Collision Between Vehicle Controlled by Developmental
Automated Driving System and Pedestrian
Tempe, Arizona
March 18, 2018
Accident Report
NTSB/HAR-19/03
PB2019-101402
National
Transportation
Safety Board
NTSB/HAR-19/03
PB2019-101402
Notation 59392
Adopted November 19, 2019
Highway Accident Report
Collision Between Vehicle Controlled by Developmental
Automated Driving System and Pedestrian
Tempe, Arizona
March 18, 2018
National
Transportation
Safety Board
490 L’Enfant Plaza, S.W.
Washington, D.C. 20594
NOTE: This report was reissued on June 26, 2020, with corrections to the report title on this page.
CORRECTED COPY
National Transportation Safety Board. 2019. Collision Between Vehicle Controlled by Developmental
Automated Driving System and Pedestrian, Tempe, Arizona, March 18, 2018. Highway Accident Report
NTSB/HAR-19/03. Washington, DC.
Abstract: On the evening of March 18, 2018, an automated test vehicle struck and fatally injured a
49-year-old pedestrian crossing N. Mill Avenue, outside a crosswalk, in Tempe, Arizona. The Advanced
Technologies Group of Uber Technologies, Inc., had installed a proprietary developmental automated
driving system in the test vehicle (a modified 2017 Volvo SC90 sport utility vehicle), which was active at
the time of the crash. The 44-year-old operator had been operating the vehicle for about 19 minutes before
the crash. The National Transportation Safety Board (NTSB) investigation focused on the inadequate safety
culture of the Uber Advanced Technologies Group and the need for safety risk management requirements
for testing automated vehicles on public roads. As a result of its investigation, the NTSB issued
recommendations to the National Highway Traffic Safety Administration, the state of Arizona, the
American Association of Motor Vehicle Administrators, and the Uber Technologies, Inc., Advanced
Technologies Group.
The NTSB is an independent federal agency dedicated to promoting aviation, railroad, highway, marine, and pipeline
safety. Established in 1967, the agency is mandated by Congress through the Independent Safety Board Act of 1974
to investigate transportation accidents, determine the probable causes of the accidents, issue safety recommendations,
study transportation safety issues, and evaluate the safety effectiveness of government agencies involved in
transportation. The NTSB makes public its actions and decisions through accident reports, safety studies, special
investigation reports, safety recommendations, and statistical reviews.
The NTSB does not assign fault or blame for an accident or incident; rather, as specified by NTSB regulation,
“accident/incident investigations are fact-finding proceedings with no formal issues and no adverse parties … and are
not conducted for the purpose of determining the rights or liabilities of any person” (Title 49 Code of Federal
Regulations section 831.4). Assignment of fault or legal liability is not relevant to the NTSB’s statutory mission to
improve transportation safety by investigating accidents and incidents and issuing safety recommendations. In
addition, statutory language prohibits the admission into evidence or use of any part of an NTSB report related to an
accident in a civil action for damages resulting from a matter mentioned in the report (Title 49 United States Code
section 1154(b)).
For more detailed background information on this report, visit the NTSB investigations website and search for NTSB
accident ID HWY18MH010. Recent publications are available in their entirety on the NTSB website. Other
information about available publications may be obtained from the website or by contacting:
National Transportation Safety Board
Records Management Division, CIO-40
490 L’Enfant Plaza, SW
Washington, DC 20594
(800) 877-6799 or (202) 314-6551
Copies of NTSB publications can be downloaded at no cost from the National Technical Information Service at the
National Technical Reports Library search page, using product number PB2019-101402. For additional assistance,
contact:
National Technical Information Service
5301 Shawnee Rd.
Alexandria, VA 22312
(800) 553-6847 or (703) 605-6000
NTIS website
NTSB Highway Accident Report
i
Contents
Figures and Tables ....................................................................................................................... iii
Acronyms and Abbreviations ..................................................................................................... iv
Executive Summary .......................................................................................................................v
Crash Summary ......................................................................................................................v
Probable Cause .......................................................................................................................v
Safety Issues ......................................................................................................................... vi
Findings ................................................................................................................................ vi
Recommendations .............................................................................................................. viii
1 Factual Information ..............................................................................................................1
1.1 Crash Events ...........................................................................................................................1
1.2 Location ..................................................................................................................................3
1.2.1 Roadway ......................................................................................................................3
1.2.2 Median .........................................................................................................................4
1.3 Injuries and Occupant Protection ............................................................................................5
1.4 Vehicle Factors .......................................................................................................................5
1.4.1 Sport Utility Vehicle ....................................................................................................5
1.4.2 Bicycle .........................................................................................................................7
1.5 Uber ATG Developmental Automated Driving System .........................................................8
1.5.1 Overview ......................................................................................................................8
1.5.2 Structural Components ................................................................................................8
1.5.3 Route Mapping, Path Guidance, and Verification .....................................................11
1.5.4 Operation ...................................................................................................................11
1.5.5 Motion Planning: Object Detection and Hazard Avoidance .....................................12
1.5.6 Data Recorded During Crash Trip .............................................................................14
1.5.7 Human-Machine Interface .........................................................................................18
1.5.8 ATG Fleet of Test Vehicles .......................................................................................19
1.6 Volvo Advanced Driver Assistance Systems .......................................................................20
1.6.1 Collision Avoidance ..................................................................................................20
1.6.2 Data and Simulation ..................................................................................................20
1.6.3 Interaction with Uber ATG Automated Driving System ...........................................22
1.7 Human Factors ......................................................................................................................22
1.7.1 Pedestrian ...................................................................................................................22
1.7.2 Vehicle Operator ........................................................................................................22
1.7.3 Postcrash Observation of Sight Distance ...................................................................24
1.7.4 Arizona Statutes on Pedestrian and Driver Responsibilities .....................................25
1.8 Company Operations ............................................................................................................26
1.8.1 Overview ....................................................................................................................26
1.8.2 Safety Culture and Policies ........................................................................................26
1.8.3 Operator Training ......................................................................................................28
NTSB Highway Accident Report
ii
1.8.4 Transition to Single Vehicle Operator .......................................................................29
1.9 Postcrash Changes ................................................................................................................29
1.9.1 Technical Performance ..............................................................................................30
1.9.2 Operational Safety .....................................................................................................31
1.9.3 Organizational Changes .............................................................................................32
1.10 Policies, Standards, and Regulations for Automated Vehicles .............................................33
1.10.1 Federal Standards and Guidance ...............................................................................33
1.10.2 Arizona Requirements ...............................................................................................34
2 Analysis ................................................................................................................................36
2.1 Introduction ...........................................................................................................................36
2.1.1 Exclusions ..................................................................................................................36
2.1.2 Pedestrian Actions .....................................................................................................36
2.1.3 Safety Issue Areas ......................................................................................................37
2.2 Uber ATG Safety Culture .....................................................................................................38
2.2.1 Uber ATG Safety Risk Management .........................................................................39
2.2.2 Operator Supervision of Vehicle Automation ...........................................................42
2.2.3 Uber ATG Safety Policies .........................................................................................46
2.3 Testing of Automated Vehicles ............................................................................................47
2.3.1 Terminology of Automation ......................................................................................48
2.3.2 Federal Approach .......................................................................................................49
2.3.3 Industry Efforts ..........................................................................................................51
2.3.4 State Approach: Legislating Automated Vehicle Testing .........................................52
3 Conclusions ..........................................................................................................................57
3.1 Findings ................................................................................................................................57
3.2 Probable Cause .....................................................................................................................59
4 Recommendations ...............................................................................................................60
Board Member Statement ...........................................................................................................62
Appendix: Investigation ..............................................................................................................64
References .....................................................................................................................................65
NTSB Highway Accident Report
iii
Figures and Tables
Figure 1. Aerial view of crash location showing path of pedestrian as she attempted to cross
N. Mill Avenue and movement and speed of SUV at three points before impact ......... 2
Figure 2. Configuration of median on N. Mill Avenue at time of crash and postcrash changes ... 4
Figure 3. SUV postcrash showing damage to front end and overhead view of bicycle’s
position at impact .......................................................................................................... 6
Figure 4. Approximate position of bicycle at impact .................................................................... 7
Figure 5. Location of sensor components on 2017 Volvo XC90 equipped with ATG’s ADS ...... 9
Figure 6. SUV interior showing locations of slot that could mount a cell phone, ADS
engagement/disengagement knob, ADS engagement button, and HMI ..................... 19
Figure 7. Precrash activities of vehicle operator, March 15–18, 2018 ....................................... 24
Table. Selected parameters recorded by vehicle’s ADS ......................................................... 15
NTSB Highway Accident Report
iv
Acronyms and Abbreviations
AAMVA
American Association of Motor Vehicle Administrators
ACC
adaptive cruise control
ADAS
advanced driver assistance system
ADOT
Arizona Department of Transportation
ADS
automated driving system
AEB
automatic emergency braking
ATG
Advanced Technologies Group (Uber)
CFR
Code of Federal Regulations
DMV
Department of Motor Vehicles
ERR
electrical reversible retractor
Euro NCAP
European New Car Assessment Programme
FCW
forward collision warning
FMVSSs
Federal Motor Vehicle Safety Standards
g
acceleration due to gravity
GPS
global positioning system
HMI
human-machine interface
lidar
light detection and ranging
m/s
2
meters per second squared
ms/s
3
meters per second cubed
µg/mL
micrograms per milliliter
ng/mL
nanograms per milliliter
NHTSA
National Highway Traffic Safety Administration
NTSB
National Transportation Safety Board
ODD
operational design domain
PDOT
Pennsylvania Department of Transportation
SAE
SAE International (formerly Society of Automotive Engineers)
SMS
safety management system
SR-202
State Route 202
SRS
supplemental restraint system
SUV
sport utility vehicle
THC
tetrahydrocannabinol
TPD
Tempe Police Department
NTSB Highway Accident Report
v
Executive Summary
Crash Summary
On March 18, 2018, at 9:58 p.m., an automated test vehicle, based on a modified 2017
Volvo XC90 sport utility vehicle (SUV), struck a female pedestrian walking across the northbound
lanes of N. Mill Avenue in Tempe, Arizona. The SUV was operated by the Advanced Technologies
Group of Uber Technologies, Inc., which had modified the vehicle with a proprietary
developmental automated driving system (ADS). A female operator occupied the driver’s seat of
the SUV, which was being controlled by the ADS. The road was dry and was illuminated by street
lighting.
