1 Introduction

There is a huge push of automated driving functionality, with many manufacturers indicating their intention to bring highly automated cars to the market in the near future. Vehicles that are truly driverless have no requirement to be operated directly by a human via active controls, apart from the input of the required destination or a need, in the unlikely event of an emergency stop, to overrule the entire system. However, for the foreseeable future there will be an extremely wide variety of non-driverless vehicles, offering different levels of automation functionality. The correct functioning of that automation depends on the collaboration between human and vehicle. If that collaboration works as intended, the human driver can surrender some, most or all driving control to the vehicle, and the vehicle can similarly require human takeover in the event of failure or system awareness that it cannot handle the current or an upcoming situation. Alternatively, the human may request to take over and be granted that request by the vehicle.

With these automated functions, the vehicle and human can be seen as a joint cognitive system, with both elements required to collaborate to deliver safe and comfortable driving. The main communication means between vehicle and human in that collaboration is the human machine interface (HMI). That HMI cannot be seen narrowly as just a set of visual and auditory displays which relay information and settings in both directions. It also includes all the vehicle controls, since those controls provide channels for both human input into the vehicle and for vehicle feedback to the driver. The feedback can include both the traditional feel transmitted by pedals and steering, but also the vehicle’s dynamics within a specific context and additional haptic elements—resistance, pulses, vibrations, physical guidance—used to guide and assist the human. The term “HMI” will here be used in that broad sense to encompass the full range of explicit as well as implicit communication between human operator and the vehicle.

Drivers of vehicles with automated functions may not understand that these systems cannot work in all conditions. Therefore, there is a fundamental need for the HMI to help the human to understand the capabilities of the automated functions as these functions vary over time. The role of the HMI is to make humans understand what is expected of them in terms of monitoring and active intervention. Such understanding is a pre-requisite for correctly calibrated trust and indeed for safe and comfortable operation in general. Misunderstanding between the vehicle and the human about what the other party will do has the potential to result in false expectations on the part of the system about what the human will notice, as well as over-reliance by the human on system capability and consequent disaster, as evidenced by the fatal crash of a Tesla in Florida in May 2016. At the opposite end of the spectrum, if users have too little trust in system capabilities, they may decide not to buy or use systems that could potentially be helpful and safety-enhancing.

We can establish goals for the HMI that are needed to achieve this transparency, along the lines of the “ten challenges” of Klein et al. (2004). Their ten challenges were based on four principles for the proper operation of a joint human-agent activity: there should be an agreement that the actors will work together; the actors must be mutually predictable in their actions; they must be mutually directable; and they must maintain common ground. The individual goals laid out in this paper are based on the overriding principle for road vehicle operation that the top-level goal should be to ensure the overall safety of the joint system, by providing the human supervisor with sufficient understanding of how the automation is operating and of what is expected of the human. That understanding of necessity encompasses both the state and status of the automation and the relationship between the automation and the external road, traffic and weather environment. Since at higher levels of automation, the automated vehicles may be making decisions at all three levels of the driving task (strategic, tactical and control—Michon 1985), there is an argument for a need to inform the human about each level. However, when referring to a joint cognitive system, both elements of the system need to take the other into account and not just offer one-way communication about all actions. The assumption that the human wants to be informed about every level of the automated driving task and will be constantly monitoring or supervising the system is, therefore, not the right approach and needs to be discussed. The role for the HMI is not only to provide information to a highly alert monitor, but also to ensure that the attention level is sufficient and that mutual expectations are correct.

Many studies report the HMIs they have used for their research, but there is remarkably little systematic research about the overall requirements and design of HMI for automated vehicles and no general review of principles and overall user needs. The European HAVEit project carried out a driving simulator study to evaluate a number of proposed designs to handle driver-initiated transitions of automated driving (Schieben et al. 2011) and also initiated an HMI design process to arrive at prototype designs for the project’s demonstrator automated vehicles (Flemisch et al. 2011). Bengler et al. (2012) proposed that multi-modal interfaces including haptic should be used in human–machine cooperation, for example with driver assistance systems, but did not provide any further specifics. In the U.S., a NHTSA-funded project investigated a number of specific human factors challenges for level 2 and level 3 vehicles, using prototype vehicles operating on a test track (Blanco et al. 2015). The first challenge was how to issue a take-over request to the human in level 2 driving; the second was how to prompt operators to pay attention to the roadway in level 2 driving; and the third was how to issue a take-over request in level 3 driving. These studies are valuable, but they by no means address the overall requirements of an HMI to support operators as they share driving with an automated system. Additionally, there is a commercial report by Fitch (2015) which reviews current concepts and designs for the HMI for automated vehicles and includes statements made by a number of system developers and researchers. The report recognises the importance of HMI for safe vehicle operation, sees HMI as a unique feature to differentiate automotive brands and encourages a user-centred and careful design approach. It does not provide a conclusive a set of overriding principles for HMI in this particular context or make recommendations on appropriate, or for that matter inappropriate, designs.

2 What should be the goals of HMI for AVs?

In designing an HMI, it is pertinent to apply ecological interface design (EID) principles (Rasmussen and Vicente 1989; Vicente and Rasmussen 1992). The goal is to prevent insofar as possible escalation to higher levels of cognitive control, i.e. to maintain the human at the skills and, where needed, the rules levels, and thus to avoid the slower and less effective (and thus potentially more unsafe) knowledge level (for more information about the skill-based, rule-based and knowledge-based behaviour hierarchy, see Rasmussen 1983, 1987). In other words, reflexes are to be preferred over reflection. Here, as carried out by Vicente and Rasmussen (1992) for general interface design, it is possible to identify the major challenges presented by collaboration of vehicle and human in automated driving and, from those challenges, derive design principles or goals. As indicated above, a similar process was adopted by Klein et al. (2004) for automation in general.

The identified elements, crucial for HMI design in automated vehicles, are each discussed separately in this paper. They are:

  1. 1.

    Provide required understanding of the AV capabilities and status (minimise mode errors).

  2. 2.

    Engender correct calibration of trust.

  3. 3.

    Stimulate appropriate level of attention and intervention.

  4. 4.

    Minimise automation surprises.

  5. 5.

    Provide comfort to the human user, i.e. reduce uncertainty and stress.

  6. 6.

    Be usable.

After discussing these requirements, a simplified model of the impact of these items is presented, together with implications for HMI design.

3 Provide required understanding of the AV capabilities and status

It is a basic requirement for the human operator, when working with automation, to comprehend what automated functionalities are being provided by the vehicle, and in counterpart what is expected of the human in terms of supervision, attention to both automation state and status and readiness to resume control. If a vehicle is operating in driverless automation, with no requirement for human attention or intervention, then indeed the human can be totally disengaged from driving, i.e. be a mere passenger who can be immersed in any non-driving tasks or even asleep. If properly designed, the passenger then requires only journey-related (strategic) information as defined by Michon (1985) together with information about costs, ride sharing or emergency situations.

