Keywords

Introduction

Automation is entering the road transport system. This both as automated safety systems but also, being more challenging, as fully or partially automated vehicles. Vision Zero can be an important cornerstone when setting demands on automated vehicles. The safety requirements put on automated vehicles will probably be high, higher than the demands on human drivers. Models and approaches will have to be developed.

The ideas to develop and introduce partially or fully automated vehicles are not recent but not used on any larger scale at this moment. It is though likely that automating different functions, or moving vehicles driverless, will be common sooner or later. In this text, it is discussed how Vision Zero principles relate to automation of the road transport system.

Automation of vehicles can be seen as a stepwise migration of different driving tasks from the human driver to the vehicle. There is a migration of both normal driving tasks and driver actions in crash-related critical situations. There are several scales, but the Society of Automotive Engineers (SAE) seems to have developed the most widespread definitions of the levels between no automation and full (autonomous) automation (SAE 2018). A more simplified scale is a to go from “feet off” via “hands off” to finally “eyes off” representing the steps from automation of longitudinal control of speed to control of lateral positioning to finally let the technology take over all strategic, tactical, and operational driving tasks. In the highest level, full automation, the vehicle is “driverless” and could drive without human interactions. In between the steps, we have temporary situations, from milliseconds to infinite time, when the technology control some functions of the vehicle. This could be triggered as a safety function, like electronic stability control (ESC) or autonomous braking (AEB). They could also be more comfort oriented like adaptive cruise control (AICC). We can also see remote control of vehicles like geofencing of speed or “radio control R/C” with remote driving as some kind of automation, i.e., taking control of the driving task from the driver in the vehicle. A second development route is the one where low-speed vehicles operate along predefined route. These vehicles are seen already today. As they develop they will be able to incrementally manage more complicated situations.

The Vision Zero Concept

When first introduced around 1994, the Vision Zero contained a shift in focus in many traffic safety areas. One important and significant shift was in the new responsibility balance between the road users and system designers. System designers were defined as the bodies in society that design, operate, and use the road transport system. Vision Zero is stating that the system should be adapted to the failing human – a relatively dramatic shift from the common approach that road users should take the burden of a dangerous and non-error-tolerant road traffic system.

  1. 1.

    The designers of the system are always ultimately responsible for the design, operation, and use of the road transport system and thereby responsible for the level of safety within the entire system.

  2. 2.

    Road users are responsible for following the rules for the safe use of the road transport system set by the system designers.

  3. 3.

    If road users fail to obey these rules due to lack of knowledge, acceptance, or ability, or if injuries still occur, the system designers are required to take necessary further steps to counteract people being killed or seriously injured.

    Vision Zero’s shared responsibility concept

Vision Zero is further focusing the road traffic safety challenge to the most severe injuries, the impairing injuries and the fatalities. The development and introduction of Vision Zero resulted in a change in the Swedish Road Administration that up until Vision Zero mainly used accident reduction as the key target. Shifting focus and targets from accidents to the most severe cases changes what solutions are prioritized.

figure a
figure b

Illustrations about 2+1 roads and roundabouts (Swedish Transport Administration 2019)

The safety core of Vision Zero is very much to design for the failing, non-perfect human – the human making misjudgments, errors, and mistakes. This is in strong contrast with the idea of perfect humans in traffic. The National Highway Traffic Safety Administration (NHTSA) in the USA finds that 94% of accidents are because of human error. This illustrates that the road traffic system is not designed for humans with the capabilities and weaknesses they have. The 94% human error problem, as described by NHTSA, can lead to the conclusion that we must develop driver further. In Vision Zero, the main focus is to develop the road transport system to absorb human failures to avoid fatalities and serious injury. However, we must bear in mind that humans are relatively good at driving.

As previously stated, Vision Zero is not aiming for a crash-free road transport system. It is aiming at a system without crashes that risk to result in loss of life or loss of long-term injuries. This is leaving the system designers with the possibility to manage the energy in crashes to levels that are survivable and not resulting in long-term harm. Energy control becomes essential and would include not only limiting kinetic energy but also using barriers, dampers, and filters outside and inside vehicles or directly protecting the human body through helmets and other protective gear.