1
The SUV was completing the second loop on an established test route that included part of
northbound N. Mill Avenue. The vehicle had been operating about 19 minutes in autonomous
mode—controlled by the ADS—when it approached the collision site in the right lane at a speed
of 45 mph, as recorded by the ADS. About that time, the pedestrian began walking across N. Mill
Avenue where there was no crosswalk, pushing a bicycle by her side.
The ADS detected the pedestrian 5.6 seconds before impact. Although the ADS continued
to track the pedestrian until the crash, it never accurately classified her as a pedestrian or predicted
her path. By the time the ADS determined that a collision was imminent, the situation exceeded
the response specifications of the ADS braking system. The system design precluded activation of
emergency braking for collision mitigation, relying instead on the operator’s intervention to avoid
a collision or mitigate an impact.
Video from the SUV’s inward-facing camera shows that the operator was glancing away
from the road for an extended period while the vehicle was approaching the pedestrian.
Specifically, she was looking toward the bottom of the SUV’s center console, where she had placed
her cell phone at the start of the trip. The operator redirected her gaze to the road ahead about
1 second before impact. ADS data show that the operator began steering left 0.02 seconds before
striking the pedestrian, at a speed of 39 mph. The pedestrian died in the crash. The vehicle operator
was not injured. Toxicological tests on the pedestrian’s blood were positive for drugs that can
impair perception and judgment.
Probable Cause
The National Transportation Safety Board determines that the probable cause of the crash
in Tempe, Arizona, was the failure of the vehicle operator to monitor the driving environment and
the operation of the automated driving system because she was visually distracted throughout the
trip by her personal cell phone. Contributing to the crash were the Uber Advanced Technologies
Group’s (1) inadequate safety risk assessment procedures, (2) ineffective oversight of vehicle
1
For more information, see the factual information and analysis sections of this report. Additional information
about the investigation of this crash (NTSB case number HYW18MH010) can be found by accessing the Docket
Management System at www.ntsb.gov. For more information on our safety recommendations, see the Safety
Recommendation Database at www.ntsb.gov.
NTSB Highway Accident Report
vi
operators, and (3) lack of adequate mechanisms for addressing operators’ automation
complacency—all a consequence of its inadequate safety culture. Further factors contributing to
the crash were (1) the impaired pedestrian’s crossing of N. Mill Avenue outside a crosswalk, and
(2) the Arizona Department of Transportation’s insufficient oversight of automated vehicle testing.
Safety Issues
The investigation identified the following safety issues:
• Uber Advanced Technologies Group’s inadequate safety culture. At the time of the
crash, the Uber Advanced Technologies Group had an inadequate safety culture,
exhibited by a lack of risk assessment mechanisms, of oversight of vehicle operators,
and of personnel with backgrounds in safety management. Since the crash, the
company has made changes in organizational, operational, and technical areas. The
report explores the deficiencies that led to the crash, the potential countermeasures, and
the extent to which the postcrash changes made by the Uber Advanced Technologies
Group affect the safe testing of ADSs.
• Need for safety risk management requirements for testing automated vehicles on public
roads. Although the National Highway Traffic Safety Administration has published
three iterations of an automated vehicles policy, that summary guidance does not
provide a means of evaluating an ADS. The absence of safety regulations and detailed
guidance has prompted some states to develop their own requirements for automated
vehicle testing. The report explores the roles of federal agencies, industry, and
individual states in supporting the development of automation and ensuring public
safety during ADS testing.
Findings
• None of the following were factors in the crash: (1) driver licensing, experience, or
knowledge of the automated driving system operation; (2) vehicle operator substance
impairment or fatigue; or (3) mechanical condition of the vehicle.
• The emergency response to the crash was timely and adequate.
• The pedestrian’s unsafe behavior in crossing the street in front of the approaching
vehicle at night and at a location without a crosswalk violated Arizona statutes and was
possibly due to diminished perception and judgment resulting from drug use.
• The Uber Advanced Technologies Group did not adequately manage the anticipated
safety risk of its automated driving system’s functional limitations, including the
system’s inability in this crash to correctly classify and predict the path of the
pedestrian crossing the road midblock.
NTSB Highway Accident Report
vii
• The aspect of the automated driving system’s design that precluded braking in
emergency situations only when a crash was unavoidable increased the safety risks
associated with testing automated driving systems on public roads.
• Because the Uber Advanced Technologies Group’s automated driving system was
developmental, with associated limitations and expectations of failure, the extent to
which those limitations pose a safety risk depends on safety redundancies and
mitigation strategies designed to reduce the safety risk associated with testing
automated driving systems on public roads.
• The Uber Advanced Technologies Group’s deactivation of the Volvo forward collision
warning and automatic emergency braking systems without replacing their full
capabilities removed a layer of safety redundancy and increased the risks associated
with testing automated driving systems on public roads.
• Postcrash changes by the Uber Advanced Technologies Group, such as making Volvo’s
forward collision warning and automatic emergency braking available during operation
of the automated driving system (ADS), added a layer of safety redundancy that
reduces the safety risks associated with testing ADSs on public roads.
• Had the vehicle operator been attentive, she would likely have had sufficient time to
detect and react to the crossing pedestrian to avoid the crash or mitigate the impact.
• The vehicle operator’s prolonged visual distraction, a typical effect of automation
complacency, led to her failure to detect the pedestrian in time to avoid the collision.
• The Uber Advanced Technologies Group did not adequately recognize the risk of
automation complacency and develop effective countermeasures to control the risk of
vehicle operator disengagement, which contributed to the crash.
• Although the installation of a human-machine interface in the Uber Advanced
Technologies Group test vehicles reduced the complexity of the
automation-monitoring task, the decision to remove the second vehicle operator
increased the task demands on the sole operator and also reduced the safety
redundancies that would have minimized the risks associated with testing automated
driving systems on public roads.
• Although the Uber Advanced Technologies Group had the means to retroactively
monitor the behavior of vehicle operators and their adherence to operational
procedures, it rarely did so; and the detrimental effect of the company’s ineffective
oversight was exacerbated by its decision to remove the second vehicle operator during
testing of the automated driving system.
