
Advanced Driver Automation Systems Analysis

This document discusses advanced driver assistance systems and autonomous vehicles. It describes the differences between ADAS and autonomous driving, as well as the different levels of vehicle autonomy. The document also discusses human-machine interfaces for connected autonomous vehicles, including external interfaces for communicating with other road users and internal automotive user interfaces. Finally, it briefly touches on testing the ethics of autonomous vehicles and analyzing system safety using the STPA methodology.

2023

Advanced Driver Automation Systems
MODULE: 7125CAA (CAV & HF)
PARVATHY PADMANABHAN
ID: 13039213
COVENTRY UNIVERSITY
LIST OF FIGURES

Figure 1 Levels of Autonomous Vehicles
Figure 2 Simplified version of the standard system engineering V-model with STPA integrated
Figure 3 Part I : System (Source: Self)
Figure 4 Control process of System
Figure 5 Map of Broughton and Salford

LIST OF TABLES

Table 1 Part 1 Loss table (Source: Self)
Table 2 Part 1 Hazard table (Source: Self)
Table 3 Part 1 Safety Constraints table (Source: Self)
Table 4 UCA Table
Table 5 Causal Factors and UCA Mapping
Table 6 Checklist
Table 7 Human Error Table

LIST OF ABBREVIATIONS

S.No | Abbreviation | Description
1 | ADAS | Advanced Driver Assistance Systems
2 | ADS | Aided Driving System
3 | LKA | Lane Keeping Assistance
4 | ACC | Adaptive Cruise Control
5 | LDW | Lane Departure Warning
6 | HCI | Human-Computer Interface
7 | HMI | Human Machine Interface
8 | CAV | Connected Autonomous Vehicle
9 | ORU | Other Road User
10 | AV | Autonomous Vehicle
11 | FMEA | Failure Mode and Effects Analysis
12 | FTA | Fault Tree Analysis
13 | HAZOP | Hazard and operability study
14 | STAMP | Systems-Theoretic Accident Model and Processes
15 | STPA | System Theoretic Process Analysis
16 | UCA | Unsafe Control Actions
17 | CF | Causal Factor
18 | AC | Autonomous Car
19 | MD | Manual Drive
20 | AD | Automatic Drive

INDEX

1 Introduction
1.1 ADAS vs ADS
1.2 Human - Machine Interfaces and CAVs
1.2.1 External HMI
1.2.2 Automotive User Interface
2 Testing the Ethics of Autonomous Vehicles
3 STPA: System-Theoretic Process Analysis Overview
4 Part I : Analysing STPA with the given scenario
4.1 Steps involved in STPA with respect to the scenario
4.1.1 Define the purpose of analysis
4.1.2 Model of the control structure
4.1.3 Identify UCAs
4.1.4 Identify loss scenarios
4.1.5 Checklist for Safety Constraints to avoid the UCA and Hazards
5 Part II: Analysis on Human Error based on a scenario.
5.1 Scenario & Human Error
5.2 Defining the Problem
6 Conclusion
7 References

1. Introduction

1.1 ADAS vs ADS

Will 2023 mark the year when we get in our cars, fasten our seatbelts, and sit back, trusting
artificial intelligence to drive us to the grocery store in our completely autonomous vehicles?

Nowadays, autonomous or self-driving automobiles are all the trend. For the time being,
only certain vehicles, in certain cities, on specific roads, at particular speeds, while adhering
to specific laws, can actually have this experience. There is a difference between autonomous
driving and self-driving, as well as between ADAS and autonomous driving, even though the
phrases are sometimes used interchangeably.

An electronic system of automatic vehicle safety features that uses cutting-edge sensor
technology to give drivers information, warnings, and assistance while they are on the road is
what can be defined as an ADAS. 1

The phrase "autonomous driving" describes a technology that enables automobiles to operate
independently without any human involvement. There are various levels for autonomous
vehicles, and each has its own set of capabilities and limitations.1

Figure 1 Levels of Autonomous Vehicles 2

Although ADAS are not really autonomous driving technology, they are crucial in getting vehicles ready for full autonomy. ADAS make many of the features that go into Level I or Level II systems feasible.

Without sensors to detect objects around the car, features like LKA and ACC, for instance, would not be possible. Similarly, cameras or other sensors that can track the position of the automobile on the road are necessary for the ADAS feature LDW to function. 1

1.2 Human – Machine Interfaces and CAVs

When considering autonomous vehicles that communicate effectively, how trust is developed between consumers and machines must also be considered. The definition of trust varies depending on the field, such as psychology, human-computer interface (HCI), economics, and computer science. The majority of trust research in HCI focuses on developing a measurable model of trust so that the degree of trust can be tracked.

The human machine interface (HMI) is the combination of hardware and software components used to facilitate communication between automated vehicles and individuals, including passengers and other road users. By communicating information, instructions, and intention to those both within and outside the vehicle, well-designed HMIs assist in establishing successful communication and subsequently trust in this dynamic connection. It is crucial that the human component features of AV communication systems are examined carefully when the world is on the verge of developing full self-driving Level 5 autonomous vehicles. 3 The two major HMIs for CAVs are discussed in this report.

1.2.1 External HMI

This HMI is used to facilitate communication between ORUs and AVs. This component of
the vehicle communicates with pedestrians through sounds, light, and other sensory means.
For eHMIs to be adopted on a long-term basis by the general population, they must be
dependable and effective.3

1.2.2 Automotive User Interfaces

An AV's interior defines how the user interface may be improved for communication with passengers and to foster trust. The interaction between the passenger and the digital assistant is essential to enhancing the user experience and increasing confidence. The kind and volume of data to be displayed to the driver on the automotive interface is also an important factor. The correct data can lower adoption barriers by making AVs safer and offering passengers a high-quality user experience.

2. Testing the Ethics of Autonomous Vehicles

The number of accidents caused by human errors is increasing rapidly. Many of these
accidents can be avoided by the use of autonomous cars. One could counter that research has
demonstrated that accidents do occur, even with driverless vehicles. And according to a
study, human error is to blame for 99% of accidents involving autonomous vehicles. 4

Therefore, it may be said that autonomous vehicles are more dependable than their manual
counterparts. Nonetheless, there are still some moral dilemmas that autonomous cars
encounter today, raising concerns about their ethics.4

Some examples of ethical issues faced by CAVs include:

I. Predetermined Choices Always Prevail Over Random Solutions:

To prove the point, it can be said that a random human-caused accident is more acceptable than the predetermined death of a person or animal by an autonomous vehicle. Who is responsible for the death? The manufacturer? The programmer? Or the car itself?

II. Giving Control to Driver:

In cars like Tesla, the driver should be ready to take over at any time and needs to have a hand on the steering. If an accident happens, who is responsible? The car? The driver? Or the reckless pedestrian?

III. Who is rightful to decide on the ethics of CAVs

It can be argued who the rightful authority to decide on the ethics is. The engineers? Or the Govt. of the driving country?

IV. Digital security: Dilemma of being Hacked

What if a car gets hacked by a cybercriminal and is made to cause an accident? Who is to blame then? The cybercriminal? The driver? The manufacturer who did not add more security to the programme?

3. STPA: System-Theoretic Process Analysis Overview

Hazard models are used to conceptualise accident-specific characteristics and determine why accidents happen by linking their causes and effects. In highly technological systems like defence, aviation, aerospace, maritime, telecommunications, the petroleum industry, automobiles and healthcare, the level of complexity is rising, creating new types of safety concerns and potentially catastrophic failure modes. The analysis of accidents that happen in contemporary socio-technical systems, where the accident cause is not the consequence of a single system failure or human mistake, cannot be done effectively using traditional accident modelling methodologies. 5 There are numerous techniques for performing risk analysis at the system's low level, like FMEA, FTA and HAZOP. 5 Instead of studying individual cause-effect relationships and repercussions, a new group of systemic models has been created to identify how a system functions as a whole. STAMP and STPA are examples of such methods.

Leveson created System Theoretic Process Analysis to identify risky control actions and
states that could result in system losses or accidents and to generate specific safety
requirements to prevent the occurrence of the identified risky scenarios. 6

Integrating STPA analysis into the overall system engineering process can significantly reduce the cost of engineering for safety, improve its efficiency and reduce losses. Rework can be decreased as well, which lowers expense and time. 7

Figure 2 Simplified version of the standard system engineering V-model with STPA integrated. 8

4. Part I : Analysing STPA with the given scenario
4.1 Steps involved in STPA with respect to the scenario
4.1.1 Define the purpose of analysis

The system here is a Level 4 automated vehicle used to complete a 20-minute journey. The system is required to go through different road conditions, from a residential area to a dual carriageway to a motorway, then to a city centre, and should be parked in an underground car park. The same journey is completed in reverse at the end of the day and takes place at rush hours in varying traffic. The vehicle is required to choose its route dynamically.

[Figure 3: system diagram. Labels: Organization, Govt. Authorities, Manufacturer, Weather, Varying traffic, Road Condition, Other Criteria, Conventional cars and other vehicles, Pedestrians, Time of Journey: 20 mins, Traffic, Autonomous Level 4 car, Cyclist, Underground parking, Area involved, Residential Area, City Centre, Motorway, Dual Carriageway, Requirement, Complete journey safely within time, Vehicle to choose best route dynamically.]

Figure 3 Part I : System (Source: Self)

• System Losses:

These are the situations considered unacceptable by stakeholders. Stakeholders in this situation are all road users, the manufacturer and regulators.

No | Title | Description
1 | Serious Injuries or Loss of life | Due to accident/ collision, losing life or having major injuries
2 | Property Damage | Due to accident, property damaged for others and the user and/or the govt.
3 | Not reaching on time | Due to unexpected traffic or situations, loss of travel time.
4 | Loss of Reputation: Govt. | Traffic and road condition's unreliability causing loss of reputation for govt authorities
5 | Loss of Reputation: Manufacturer | Lack of safety and unreliability of vehicle causing loss of reputation for the manufacturer.

Table 1 Part 1 Loss table (Source: Self)

• System Level Hazard:

Hazard refers to situations or conditions that may lead to the above-mentioned loss. Hazards can be linked to one or more identified losses. Some of the identified hazards are listed below:

No | Title | Description
H1 | Driving without following rules/ Illegal driving | When humans on road do not follow the rules and regulations
H2 | Poor Communication | Intent is communicated by body language, including eye contact, posture, gesture, and external vehicle interface or signals.
H3 | Wrong Judgement, Misunderstanding and wrong decision making | At a junction, poor perception and decision-making increase the likelihood of an accident.
H4 | Not keeping a safe distance from nearby infrastructure | Not keeping safe distance with nearby infrastructure can lead to an accident.
H5 | Not keeping safe distance from other vehicles | Not keeping safe distance with nearby vehicles can lead to an accident or catastrophic results.
H6 | Unreliable functionalities of a CAV | If functionalities are not reliable it may lead to accident.
H7 | Careless Pedestrians | When passengers behave recklessly in road
H8 | Bad Weather | Heavy rain, snowfall, or fog can be a cause of accident
H9 | Cyclists driving recklessly | When cyclists drive recklessly it can cause accidents, and if proper safety gears are not there then the casualties can be high

Table 2 Part 1 Hazard table (Source: Self)

• Safety Constraints

These are the constraints that must be fulfilled to prevent the system from being in a hazard state. They are there to avoid any potential loss. Some of the safety constraints to avoid the hazards are:

No | Title
S1 | Drive by following rules and keeping it legal.
S2 | Communication in and out of the vehicle should be proper
S3 | Do proper judgement of the situation and make the vehicle capable of making the RIGHT decision
S4 | Keep a safe distance from nearby infrastructure
S5 | Keep safe distance from other vehicles
S6 | Functionalities of CAV should be reliable and designed properly by Manufacturer
S7 | Pedestrians should follow rules.
S8 | Consider weather before starting the journey
S9 | Cyclists should follow rules and gear up properly.

Table 3 Part 1 Safety Constraints table (Source: Self)

4.1.2 Model of the control structure

The control structure consists of connected feedback and control loops forming a system model. The controlled process provides input or feedback to the controller, which the controller uses to make observations and alter decisions.

[Figure 4: control structure diagram. Blocks: Govt. Organisation/ Road Authority and Car Manufacturer (rules for manufacturers, traffic rules, performance analysis); AV Controller: Level 4 Autonomous car (planning & decisions) with AV actuator actions (throttle, steering, braking, indicator, sound signal, V2V data transfer), AV sensors (forward, rear and side cameras, ultrasonic sensor, IMU, GPS, RADAR, LIDAR, V2V data receiver) and the AV controlled process; Controller: Human Driver of a conventional vehicle, Cyc Controller: Cyclist and Ped Controller: Human, each with human sensory inputs (eye sight, hearing, physical and mental condition), actuator actions and a controlled process; communication links; distractions (annoyance, phone calls, attractions); Weather (fog, sunny, rainy, snowy); Infrastructure (road sign, street light, lane marking, pavement, lane width, speed limit); Area (residential, city centre, dual carriageway, motorway, underground parking); other criteria affecting traffic.]

Figure 4 Control process of System

4.1.3 Identify UCAs

Here we identify the UCAs. These are the control actions that can lead to a hazard in its
worst-case circumstance.

Control Action | Not Given | Given Incorrectly | Wrong order/ timing | Stopped too soon
UCA1: Braking | Lvl 4 AC does not stop when not having right of way | AC brakes too early/ too late | AC brakes abruptly after/before stop line |
UCA2: Turning at Intersection | Cannot turn at intersection | Incorrect turning at intersection | |
UCA3: Communication | Fails to communicate; fails to receive intent from others | Misleading communication; receives misleading info | Delay in communication; delay in receiving information |
UCA4: Transition to MD from AD | Driver not transitioning to MD on warning | Accidentally transitioned to MD | Mode switching not done correctly in order | Transitioned before getting confirmation from HMI
UCA5: Speed Control | Not having speed limit idea of different areas | Wrong speed limit info given | Increasing/ decreasing speed in wrong time |
UCA6: Distance Maintained | Sensor to maintain safe distance is not given | Safe distance value given wrong to sensor | Identifying safe distance after stopping | Stopping when it is too late to maintain safe distance
UCA7: GPS Signal Connection | GPS signal connection is not maintained/ lost | Incorrect map information provided | Wrong order of needed data | Stopped before correct data is loaded
UCA8: Parking | Parking functionality not updated for underground parking | Open area parking steps given instead of underground parking | Parking advice given when on a signal/ in a traffic | Stopped before the vehicle is in correct parking spot

Table 4 UCA Table

4.1.4 Identify loss scenarios

These are the scenarios that result from the combination of several causal factors (CFs) that
may lead to UCAs and potential loss.

The UCAs are mapped to certain causal factors, which can be addressed to avoid certain loss/
accident. The list of causal factors based on the UCAs is given below.

Causal Factor | Description | UCA Mapping
CF1 | Poor financing of road authority activities due to political or administrative issues to build and maintain infrastructure necessary for AVs to function properly | UCA2
CF2 | Poor road infrastructure management and planning by road authority due to administrative and lack of expertise in the transportation departments | UCA2
CF3 | Poor traffic law awareness by authority. Laws for conventional vehicles cannot be enforced for AVs, which can give rise to a hazardous situation | UCA2
CF4 | Inadequate vehicle automation design by manufacturer. | UCA1
CF5 | Missing road signs at intersection. | UCA2
CF6 | No road lane markings at intersection. | UCA2
CF7 | Intersection and speed signs too close/ too far to intersection. | UCA1, UCA2
CF8 | Obstructed vision | UCA1, UCA2
CF9 | Faulty internet communication infrastructure | UCA3, UCA7
CF10 | Incorrect roadway geometry at intersection | UCA2
CF11 | AV planning and decision error. | UCA1, UCA2, UCA4, UCA8
CF12 | AV has wrong speed perception of other motorized traffic participants. | UCA5, UCA6
CF13 | AV lacks ability to transfer non-verbal communication cues. | UCA3
CF14 | AV information system security breach | UCA1
CF15 | AV has wrong locality perception | UCA2, UCA8
CF16 | Conventional vehicle driver does not follow traffic laws | UCA1, UCA2
CF17 | Actuator component failure or Perception component failure. | UCA1, UCA6
CF18 | Controller is fed with wrong input data | UCA1, UCA6
CF19 | Lack of awareness about the vehicle | UCA4

Table 5 Causal Factors and UCA Mapping

4.1.5 Checklist for Safety Constraints to avoid the UCA and Hazards

S.No | Constraint | Description | Hazard Prevented
1 | Check for sensors if its working accurately and efficiently | Forward camera | H3, H4, H5
1 | | Rear Camera | H3, H4, H5
1 | | Side Camera | H3, H4, H5
1 | | Ultrasonic sensor | H3, H4, H5
1 | | IMU | H6
1 | | GPS | H6
1 | | RADAR | H6
1 | | LIDAR | H6
1 | | V2V Data Receiver | H6
2 | Check the weather before the journey | Clear and Good Vision | H8
3 | Follow the rules | All the participants in road | H1, H7, H9
4 | Check if the system as whole is working correctly | Throttle | H6
4 | | Steering | H6
4 | | Braking | H6
4 | | Indicator | H6
4 | | Sound Signal | H6
4 | | V2V Data Transfer | H6
5 | Maintain proper communication | Within and outside the system | H2
6 | Planning & Decisions by System | Algorithm should be proper and updated | H3

Table 6 Checklist

Legend: Can be avoided but not completely; Can be avoided completely

5. Part II: Analysis on Human Error, Human Machine Interaction and Human Information processing based on a scenario.

5.1 Scenario & Human Error

In this example the person wanted to travel from Norwich to Salford, Greater Manchester via Broughton. Since all the familiar roads were closed, he trusted the AV with rerouting. The vehicle rerouted via Norfolk country lanes → Newmarket. Due to some issues, it then rerouted again to the outskirts of Newmarket towards Cambridge. After some time the vehicle reached Buckinghamshire as the final destination instead of Salford in Greater Manchester. To know why this happened, let us have a quick look at the geography.

Figure 5 Map of Broughton and Salford

As seen in the map, both the names Broughton and Salford unfortunately refer to places in
two different areas, one being in Manchester (original destination) and the other being near
to Buckinghamshire.

This is a clear example of human error. Factors leading to such an error can be described as
follows:

Category: Driver | Error | Description
Unintended Action: Slip | Attentional Failures | Haste: The person just finished his final meeting and is in a hurry to reach for his early meeting the following day.
Unintended Action: Slip | Attentional Failures | Stress: It was the end of the working day and was a long and stressful day
Unintended Action: Slip | Attentional Failures | Lack of attention: Without giving proper attention on traffic or the route the person is busy preparing for the meeting
Intended Action: Mistake | Knowledge-based mistake | Inadequate Information: It's a brand new, autonomous Phoenix Stratocruiser delivered two days ago so the person lacks proper knowledge of the system
Intended Action: Mistake | Knowledge-based mistake | Inadequate Information: Lack of knowledge about different places having same names.
Unavoidable by driver | External Environment | It was dark and raining
Unavoidable by driver | Road Condition | Familiar roads were closed which led to rerouting

Category: Manufacturer | Error | Description
Intended Action: Mistake | Poor Design | The map is very small and unclear. Even though scale is large map should be clear
Intended Action: Mistake | Lack of Confirmation on data | Journey started without confirming the destination. Wrong data used

Table 7 Human Error Table

5.2 Why the problem was not picked up both at the beginning and while the driver was en route to their destination.

The problem was not identified at the beginning or during the journey because the user was unaware of it. He was distracted in the first place and had blind trust in the system and the vehicle. Because of this he did not double-check the destination, and even when the vehicle rerouted multiple times due to unexpected situations, the user was busy preparing for the meeting, showing blind trust in the system and the manufacturer.

Some external factors, like the time of day and the weather conditions, also contributed to the error. It was night time and raining, which obstructed the user's vision, and he was unable to identify the places outside.

But the major reason for such human error is the inattention and the physical and mental condition of the user, who was stressed and tired.

Due to his lack of awareness of the geographical details regarding the destination, he was unaware of the problem until the last.
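
The missing destination confirmation named in Table 7 and in section 5.2 can be expressed as a pre-journey check. The following is an added example, not part of the original report: the gazetteer entries, approximate coordinates, thresholds and all function names are constructed assumptions. It also shows why the "via Broughton" waypoint did not resolve the ambiguity, since both names occur together in both areas.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class Place:
    name: str
    region: str
    lat: float
    lon: float


# Constructed gazetteer with approximate coordinates (illustration only).
GAZETTEER = (
    Place("Norwich", "Norfolk", 52.63, 1.30),
    Place("Salford", "Greater Manchester", 53.49, -2.29),
    Place("Broughton", "Greater Manchester", 53.50, -2.26),
    Place("Salford", "Buckinghamshire area", 52.04, -0.64),
    Place("Broughton", "Buckinghamshire area", 52.05, -0.70),
)

# Assumed thresholds, chosen for this example.
AMBIGUITY_KM = 25.0   # same-name matches farther apart than this are different places
VIA_RADIUS_KM = 15.0  # a waypoint supports a destination if it lies within this distance


@dataclass(frozen=True)
class Decision:
    candidates: tuple
    needs_confirmation: bool
    reason: str


def haversine_km(a, b):
    """Great-circle distance between two places in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (a.lat, a.lon, b.lat, b.lon))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def lookup(name, gazetteer=GAZETTEER):
    """All gazetteer entries whose name matches, ignoring case and padding."""
    key = name.strip().casefold()
    return tuple(p for p in gazetteer if p.name.casefold() == key)


def check_destination(dest_name, via_name=None, gazetteer=GAZETTEER):
    """Decide whether the HMI must ask the user to confirm the destination."""
    dests = lookup(dest_name, gazetteer)
    if not dests:
        return Decision((), True, "destination not found")
    spread = max(haversine_km(a, b) for a in dests for b in dests)
    if spread <= AMBIGUITY_KM:
        return Decision(dests, False, "single location")
    reason = "same name in several distant locations"
    if via_name:
        vias = lookup(via_name, gazetteer)
        # A candidate is supported when some place with the waypoint name is nearby.
        supported = tuple(
            d for d in dests
            if any(haversine_km(d, v) <= VIA_RADIUS_KM for v in vias)
        )
        if len(supported) == 1:
            return Decision(supported, False, "waypoint matches one candidate only")
        if len(supported) > 1:
            reason = "waypoint name also exists near several candidates"
    return Decision(dests, True, reason)


def confirmation_prompt(decision, origin):
    """Text the HMI would show: each candidate with region and distance from origin."""
    return "\n".join(
        f"{i}. {p.name}, {p.region} (about {haversine_km(origin, p):.0f} km away)"
        for i, p in enumerate(decision.candidates, 1)
    )


if __name__ == "__main__":
    decision = check_destination("Salford", via_name="Broughton")
    print(decision.needs_confirmation, "-", decision.reason)
    print(confirmation_prompt(decision, lookup("Norwich")[0]))
```

With the constructed data, the Salford via Broughton request is flagged for confirmation and both candidates are listed with their region, which is the check the scenario's journey started without.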

6. Conclusion

One of the key steps in the system hazard analysis is the identification of hazardous events.
Traditional hazard analysis techniques, such as STPA, have limitations when studying
autonomous vehicles. The control structure, all essential system components, and their
relationships must be defined as part of STPA since they serve as the framework for creating
an organised list of potential scenarios that could result in hazards. Once the causative
scenarios have been found, they may be utilised to provide precise specifications to the
designers so that the hazards can be avoided and the causal factors can be reduced or
eliminated.

7. References
1. Ronsky, Robin. “ADAS vs Autonomous Driving | ADAS Levels & More.” CARADAS, Apr. 2022, caradas.com/adas-vs-autonomous-driving/.
2. Cloud Factory. “Where Do ADS and ADAS Fall into the Levels of Driving Automation?” Blog.cloudfactory.com, Jan. 2022, blog.cloudfactory.com/where-do-ads-and-adas-fall-into-levels-of-driving-automation.
3. Zhang, Jiehuang, et al. “Human-Machine Interaction for Autonomous Vehicles: A Review.” Social Computing and Social Media: Experience Design and Social Network Analysis, 2021, pp. 190–201, https://doi.org/10.1007/978-3-030-77626-8_13. Accessed 1 Mar. 2023.
4. Joshi, Naveen. “5 Moral Dilemmas That Self-Driving Cars Face Today.” Forbes, Aug. 2022, www.forbes.com/sites/naveenjoshi/2022/08/05/5-moral-dilemmas-that-self-driving-cars-face-today/?sh=165624e2630d. Accessed 1 Mar. 2023.
5. Qureshi, Zahid. A Review of Accident Modelling Approaches for Complex Critical Sociotechnical Systems. 2008.
6. Leveson, Nancy. “A New Accident Model for Engineering Safer Systems.” Safety Science, vol. 42, no. 4, 2004, pp. 237–270, sunnyday.mit.edu/accidents/safetyscience-single.pdf, https://doi.org/10.1016/s0925-7535(03)00047-x. Accessed 14 Apr. 2019.
7. Karatzas, Stylianos, and Athanasios Chassiakos. “System-Theoretic Process Analysis (STPA) for Hazard Analysis in Complex Systems: The Case of “Demand-Side Management in a Smart Grid.”” Systems, vol. 8, no. 3, 1 Sept. 2020, p. 33, www.mdpi.com/2079-8954/8/3/33/htm, https://doi.org/10.3390/systems8030033. Accessed 10 Feb. 2022.
8. Karatzas, Stylianos K., and Athanasios P. Chassiakos. “Systems-Theoretic Process Analysis (STPA) in Building Energy Risk Management.” Ec-3.org, University College Dublin, 2019, ec-3.org/publications/conference/paper/?id=EC32019_183. Accessed 1 Mar. 2023.