On the other hand, when take-over might be needed (SAE level 3, conditional automation, or level 4, high automation) or when supervision is required (SAE level 2, partial automation), then the human has a set of information needs that need to be provided by the visual and acoustic displays of the HMI, as well as potentially by haptics in the form of vibrations in the seat and longitudinal or lateral jerks instigated by the vehicle control. The human will also feel vehicle behaviour, e.g. potentially be alerted to altered traffic conditions by sensing the deceleration and acceleration of the vehicle. At lower levels of automation, up to level 3, the human is the main fallback. The nominal difference between SAE levels 2 and 3 is that in the former the human is responsible for monitoring the driving environment, whereas in the latter the system has that responsibility and supposedly alerts the human when intervention is required.

That distinction is both highly technical and highly tenuous. It almost suggests that for level 3 driving, continuous display of how the automation is interacting with the external environment is not needed, which if followed would lead to near-complete human disengagement from vehicle operation. A number of questions can be asked:

  • Can the human understand the implications of the differences between level 2 and level 3 automation?

  • How is the human supposed to know what action might be required if he/she is not monitoring the environment and, therefore, both physically decoupled from the vehicle and mentally decoupled if not required to pay attention?

  • Without an HMI to provide information about current automation status and preview of automation actions, how is the human supposed to comprehend the interaction between “the driving environment” and the automation?

  • How is the human supposed to know the current capability of the automated systems—which features are enabled and which are not?

Certainly, it can neither be expected that the human will understand the impact of the levels on every day driving situations, nor indeed that declaring to the human what exact level of automation is currently enabled or available for selection will be useful. The levels are far too coarse to be helpful and do not indicate anything about what functionality is in operation. The human might want to know whether the vehicle is performing longitudinal control (ACC and stop and go functionality), whether it is controlling lane-keeping, whether it has the ability and authority to change lane, whether it can overtake a lead vehicle and what other manoeuvres it can perform (e.g. handling intersections and roundabouts). Those authorities are by no means indicated by the SAE levels, but are the ones that a human driver would understand. Given the huge number of tasks and sub-tasks involved in driving (McKnight and Adams 1970), it is clearly not feasible to convey to the human whether the vehicle is capable of performing each separate element. Even more so, it may be that a vehicle can handle one situation but cannot handle a similar or even identical one. At a minimum, it is necessary to indicate whether the vehicle under automation can handle longitudinal and lateral vehicle control under the current conditions, whether it can manoeuvre in the current environment and situation (e.g. handle a roundabout) and whether it can perform strategic aspects of driving (i.e. switch from one road to another or change route). Without indication and consequent comprehension, there is a likelihood of mode confusion and resulting mode errors, which could just be annoying but could also be dangerous if the automation is expecting an action that the human fails to perform or if the human believes that the automation has more capability than it actually has. Marketing by OEMs can contribute to such confusion. The labelling by Tesla of their level 2 driver support as “Autopilot” may have contributed to the circumstances behind the fatal crash in Florida in May 2017. Additionally, the proliferation of names and trademarks for similar functionality is not helpful: BMW market their automated functions as partly or fully automated driving; the Volvo V90 is branded as semi-autonomous; and many media or blogs refer to self-driving vehicles when in fact they are discussing partially automated functions.

To provide people with feedback about level 2 functionality and what the human is supposed to do, a visual interface is typically presented in current commercially available systems. The most basic feedback a system can provide is showing whether the system or a function is activated or not. To avoid mode confusion, it should be possible to ascertain this with one short glance. A second detail is whether the system can detect the required input to be able to perform the requested task (quality of performance when on). Most road users will not look for this information since they assume that the system will function well once it is switched on. Although most SAE level 2 systems (lane centring and ACC) are designed in a way that system activation by the driver is prevented when road markings or lane edges are not detected, detectable warnings may not be provided when the system, after having been switched on by the driver, loses the detection of road markings. This is a concept that is very difficult for people to grasp and leaves room for major improvement. Users are likely to assume that, when the system is on, it will function well, and, if not, a warning will be provided.

It is useful here to refer to some specific current designs of HMIs for level 2 systems. Most current vehicle displays show a green/yellow/blue steering wheel when the system is on and road markings or lane edges are detected (see Fig. 1). Some brands (e.g. Tesla and BMW) also show the road markings/lane edges in colour when properly detected and in grey or white when not properly detected. Some examples are provided in Fig. 1. Note that all the indications depicted here and in subsequent figures are shown either in the normal dashboard area and are sometimes duplicated in a dedicated screen just above the dashboard in the driver’s forward field of view.

Fig. 1
figure 1

(Photos copyright UTAC CERAM and FONDATION MAIF)

The Volvo S90, Mercedes E Class, the Tesla and BMW 7 Series indications of activated steering (in the Volvo case without ACC) and proper detection of road markings

Neither the Volvo S90 nor the Mercedes E show the specific detection of road markings or lane edges. In both cases, the steering wheel turns grey when it is switched on but not working properly. This is a very subtle change from green to grey, especially if no auditory warnings are emitted. In case a system falls out of automation without any auditory warning, this leaves the driver to only discover that the system has been switched off when noticing vehicle drift on the road. Especially since a driver should be monitoring the road, this change in symbol would not be detected other than by chance or by constantly checking the display and not looking outside. A head-up display, as some brands provide, reduces the eyes-off-road time. Some vehicles provide an auditory warning when falling out of automation only if the driver does not hold the steering wheel.

Tesla provides a more advanced display, with additional information for the driver to understand what the vehicle is detecting (Fig. 2). This means that it actually provides detailed information of the position of the ego and surrounding vehicles in the lanes, the type of road markings and the relative position of the own vehicle compared to vehicles in other lanes, as well as the vehicle in front of the lead car. Although this is very interesting for a driver to observe to increase trust in automation (‘do not worry as the vehicle has seen all this’), it is quite detailed for a level 2 system. Since in level 2 the driver needs to be ready to intervene at any time, it is difficult for a driver to understand what the vehicles does not detect. Only by inferring what the system does not see, might a driver be able to figure out what that means in terms of traffic safety and required action. Additionally, it visually and cognitively distracts the driver for longer times, whereas at level 2 the driver needs to look outside at the road. Therefore, the visual display seems to be more suitable to build up trust than to ensure that drivers are ready to intervene at the right moment. Arguably, it would be more appropriate for a level 3 and 4 function.

Fig. 2
figure 2

(copyright Tesla.com)

T Model S with latest update of extended Autopilot function (version 8.1) showing a detailed image of what the vehicle sees around it

4 Engender correct calibration of trust

Trust in automation is commonly described as an important factor for system use and acceptance. If drivers do not trust the systems (undertrust), they will not buy them or activate them. Trust, once lost, is hard to regain (Muir 1994). With undertrust, functions may be overruled when the system could actually have coped, negatively affecting acceptance, comfort and possibly even safety. However, if drivers overtrust the functionalities, this may certainly lead to unsafe situations. Various studies have shown that drivers are more engaged in secondary tasks while driving with ACC or highly automated functions, and pay less attention to the road, even if they are being told that the systems may fail. The internet is full of videos showing overtrust, with people engaging automated functions and then leaving their seat or sabotaging hands-on wheel requests. Such videos have the potential to inspire misconceptions about the capability of information and hence inspire misuse. Studies have shown up to three times as much non-driving related tasks when driving with ACC (Malta et al. 2012), 30–70% less eyes-on-the-road time with highly automated driving (de Winter et al. 2014), and people falling asleep on test tracks despite being warned that the system may fail (Omae et al. 2005). In case of system failure just before a curve, participants were not able to keep the vehicle on the road (Flemisch et al. 2008) (for an overview of more of these examples, see de Winter et al. 2014).