• The Uber Advanced Technologies Group’s postcrash inclusion of a second vehicle
operator during testing of the automated driving system, along with real-time
monitoring of operator attentiveness, begins to address the oversight deficiencies that
contributed to the crash.
NTSB Highway Accident Report
viii
• The Uber Advanced Technologies Group’s inadequate safety culture created
conditions—including inadequate oversight of vehicle operators—that contributed to
the circumstances of the crash and specifically to the vehicle operator’s extended
distraction during the crash trip.
• The Uber Advanced Technologies Group’s plan for implementing a safety
management system, as well as postcrash changes in the company’s oversight of
vehicle operators, begins to address the deficiencies in safety risk management that
contributed to the crash.
• Mandatory submission of safety self-assessment reports—which are currently
voluntary—and their evaluation by the National Highway Traffic Safety
Administration would provide a uniform, minimal level of assessment that could aid
states with legislation pertaining to the testing of automated vehicles.
• Arizona’s lack of a safety-focused application-approval process for automated driving
system (ADS) testing at the time of the crash, and its inaction in developing such a
process since the crash, demonstrate the state’s shortcomings in improving the safety
of ADS testing and safeguarding the public.
• Considering the lack of federal safety standards and assessment protocols for
automated driving systems, as well as the National Highway Traffic Safety
Administration’s inadequate safety self-assessment process, states that have no, or only
minimal, requirements related to automated vehicle testing can improve the safety of
such testing by implementing a thorough application and review process before
granting testing permits.
Recommendations
To the National Highway Traffic Safety Administration:
Require entities who are testing or who intend to test a developmental automated
driving system on public roads to submit a safety self-assessment report to your
agency. (H-19-47)
Establish a process for the ongoing evaluation of the safety self-assessment reports as
required in Safety Recommendation H-19-47 and determine whether the plans include
appropriate safeguards for testing a developmental automated driving system on
public roads, including adequate monitoring of vehicle operator engagement, if
applicable. (H-19-48)
NTSB Highway Accident Report
ix
To the state of Arizona:
Require developers to submit an application for testing automated driving system
(ADS)-equipped vehicles that, at a minimum, details a plan to manage the risk
associated with crashes and operator inattentiveness and establishes countermeasures
to prevent crashes or mitigate crash severity within the ADS testing parameters.
(H-19-49)
Establish a task group of experts to evaluate applications for testing vehicles equipped
with automated driving systems, as described in Safety Recommendation H-19-49,
before granting a testing permit. (H-19-50)
To the American Association of Motor Vehicle Administrators:
Inform the states about the circumstances of the Tempe, Arizona, crash and encourage
them to (1) require developers to submit an application for testing automated driving
system (ADS)-equipped vehicles that, at a minimum, details a plan to manage the risk
associated with crashes and operator inattentiveness and establishes countermeasures
to prevent crashes or mitigate crash severity within the ADS testing parameters, and
(2) establish a task group of experts to evaluate the application before granting a
testing permit. (H-19-51)
To the Uber Technologies, Inc., Advanced Technologies Group:
Complete the implementation of a safety management system for automated driving
system testing that, at a minimum, includes safety policy, safety risk management,
safety assurance, and safety promotion. (H-19-52)
NTSB Highway Accident Report
1
1 Factual Information
1.1 Crash Events
On Sunday, March 18, 2018, at 9:58 p.m. mountain standard time, an automated test
vehicle, based on a modified 2017 Volvo XC90 sport utility vehicle (SUV), struck a pedestrian
walking midblock across the northbound lanes of N. Mill Avenue in Tempe, Arizona.
1
The SUV
was operated by the Advanced Technologies Group (ATG) of Uber Technologies, Inc., which had
modified the vehicle by installing a proprietary developmental automated driving system (ADS).
The ADS was active at the time of the crash.
The SUV, occupied by a 44-year-old female operator, was completing the second loop on
an established test route that included a section of northbound N. Mill Avenue. The SUV had been
operating for about 19 minutes in autonomous mode (controlled by the ADS) when it approached
the vicinity of the crash site, traveling in the right lane, at a speed of 45 mph. The 49-year-old
female pedestrian started to walk east across N. Mill Avenue, pushing a bicycle at her left side (see
figure 1). The location had no crosswalk.
According to ADS data, the system first detected the pedestrian 5.6 seconds before the
crash. It initially classified the pedestrian as a vehicle, and subsequently also as an unknown object
and a bicyclist. Although the ADS continued tracking the pedestrian until the crash, it did not
correctly predict her path or reduce the SUV’s speed in response to the detected pedestrian.
2
By
the time the system determined that a collision was imminent and the situation exceeded the
response specifications of the ADS braking system to avoid the collision—1.2 seconds before
impact—the design of the system relied on the vehicle operator to take control of the vehicle. In
such situations, the design of the ATG ADS precluded emergency braking for crash mitigation
alone.
3
Video from an ATG-installed inward-facing camera shows that the operator was glancing
away from the roadway for extended periods throughout the trip. Specifically, she was looking
down toward the bottom of the center console where she had placed her cell phone at the start of
the trip.
4
According to her phone records, the operator was streaming a television show using an
application on her phone. About 6 seconds before the crash, she redirected her gaze downward,
where it remained until about 1 second before the crash.
1
See the appendix for additional information about this National Transportation Safety Board (NTSB)
investigation.
2
The vehicle was gradually decelerating because it was approaching an intersection and the system had planned
a right turn. For details on the route and vehicle motion planning, see section 1.5.
3
For additional details on the ADS and the detection of the pedestrian, see section 1.5.
4
For additional information about the vehicle operator’s use of a cell phone during the trip, see sections 1.5.6.2
and 1.7.2.3.
NTSB Highway Accident Report
2
Figure 1. Aerial view of crash location showing path of pedestrian as she attempted to cross
N. Mill Avenue and movement and speed of SUV at three points before impact. Pedestrian’s
path shows her position from initial detection (5.6 seconds before impact) until impact; SUV’s
position is shown at corresponding times beginning 4.2 seconds before impact. (Source:
Adapted from Google Earth)
ADS data show that the operator began steering left 0.02 seconds before striking the
pedestrian, at a speed of 39 mph. The video from the ATG-installed forward-facing camera shows
that the pedestrian was struck by the SUV’s front end at a near-perpendicular angle. The impact
pushed the pedestrian under the SUV, which carried her with it. She came to rest 75 feet to the
north, in the right-turn lane. The bicycle came to rest 105 feet north of the point of impact. The
rest position of the SUV was 189 feet north of the point of impact, in the right-turn lane.
The city of Tempe emergency communication center received a 911 call about the crash at
10:00 p.m. The dispatcher immediately notified the Tempe Police Department (TPD). The Tempe
Fire Department received notification 1 minute later. The TPD responded with 11 units, the first
NTSB Highway Accident Report
3
of which arrived on scene at 10:04 p.m. The fire department responded with one engine and one
medical unit, both of which arrived on scene at 10:08 p.m. At the time of the crash, it was
nighttime, the road surface was dry, and the road was illuminated by street lighting.
5
1.2 Location
1.2.1 Roadway
The crash occurred in the northbound lanes of N. Mill Avenue, about 400 feet south of its
intersection with Curry Road and about 310 feet north of a State Route 202 (SR-202) overpass.
The impact occurred along a 311-foot-long tangent—a straightaway section of the roadway. North
of the crash site, the horizontal alignment consists of a 328-foot-long, 955-foot-radius curve to the
right in the northbound direction of travel. South of the crash location, the horizontal alignment
consists of a 3,000-foot-long, 3,280-foot-radius leftward curve. The crash occurred about 244 feet
into the straightaway section of N. Mill Avenue, 67 feet before the start of the north curve.
6
The
posted speed limit on this section of N. Mill Avenue is 45 mph.
Near the crash site, the northbound roadway contains two through lanes, each 13.6 feet
wide, and one 4-foot-wide bicycle lane along the right shoulder. The road widens for the formation
of two left-turn lanes, so that at the crash site, the road is 51 feet wide (refer to figure 1). The
vehicle lanes are separated by 4-inch-wide broken white lines, with a solid white line defining the
bicycle lane. Raised curbing runs along the side of the road.