Vision Zero Models for Safe Traffic

Vision Zero is using a holistic approach to road traffic safety. The capabilities of the road users and the performance of vehicles and roads together with the energy levels (speed) in the system can be balanced to deliver an efficient and safe system. High and safe travel speeds are possible with good cars on good roads and when no vulnerable road users are at risk in the system. With today’s vehicle safety systems, speeds must be under 30 km/h when vulnerable road users and cars interact.

To illustrate how the components of the system interact, a Vision Zero model for safe traffic was developed. The Vision Zero model for safe driving can help in the planning process of a management system for traffic safety, especially in the design parameter setting and in the understanding of potential crashes.

figure c

Vision Zero model for safe traffic

An example of the use of elements and criteria is how the factor “Safe vehicle” contains the element vehicle safety as measured by Euro NCAP and the criterion 5 stars. Another example is in the factor “Safe road user” that is having “Wears seatbelt” as element and 100% fulfillment as criterion. Stigson et al. have used this model to evaluate the safety on Swedish roads (Stigson 2009). By setting the criteria, a “safe” speed limit can be defined. Volvo Cars and the Swedish Transport Administration made a joint effort in 2011 to define “safe speed limits” (Eugensson et al. 2011). The basis was the existing levels of crash safety and accident avoidance technologies. The exercise indicated that at road without a median guard rail and safe management of the side areas, the maximum speed could be 80 km/h. The assumption was that the best cars could brake away 20 km/h before the crash and that a crash with a change of velocity of 60 km/h could leave the passengers without life-threatening injuries. The implication is that at speed higher than 80 km/h, significant investment in the road infrastructure is essential. At lower speeds much of the safety can be vehicle based. For vulnerable road users, a similar discussion was held and showed that travel speed of 40 km/h could be considered safe if the vehicles could brake 10 km/h before a crash and assuming a crash with a vulnerable road user is “safe” at 30 km/h. The numbers presented illustrate well how the human biomechanical limits, the protection in and of cars, the potential pre-impact braking, and the speed limit together can be used to calculate risk.

The reasoning above can be illustrated as a chain of processes potentially leading up to a crash and a serious injury or fatality.

The Vision Zero Integrated Safety Chain Model

To understand how crashes and injuries occur, the Vision Zero integrated safety chain model was developed (Tingvall 2008). It is describing crashes as a process spanning from normal driving to a crash and post-crash care and rehabilitation.

figure d

The integrated safety chain model

In the normal driving phase, most of the driving is done. The parameters from the Vision Zero model for safe traffic apply. The speeds should be at levels that ensure that potential crashes don’t result in severe injuries of fatalities. If all drivers were perfect, the story would stop here. Everyone would be in the envelope of normal driving all the time. But when we design for failing humans, we must plan for events where road traffic users sometimes make errors, misjudgments, and mistakes. It is, however, important to remember that humans in a larger perspective are extremely good at driving and managing traffic. Most of us stay in the normal driving phase for hours and hours also in complicated traffic situations.

Even if normal driving is common and to a large degree regulated, human drivers often leave the normal driving and enters critical situations. Illegal speeding, driving too close, and not being able to stop in time are all examples of such situations.

For a multitude of reasons, drivers sometimes leave the normal driving or critical envelope and approach a critical situation (b). At this stage soft methods can be used to get the driving back into normal. This could be in the form of lane departure warnings, electronic stability control, or the warning element of emergency braking systems. In this early phase, the driver can still be part of the control and get the vehicle back into normal driving. One can expect that drivers are in these critical situations several times every year.

If the potential crash passes barrier level 2, one can no longer expect the driver to manage the situation. In phase c automated emergency braking is today such a system. In the future automated emergency steering can avoid potential crashes. In phase c reversible crash safety systems can also be activated. Reversible seatbelt pretensioners are one relevant example.

If the event is passing barrier 3, the crash can no longer be avoided. However it can still be mitigated by continuation of emergency braking in phase d. The consequences of the crash can in this phase be reduced by non-reversible crash safety systems.

In the crash more traditional safety systems such as seatbelts and airbags are active to protect the occupants. In a safe system, no energy can hit the human body at levels higher than the biomechanical tolerance levels for severe or fatal injuries. An ordinary driver can drive all the life without experiencing a crash going all the way to severe injuries.