Trust has been referred to as having many different meanings (Williamson 1993), definitions being a confusing potpourri (Shapiro 1987) and leading to conceptual confusion (Lewis and Weigert 1985). Therefore, it is important to define here with what we mean by trust in automation and in our case specifically about trust in automated driving functions from the driver perspective.

In our definition, trust in automation is “having confidence that the system will act according to what the driver expects it to do with additional benefits of this system for the driver”. The aspect of additional benefits for the driver needs to be added in the definition, since just having the right expectations does not lead to trust if this means that the system is correctly perceived as not working well. This also links with the definition used by Verberne et al. (2015), describing trust in automated systems as “…an antecedent to reliant behaviour, a willingness to accept vulnerability in expectation of a positive outcome”. Verberne adjusted his definition for automated vehicles based on Mayer et al. (1995) who used vulnerability to the action of another party.

Lee and See (2004) specified calibration of trust as one of three components of appropriate trust. They described calibration of trust as having accurate knowledge of the system’s capabilities. Calibration is needed for a driver to know when human action is required. However, there is more to trust calibration than just avoiding overtrust and undertrust. Trust may be perfectly calibrated with a system that is very unreliable. In that case there is a very low level of trust, but well calibrated. One could even argue that undertrust is good for traffic safety since the driver will have a high level of attention and a high readiness to take back control. So although trust calibration is an important issue in automated driving, a minimum level of trust seems to be required to have any benefits for the user, and overtrust is more dangerous than undertrust.

Trust is not a unidimensional or a binary concept, either being present or absent. Especially when we refer to trust in vehicle automation, trust is best reflected in actual driving situations, since the level of trust in automated driving is likely to be related to specific scenarios (approaching an intersection with crossing pedestrians or driving straight on a motorway), the settings and characteristics of the vehicle (e.g. maximum speed set by the driver, acceleration profile) and whether a driver has experience with the specific functionalities (and, therefore, knows that the system can or cannot cope). These issues are not often reflected in research which uses questionnaires with rather general questions about trust. This difference between opinions as measured via questionnaires and signs of trust when experiencing automated driving has also been described as the Trust Fall (Miller et al. 2016). An explanation, as provided in Miller et al. (2016), is that in questionnaires more time is available to come to a decision. A third explanation is that in questionnaires there is no direct risk perceived in case of automation failure (Lee 1991; Muir and Moray 1996). Miller and colleagues found differences between what people claim they will do in a questionnaire and what they actually do when confronted with that situation in a driving simulator. Many people intervened with the automated systems in a simulator even though they had stated in the questionnaires that they thought the system could handle the situation. However, there were also people that did not act even when they had indicated that the car could not handle the situation.

Since trust evolves over time, based on experience with these systems and knowledge that people have about these systems and perceived risk (risk awareness), there is a potential role for HMI. Designing an HMI that guides the driver in actual driving conditions under specific settings and encourages appropriate trust is in our view of crucial importance to ensure safe and comfortable use.

5 Stimulate appropriate level of attention and intervention

The appropriate level of attention and intervention is directly related to the level of safety we require. Theoretically, if the desired level of safety were merely that the number of accidents and conflicts should not increase compared to manual driving, then the required level of attention could potentially be set accordingly. However, as Toyota Research Institute chief executive Gill Pratt stated in the Sydney Morning Herald (16th of February 2017), one of the key challenges is: “how safe is safe enough”? He claims that it is unlikely that people will accept a significant number of deaths attributable to autonomous vehicles that we do accept from human drivers. So as long as vehicles need some level of control from a human, creating the right level of attention to allow a safe intervention when needed is vital.

If the reliability of the system is continuously and accurately known, we could know the level of attention that may be required at any moment in time. However, this does not seem realistic since a system may fail or unexpected situations may arise due to weather, other traffic participants or an obstacle on the road. In addition, it is not acceptable in terms of comfort and workload to continuously interfere with the attention level, allowing secondary tasks for some seconds, asking for eyes on the road for the next 10 s and allowing the driver engage in other activities shortly after.

In general, it is fair to say that, with the level of technology commercially available today, driver attention to the road needs to be as high as during manual driving to ensure the highest level of safety. However, there is a difference between the level of attention that is formally required and the level of attention that seems reasonable to expect based on human factors expertise. The higher the reliability of the system as experienced by the driver, the lower will be the attention level of the driver, and the higher the impact of a failure or system limitation. It can also be argued that, from the human perspective there is a major difference between being coupled to the vehicle via some active control and being decoupled and simply monitoring the operation of the vehicle and of the vehicle systems. This distinction is illustrated in Fig. 3. Under manual driving, both loops operate, but under automated driving, especially at level 2, only the outer loop is (supposed to be) present. So, we can deduce that there are two levels of being “out of the loop”: being removed from the control loop, and being removed from both the control and the monitoring loops.

Fig. 3
figure 3

The monitoring and control loops

Here the reflections of Bainbridge (1983) are highly apposite:

We know from many ‘vigilance’ studies … that it is impossible for even a highly motivated human being to maintain effective visual attention towards a source of information on which very little happens, for more than about half an hour. This means that it is humanly impossible to carry out the basic function of monitoring for unlikely abnormalities, which, therefore, has to be done by an automatic alarm system connected to sound signals.

A more serious irony is that the automatic control system has been put in because it can do the job better than the operator, but yet the operator is being asked to monitor that it is working effectively.

One relevant question here is whether users will interpret being removed from the control loop as implying no need to monitor. Hands-off driving is likely to be equated with no need to monitor continuously, so that in effect hands-off leads to eyes-off, which is a further irony. That effect was observed by Carsten et al. (2012) in a driving simulator experiment where participants were given the freedom to engage in a range of secondary when they so choose. Those participants who had previously experienced a hands-off lane-keeping system together with ACC were willing to watch a video for 43% of their motorway driving time when in “high automation” (combination of ACC and lane-keeping). They did this entirely voluntarily—there was no encouragement to do so.

From a user’s perspective, it is perfectly logical that a system that takes over lateral control by keeping the vehicle in its lane means that one does not have to steer oneself. It does not make sense to have a system that performs a task for you but where you still need to do at least some of the task. And if the vehicle can keep the vehicle in its lane, why does the driver need to keep the hands on the wheel? It is a consequence of which the vehicle manufacturers are aware; hence the issuance of warnings when a hands-off state is detected for a certain amount of time.

Although this is often being sold as required for legal reasons only, the basis lies in safety. Since current SAE level 2 systems are still fallible at fairly unpredictable moments in time, it is not yet feasible to indicate in sufficient time when the human is needed. Thus, timely warnings to take back control cannot (yet) be provided. This necessitates constant monitoring by the human, so that a system that is supposed to be relaxing may actually be quite demanding.