Safety lighting in the area of the crash includes six light poles along northbound N. Mill
Avenue. The light poles are positioned within about 600 feet of the crash site, four on the right and
two on the left side of the road. The light closest to the crash site on the right side of the road is
47 feet south of the impact area. On the left side of the road, the nearest light is 57 feet south of
the crash site. According to the TPD, five of the lights were operational when officers arrived. The
light on the left side of the road, 158 feet north of the crash site, was not operating.
7
The average daily traffic northbound on N. Mill Avenue obtained shortly after the crash
was 16,800 vehicles. At the request of NTSB investigators, the city of Tempe obtained a daily
count of pedestrians (66) and bicyclists (12) in June 2018.
8
The 10-year crash history of the area
between the SR-202 overpass and Curry Road listed no pedestrian fatalities or injuries.
5
The temperature was 56°F, the wind was from the west-southwest at 12 mph with gusts to 21 mph, and there
was no precipitation. The records are from the weather station at Phoenix Sky Harbor International Airport, 3.8 miles
west of the crash site.
6
Figure 1 depicts the straightaway section of N. Mill Avenue and about 70 feet of the end segment of the south
curve. Considering the length and the large radius of the south curve, the curvature of the roadway might not be easily
perceptible when viewing only a limited segment of the curve.
7
For more details regarding the installation and performance of the safety lighting, see the public docket for this
investigation (HWY18MH010).
8
The pedestrian and bicyclist count was conducted during a 24-hour period on a Tuesday, along N. Mill Avenue
between the SR-202 overpass and about 175 feet south of Curry Road, covering a distance of about 500 feet. No
sidewalks are present along this segment of N. Mill Avenue. A musical event occurred at a nearby business during the
count, which suggests that the average daily count is smaller, possibly considerably smaller.
NTSB Highway Accident Report
4
1.2.2 Median
The northbound and southbound travel lanes on N. Mill Avenue are separated by a
landscaped median. Next to the crash site, the median is about 71 feet wide and includes an
X-shaped, red-brick configuration, which at the time of the crash had the appearance of a pathway
(figure 2). Also at the time of the crash, the median contained four signs prohibiting pedestrian
crossing. Each consisted of a no-pedestrian-crossing symbol with an accompanying USE
CROSSWALK plaque (see figure 2).
9
Two of the signs were on the median’s east edge and faced the
northbound roadway, about 30 feet north and 130 feet south of the crash site.
Figure 2. Configuration of median on N. Mill Avenue at time of crash (left image) and postcrash
changes (right images). Aerial view in left image shows X-shaped configuration, location of signs
prohibiting pedestrian crossing, and insets illustrating signs. Right image shows rocks placed
postcrash on median (top) and double-sided signs prohibiting pedestrian crossing (bottom).
(Sources: Left image adapted from Google Earth; top right image from Arizona Republic; bottom
right image from city of Tempe)
9
The no-pedestrian-crossing symbol was a regulatory sign measuring 18 by 18 inches. The use-crosswalk plaques
were also regulatory signs, each measuring 18 inches wide and 12 inches high.
NTSB Highway Accident Report
5
The nearest crosswalks to the crash site are 380 feet north, at the intersection with Curry
Road, and 2,700 feet south, at the intersection with Rio Salado Parkway. The north tip of the
median—where its width narrows to 6 feet—ends at the crosswalk at the intersection with Curry
Road. There is no established walkway from that crosswalk to the brick configuration on the
median. The south end of the median ends below the SR-202 overpass. NTSB investigators could
not determine how the pedestrian arrived at the median, or whether she reached it by crossing
N. Mill Avenue midblock, outside a crosswalk.
After the crash, the city of Tempe added four signs to the existing signposts prohibiting
pedestrian crossing, resulting in four double-sided prohibition signs that are visible from both the
median and the roadway. The city also removed the X-shaped decorative brick path and replaced
it with rocks, creating a terrain unsuitable for walking (refer to figure 2).
1.3 Injuries and Occupant Protection
The pedestrian died on scene from multiple blunt force injuries. The vehicle operator was
not injured. The driver’s seat of the SUV was equipped with a lap/shoulder belt, which was found
attached at its anchor points after the crash. The belt’s webbing showed cupping with abrasions
and load marks, indicating that it had been worn at the time of impact.
The front seats of the SUV were equipped with electrical reversible retractors (ERRs), seat
belt pretensioners that tighten seat belts, keeping occupants closer to their seats in anticipation of
a crash. Although the SUV’s air bags did not deploy during the crash, the ERR on the driver’s seat
was triggered after the impact with the pedestrian. For a further description of the ERR, see
section 1.6.2.
10
1.4 Vehicle Factors
1.4.1 Sport Utility Vehicle
1.4.1.1 General Description. As noted earlier, the SUV had been modified and equipped
with an ADS (see section 1.5). It was also factory-equipped with advanced driver assistance
systems (ADASs), including ones designed to avoid or mitigate collisions with pedestrians or
bicyclists (see section 1.6).
11
The vehicle involved in the crash was a factory-built 2017 Volvo XC90 Inscription model,
equipped with a 2.0-liter gas/electric hybrid 400-horsepower engine and an 8-speed automatic
transmission. The vehicle had light-emitting-diode headlights of the bending-beam type.
12
It had
five passenger seats, two in the front and three in the second row. The vehicle was factory-equipped
10
Section 1.6 discusses the SUV’s design and its collision mitigation systems that affect other roadway users,
specifically pedestrians and bicyclists.
11
At the time of the crash, the ADAS was not active because it was designed to deactivate during ADS testing.
The interaction between the ATG ADS and the Volvo ADAS is discussed in section 1.6.3.
12
Bending-beam headlights turn from side to side as the steering wheel turns, helping to illuminate curves.
NTSB Highway Accident Report
6
with a third row of seats, but ATG removed it to create space for computers and other ADS-related
equipment.
1.4.1.2 Damage. The SUV sustained damage to the front end. Contact damage on the front
bumper, grille, and hood was concentrated in an area slightly offset toward the passenger side (see
figure 3). Both bicycle tires left impressions on the SUV’s bumper cover. Scrape marks were
visible on the lower left corner of the SUV’s front spoiler, caused by the bicycle’s rear sprocket
assembly. The headlights were intact, and there was no other external damage. The vehicle’s
interior was unaffected by the crash.
Figure 3. SUV postcrash showing damage to front end (left image) and overhead view of bicycle’s
position at impact (right image).
1.4.1.3 Mechanical Inspection. NTSB investigators examined the function of the
vehicle’s factory-equipped components, including the braking, lighting, suspension, and electrical
systems. They also examined the wheels and tires. They found no damage or defects in any major
mechanical system that could have affected the SUV’s performance. No noncollision defects were
found on any of the vehicle’s tires or wheels.
1.4.1.4 Data Recorder Sources. The SUV was equipped with numerous systems and
modules capable of recording data. The various sources recorded information pertaining to vehicle
dynamics, occupant protection systems, and autonomous operation of the vehicle (such as
detection of other objects in the environment and video of the environment around and inside the
SUV). Relevant recorded information captured by the ATG-installed systems is discussed in
section 1.5.6. Relevant recorded information captured by the factory-equipped systems—the
standard Volvo data-recording components—is discussed in section 1.6.2.
NTSB Highway Accident Report
7
1.4.1.5 Maintenance and Safety Recalls. The vehicle records show regular mechanical
maintenance, the last taking place on January 23, 2018.
13
Based on video from an ATG-installed
inward-facing camera, before starting her shift on the day of the crash, the vehicle operator
conducted a regular pretrip inspection—examining the SUV’s exterior and interior and verifying
the status of the equipment supporting autonomous operation.
14
The SUV was not subject to any
federal or Arizona mechanical inspection requirements.
15
It was also not subject to any safety
recalls.
16
1.4.2 Bicycle
The bicycle was a 2017 700c Hyper SpinFit manufactured by Hyper Toy Company. As a
result of the crash, the bicycle’s front wheel was twisted, and the front fork was misaligned with
the handle bars (figure 4 shows the bicycle’s position at impact).
Figure 4. Approximate position of bicycle at impact.
13
Maintenance consisted of changing the oil and oil filter, rotating tires, and checking fluids, brakes, and
suspension. All four tires were replaced on March 15, 2018.
14
Among other items, vehicle operators were required by ATG to inspect the ADS disengagement button, the
sensors pod, and the functionality of the dash cameras and the tablet through which operators interacted with the
system. See the Operations factual report in the NTSB public docket for this investigation (HWY18MH010) for
additional details on the pretrip inspection.
