to operate, including a statement of the mechanism(s) by which control is exercised. The manufacturer shall describe the interactions expected between the system and the driver, vehicle occupants and other road users as well as Human-Machine Interface (HMI).

Any enabled or disabled automated driving functions for which the hardware and software are present in the vehicle at the time of production, shall be declared and are subject to the requirements of this annex, prior to their use in the vehicle. The manufacturer shall also document the data processing in case of continuous learning algorithms are implemented.

3.2.1.

A list of all input and sensed variables shall be provided and the working range of these defined, along with a description of how each variable affects system behaviour.

3.2.2.

A list of all output variables which are controlled by ‘The System’ shall be provided and an explanation given, in each case, of whether the control is direct or via another vehicle system. The range of control (paragraph 2.7) exercised on each such variable shall be defined.

3.2.3.

Limits defining the boundaries of functional operation including ODD-limits shall be stated where appropriate to automated lane keeping system performance.

3.2.4.

Interaction concept with the driver when ODD limits are reached shall be explained including the list of types of situations in which the system will generate a transition demand to the driver.

3.2.5.

Information shall be provided about the means to activate, override or deactivate the system including the strategy how the system is protected against unintentional deactivation. This shall also include information about how the system detects that the driver is available to take over driving control along with specification and documented evidence of the used parameter to identify driver attentiveness as well as the influence on the steering thresholds.

3.3.

System layout and schematics

3.3.1.

Inventory of components.

A list shall be provided, collating all the units of ‘The System’ and mentioning the other vehicle systems which are needed to achieve the control function in question.

An outline schematic showing these units in combination, shall be provided with both the equipment distribution and the interconnections made clear.

This outline shall include:

(a)

Perception and objects detection including mapping and positioning;

(b)

Characterization of Decision-making;

(c)

Remote supervision and remote monitoring by a remote supervision centre (if applicable);

(d)

The data storage system (DSSAD).

3.3.2.

Functions of the units

The function of each unit of ‘The System’ shall be outlined and the signals linking it with other units or with other vehicle systems shall be shown. This may be provided by a labelled block diagram or other schematic, or by a description aided by such a diagram.

3.3.3.

Interconnections within ‘The System’ shall be shown by a circuit diagram for the electric transmission links, by a piping diagram for pneumatic or hydraulic transmission equipment and by a simplified diagrammatic layout for mechanical linkages. The transmission links both to and from other systems shall also be shown.

3.3.4.

There shall be a clear correspondence between transmission links and the signals carried between Units. Priorities of signals on multiplexed data paths shall be stated wherever priority may be an issue affecting performance or safety.

3.3.5.

Identification of units

Each unit shall be clearly and unambiguously identifiable (e.g. by marking for hardware, and by marking or software output for software content) to provide corresponding hardware and documentation association. Where software version can be changed without requiring replacement of the marking or component, the software identification must be by software output only.

Where functions are combined within a single unit or indeed within a single computer, but shown in multiple blocks in the block diagram for clarity and ease of explanation, only a single hardware identification marking shall be used. The manufacturer shall, by the use of this identification, affirm that the equipment supplied conforms to the corresponding document.

3.3.5.1.

The identification defines the hardware and software version and, where the latter changes such as to alter the function of the unit as far as this Regulation is concerned, this identification shall also be changed.

3.3.6.

Installation of sensing system components

The manufacturer shall provide information regarding the installation options that will be employed for the individual components that comprise the sensing system. These options shall include, but are not limited to, the location of the component in/on the vehicle, the material(s) surrounding the component, the dimensioning and geometry of the material surrounding the component, and the surface finish of the materials surrounding the component, once installed in the vehicle. The information shall also include installation specifications that are critical to the system’s performance, e.g. tolerances on installation angle.

Changes to the individual components of the sensing system, or the installation options, shall be notified to the Type Approval Authority and be subject to further assessment.

3.4.

Safety concept of the manufacturer

3.4.1.

The manufacturer shall provide a statement which affirms that the ‘The System’ is free from unreasonable risks for the driver, passengers and other road users.

3.4.2.

In respect of software employed in ‘The System’, the outline architecture shall be explained and the design methods and tools used shall be identified (see 3.5.1). The manufacturer shall show evidence of the means by which they determined the realization of the system logic, during the design and development process.

3.4.3.