Different OEMs use different strategies for counteracting the effects of being out of the control loop and hence also out of the monitoring loop. Commercially available vehicles at this moment provide a symbol of a green/yellow or a blue steering wheel to indicate the system is switched on by the driver. However, since hands on wheel is still (formally) required, the vehicles will provide a warning when the hands are not on the wheel. The timing of the warning for hands off wheel differs between brands, with times varying between some seconds and even some minutes. Some brands show a yellow/orange steering wheel if a driver needs to get his hands on the wheel, with or without auditory warnings. Examples of the interface of the BMW 7 series are shown in Fig. 4. The yellow icon is shown about 4 s after taking the hands off the wheel without any auditory warning. If the driver does not put his hands on the wheel, the steering wheel turns red with an auditory warning and the automated steering is switched off (after about 25–40 s hands off in total).

Fig. 4
figure 4

(Photos copyright UTAC CERAM and FONDATION MAIF)

Visual interface for the BMW 7 series

For the Volvo V90, one can keep the hands off the wheel for about 12 s without any warnings. The first visual warning is issued without any auditory cue. After 5 s a soft tone is played, and 5 s later the system is deactivated with a warning sound and text showing it has been de-activated. Examples of the visual display are shown in Fig. 5.

Fig. 5
figure 5

(Photos copyright UTAC CERAM and FONDATION MAIF)

Visual display of the V90 for hands on wheel required and system de-activated

The Mercedes E class only requests hands back on the wheel after about 30 s, by means of displaying red hands on the steering icon. Thirty seconds later (so about 1 min after the first hands-off wheel), the car will actually start using acoustic signals. If no action is taken, the auditory warnings become more intrusive and in the end the vehicle will automatically reduce speed and bring the car to a complete stop within its lane. Note that some brands actually only require hands on the wheel, while others require an actual steering input, whether or not that input is appropriate. The visual interface of the Mercedes E Class and the Tesla Model S is shown in Fig. 6.

Fig. 6
figure 6

(Photos copyright UTAC CERAM and FONDATION MAIF)

Visual interface of the Mercedes E (left) and the Tesla Model S (right)

In the case of the Tesla Model S, the hands off wheel time is about 3 min before a text message “hold steering wheel” is shown (Tenez le volant) without any sound warning. The outer line of the display starts flashing with decreasing intervals. About 15 s after the first visual warning, the system starts to beep. The steering wheel symbol is now grey and warning beeps increase in intensity and with smaller intervals. About 15 s after the first auditory warning the system will cause the vehicle to brake, play continuous warning sounds and show that Autosteer is no longer available for the rest of the drive. These additional consequence of not being able to switch the system on for the rest of the drive and bringing the vehicle to a standstill were not installed in the first version of Tesla Autopilot that featured in the vehicle involved in the Florida fatal crash in 2016. This has now been changed in the latest update of Tesla (NTSB 2017). Note that these warnings all concern planned warnings for hands-off wheel. When automated steering is deactivated by the system because of system limitations, some systems warn with an auditory warning, some fall out of automation silently (visual icon change only) and some systems provide an auditory cue only when the hands are off the wheel.

When referring to inattention in driving, secondary tasks and driver distraction are often discussed. Driver distraction is defined as a diversion of attention away from activities critical for safe driving towards a competing activity (Lee et al. 2008). However, how distraction affects traffic safety while driving with automated functions may be different than in the case of manual driving. While several studies have shown that long glances away from the front view have a direct effect on accident risk (e.g. Klauer et al. 2010; Liang et al. 2012), this will be slightly different with automated functions. Under normal conditions, we need to almost continuously monitor the road to keep the vehicle in lane and avoid colliding with lead or opposing vehicles. However, with automated systems, the level of attention or distraction could in theory be tuned to the level of reliability of the automation under these conditions. This would mean that, under conditions in which the system were able to reliably control the vehicle, the driver could be distracted or have a decreased level of attention without any safety consequence. However, to allow a sufficient level of attention and, therefore, appropriate intervention, various features are required:

  1. 1.

    When the system is known to have limitations within a specific drive from one instant to the next, as is the case with SAE level 2 systems, the driver should be almost continuously monitoring the outer world. The driver should be able to detect when the system is deviating from the required path or not responding in correspondence with what a driver considers to be safe. There can even be a transition from perfectly being able to keep the vehicle within lane boundaries on a straight road to system failure when entering a curve or not detecting a lead vehicle from one instance to the next. Since these changes in performance depend on the road and traffic circumstances, the driver should continuously be monitoring the exterior world to detect any of these changes. However, for intervention, eyes on the road and mind on the road is not sufficient, drivers should also have their foot ready (braking pedal), and two (minimum one) hands on the steering wheel. Especially in case of entering a curve with high speed, overruling the system should be done instantly to keep the vehicle on the road. This situation is highly critical and it is hard to explain to the driver why the vehicle cannot deal with these tight curves despite the road being a motorway, having clear road markings. It may even be that a driver experienced the system working fine in that same curve due to the fact that speeds were lower and there was a lead vehicle that reduced its speed because of the curve. To limit this time, hands should be at the wheel at all time when systems have some chance to fail and visual attention should be on the road. However, as we claimed already, this is not very acceptable from a user point of view while driving in partially automated mode. And even if drivers have their hands on the wheel and are looking outside, the driver should be warned with an auditory warning if the system falls out of automation.

  2. 2.

    Systems that are known to be unsafe in very specific conditions should be able to detect these conditions. If the system is only to be used on high quality roads it should realise what sort of road it is driving on and not allow activation on other road types. If the system only works at lower speeds, it should be linked to the driving speed and act if these conditions are not met (not allow activation at higher speeds or not allow higher speeds when activated). With the current systems commercially available, this is often just described in the manual or in small notifications on the display, but activation is often still possible on lower quality roads. The restriction to lower speeds is generally included in the design of the system, combined with an active warning to the driver. This approach is to be preferred.

6 Minimise automation surprises

A well-designed automation system should have the capacity to be able to predict insofar as possible when it can no longer handle an environment or situation and, therefore, requires human takeover. And the human should be (pre-) alerted by that prediction, so as to minimise surprise. For level 2 systems, this means that a driver should at least be alerted when the systems falls out of automation. For SAE level 3 and 4 systems, that means that a vehicle should provide timely information to the driver prior to reaching an operational boundary, for example prior to exit from a motorway onto lower quality roads or city streets. The human will, provided adequate notification is given, hopefully be ready to take back control. This may be a challenge in terms of HMI design. However, most navigation systems provide preview of the road and route ahead. For level 3 and 4 systems, there is a need for the system to inform that it cannot cope, why it cannot cope and provide a countdown to the required takeover. An electronic horizon (preview of the upcoming road) and geofencing is an essential element here, and had it been applied would have been one means to prevent the Tesla intersection crash on 7 May 2016 in Florida, since the Tesla Autopilot system was known to be incapable of safe negotiation of an intersection.