15
Arizona has a requirement for emissions inspection (Arizona vehicle code 49-542) but not for mechanical
vehicle inspection. For a description of ATG operations, see section 1.8.
16
NTSB investigators searched the National Highway Traffic Safety Administration (NHTSA) safety recall
database on March 29, 2019, and found no recalls relating to the vehicle.
NTSB Highway Accident Report
8
The bicycle had a reflector on the stem and two reflectors on either side of both pedals.
The reflectors faced forward of and behind the bicycle, but not in the direction of the approaching
SUV. According to video from the ATG-installed forward-facing camera, the bicycle did not have
side-facing reflectors on the spokes of either wheel.
17
1.5 Uber ATG Developmental Automated Driving System
1.5.1 Overview
The ATG developmental ADS installed on the SUV was designed to operate in
autonomous mode only on premapped, designated routes. When the ADS was active, it performed
all driving tasks, including changing lanes, overtaking slow-moving or stopped vehicles, turning,
and stopping at traffic lights and stop signs. Although the system was designed to be fully
automated along a specific route, a human operator inside the vehicle was tasked with overseeing
the system’s operation, monitoring the driving environment, and if necessary, taking control of the
vehicle and intervening in an emergency.
18
At the time of the crash, the SUV was operating on a designated route for ADS testing, an
11.2-mile loop that included downtown Tempe. Unless stated otherwise, the ADS discussed in this
report refers only to the Krypton platform that was installed on the SUV at the time of the crash.
19
After the crash, ATG made numerous changes to the ADS (see sections 1.9 and 2.2).
1.5.2 Structural Components
The ADS that controlled the SUV at the time of the crash consisted of multiple systems for
monitoring and analyzing the vehicle’s performance and the surrounding environment. Each
system had hardware components and software analysis and data-recording elements. As shown
in figure 5, structural components included (1) a lidar (light detection and ranging) system, (2) a
radar system, (3) a camera system, and (4) telemetry, positioning, monitoring, and
telecommunication systems.
20
As part of development of the ADS, ATG equipped the SUV with a supplementary
fleet-monitoring dash-camera system that included a forward-facing camera and an inward-facing
camera for monitoring the vehicle operator. ATG also installed a human-machine interface
(HMI)—a tablet computer—that enabled interaction between the vehicle operator and the ADS
17
Title 16 Code of Federal Regulations (CFR) 1512.16 requires newly sold bicycles for roadway use to have
reflectors on the front, rear, and pedals, and to have side reflectors on a sidewall of the wheels or on the wheel spokes.
This bicycle was not new, and investigators were unable to determine when the pedestrian obtained it.
18
For additional details regarding operator responsibilities and training, see section 1.8.4.
19
The software installed on the crash vehicle was version 2018.071.3pl.
The rest of the ATG fleet of 2017 Volvo
XC90 vehicles at the time of the crash used the same system.
20
For additional information about the ADS components and its functionality, see the Vehicle Automation factual
report in the docket for this investigation (HWY18MH010).
NTSB Highway Accident Report
9
(see section 1.5.7 for details).
21
A regularly scheduled recalibration of the ADS components,
primarily the sensors, was conducted on March 13, 2018.
Figure 5. Location of sensor components on 2017 Volvo XC90 equipped with ATG’s ADS. (Not
all locations of sensor components are shown)
1.5.2.1 Lidar System. The lidar system consisted of a single lidar unit mounted on the
forward half of the SUV’s roof, as shown above (figure 5).
22
The lidar, which was manufactured
by Velodyne, had a range of over 100 meters (328 feet) and could detect objects in a 360-degree
radius. Initial processing of lidar data was done by the Velodyne processing unit. The ADS then
used the data to build a representation of the surrounding environment, which was continually
updated as the system detected new objects.
The ADS’s primary use of lidar data was for object detection and classification of detected
objects. Data from the lidar system were also used to create a map of the designated route and to
verify the vehicle’s position along that route.
1.5.2.2 Radar System. The radar system consisted of eight radars with dual ranging
capabilities—alternating between narrow, long-range scanning and wider, medium-range
scanning—positioned around the vehicle to provide a 360-degree view of the surrounding
21
An HMI is any type of interface—such as a display, a keypad, or a button—that allows a user to interact with
a machine.
22
Lidar uses laser light to detect and measure distance to objects by directing light and receiving it back upon its
reflection from an object. Time of flight between the pulsing of the laser light and the reception of its return upon
reflection from an object is used to compute distance.
NTSB Highway Accident Report
10
environment.
23
Two radars were placed on the front of the vehicle for forward scanning, two radars
were placed on each side for lateral scanning, and two radars were placed on the rear for rearward
scanning.
The long-range radar scan had an observational range of up to 180 meters (591 feet), with
a 20-degree field of view. The medium-range radar scan had an observational range of up to
65 meters (213 feet), with a 90-degree field of view. The radar system initially processed the data,
which the ADS then used to build and update its representation of the environment. The ADS used
data from the radar system primarily for detection and classification of objects.
1.5.2.3 Camera System. The camera system consisted of eleven cameras that gave a
360-degree view of the surrounding environment. The system included (1) two cameras with
narrow fields of view for long-range forward stereo imaging, (2) one single-lens camera with a
wide field of view for medium-range forward imaging, (3) two single-lens cameras with wide
fields of view for medium-range imaging of lateral areas, (4) two single-lens cameras with wide
fields of view for imaging the area behind the vehicle, and (5) four surround-view cameras
positioned for close-range imaging.
The range at which an object could be detected depended on its size and visibility. The
ADS processed the optical data from all cameras. The primary use of the imaging data from the
forward camera was in the detection of obstacles and the classification of detected objects. The
forward camera was also used to recognize traffic signs and the status of traffic lights.
24
In addition
to monitoring and real-time analysis of perceived objects, the cameras continually recorded the
driving environment. ATG regularly reviewed segments of recorded video from the eleven
cameras as part of ADS development.
1.5.2.4 Other Systems. A global positioning system (GPS) was used to determine the
SUV’s position at ADS engagement (described in section 1.5.4.1).
25
The SUV was also equipped
with a long-term evolution antenna for securing mobile data traffic and authenticating cloud
communication.
26
Twelve ultrasonic sensors with a range of 5 meters (16 feet) were integrated
around the vehicle. They were used primarily to detect other vehicles during lane changes and to
identify pedestrians, curbs, and other obstacles when the vehicle was parking or collecting
passengers. The vehicle was also equipped with an inertial measurement unit, an electronic device
that measures acceleration and angular velocity. The device contained accelerometers and
gyroscopes and was used to refine the position of the SUV along its route.
23
Radars use super-high-frequency radio waves to detect and measure distance to objects. Time of flight between
the broadcast of the waves and the reception of their return on reflection from an object is used to compute distance.
Super high frequency is defined by the International Telecommunications Union as the band of frequencies ranging
from 3 to 30 gigahertz, where 1 gigahertz represents 1 billion cycles per second.
24
The camera system also supported near-range sensing of people and objects within 5 meters (16 feet) of the
SUV during lane changes and parking, and when collecting passengers.
25
The GPS was not used to verify the vehicle’s position along the premapped routes. Vehicle path verification,
as described in section 1.5.3, was done primarily by the lidar system.
26
Long-term evolution, or LTE, is a wireless communication standard for the 4G telecommunication network.
NTSB Highway Accident Report
11
1.5.3 Route Mapping, Path Guidance, and Verification
ATG developed high-definition maps for the designated routes where the ADS operated
autonomously. The routes could be considered the ADS geographical operational design domain
(ODD)—the roadways on which an automated system is designed to operate.
27
Routes were
mapped by manually driving an ADS-equipped vehicle along a route while the lidar, camera, and
other sensor systems recorded all aspects of the environment. The resulting high-definition map
included road markings, curbs, traffic signals, signage, roadway grade and curvature, and pertinent
nontraffic static objects, such as buildings. The sensors also recorded vehicle dynamics—velocity,
angle, and yaw rate.
The ADS can be initiated only when a vehicle is on a designated premapped route. This
system-based restriction precludes operators from engaging the ADS outside the premapped route.
Operators are nevertheless responsible for adhering to other ODD conditions, such as operation
during inclement weather (see below for operational restrictions).