In the integrated safety chain, one element is the frequency of cases going from normal driving and to a potential crash. One must be aware that very few crashes actually end up in severe and potentially life-threatening cases. An ordinary driver in a modern car can experience some ESC interventions and perhaps a few emergency brake warnings per year. Emergency braking or pre-impact deployment of safety systems is even rarer.

The integrated safety chain model is also an illustration of energy and can be read in reverse to establish safe travel speeds. Starting with the human tolerance, adding the crash safety system’s performance and finally adding the crash mitigation and avoidance system’s capabilities can result in a safe normal driving speed. A consequence of this is that cars with poor crash safety and few crash mitigation and avoidance safety systems have a lower “safe speed” compared to the best cars. This is what the above mentioned Volvo Cars study illustrated.

The Vision Zero work has developed two important models, the model for safe traffic and the integrated safety chain. Both models show how the human tolerance to crash impact, together with safety systems, can indicate safe travel speeds. The models also illustrate how different safety layers can support one another to generate safe traffic and that modifications would be directed to not only the vehicle but also the infrastructure.

In 1965 and 1966, Sweden had 1313 fatalities each year, the highest in Swedish history. This corresponded to around 17 fatalities per 100,000 inhabitants. Today Sweden has around 2 fatalities per 100,000 inhabitants. It is interesting to note that Sweden historically had about the same fatality rate as the world has today. According to the WHO’s Global Status Report on road safety 2018, the global rate of road traffic death per 100,000 population was calculated to be 18.2 in 2016. The large reductions are a consequence of systematic work altering the components and interactions of the road transport system.

What About Automated Cars?

A question to consider is the relation between automated cars and Vision Zero. Do the Vision Zero models applicable for a fully or partially automated road transport system? There are reasons to believe so. Just as Vision Zero is defining possible speeds/energy levels based on the safety-related design properties of the road and the vehicles, an automated system must consider crash mitigation and avoidance safety properties, crash safety capabilities, and possible safe travel speeds. This approach is essential at least as long as the automated cars are used in traffic also containing manually driven vehicles and they have not proven to be crash- or incident-free.

In this paragraph the integrated safety chain will be used for a discussion about safety strategies for automated cars.

The normal driving of a fully automated car will be very different from the normal driving for humans. Automation and computers lack many of the human’s weak spots. They don’t get tired, they don’t get drunk, they can have constant focus, etc. But potentially automated vehicles have in some aspects lower capabilities. The human eye and ear have dynamic ranges and capabilities that is a challenge to match. One can assume that the challenges for humans also are challenges for automated cars but also that automated vehicles will have unique challenges not yet well known. One can assume that humans have a unique possibility to act “approximately right” in complicated new and unexpected situations.

Sensors are very important elements since they are the basis for situational awareness. The situational awareness, mapping ego activities, the road properties, and the positions, speed, and intention of other road users are the bases for safety as the vehicle must operate in a dynamic surrounding. Humans have a very good capability when it comes to making decisions based on sparse information in a complicated situation.

Humans often bend or brake road traffic regulations. From an individual perspective, it can seem rational and beneficial. The perhaps most common is to travel faster than the regulated speed limit. But road users often break other rules and regulations as well. From a societal perspective, this is a problem and a reason for the significant road traffic problems we see. One must assume the fully automated vehicle will be law abiding, and therefore there is no variation in relation to rules and accepted practices in driving and therefore no need for bringing the car back to normal driving, i.e., the driving is always in the safe normal driving envelope. This makes the design of a safe system easier. However, for a long time we will have to design for both human driver partially automated and fully automated vehicles.

Automated vehicles will, just as human drivers, make errors and mistakes and misunderstand situations. As an effect of this, automated vehicles will at least initially need the same safety package as ordinary vehicles. If the fully automated vehicles should travel at speeds similar to vehicles driven by humans, the safety package must be the same. When designing a fully automated vehicle, there are good reasons to consider and design the safety systems as separate from the systems managing normal driving. This would add a much valued element of redundancy. A good side effect of automated cars having sophisticated crash mitigation and avoidance systems and crash safety system would probably also be further improvements to the safety pack of ordinary vehicles.

Is Performing as Good/Bad as Humans Good Enough?