A specific type of surprise, known as “automation surprise” has first been defined in the aviation domain (Sarter et al. 1997; Woods et al. 1994; Dekker 2009). Dekker (2009) used the following definition: “The automation does something without immediately preceding crew input related to the automation’s action and in which that automation action is inconsistent with crew expectation”. Hurts and de Boer (2015) mention that this means that automation surprise may even take place before a pilot becomes aware of it. When linked to car driving and driving automation, we want to use the term automation surprise primarily for situations where the driver actually notices the action is inconsistent with drivers expectation. In theory, automation surprise may also be positive, with a system being able to handle a situation that the driver does not expect it to, but in terms of safety and human factors, the most interesting case is where a driver is negatively surprised by an action (or absence of action) of the automated system.

In this respect, we distinguish two different types of automation surprise:

  • Absence of expected action: driver is surprised that the system does not perform a specific action without any apparent safety risk or stress. Examples are the system not increasing speed when the speed limits goes up or not driving off after having come to a standstill when the lead car starts moving, or not changing lane when the indicator is switched on.

  • Presence of unexpected action: driver is surprised because the system performs an action that is not in correspondence to what a driver expects and provides the driver with an increase in arousal and stress. Examples are accelerating when leaving the motorway ahead of a curve in the absence of (the detection of) a lead vehicle, not decreasing speed on approach to a traffic light in the absence of a lead vehicle, or increasing speed when the driver turns on the indicator in anticipation of a lane change. This second category may lead to imminent danger if a driver is not fully aware of the operational envelop of the vehicle, his/her attention level is too low and if subsequent the response from the driver is rather brusque.

Automation surprise of the second kind always needs to be avoided because of the safety risk involved. This means that drivers should be aware of vehicle capabilities, have timely warnings and need to be monitoring the road at proper times to recognise that a situation is not according to what they expect. As Johnson et al. (2014) have described, the best interface will fail for the user if system operation is not observable, predictable and directable at an appropriate level of granularity and timeliness.

Thus the following four qualities can be seen to be important in an HMI to minimise automation surprise:

Observability (can a driver understand or detect system status, such as system mode and if the system receives the required information). In this, the HMI can play an important role by providing specific signals and vehicle behaviour to have a driver understand what the system does and does not do. An interesting new concept is the idea of a “health bar” indicating the self-driving vehicle’s technical reliability. However, it is questionable whether self-diagnosis for a failing technical system is really useful. At this moment, the HMI often displays the current state and whether the required information is being detected. However, it does not predict that the system cannot cope with the same situation in 0.002 s, and often, the system indicates it detects the required road markings but still drives out of the lane.

Predictability (the actions of the system should be sufficiently observable, understandable and reliable so that a driver can plan his/her own actions accordingly). In this, the HMI should help the driver predict, when being confronted with a situation if a system can cope or cannot cope. This is highly correlated with whether the system fails in specific situations that are clearly defined (e.g. road works) or whether the exact system boundaries are less clearly defined (e.g. being able to cope with some curves but not all), depending also on the set speed and the presence of a lead vehicle.

Directability (the ability to influence and be influenced to come to the best joint performance). This directly links to both explicit and implicit commands provided by the HMI, both from the driver to the system and vice versa. This also means that a system should accept and use and interpret specific user input and maybe even decide to ignore that input if this improves safety.

Timeliness (is the information or warning provided early enough so that the driver can take proper action). In this case, information needs to be provided earlier when a driver has been out of the loop than when a driver has actively been monitoring the outer world and has his/her hands on the wheel.

7 Provide comfort to the human user, i.e. reduce uncertainty and stress

Providing comfort to the user is one of the selling arguments for automated functions. Marketing automated functions as comfort systems instead of safety systems also implicitly suggests that the driver is still responsible for safe driving. However, with increasing levels of automation, offering comfort may go beyond offering driver support. Additional comfort may be offered by allowing the person in the vehicle the possibility to do something else than driving and using time in a more valuable way.

Comfort contains both a physical and a psychological component, although a comprehensive definition of ride comfort is lacking (Kudritzki 1999). The definition that we will use for driver comfort is “the subjective feeling of pleasantness of driving/riding in a vehicle in the absence of both physiological and psychological stress”. Physical comfort is related to elements such as vehicle or seat vibrations (e.g. Kudritzki 1999), forces on the body (lateral and longitudinal accelerations), the design of the chair, position of the seat (for an overview see Wertheim and Hogema 1997). Psychological comfort refers to more subjective feelings of ease or pleasantness (or lack of unpleasantness). Note that both physical and psychological comfort are highly subjective and vary from person to person. Most studies reporting comfort of driving with automated functions do not provide a definition of comfort.

7.1 Physical comfort

With respect to accelerations, comfort is not necessarily a function of stimulus strength. A very important intervening factor is time. A slight stimulus may not cause any discomfort when it is brief, but if it lasts long enough, or occurs often enough, it may certainly begin to cause discomfort after a while (Wertheim and Hogema 1997). Kudritzki (1999) addressed that the experienced comfort (in his case vibrations) is also related to expectations. When someone sees a smooth road surface, (s)he also expects a lack of vibrations, making vibrations even less comfortable when they do occur. In terms of automated driving, one can imagine that this effect of expectations of vehicle behaviour on comfort will also be present. If an automated vehicle does not behave the way people expect, discomfort may result. For instance, under normal manual driving conditions, specific lateral and longitudinal forces on the body are avoided by drivers. While approaching a signalised intersection, drivers tend not to stop when the required deceleration exceeds 3–3.5 ms2 at the time of amber onset (Baguley 1988; Niittymaki and Pursula 1994; van der Horst and Wilmink 1986). The design of the vehicle should respect these preferences in automated vehicle behaviour, although it is clear that a vehicle under automated control cannot violate a red light. In more extreme scenarios, uncomfortable forces will be acceptable if they help avoid ending up in highly safety–critical situations. In this sense, the experienced comfort of a driver support system under normal conditions is valued differently than under safety–critical conditions.

In discussing physical comfort, one concern with automated vehicles is potential motion sickness. Even though one can debate whether motion sickness is causing physical or psychological discomfort, we will discuss it as physical discomfort since the basis is not psychological by nature. Diels and Bos (2016) refer to this as self-driving motion sickness, caused by an incongruence between what people feel and what they see. Especially in case of a person being engaged in non-driving activities or even being seated in a backward position in future automated vehicles, there is a risk of motion sickness. Watching something that does not correspond to what the organs or balance are feeling is a plausible cause for visually induced motion sickness (Bos et al. 2008). Diels et al. (2016) found that after 15 min of looking at a head-down display, 25% of the participants experienced some discomfort due to motion sickness. After 35 min, this increased to 50%. For a head-up display, the percentages were almost half, with 13% after 15 min and 27% after 35 min. This indicates that some solutions may be found in the position of tablets and screens.