As the vehicle travels along its route, the sensors continually scan the environment and
monitor vehicle dynamics, which are then analyzed to verify the vehicle’s position. The
environmental features and roadway characteristics detected by the system, along with the
monitored vehicle dynamics, are matched to the features and characteristics along the premapped
route at those specific locations. The process of continuous and redundant verification of vehicle
position is designed to eliminate the possibility of a vehicle venturing outside its designated path.
It also allows the system to adapt to slight deviations in the environment and adjust the ADS
motion plan accordingly.
1.5.4 Operation
1.5.4.1. Engagement and Restrictions. ADS engagement is a two-step process that can
be completed only when an ATG test vehicle is on a designated route. An operator engages the
ADS by (1) pulling up a red knob on the center console to the right of the shift lever, and
(2) pushing a silver button behind the red knob (see section 1.5.7 for illustration). ADS testing in
the Tempe area was restricted by ATG to (1) a maximum vehicle speed of 45 mph; (2) urban and
rural roads, excluding highways; (3) most weather conditions, except heavy rain and snow; and
(4) most roadway conditions, including dry and wet but excluding accumulated snow. ATG did
not restrict ADS testing on the basis of lighting conditions (daytime, nighttime, or twilight).
1.5.4.2. Disengagement and Operator Takeover. The ADS can be disengaged by a
vehicle operator or by the system itself. An operator can immediately disengage the ADS by taking
control of the vehicle—by braking, steering, or accelerating—or by pushing down the red
disengagement knob on the center console.
28
27
The concept of ODD was introduced in the first Federal Automated Vehicles Policy published by the US
Department of Transportation in September 2016 (accessed December 6, 2019). Based on that policy, a defined ODD
should include the speed range, roadways, geographic area, and environmental conditions under which an automated
vehicle is designed to operate.
28
Unlatching a lap/shoulder belt would also result in immediate ADS disengagement.
NTSB Highway Accident Report
12
Depending on the circumstances, ADS disengagement initiated by the system can be
anticipated or sudden. An anticipated disengagement, such as when the vehicle is exiting a
premapped area (geographical ODD), is preceded by an early auditory alert—before
disengagement begins—to the operator to take control of the vehicle.
29
If the operator fails to take
control, at the time of disengagement the system sends the operator another auditory alert and
simultaneously starts a gradual vehicle slowdown. Sudden disengagement can follow an
operational error in a sensory system or a system fault, such as a problem with data recording. At
the time of sudden disengagement, the system sends an auditory alert to the operator.
1.4.5.3 Operator Protocols. At the time of the crash, ATG tested with one vehicle
operator inside a vehicle. The company’s operating procedures required vehicle operators, after
initiating the ADS, to (1) monitor the driving environment and the operation of the ADS; (2) take
control of the vehicle and intervene in emergency situations to avoid collisions; (3) hover with
their hands above the steering wheel and their foot above the brake pedal to ensure fast takeover
of vehicle control; and (4) detect and report any unusual events in the environment or in ADS
functioning by interacting with the HMI—as described in section 1.5.7.
30
1.5.5 Motion Planning: Object Detection and Hazard Avoidance
A premapped designated route serves as the ADS initial motion plan. As the ADS
navigates and controls the vehicle along the route, the system continually monitors the
environment for objects, moving or stationary, on or outside the roadway. The detected objects
are incorporated into the virtual environment, and the system dynamically updates the vehicle’s
motion plan to avoid potential conflicts. Changes to the motion plan are usually gradual enough
to allow smooth changes in vehicle speed or heading. However, sudden hazardous situations, or
their late detection by the system, can require abrupt changes to the motion plan. This section
describes the processes by which the ADS operating at the time of the crash detected, classified,
and determined the path of potential obstacles, and the design governing ADS actions in
emergency situations.
1.5.5.1 Object Detection and Classification. Objects were detected primarily by the
lidar, radar, and camera systems. When an object was detected, it was tracked, its heading and
velocity were calculated, and it was classified by the ADS. Detected objects could be classified
as vehicles, pedestrians, or bicyclists. A detected object could also be classified as “other,”
indicating unknown object. The perception process of the ADS classified detected objects by
relying on the fusion of the three sensor systems. The ADS used a prioritization schema that
promoted tracking by certain sensory systems over others and that was also dependent on the
recency of an observation.
31
1.5.5.2 Path Prediction. Once the ADS perception process classified a detected object,
the ADS generated multiple possible trajectories—path predictions—based on the typical goal
29
A system-based restriction precluded autonomous operation outside the designated premapped area. If a final
destination was outside that area, the ADS would initiate an anticipated disengagement protocol before exiting the
area.
30
For details about vehicle operator training, see section 1.8.3.
31
A more recent detection of an object received a higher tracking prioritization in the ADS classification schema.
NTSB Highway Accident Report
13
of the detected object and its tracking history. For example, an object detected in a travel lane
and classified as a vehicle would generally be assigned a goal of traveling in the direction of traffic
in that lane. The system then incorporated the previously detected locations of that object—its
tracking history—before generating a possible trajectory. The path predictions were continually
updated to incorporate each object’s latest detected location.
If the perception process changed the classification of a detected object, it no longer
considered the tracking history of that object when generating a new trajectory. For newly
reclassified objects, the predicted path depended on its goal. For example, a detected object that
was in a travel lane and that was newly classified as a bicycle could be assigned the goal of moving
in the direction of traffic in that lane, independent of the object’s lack of tracking history.
Certain object classifications (“other”) were not assigned goals.
32
Their currently detected
location was viewed as static, and unless the location was directly on the path of the test vehicle,
the object was not considered a possible obstacle. Pedestrians outside the vicinity of a crosswalk
were also not assigned an explicit goal. However, a midblock crossing trajectory might be
predicted for them based on the observed velocities, when they were continually detected and
classified as pedestrians.
If the predicted path of a detected object intersected that of the test vehicle, the ADS would
modify its motion plan or initiate hazard avoidance (described below). Since the crash, ATG has
changed the way the system fuses sensor information and predicts possible trajectories so that it
retains tracking history even if detected objects are reclassified (see section 1.9).
1.5.5.3 Hazard Avoidance and Emergency Braking. As the ADS detected, classified,
and tracked objects, it modulated the vehicle dynamics—steering and throttle—to maintain
smooth movement, without abrupt changes in motion. In certain situations, such as the sudden
hard braking of a vehicle ahead or an initially obscured pedestrian darting in front of the test
vehicle, gradual changes in vehicle trajectory might be insufficient to avoid a collision.
As a developmental system, the ATG ADS was designed with a specific engagement
protocol for emergency situations. An emergency was defined as a situation requiring braking at
a deceleration greater than 7 meters per second squared (m/s
2
) (0.71 g) or rate of deceleration
(jerk) greater than ±5 meters per second cubed (m/s
3
) to prevent a collision.
33
When the system
detected an emergency situation, it initiated action suppression. That was a 1-second period
during which the ADS would suppress braking while (1) the system verified the nature of the
detected hazard and calculated an alternative path, or (2) the vehicle operator took control of the
vehicle.
No alert was given to the operator when action suppression was initiated. ATG stated
that it implemented action suppression because of concerns about false alarms—the ADS
32
Since “other” objects were viewed as unknown, their general direction of travel—their potential goals—would
also have been unknown.
33
Acceleration due to gravity is denoted as g. Although the ADS limited maximum automated braking to 0.71 g,
the vehicle’s maximum braking capacity, with optimal roadway surface friction, was 1 g. The TPD determined, on
the basis of the vehicle’s capabilities and the road surface friction, that the SUV was capable of decelerating at an
average of 0.92 g in the crash area.
NTSB Highway Accident Report
14
identifying a hazardous situation when none existed—that would cause the vehicle to engage in
unnecessary extreme maneuvers. The primary countermeasure in an emergency situation was
the vehicle operator, who was expected to recognize the hazard, to take control of the vehicle, and
to intervene appropriately.
34
If a vehicle operator did not take control of the vehicle in an emergency and the situation
remained hazardous after action suppression, the ADS response depended on whether a collision
could be avoided with a maximum braking of 7 m/s
2
and a maximum deceleration rate of 5 m/s
3
.
If a collision could be avoided with the maximum allowed braking and jerk limit, the system
executed its plan and engaged braking to the maximum allowed. If a collision could not be
avoided with the application of maximum allowed braking, the system was designed to send an
auditory alert to the vehicle operator while simultaneously initiating gradual vehicle slowdown.