The question above is probably one of the most challenging when discussing the introduction of fully automated vehicles. Here it will be discussed with an ethical approach, a legal approach, and an efficiency approach.

First of all we must define the objective of what potential outcome of incidents and unexpected events should be for a fully automated car. We could aim for the same safety ambition as Vision Zero, no fatalities or serious injuries. Or we might choose to move to “no crashes at all” or even further to avoid also incidents as to aim for security or rather the feeling of security. Cases that go beyond the target in Vision Zero would have major impact on the way a fully automated vehicle can operate. Using the chain of events approach where we limit the travel speed to what is possible to avoid fatalities and serious injuries and instead replace such a target with avoiding crashes means that we must reduce travel speed substantially. And if we would limit, say, braking to less than 0.2 g (normal and conformable braking), the travel speed would have to be further reduced. To some degree improved sensing and situational awareness could influence acceptable travel speeds but only marginally as long as errors do occur.

The road transport system kills about 1.25 million people every year. That is an alarming number, and as previously pointed out, the international society has taken action against road fatalities (United Nations General Assembly 2020). The situation has had a relatively low priority since our attitude to a large degree has been to blame the victim. An individual has done something “wrong” and is hence to blame. The fact that there is a guilty part has blinded many. The Vision Zero introduces the shared responsibility model. Road traffic users must do their best, but the system designers hold a high degree of responsibility for the design and usage of the system. It is more ethical to blame the ones having a real possibility to change the system (Hauer 2016).

Further it seems that we, both society and individuals, have a higher interest in protecting passengers than drivers. Being an innocent victim is significantly different from being an active agent, a driver. The effect of this is that safety in trains and planes is significantly higher than in cars. In aviation and for trains, there is virtually no balancing between safety and efficiency. Safety comes first. In the road transport system, such balancing is still common practice even if Vision Zero slowly is changing practice in many organizations.

For fully automated cars, it seems relevant to put the safety ambitions as high as the levels for aviation of train riding, a twentieth of the risk of today’s car riding.

The Vienna Convention Article 13

The road transport system of today is running as it does, much because of driver not fully adhering to the rules. But taking the rules literary will probably be a prerequisite for partially or fully automated vehicle functions. The Vienna Convention of road traffic from 1968 is setting the framework for road regulation in most countries. One significant article in the convention is Article 13.

The key aspect is that the driver (or in the case of automated cars the control mechanism) always should adapt the speed so to be able to stop for any foreseeable obstruction. Even if the Vienna Convention isn’t a regulation in itself, this article should be implemented in all national regulations in the contracting countries.

Human drivers are often not fulfilling the demand to be able to stop within the range of forward vision. This is clearly seen in the dark, rainy, or foggy traffic situations. We also often pass buses where it is well known that especially children can rush into traffic. Humans frequently take risks and bend rules in ways fully automated vehicles probably cannot accept. The risk taking of humans can to some degree make the system more efficient but at a high cost in insecurity, crashes, and severe or fatal injuries.

Combining the demands from the Vienna Convention, about being able to brake, with Vision Zero’s chain of event model can reveal the new situation. The fully automated vehicle must always plan and act as to remain within the normal driving envelope. The energy level can never be higher than the allowed speed limit, but it is further restricted by the demand to be able to stop short of any foreseeable obstruction. The strict demand in the Vienna Convention about adaptation of the speed is often poorly understood or neglected by human drivers. Computer-driven vehicles should have less issues with this. The sensors and their limitations in combination with the systems situational awareness will restrict possible travel speeds. One must keep in mind that the Vienna Convention demands a crash-free system, not an injury-free traffic. The fully automated vehicle will therefore move slower than the rest of the traffic, and it may be sometimes a better idea to close off manually driven cars from some environments. The alternative is to change the rules and the behavior of the manually driven cars as well, to accommodate the principles of the Vienna Convention with regard to speed. Another alternative is to give the automated vehicles special infrastructure solutions to move within.

External or shared sensors could potentially expand the sensor horizon for automated vehicles. It can, however, be questioned whether external sensors can be reliable enough to base safety critical decisions on.