Motion sickness is primarily related to horizontal accelerations caused by accelerating, braking and cornering (Guignard and McCauley 1990; Turner and Griffin 1999a, b). Although there is some variation between people and circumstances, the onset time of signals for motion sickness for passengers in normal vehicles is normally between 10 and 20 min (O’Hanlon and McCauley 1974), indicating it is something that needs some time to build up. Besides discomfort, motion sickness may also pose serious threat to the performance in case of request to take back control. Diels and Bos (2016) write that this does not necessarily have to refer to a driver vomiting at the time of an emergency situation, but also to more subtle effects such as reduced situation awareness and increased response times. Motion sickness can be avoided by adjusting vehicle behaviour, adjusting the location or characteristics of the display or providing additional displays. These solutions will be discussed in Sect. 9.5.

7.2 Psychological comfort

Psychological comfort relates to being in a state of well-being and hence minimising stress. Outside the driving context, being in one’s comfort zone has been described as a behavioural state within which a person operates in an anxiety-neutral condition, using a limited set of behaviours to deliver a steady level of performance, usually without a sense of risk (White 2009). There is also extensive literature on stress from the driving situation, e.g. Gstalter (1985) and Desmond and Matthews (2009).

For automated functions, the typical measure of psychological comfort is the subjective indication of the ease or pleasantness of use, related to whether the vehicle performs in a manner congruent to the wishes of the user. Psychological comfort is experienced when the drivers feels at ease, has confidence that the vehicle will exhibit the right behaviour and is driving to the right destination without losing control.

Since automated driving is relatively new, not too many people have had the chance to experience it, and since it has various different forms, people may feel uncomfortable with its behaviour due to uncertainty about its capabilities. De Vos et al. (1997) already found that comfort levels decreased with decreasing headway in automated vehicle platooning. However it is very plausible that, when people get more experience with platooning and gain more trust, shorter headways would also be experienced as comfortable. This may also hold for specific automated vehicle behaviour. It is, therefore, highly likely that in the case of automated vehicles, psychological comfort would be related to the predictability of the vehicle’s actions and the trust that it will cope with the situation, and that it will change with time and experience.

Since expectations may be based on experience of manual driving, and driving styles vary from driver to driver, one could wonder if an automated vehicle should behave somewhat similarly to manual driving. Initial studies show that drivers do not want the automated system to copy their precise driving behaviour. De Gelder et al. (2016) showed a clear diversity of preference between drivers in real-life driving situations with ACC. Interestingly, driver comfort is not highest when the system copies the personal driving style. The authors claim that this may be the result of a lack of confidence of the driver in the ACC. This makes sense. When approaching a situation in manual driving, the driver knows what he will do. In case of vehicle automation, a driver only knows what the vehicle will do after it starts to respond and/or with proper information or feedback. For instance, when an automated vehicle is about to change lane, the driver needs to be reassured that it has sensed all required information and that it will only change lane when safe. In addition, to reduce uncertainty and stress, and thus psychological discomfort, automated vehicles should behave according to the general traffic rules and regulations. Summala (2007) refers to the importance of feeling in control for comfort in manual driving. With higher levels of automated vehicles, the driver is not in control, resulting in a feeling of discomfort if the driver does not trust the vehicle and, therefore, feels out of control. The way the vehicle behaves and the information it displays should provide the driver the feeling that the vehicle is in control and is behaving according to predictable rules and explainable behaviour.

8 Usability

According to the ISO 9241 definition, usability is the effectiveness, efficiency and satisfaction with which specified users achieve specified goals in particular environments. Effectiveness in this case is the accuracy and completeness with which specified users can achieve specified goals in particular environments. Efficiency relates to the resources expended in relation to the accuracy and completeness of goals achieved and satisfaction and acceptability of the work system to its users and other people affected by its use.

This clearly illustrates that usability of automated driving depends on its users and the system in a given context. The goal of automated driving is not so much different than the goal of manual driving, and that is to drive from A to B in a relatively safe manner with a relatively acceptable amount of resources. In the case of automated driving, the major gain for the driver relates to efficiency, that is the resources expended. If the system is as effective as the human driver, a person could spend less physical and cognitive resources to the driving task, making it more efficient. However, if the automated system is not so effective, or less effective than the human driver, this means that the system is less efficient and a driver should pay more attentional resources and workload may even increase if the driver is not exactly clear about the operational envelope of the system.

The HMI in all its aspects plays a major role in usability—human interaction with the automation is mediated by the HMI. Road-vehicle HMI has evolved over the years to a point where there is a high degree of commonality and standardisation in the controls and displays. Some of that commonality is by standards or manufacturer agreement, but much has simply become standardised by tradition—here the foot pedal positions, gearshift patterns for manual and automatic gearboxes (with some exceptions for reverse for manual gearboxes) and the position of the indicator stalk on the left side of the steering column can be cited as examples. Indeed, when manufacturers diverge from traditional layouts, safety problems can occur as a result. Thus in 2016, the U.S. National Highway Traffic Safety Administration required the recall by Fiat-Chrysler of over 1 million vehicles fitted with an electronic control for the automatic gearbox (NHTSA 2016). The control had an unconventional layout that caused drivers to believe that they had set the gearbox in the Park position, when in fact they had not. NHTSA stated: “Although the Monostable gearshift has the familiar appearance of a conventional console mechanical gearshift assembly, it has an unfamiliar movement that does not provide the tactile or visual feedback that drivers are accustomed to receiving from conventional shifters… The Monostable design appears to violate several basic design guidelines for vehicle controls, such as: (1) be consistent; (2) controls and displays should function the way people expect them to function; (3) minimise what the user has to remember; and (4) operations that occur most often or have the greatest impact on driving safety should be the easiest to perform”.

Thus with “traditional” cars and trucks, controls and HMI tend to be consistent, and as with the Fiat-Chrysler example, deviations from convention are frowned upon. For driver assistance systems and for automated driving functions, there is currently no convention and little pressure towards consistency. It can be argued that there is no such consistency in other transport modes, such as civil aviation and that the lack of consistency there has not been a hindrance to safe operation. However, in civil aviation, there are three major airframe manufacturers worldwide, and there is a common design philosophy within each manufacturer such as Boeing and Airbus (Sarter and Woods 1997). Additionally, aircrews receive intensive training on each specific aircraft type, although within a manufacturer types may be grouped for the purposes of a pilot’s “type rating” on account of their similarity (EASA 2017). By contrast, in road vehicles there is a substantial number of manufacturers with constantly changing vehicle models and types, produced to be operated by a very large range of mainly non-professional drivers, who normally receive no training in the operation of a specific vehicle. With the gradual introduction of automated driving features, different vehicles will have different automated driving capabilities, and each vehicle will also vary in its capability depending on road type, road layout and environmental conditions. To this can be added the challenge of a lack of any standardisation of HMI so far. Indeed the opposite is the case—each manufacturer is showing different concepts.

This proliferation of HMI designs can already be witnessed in current production models which offer level 2 systems. Thus, the Volvo V90 shows the status of the lane-keeping function of its “Pilot Assist” via a steering wheel symbol within the speedometer, while the Peugeot 3008 indicates for its Active Lane Keeping Assistance which road marking (left and/or right) it can detect (green) and also which one is at risk of being crossed (orange). When a road marking cannot be detected, it is displayed as grey (Fig. 7).