In such circumstances, the ADS was not designed to apply maximum braking only to lessen the
severity of a collision.
Since the crash, ATG has changed the way the ADS responds in an emergency situation.
The system will now activate maximum allowed braking for crash mitigation as well (see
section 1.9).
1.5.6 Data Recorded During Crash Trip
ATG provided NTSB investigators with a comprehensive dataset covering trip
preparation in the ATG terminal and the approximately 39-minute operation of the crash vehicle
on public roads, as recorded by both the ADS and the supplementary fleet-monitoring system.
This section focuses on events leading to the crash but also includes events earlier in the trip.
Sources are the quantitative data recorded by the ADS and the video recorded by the cameras,
including the supplementary monitoring system. Data pertaining to the operator’s interaction
with the HMI—the tablet computer—are discussed in section 1.5.7.
1.5.6.1 ADS Data. The ADS data included the time the system detected the pedestrian,
how the system classified and assigned predicted paths to the pedestrian, various vehicle
dynamics, and the ADS’s planned and executed actions. At the request of NTSB investigators,
ATG provided a playback of sensor and vehicle dynamics information showing the events
leading up to the crash. Investigators examined the output from the sensor systems to create a
timeline of the events (see the table). The ADS did not report any sensor or system failures
during the crash trip.
34
The vehicle operator was expected to intervene only if circumstances were truly collision-imminent, rather than
related to system error or object misclassification.
NTSB Highway Accident Report
15
Table. Selected parameters recorded by vehicle’s ADS.
Time to
Impact
(seconds)
Speed
(mph)
Classification and Path
Prediction
a
Vehicle and System Actions
b
-9.9
35.1
--
Vehicle begins to accelerate from 35 mph
in response to increased speed limit.
-5.8
44.1
--
Vehicle reaches 44 mph.
-5.6
44.3
Classification: Vehicle—by
radar
Path prediction: None; not on
path of SUV
Radar makes first detection of pedestrian
(classified as vehicle) and estimates
speed.
-5.2
44.6
Classification: Other—by lidar
Path prediction: Static; not on
path of SUV
Lidar detects unknown object. Object is
considered new, tracking history is
unavailable, and velocity cannot be
determined. ADS predicts object’s path as
static.
-4.2
44.8
Classification: Vehicle—by lidar
Path prediction: Static; not on
path of SUV
Lidar classifies detected object as vehicle;
this is a changed classification of object
and without a tracking history. ADS
predicts object’s path as static.
-3.9
c
44.8
Classification: Vehicle—by lidar
Path prediction: Left through
lane (next to SUV); not on path
of SUV
Lidar retains classification vehicle. Based
on tracking history and assigned goal, ADS
predicts object’s path as traveling in left
through lane.
-3.8 to -2.7
44.7
Classification: alternates
between vehicle and other—by
lidar
Path prediction: alternates
between static and left through
lane; neither considered on path
of SUV
Object’s classification alternates several
times between vehicle and other. At each
change, tracking history is unavailable;
ADS predicts object’s path as static. When
detected object’s classification remains
same, ADS predicts path as traveling in left
through lane.
-2.6
44.6
Classification: Bicycle—by lidar
Path prediction: Static; not on
path of SUV
Lidar classifies detected object as bicycle;
this is a changed classification of object
and object is without a tracking history.
ADS predicts bicycle’s path as static.
-2.5
44.6
Classification: Bicycle—by lidar
Path prediction: Left through
lane (next to SUV); not on path
of SUV
Lidar retains bicycle classification; based
on tracking history and assigned goal, ADS
predicts bicycle’s path as traveling in left
through lane.
NTSB Highway Accident Report
16
Time to
Impact
(seconds)
Speed
(mph)
Classification and Path
Prediction
a
Vehicle and System Actions
b
-1.5
43.8
d
Classification: Other—by lidar
Path prediction: Static; partially
on path of SUV
- Lidar detects unknown object; because
this is an unknown object, it lacks tracking
history and is not assigned a goal. ADS
predicts object’s path as static.
- Although detected object is partially in
SUV’s lane of travel, ADS generates
motion plan around object (maneuver to
right of object); motion plan remains
valid—avoiding object—for next two data
points.
-1.2
43.2
Classification: Bicycle—by lidar
Path prediction: Travel lane of
SUV; fully on path of SUV
- Lidar detects bicycle; although this is a
changed classification and without a
tracking history, it is assigned a goal. ADS
predicts bicycle to be on SUV’s path.
- ADS motion plan (generated 0.3 seconds
earlier) for steering around bicycle no
longer possible; situation becomes
hazardous (emergency situation).
- Action suppression begins.
-0.2
40.5
Classification: Bicycle—by lidar
Path prediction: Travel lane of
SUV; fully on path of SUV
- Action suppression ends 1 second after it
begins.
- Situation remains hazardous; ADS
initiates plan for gradual vehicle slowdown.
- Auditory alert indicates that ADS is
engaging and controlled slowdown is
initiating.
e
-0.02
39.0
--
Vehicle operator takes control of steering
wheel, disengaging ADS.
Impact
0.7
37
--
Vehicle operator brakes.
a
Table reports only changes in object classification and path prediction. Last reported values persist until a new
one is reported.
b
Process of predicting path of detected object is complex and relies on examination of numerous factors, beyond
details given in this column, as described in section 1.5.5.
c
Vehicle was about 243 feet from impact location at this time.
d
Vehicle started decelerating due to approaching intersection, where preplanned route included right turn at Curry
Road. Deceleration plan was generated 3.6 seconds before impact.
e
Slight communication delay made it unclear whether implementation of slowdown plan started before operator
took control.
The ADS first detected the pedestrian 5.6 seconds before impact, when she was about
10 feet east of the median curb—approximately in the middle of where the northbound road’s two
left-turn lanes begin to form (refer to figure 1). The system never classified her as a pedestrian—
or correctly predicted her path—because she was crossing N. Mill Avenue at a location without a
crosswalk, and the system design did not include consideration for jaywalking pedestrians. The
NTSB Highway Accident Report
17
ADS changed the pedestrian’s classification several times, alternating between vehicle, bicycle,
and other. Because the system never classified the pedestrian as such, and the system’s design
excluded tracking history for nonpersisting objects—those with changed classifications—it was
unable to correctly predict the pedestrian’s path.
Only when the ADS determined that the pedestrian’s detected location was in the path of
the SUV, 1.2 seconds before impact, did the system recognize an emergency situation—an
imminent collision. Because preventing the collision would have required braking beyond the ADS
braking design specifications, the system initiated action suppression of its motion plan. One
second later, the vehicle was still on a collision path with the pedestrian and the operator had not
taken control of the vehicle. Preventing the collision still required braking beyond the ADS design
specifications. In accordance with its design, the system did not engage emergency braking, but
instead sounded an auditory alert to the vehicle operator as it initiated a plan to gradually slow the
vehicle.
1.5.6.2 Camera Recordings. In addition to the ADS camera system that detected obstacles
and monitored the environment, the SUV was equipped with Janus V3, a fleet-monitoring device
consisting of three cameras: one facing forward, one facing rearward, and one facing inward.
NTSB investigators examined video from both the ADS and the Janus cameras.
35
Janus Forward-Facing Camera. The first time the pedestrian is visible on the recording is
about 2 seconds before the collision. Her shoes are the first objects to become visible, followed by
the wheel rims of the bicycle she is pushing. About 1 second before the collision, the pedestrian is
seen looking over her right shoulder toward the SUV. She appears to be wearing white shoes, blue
jeans, and a dark coat. Her bicycle is red and does not have side reflectors on either wheel. At the
time of impact, the bicycle and the pedestrian are perpendicular to the SUV. While a small
headlight mounted on the front of the bicycle appears to be on, it is barely visible because the
headlight beam is directed perpendicular to the roadway.
Because of the nighttime conditions, as well as the resolution and the quality of the camera
lens, the recording from the Janus forward-facing camera is unlikely to depict exactly what the
vehicle operator might have seen at the time of the crash. Furthermore, according to NTSB
investigators who examined the crash site in the days after the crash and during the same hours as
the crash, the nighttime visibility in the area was considerably greater than depicted on the video
recording.