But, even if the energy levels are at the right, fully automated vehicles will be driving in environments with other vehicles and road users. Therefore it is probable that the fully automated vehicles also will crash and therefore need good systems to brake, steer, and protect in the crashes. Fully automated vehicles may be designed in ways where the passengers have seating postures different from the ones of today’s vehicles. Safety demands and performance in these new seating positions must be considered. It is not likely that crash safety can be diminished for a long time to come. Further investment in crash avoidance and crash safety is an investment in higher speeds and better mobility.

Probably society will not accept fatalities and severe injuries in the fully automated transport system. As the safety demands increase, the most severe injury that is acceptable will be at lower levels than we see today. In the few and rare crashes that automated vehicles experience, the injury levels must be extremely low.

Very rare incidents and extremely few injuries are also a prerequisite for the acceptance for machine-driven vehicles from the general public. The new vehicles must act and feel like reliable and trustful traffic elements.

The demands regarding the impact of the road transport system will also gradually increase over time in such a way that even children should be able to walk or bicycle without risking any injury as a result of a conflict with fully automated vehicles. This will even more restrict automated vehicle to move in such a way that parents and the society feel secure. This means an even less obtrusive traffic.

Discussion

The development towards full or partial automation of driving functions will no doubt continue. Some of the safety technologies developed and introduced during recent years have been proven to be very effective. There are technologies available or under development that could significantly reduce illegal speeding and impaired driving, related to alcohol, fatigue, and distraction. Further, autonomous emergency braking and lane keeping aid systems have become common practice in modern cars. While these technologies do not have a 100% effect on the situations they address, they still seem to bring down the risk of fatalities to very low levels (Rizzi et al.). If they, hypothetically, would be 99% effective on fatalities, we would still have fatalities left but on a global basis go from, say, 1 million deaths per year to 10,000 deaths per year. That would be a giant step, but still not near today’s safety level of rail or aviation (including only fatalities to those using train or regular aviation and excluding, for instance, car occupant fatalities in train to car level crossing crashes).

With these technologies within reach and more to come, full automation is probably not needed to solve today’s safety challenges. However, regulation may be needed to ensure that all vehicles are equipped with these new technologies and that the systems are active when the vehicles are driven.

For railway, the acceptable risk for a jurisdiction is set to 109 fatalities per operating hours (Tingvall and Lie 2021). If we translate this level to the road transport system, the maximum number of fatalities for the European Union would be less than 185 fatalities per year which is 140 times less than the actual number (in 2018). For the USA, the corresponding figure would be 300 times lower than today’s fatality number.

The risk of a fatality in a country like Sweden is already quite low on an individual basis. Calculated on cars (passenger cars, trucks, etc.), we have 200 fatalities linked to these annually, with 5 million cars exposed. This would equate on average to 1 fatality per 25,000 years for a car exposed. For serious injuries the corresponding figure would be 1 case per 2500 years. This tells us that the risk per individual car is low, but on a country level, it still becomes a large health problem.

For cars with a complete set of safety systems, much like a Volvo car of year model 2020 studied in the report by Rizzi et al., we could expect at least a 50% reduction compared to the estimates above. That would equate to 1 fatality per 50,000 years per vehicle and year and 1 per 5000 years for a serious injury. But a serious injury or a fatality would only be a tip of an iceberg, and the number of crashes with/without an injury would be many times more. While crashes without a serious injury or fatality would not be seen as a traffic safety problem, it is likely that they would constitute an unacceptable event for a fully automated car. This could be seen as the main issue surrounding the expectations for a fully automated car in comparison with a car driven by a human.

Many crashes (Rizzi et al. 2019) would be avoided or mitigated if the driver was brought to drive in accordance to general traffic rules. Driving sober, not exceeding the speed limits, and with a distance to the car in front of at least 2–3 s would no doubt have a large effect on the number of killed and serious injury. The figures given above would be significantly reduced when basic rules are followed. If every driver in Sweden did not speed, the number of fatalities would drop by at least 25%. And if no one was driving under the influence, another 25% would not be killed. If we would also add fatigue and distraction as examples, it is likely that we would end up with very few cases of fatalities. A fully automated car would not act as if the driver was intoxicated or fatigued nor drive too fast. But the technologies to detect and limit the driver to act and drive within the legal frameworks exist already. It can be seen as surprising that drivers today are given possibilities to break so many rules when there are technologies available to almost eliminate many offenses.