Fig. 7
figure 7

Dashboard display for Volvo V90 Lane Keeping System (left) and Peugeot 3008 Lane Keep Assist (right). The red lane line on the Peugeot screen indicates that the driver is steering too close to the left-side lane boundary in hands-on driving, which the vehicle will then try to correct. This is also indicated by a flashing amber warning (top right)

At the moment, these differences may not be very important, but it can also be noted that the switchgear to activate the various level 2 systems also varies considerably between manufacturers. This has the potential to cause driver confusion and error when driving an unfamiliar vehicle, for example a rental car or a vehicle provided through a car share scheme.

9 Implications for HMI design

The road to automated driving offers various challenges at various phases. Fortunately, there are solutions for most of the Human Factors issues, with an extensive role for the HMI in the widest sense of the word. This article tries to raise the importance of HMI in moving to a safe and comfortable joint cognitive system, in which the vehicle and the driver cooperate for the best performance. In the current SAE documents, including the more recent expanded version (SAE 2016) HMI is not specifically mentioned, apart from a cursory mention of a malfunction indication message in that expanded version. So while the human is mentioned, the human’s information needs are not addressed.

To design for a safe and comfortable HMI, it is important to realise that the various topics that we described per chapter are related and what may offer a solution to one issue may not be beneficial for another issue. Therefore, in Fig. 8, we provide a simplified model of the most important concepts described in this paper. Often, a technical solution is used to overcome human factors issues of inattention or trust in the assumption that if the system gets more reliable, most human factors issues will be solved. However, up to level 5 with full automation without any attentional requirement of the driver, the model as presented below will still hold. The figure shows that if the technical system’s reliability increases, this is beneficial for comfort and trust, with both aspects increasing. However, response times will also increase, as well as automation surprise, both with potential negative safety impacts. Note that with an increase in system reliability, the frequency of automation surprise will decrease, but the impact when it occurs will be more severe. Situational awareness and vigilance (attention) will decrease as well as trust calibration. The mere fact that situational awareness and attention decrease is not necessarily unsafe. If the situational awareness and amount of attention is tuned to the actual system reliability, or the HMI can improve situational awareness and attention in a timely manner, the system is properly designed. Here, it noteworthy that Endsley (2015) specifically advocates the improvement of user interfaces rather than the application of decision tools or remedial skills training as the appropriate countermeasure to problems in operator situation awareness. However, it can also be predicted that, the more reliable a system gets, the higher the chance of overtrust (although one is confronted with the consequences less frequently but more intensively, as is the case with automation surprise).

Fig. 8
figure 8

Human Factors in automated driving model, showing the interdependencies of human factors concepts when changing system reliability

9.1 Provide required understanding of the AV capabilities and status (minimise mode errors)

The vehicle cannot tell the driver about every activity that it is performing or provide detailed information on sensor performance. A balance needs to be struck between at one extreme an over-sparse HMI display that provides minimal understanding and at the other extreme information overload from multiple constantly changing status displays.

It is possible to infer what are some absolute information needs:

  • Is my vehicle carrying out longitudinal control?

  • Is my vehicle, in addition to the longitudinal task, carrying out lateral control? When lateral and longitudinal control are offered at level 2 (low level of reliability), information should be actively provided that the hands need to be on the steering wheel and this should be monitored almost continuously.

  • Is longitudinal or lateral control being switched off, either by me or by the system? This should be actively communicated by means of at least auditory and visual feedback.

  • Can my vehicle perform desired manoeuvres—change lane, overtake, handle a roundabout?

  • Can my vehicle change the indicated route?

  • Am I or am I not allowed to divert attention to an infotainment activity or even to fall asleep?

  • Will the vehicle warn me in due time when I need to take over control?

Here there is a sharp divide between being coupled to vehicle control (in particular being responsible for steering) and not being coupled and so being only in the monitoring loop of information processing. That would seem to warrant a change on the overall “look” or theme of the displays, as has been effected in some prototype vehicles. Thus the “look” should change from an indication of some responsibility for control, to responsibility for monitoring alone, to no current responsibility for control or supervision.

In addition, drivers expect that when hands-off operation is possible, it is also safe. Even though information may be offered that the lane keeping system does not detect the road markings/lane edges at the required level, this is not information the driver will be able to act upon without additional warnings. HMI solutions would be to:

  • Only allow the system to be enabled on roads in which there is a high possibility of the system functioning well. This can be done by means of geofencing or by means of using more advanced sensors to detect if the required conditions are met. If they are not met, the system cannot be switched on.

  • Switch the system off when the required conditions are not met continuously for more than couple of seconds and provide a clear (not just visual but also auditory) warning that the system will switch off. Note that this can only be done safely with systems in which drivers have their hands on the wheel.

  • Use an icon for lane keeping with hands on wheel and only allow hands off for a couple of seconds.

  • Use uncomfortable consequences if the driver does not keep his hands on the wheel when required (slowing down, intrusive warnings, swerving in the lane, not being able to use the system for the rest of the drive)

  • For higher levels of automation, the system can allow the driver to be temporarily out of the loop. To build up trust, a more advanced display can be shown about where the vehicle is going (navigational information, turn information) and about what it detects around the vehicle. However, this display should not offer just passive information about when the driver should take over. This should actively be communicated by the system.

The most self-explaining design for a user would be only to be able to switch the system on when it can also work properly and attention can be temporarily diverted elsewhere.

9.2 Engender correct calibration of trust

An HMI to support appropriate calibration of trust should have:

  1. 1.

    Observability—the HMI should help the human to understand what the vehicle senses and perceives when a system cannot cope with a situation, e.g. that it is not receiving required information on presence of road markings.

  2. 2.

    Predictability—the HMI should allow the human to predict, when confronted with a situation, whether or not the system can cope

  3. 3.

    Directability—the HMI should have the ability to influence the user and be influenced by the user to come to the best joint performance

  4. 4.

    Timeliness—the information should be provided early enough so that the human can take proper action.

9.3 Stimulate appropriate level of attention and intervention

The HMI should ensure that the level of attention that a driver is paying to the driving task is suitable for the level of automation. Hands-off driving is not compatible with requiring attention since we know that hands-off often leads to attention-off. We, therefore, recommend the following guidelines:

  • Level 2 systems should require drivers to keep their hands on the wheel almost continuously.

  • The system should allow activation only on roads that are suitable for that category of automation and at level 2, when hands are off the wheel, the system should warn intrusively, it should monitor if the eyes are on the road and should come with consequence if hands are not on wheel (e.g. deteriorated lane keeping performance, switching off after intrusive warnings, slowing down the vehicle or not being able to switch the system off for a longer period of time).

  • Functions that offer a lane change should always check if there is no traffic in the adjacent lane and if there is no fast approaching traffic in this lane. Offering a lane change without this check is highly dangerous.

  • Particularly for automation of levels 3 and 4, where driver attention is temporarily not required, a different dashboard design can be provided, although no information is not recommendable. Although formally the driver does not need any information at that moment, it is rather unlikely that the human will be comfortable with that.