The manufacturer shall provide the Type Approval Authority with an explanation of the design provisions built into ‘The System’ so as to ensure functional and operational safety. Possible design provisions in ‘The System’ are for example:

(a)

Fall-back to operation using a partial system.

(b)

Redundancy with a separate system.

(c)

Removal of the automated driving function(s).

3.4.3.1.

If the chosen provision selects a partial performance mode of operation under certain fault conditions (e.g. in case of severe failures), then these conditions shall be stated (e.g. type of severe failure) and the resulting limits of effectiveness defined (e.g. initiation of a minimum risk manoeuvre immediately) as well as the warning strategy to the driver.

3.4.3.2.

If the chosen provision selects a second (back-up) means to realise the performance of the dynamic driving task, the principles of the change-over mechanism, the logic and level of redundancy and any built in back-up checking features shall be explained and the resulting limits of back-up effectiveness defined.

3.4.3.3.

If the chosen provision selects the removal of the automated driving function, this shall be done in compliance with the relevant provisions of this regulation. All the corresponding output control signals associated with this function shall be inhibited.

3.4.4.

The documentation shall be supported, by an analysis which shows, in overall terms, how the system will behave to mitigate or avoid hazards which can have a bearing on the safety of the driver, passengers and other road users.

The chosen analytical approach(es) shall be established and maintained by the manufacturer and shall be made open for inspection by the Type Approval Authority at the time of the type approval.

The Type Approval Authority shall perform an assessment of the application of the analytical approach(es):

(a)

Inspection of the safety approach at the concept (vehicle) level.

This approach shall be based on a Hazard / Risk analysis appropriate to system safety.

(b)

Inspection of the safety approach at the system level including a top down (from possible hazard to design) and bottom up approach (from design to possible hazards). The safety approach may be based on a Failure Mode and Effect Analysis (FMEA), a Fault Tree Analysis (FTA) and a System-Theoretic Process Analysis (STPA) or any similar process appropriate to system functional and operational safety.

(c)

Inspection of the validation/verification plans and results including appropriate acceptance criteria. This shall include validation testing appropriate for validation, for example, Hardware in the Loop (HIL) testing, vehicle on-road operational testing, testing with real end users, or any other testing appropriate for validation/verification. Results of validation and verification may be assessed by analysing coverage of the different tests and setting coverage minimal thresholds for various metrics.

The inspection shall confirm that at least each of the following items is covered where applicable under (a)-(c):

(i)

Issues linked to interactions with other vehicle systems (e.g. braking, steering);

(ii)

Failures of the automated lane keeping system and system risk mitigation reactions;

(iii)

Situations within the ODD when a system may create unreasonable safety risks for the driver, passengers and other road users due to operational disturbances (e.g. lack of or wrong comprehension of the vehicle environment, lack of understanding of the reaction from the driver, passenger or other road users, inadequate control, challenging scenarios);

(iv)

Identification of the relevant scenarios within the boundary conditions and management method used to select scenarios and validation tool chosen;

(v)

Decision making process resulting in the performance of the dynamic driving tasks (e.g. emergency manoeuvres), for the interaction with other road users and in compliance with traffic rules;

(vi)

Reasonably foreseeable misuse by the driver (e.g. driver availability recognition system and an explanation on how the availability criteria were established), mistakes or misunderstanding by the driver (e.g. unintentional override) and intentional tampering of the system;

(vii)

Cyberattacks having an impact on the safety of the vehicle (can be done through the analysis done under the UN Regulation No 155 on Cyber Security and Cyber Security Management System).

The assessment by the approval authority shall consist of spot checks of selected hazards (or cyber threats) to establish that argumentation supporting the safety concept is understandable and logical and implemented in the different functions of the systems. The assessment shall also check that validation plans are robust enough to demonstrate safety (e.g. reasonable coverage of chosen scenarios testing by the validation tool chosen) and have been completed.

It shall demonstrate that the vehicle is free from unreasonable risks for the driver; vehicle occupants and other road users in the operational design domain, i.e. through:

(a)

an overall validation target (i.e., validation acceptance criteria) supported by validation results, demonstrating that the entry into service of the automated lane keeping system will overall not increase the level of risk for the driver, vehicle occupants, and other road users compared to a manually driven vehicles; and

(b)

A scenario specific approach showing that the system will overall not increase the level of risk for the driver, passengers and other road users compared to a manually driven vehicles for each of the safety relevant scenarios; and

The Type Approval Authority shall perform or shall require performing tests as specified in paragraph 4 to verify the safety concept.