Given the above logics, it is hard to argue that the safety gains as they are expressed in Vision Zero would be substantial with fully automated cars. On the contrary, it might be a larger challenge to replace the human during normal driving than to only use technology when the driver is acting unsafe and/or a hazardous situation occurs. There are significant benefits in using the capabilities of human drivers and complement these with partially or fully automated functions, without making the entire driving process fully automated.

What seems to be more challenging with the fully automated car is the expectation that it would not only avoid any serious harm to a human but also not crash. It would probably even be expected to act in a nonaggressive way, meaning no harsh braking, etc. This would in turn reduce speed and increase distance to other vehicles and humans. The consequence of the fully automated car would therefore be more of a mobility issue or comfort rather than a safety issue. Furthermore, significant modifications to the road infrastructure would have to be made to improve effectiveness that otherwise would have to be solved by low travel speed. For low-speed fully automated vehicles, this could be more straightforward, especially if they only travel along predefined routes. This seems to be an issue not discussed to the extent that is needed (Sternlund 2020).

In summary, it does not seem adequate to claim that fully automated driving is the way to improve traffic safety to the level of Vision Zero. The combination of the driver and the technology of a vehicle could under certain conditions be as safe as, or even safer than, the fully automated car. But these conditions would no doubt put the same type of restrictions on the driver as we put on the automated car. Speed, fitness to drive, and distance to other road users should be the same for the car driven by a human as it would be on the fully automated car. The main difference between the automation and the manually driven car would be what we aim for – a road transport system free of death and serious injuries or a road transport system free of crashes, incidents, or fear of technology. In the end, it would be the effectiveness of the road transport system that would be the real challenge.

As human drivers will continue to play active roles in driving their vehicles while managing an increasing array of new or newly configured technologies at their disposal, they can expect to encounter more situations when they must consider, or have embraced and trusted a priori, a mix between human and automated control. These questions become tangibly real for drivers of cars equipped with advanced systems. Millions of drivers over the next 10 years will not only have to ask what their vehicle is able to handle, but be prepared and comfortable answering them with literal life-or-death certainty. Democratizing safety technology so that it benefits the greatest number of people as soon as possible is a new way of looking at our journey to full automotive autonomy. We believe that such a development can be enabled by a scalable safety approach that puts each new safety innovation wherever it can work effectively (Veoneer 2020).

It should also be stressed that the safety modeling of Vision Zero is based on modifying the road infrastructure if the conditions does not fulfill the safety requirements given the safety level of the vehicles exposed. For fully automated cars, the modifications to the infrastructure should be brought up as well. Otherwise, the entire safety challenge would have to be solved by the vehicles, and this does not seem to be rational as the travel speed of the safe fully automated car would have to be very low. In summary, it would be a mistake to believe that no modifications would have to be done to the infrastructure or to the functionality of the road transport system if we fully automate the vehicles. However we can foresee focussed action in the infrastructure if they are limited and clearly defined. An open dialogue around demands and performance would help both vehicle and infrastructure designers. We still need to bring humans, infrastructure, functions, and vehicles into the design of the future safe and secure mobility.

Partially or fully automated vehicles will be common in the future. The full potential benefits can only be gained if we understand the potential and limitations of automation. There is also an urgent need to look at automation in the systems perspective that Vision Zero has developed.

Fully automated vehicles are probably not prerequisites to achieve Vision Zero, but Vision Zero or even higher safety levels are a prerequisite for fully automated vehicles.

Conclusions

  • Safety, trust, and security are critical elements when introducing partially or fully automated vehicles.

  • When machines are driving, the safety demands will increase at least tenfold compared to the expectations on human drivers. They must experience fewer and less severe crashes than what we see today.

  • The fully automated vehicles will have to obey traffic regulation. As a result of this, the energy allowed will be restricted by their sensor horizon, sensor reliability, situational awareness, and their stopping distance.

  • Even if machines can drive safely in an ego perspective, they will have to plan for crashes by having the same safety systems as human driven cars.

  • The key element of Vision Zero, the road transport system must be adapted to the failing human, is valid also for machine-driven vehicles. The system must be adapted for the failing machines.