  • When the vehicle is to provide a driver with a timely request to take back control, the system should have advanced possibilities to detect what the driver is doing (driver attention and secondary task monitoring) and predict how long it will take before the driver is able to take back control. With this information the system can anticipate and take additional measures such as braking to allow more time and prevent unsafe situations.

  • Ideally, the vehicle should control what the driver is doing, so for instance being able to shut down a tablet if attention needs to be to the outer world. Additional displays such as head-up displays to direct attention to the location of a potential hazard may help.

For level 4 automation in public transport, the human should not have any other role than passenger and, therefore, it is not wise to provide any information about the technical capabilities of the vehicle other than for demonstration purposes. When boarding a bus, we do not ask the driver for his driver’s license; we just trust that he or she will be able to drive safely.

9.4 Minimise automation surprises

To minimise automation surprise, the following design principles need to be taken into account:

  • Allow activation only in situations in which the functions work well. This is what people expect. In case of the lane change function, drivers will not understand if the system changes lanes automatically without proper checks, leaving the responsibility of blind spot detection to the driver. Even if the driver indicates willingness to change lane, the system should check whether it is safe to do so. When a function can be switched on, it should work well, with geofencing offering a proper solution.

  • If the system is not working reliably (e.g. from limitations or errors in sensors), this should be actively communicated by not allowing hands off the wheel, by degrading lateral performance so that the driver will notice, slowing the vehicle down and intrusive warnings. For higher levels of automation (levels 3 and 4), the driver should always receive a timely warning to take back control to avoid automation surprise. The system should be self-aware about possible limitations and act accordingly by asking the driver to take back control or slow down. In addition, the system should inform the driver that it cannot cope, why it cannot cope and provide a countdown to the required takeover. An electronic horizon (preview of the upcoming road) and geofencing is again an essential element here.

Automation surprise will be reduced if the systems act according to rules that are simple to explain and are predictable for a driver. Predictability for higher levels of automation would be assisted by a display showing what is about to happen, for example a lane change or other manoeuvre. Since the look-ahead feature is already common in navigation systems, the displays used can be imitated.

9.5 Provide comfort to the human user, i.e. reduce uncertainty and stress

There is a fine balance to be drawn between information overload and consequent stress and information that is too sparse with consequent uncertainty. Because the performance of the sensor suite is so critical (as it is in human driving), an HMI that shows what the vehicle is “seeing” (roadway, lane markings, surrounding traffic) would seem to be highly desirable in case of higher levels of automation. With lower levels of automation (level 2), attention of the driver should be on the road, so displays should only be offering minimal information and preferably by means of a head-up display.

For a driver to feel physically and psychologically comfortable in an automated vehicle, there needs to be smooth and predictable driving behaviour with a minimum of changes in lateral and longitudinal speed. Offering additional visual information in the form of an artificial enhancement of a visual scene or by means of a head-up display showing the vehicle’s future trajectory, the mental model of the driver can be improved. To avoid motion sickness with automated vehicles (the driver doing other tasks than looking outside), vehicle motions around 0.16 Hz should be avoided, occupants should be able to anticipate the vehicle’s motion trajectory and incongruent visual-vestibular self-motion cues should be avoided. Displays showing content not related to the outside world should be located near the line of sight out of the front window and display size should be limited to allow sufficient peripheral visual information. These recommendations are all described in Diels et al. (2016).

In addition, when vehicles are so advanced that they can detect what the driver is doing and how (s)he is positioned in the vehicle, the vehicle movements can be adjusted to this. This means that when the vehicle detects the driver is reading, the vehicle may change to a more defensive way of driving without any lane changes and to lower speeds in curves.

9.6 Be usable

Many current level 2 systems have over-complex menu systems and multi-function switches. There is a big virtue in simplicity and in commonality of controls between different vehicle makes and models. The number of automation modes that it is possible for the user to select should be minimised. Some basic usability solutions can be found in the following recommendations:

  • Use a standardised symbol for automated driving.

  • Use a standardised symbol for lane keeping with hands on (include that in the symbol).

  • The system should be easy to learn and remember, which implies that it should also be easy to switch between vehicle makes and models, implying a high level of commonality in display format.

  • Switching the functions on should be by means of a double action, either simultaneously (such as pressing on two buttons or paddle) or in sequence to avoid any accidental activation and consequent automation surprise. However, such a two-step approach should never be used as a means to confirm that the user has compensated for the deficiencies of an automated system.

  • The system should always be able to indicate if the system is potentially available (you can switch it on if you want to).

  • The system should be able to anticipate and let the driver know in due time when it will not be available anymore.

  • The system functions should be linked to the map to increase functionality, help understand limitations and provide the driver with the proper preview.

  • System and driver should always work together to solve potential danger. When the system detects a hazardous situation and, therefore, braking is needed, the system should not allow switching off by a braking action from the driver. However, in this case, the system actually gets two signals that braking is needed, so the two braking actions should be used together to avoid a collision. A driver should not always be allowed to overrule a system. If the system knows that a driver’s action will lead to danger, the actual driver input may need to be ignored or limited.

  • Information should always be presented in due time, especially a take-over request.

  • When the system is automatically switched off there should always be an active auditory warning to alert the driver of a change in status.

10 Conclusions

With vehicles getting more and more automated functions, it is important that a driver still understands what the vehicle can and cannot do and that the vehicle still understands what the driver can and cannot do. Ideally, the vehicle and human can be seen as a joint cognitive system, with both elements collaborating to deliver safe and comfortable driving. The main communication means between vehicle and human in that collaboration is the human–machine interface (HMI). Even though in many cases, HMI is used for describing visual interfaces, we propose that the HMI cannot be seen narrowly. Besides visual displays it also includes auditory displays and all the vehicle controls, including the traditional feel transmitted by pedals and steering, but also the vehicle’s dynamics within a specific context and additional haptic elements—resistance, pulses, vibrations, physical guidance—used to guide and assist the human.

The HMI in the broad sense of the word can, therefore, be seen as the window between human and machine. It gives the vehicle insight into the commands and attention of the human, and gives the human insight into automation modes, system state and system intention. Finally, it is responsible for handover requests in either direction. The HMI thus has a central and critical role in the operation of the joint system. This paper has pointed out some of the human factors requirements for good design of the HMI. It has not made specific recommendations on detailed design aspects, but has nevertheless points out some of the anomalies in the current designs that are already on the market. It can be argued that we are on a steep learning curve here, with rapidly evolving system capabilities, but that is hardly an excuse for ignoring the principles of good design and the role of that good design in ensuring the safety of the vehicle under automated operation.

The use of standardised symbols for automated functions calls for addressing the issue of alternative designs for the same needs. That may be beneficial in terms of good designs eventually supplanting poorer ones, but it may also cause confusion and human error as drivers switch from one vehicle to another. This calls for an independent programme or committee that should identify the best solutions to the various challenges, and then promulgate those solutions in the form of collective agreements and standards. That task is urgent, as the longer there is a lack of commonality and a failure to achieve “conventionality”, the more proliferation of alternative approaches there will be. Standardisation will provide an important means to assisting drivers to understand their automated cars.