3.4.4.1.

This documentation shall itemize the parameters being monitored and shall set out, for each failure condition of the type defined in paragraph 3.4.4 of this annex, the warning signal to be given to the driver/vehicle occupants/other road users and/or to service/technical inspection personnel.

3.4.4.2.

This documentation shall also describe the measures in place to ensure the ‘The System’ is free from unreasonable risks for the driver, vehicle occupants, and other road users when the performance of ‘The System’ is affected by environmental conditions e.g. climatic, temperature, dust ingress, water ingress, ice packing.

3.5.

Safety management system (Process Audit)

3.5.1.

In respect of software and hardware employed in ‘The System’, the manufacturer shall demonstrate to the type approval authority in terms of a safety management system that effective processes, methodologies and tools are in place, up to date and being followed within the organization to manage the safety and continued compliance throughout the product lifecycle (design, development, production, operation including respect of traffic rules, and decommissioning).

3.5.2.

The design and development process shall be established including safety management system, requirements management, requirements’ implementation, testing, failure tracking, remedy and release

3.5.3.

The manufacturer shall institute and maintain effective communication channels between manufacturer departments responsible for functional/operational safety, cybersecurity and any other relevant disciplines related to the achievement of vehicle safety.

3.5.4.

The manufacturer shall have processes to monitor safety-relevant incidents/ crashes/collisions caused by the engaged automated lane keeping system and a process to manage potential safety-relevant gaps post-registration (closed loop of field monitoring) and to update the vehicles. They shall report critical incidents (e.g. collision with another road users and potential safety-relevant gaps) to the type-approval authorities when critical incidents.

3.5.5.

The manufacturer shall demonstrate that periodic independent internal process audits are carried out to ensure that the processes established in accordance with paragraphs 3.5.1 to 3.5.4 are implemented consistently.

3.5.6.

Manufacturers shall put in place suitable arrangements (e.g. contractual arrangements, clear interfaces, quality management system) with suppliers to ensure that the supplier safety management system comply with the requirements of paragraphs 3.5.1 (except for vehicle related aspects like ‘operation’ and ‘decommissioning’), 3.5.2, 3.5.3 and 3.5.5.

4.   VERIFICATION AND TESTS

4.1.

The functional operation of ‘The System’, as laid out in the documents required in paragraph 3, shall be tested as follows:

4.1.1.

Verification of the function of ‘The System’

The Type approval authority shall verify ‘The System’ under non-failure conditions by testing on a track a number of selected functions from those described by the manufacturer in paragraph 3.2 above, and by checking the overall behaviour of the system in real driving conditions including the compliance with traffic rules.

These tests shall include scenarios whereby the system is overridden by the driver.

Tests according to this Annex shall take into account tests already conducted in Annex 5 of this Regulation.

4.1.1.1.

The verification results shall correspond with the description, including the control strategies, provided by the manufacturer in paragraph 3.2 and shall comply with the requirements of this regulation.

4.1.2.

Verification of the safety concept of paragraph 3.4.

The reaction of ‘The System’ shall be checked under the influence of a faults in any individual unit by applying corresponding output signals to electrical units or mechanical elements in order to simulate the effects of internal failure within the unit. The Type approval authority shall conduct this check for at least one individual unit, but shall not check the reaction of ‘The System’ to multiple simultaneous failures of individual units.

The Type Approval Authority shall verify that these tests include aspects that may have an impact on vehicle controllability and user information (HMI aspects e.g. transition scenarios).

4.1.2.1.

The Type Approval Authorities shall also check a number of scenarios that are critical for the Object and Event Detection and Response (OEDR) and characterization of the decision-making and HMI functions of the system (e.g. object difficult to detect, when the system reaches the ODD boundaries, traffic disturbance scenarios) as defined in the regulation.

4.1.2.2.

The verification results shall correspond with the documented summary of the hazard analysis, to a level of overall effect such that the safety concept and execution are confirmed as being adequate and in compliance with the requirements of this regulation.

4.2.

Simulation tool and mathematical models for verification of the safety concept may be used in accordance with Schedule 8 of Revision 3 of the 1958 Agreement, in particular for scenarios that are difficult on a test track or in real driving conditions. Manufacturers shall demonstrate the scope of the simulation tool, its validity for the scenario concerned as well as the validation performed for the simulation tool chain (correlation of the outcome with physical tests).

5.   REPORTING

Reporting of the assessment shall be performed in such a manner that allows traceability, e.g. versions of documents inspected are coded and listed in the records of the Technical Service.

An example of a possible layout for the assessment form from the Technical Service to the Type Approval Authority is given in Appendix 1 to this Annex. The listed items in this Appendix are outlined as minimum set of items which need to be covered.

6.   COMMUNICATION TO OTHER TYPE APPROVAL AUTHORITIES (Appendix 2) containing:

(a)

Description of the ODD and the high-level functional architecture focusing on the functions available to the driver, vehicle occupants and other road users.

(b)

Test results during the verification process by the type approval authorities.

7.   COMPETENCE OF THE AUDITORS/ASSESSORS

The assessments under this Annex shall only be conducted by auditors/assessors with the technical and administrative knowledge necessary for such purposes. They shall in particular be competent as auditor/assessor for ISO 26262-2018 (Functional Safety – Road Vehicles), and ISO/PAS 21448 (Safety of the Intended Functionality of road vehicles); and shall be able to make the necessary link with cybersecurity aspects in accordance with UN Regulation No 155 and ISO/SAE 21434). This competence should be demonstrated by appropriate qualifications or other equivalent training records.

Appendix 1

Model assessment form for Automated Lane Keeping System

Test report No: …

1.   

Identification

1.1.   

Make: …

1.2.   

Vehicle Type: …

1.3.   

Means of system identification on the vehicle: …

1.4.   

Location of that marking: …

1.5.   

Manufacturer’s name and address: …

1.6.   

If applicable, name and address of manufacturer’s representative: …

1.7.   

Manufacturer’s formal documentation package:

Documentation reference No: …

Date of original issue: …

Date of latest update: …

2.   

Test vehicle(s)/system(s) description

2.1.   

General description: …

2.2.   

Description of all the control functions of ‘The System’, and methods of operation: …

2.3.   

Description of the components and diagrams of the interconnections within ‘The System’:

3.   

Manufacturer’s safety concept

3.1.   

Description of signal flow and operating data and their priorities: …

3.2.   

Manufacturer’s declaration:

The manufacturer(s) … affirm(s) that the ‘The System’ is free from unreasonable risks for the driver, vehicle occupants and other road users.

3.3.   

Software outline architecture and the design methods and tools used: …

3.4.   

Explanation of the safety concept of ‘The System’: …

3.5.   

Documented analyses of the behaviour of ‘The System’ under individual hazard or fault conditions: …

3.6.   

Description of the measures in place for environmental conditions: …

3.7.   

Provisions for the periodic technical inspection of ‘The System’: …

3.8.   

Results of ‘The System’ verification test, as per para. 4.1.1 of Annex 4 to UN Regulation No 157: …

3.9.   

Results of safety concept verification test, as per para. 4.1.2 of Annex 4 to UN Regulation No 157: …

3.10.   

Date of test(s): …

3.11.   

This test(s) has been carried out and the results reported in accordance with ….. to UN Regulation No 157 as last amended by the ..... series of amendments.

Technical Service carrying out the test

Signed: … Date: …

3.12.   

Comments: …

Appendix 2

Information document form for automated lane keeping systems to be provided by the manufacturer for the approval

1.   SYSTEM DESCRIPTION AUTOMATED LANE KEEPING SYSTEM

1.1.

Operational Design Domain (Speed, road type, country, Environment, Road conditions, etc.)/ Boundary conditions/ Main conditions for Minimum risk manoeuvres and transition demands …

1.2.

Basic Performance (e.g. Object and Event Detection and Response (OEDR) …) …

1.3.

The means to activate, override or deactivate the system. …

2.   DESCRIPTION OF THE FUNCTIONS OF ‘THE SYSTEM’ INCLUDING CONTROL STRATEGIES

2.1.

Main automated Driving Functions (functional architecture, environmental perception). …

2.1.1.

Vehicle-internal …

2.1.2.

Vehicle-external (e.g. back-end) …

3.   OVERVIEW MAJOR COMPONENTS (UNITS) OF ‘THE SYSTEM’

3.1.

Control Units…

3.2.

Sensors…

3.3.

Maps/Positioning…

4.   SYSTEM LAYOUT AND SCHEMATICS

4.1.

Schematic system layout including sensors for the environmental perception (e.g. block diagram) …

4.2.

List and schematic overview of interconnections (e.g. block diagram) …

5.   SPECIFICATIONS

5.1.

Means to check the correct operational status of the system…

5.2.

Means implemented to protect against simple unauthorized activation/operation and interventions into the system…

6.   SAFETY CONCEPT

6.1.

Safe Operation – Vehicle Manufacturer Statement…

6.2.

Outline software architecture (e.g. block diagram) …

6.3.

Means by which the realization of the system logic is determined…

6.4.

General explanation of the main design provisions built into ‘The System’ so as to generate safe operation and interaction with other road users under fault conditions, under operational disturbances and the occurrence of planned/unplanned conditions that would exceed the ODD. …

6.5.

General description of failure handling main principles, fall-back level strategy including risk mitigation strategy (minimum risk manoeuvre) …

6.6.

Driver, vehicle occupants and other road users interaction including warning signals and transition demands to be given to driver. …

6.7.

Validation by the manufacturer for the performance requirements specified elsewhere in the regulation including the OEDR, the HMI, the respect of traffic rules and the conclusion that the system is designed in such a way that it is free from unreasonable risks for the driver, vehicle occupants and other road users. …

7.   VERIFICATION AND TEST BY THE AUTHORITIES

7.1.

Verification of the basic function of ‘The System’…

7.2.

Examples for checking the system reaction under the influence of a failure or an operational disturbance, emergency conditions and boundary conditions…

8.   DATA STORAGE SYSTEM

8.1.

Type of Data stored…

8.2.

Storage location…

8.3.

Recorded occurrences and data elements means to ensure data security and data protection…

8.4.

Means to access the data…

9.   CYBERSECURITY (CROSS REFERENCE TO THE CYBER REGULATION IS POSSIBLE)

9.1.

General description of the cybersecurity and software update management scheme…

9.2.

General description of the different risks and measures put in place to mitigate these risks. …

9.3.

General description of the update procedure. …

10.   INFORMATION PROVISIONS TO USERS

10.1.

Model of the information provided to users (including expected driver’s tasks within the ODD and when going out of the ODD) …

10.2.

Extract of the relevant part of the owner’s manual…

Appendix 3

Guidance on Traffic disturbance critical scenarios for ALKS

1.   GENERAL

1.1

This document clarifies derivation process to define conditions under which Automated Lane Keeping Systems (ALKS) shall avoid a collision. Conditions under which ALKS shall avoid a collision are determined by a general simulation program with following attentive human driver performance model and related parameters in the traffic critical disturbance scenarios.

2.   TRAFFIC CRITICAL SCENARIOS

2.1.

Traffic disturbance critical scenarios are those which have conditions under which ALKS may not be able to avoid a collision.

2.2.

Following three are traffic critical scenarios:

(a)

Cut-in: the ‘other vehicle’ suddenly merges in front of the ‘ego vehicle’;

(b)

Cut-out: the ‘other vehicle’ suddenly exits the lane of the ‘ego vehicle’;

(c)

Deceleration: the ‘other vehicle’ suddenly decelerates in front of the ‘ego vehicle’;

2.3.

Each of these traffic critical scenarios can be created using the following parameters/elements:

(a)

Road geometry;

(b)

Other vehicles’ behaviour/ manoeuvre.

3.   PERFORMANCE MODEL OF ALKS

3.1.

Traffic critical scenarios of ALKS are divided into preventable and unpreventable scenarios. The threshold for preventable/unpreventable is based on the simulated performance of a skilled and attentive human driver. It is expected that some of the ‘unpreventable’ scenarios by human standards may actually be preventable by the ALKS system.

3.2.

In a low-speed ALKS scenario, the avoidance capability of the driver model is assumed to be only by braking. The driver model is separated into the following three segments: ‘Perception’; ‘Decision’; and, ‘Reaction’. The following diagram is a visual representation of these segments:

3.3.

To determine conditions under which Automated Lane Keeping Systems (ALKS) shall avoid a collision, performance model factors for these three segments in the following table should be used as the performance model of ALKS considering attentive human drivers’ behaviour with ADAS.