ADS Forward Camera. As in the video from the Janus forward-facing camera, the
pedestrian becomes visible about 2 seconds before impact. The details in the rest of the recording
match those recorded by the Janus forward-facing camera.
Janus Inward-Facing Camera. While the SUV was parked in the ATG garage, about
15 minutes before the drive started, the vehicle operator is seen removing a cell phone from a
backpack and placing it in the bottom of the center console, below the HMI tablet and out of the
35
See the Onboard Image and Data Recorder report in the NTSB public docket for this investigation for a
complete description of the camera recordings (HWY18MH010).
NTSB Highway Accident Report
18
camera’s view (see next section for illustration).
36
Before entering the public road, the operator
appears several times to be gazing toward and interacting with an object in the bottom of the center
console.
The NTSB analyzed the operator’s glances during the almost 39 minutes that the SUV was
traveling on a public road before the crash. During the 31.5 minutes when the SUV was moving—
after entering the public road—the operator spent 34 percent of her time gazing down toward the
bottom of the center console.
37
The maximum continuous duration of the operator’s downward
gaze was 26.5 seconds. That occurred on the same section of N. Mill Avenue where the crash
occurred but about 23.5 minutes earlier, while the operator was completing the first loop of the
route.
During nearly 3 minutes before the crash, the vehicle operator looked toward the bottom
of the center console 23 different times. Seven glances lasted at least 3 seconds, with the longest
lasting 6.9 seconds. The operator began glancing down toward the bottom of the center console
6 seconds before impact, where she retained her gaze for the next 5 seconds. She returned her gaze
to the road about 1 second before impact. According to the ADS data listed in the previous section,
the operator initiated a steering maneuver 0.02 seconds before impact.
1.5.7 Human-Machine Interface
ATG mounted a tablet on the center stack, covering Volvo’s infotainment screen, to serve
as an HMI between the vehicle operator and the ADS (figure 6). While the vehicle was in motion,
the tablet displayed the route and the vehicle’s movement. The tablet’s interactive function was
limited to events related to ADS operation. The operator could “tag” (make note of) three types of
events: (1) an outside event of interest, such as a stopped school bus; (2) an unusual ADS action,
such as incorrectly reacting to a situation that should have been within its capacity; or (3) an issue
with equipment inside the vehicle.
When the vehicle was in motion, the system restricted HMI tagging to events that required
only one or two screen touches. Operators were instructed to tag an event as soon as possible after
its occurrence, safe driving conditions permitting. In case of operator-initiated ADS
disengagement, two icons, indicating the criticality of the event, would appear on the tablet for
10 seconds.
38
Operators were instructed to press one of the two icons if possible and pull over or
complete the route before reporting the disengagement event to their supervisor.
36
While examining the vehicle, NTSB investigators noticed a slot behind the disengagement button, just below
the HMI tablet. They determined that the slot could serve as a stable mount for a cell phone and afford a good view
from the driver’s seat. However, due to the position of the inward-facing camera, the recording does not show that the
vehicle operator’s cell phone was mounted in the slot.
37
The SUV was stopped in traffic for 7.5 minutes of the total travel time.
38
The two icons were labeled “Critical” and “Autonomy.” The “Critical” icon would be selected if the operator
took over as a result of a potentially hazardous situation. The “Autonomy” icon would be selected if the operator took
over during a nonhazardous situation, usually as a result of unusual ADS behavior.
NTSB Highway Accident Report
19
Figure 6. SUV interior showing locations of slot that could mount a cell phone (yellow region in
center console), ADS engagement/disengagement knob (red), ADS engagement button (blue),
and HMI (with inset illustrating image on tablet).
HMI data show that 19 minutes 25 seconds before the crash, the system alerted the operator
that the ADS was disengaging. That prompted the operator, 3 seconds later, to take manual control
of the vehicle. ADS disengagement would have followed the process described in section 1.5.4.2.
39
The operator tagged the disengagement on the tablet. Ten seconds later, 19 minutes 12 seconds
before the crash, the operator reengaged the ADS. For the rest of the crash trip, the operator did
not interact with the tablet, and the HMI did not present any information that required the
operator’s input on the tablet.
1.5.8 ATG Fleet of Test Vehicles
The route where the SUV was operating at the time of the crash was one of five in the
Tempe area on which ATG tested the ADS. At the time of the crash, the company’s fleet of test
vehicles had traveled that route about 50,000 times. Tempe was one of five locations where ATG
conducted ADS testing. The others were Toronto, Canada; Scottsdale, Arizona; San Francisco,
California; and Pittsburgh, Pennsylvania.
ATG records show that between September 2016 and March 2018 (excluding the Tempe
crash), 37 crashes and incidents involved ATG test vehicles operating in autonomous mode. Most
(33) involved another vehicle striking the test vehicle: 25 were rear-end crashes, and in 8 crashes,
the ATG test vehicle was sideswiped by another vehicle. In two incidents, the ATG test vehicle
was the striking vehicle. In one, the ATG test vehicle struck a bent bollard in the bicycle lane that
partly encroached on the vehicle’s travel lane. In the other, the operator took control to avoid an
39
ATG provided HMI data in both quantitative and video format. The video showed everything that was displayed
on the tablet and every action by the operator.
NTSB Highway Accident Report
20
oncoming vehicle that had entered the test vehicle’s lane of travel; the operator steered away and
struck a parked car. In the remaining two incidents, the ATG test vehicle was vandalized by a
passing pedestrian while the vehicle was stopped.
1.6 Volvo Advanced Driver Assistance Systems
1.6.1 Collision Avoidance
The SUV was factory-equipped by Volvo with several ADASs, including those for the
prevention and mitigation of rear-end crashes. A system that warns a driver of an imminent forward
collision is called a forward collision warning (FCW) system; one that automatically initiates
braking to prevent or mitigate a forward collision is called an automatic emergency braking (AEB)
system. Because ATG disengaged the Volvo ADASs during ATG ADS operation, the Volvo
ADASs were not active at the time of the crash (the interaction is further explored in section 1.6.3).
Investigators nevertheless examined the capabilities of the forward collision mitigation ADAS
relative to the crash.
One of the systems, marketed under the name City Safety, is a rear-end-crash warning and
mitigation system. It has the capacity to prevent forward collisions with moving or stationary
vehicles with a velocity differential of up to 31 mph and to mitigate crashes with a higher velocity
differential.
40
The system alerts a driver when approaching a slow-moving or stopped vehicle. If
the driver does not respond by braking or steering away, the system automatically brakes to prevent
or mitigate a rear-end crash.
The version of City Safety installed on the crash-involved SUV could also detect
pedestrians, bicyclists, or large animals.
41
If the system detected an impending collision, it would
alert the driver or automatically brake. The pedestrian- and bicyclist-detection component could
avoid or mitigate collisions with pedestrians or bicyclists when the vehicle was traveling up to
43 mph.
42
1.6.2 Data and Simulation
1.6.2.1 Control Modules. Investigators examined data from the modules of the SUV’s
standard control, recording, and storage systems. The control modules recorded only data
40
The SUV was factory-equipped with several other ADASs, including roadway departure warning, adaptive
cruise control, and lane-keeping.
41
In 2018, the NTSB published a special investigation report on pedestrian safety that explored vehicle-based
countermeasures (such as improved headlights), passive protections built into vehicle designs (such as lower or softer
bumpers), collision avoidance systems (such as automatic braking), and roadway designs (such as crossing islands)
that can improve pedestrian safety (NTSB 2018). The report analyzed 15 fatal pedestrian crashes from 2016 and made
11 safety recommendations. More recently, the NTSB published a research report on bicyclist safety that examined
the nature and scope of bicycle crashes, identified underused countermeasures, and discussed emerging issues (NTSB
2019b).
42
City Safety could reduce vehicle speed by up to 30 mph to prevent or mitigate a collision with a bicyclist and
by up to 28 mph to prevent or mitigate a collision with a pedestrian.
NTSB Highway Accident Report
21
immediately before and after the impact. Depending on the module, the recorded data spanned
8 to 15 seconds.
Most data from the Volvo control modules were duplicated in the data recorded by the
ATG ADS. NTSB investigators examined the overlapping data and verified the consistency of
vehicle dynamics data between the two sources. Investigators also examined data from the Volvo
supplemental restraint system (SRS), which controlled and stored information about air bag
deployment and nondeployment events triggered by sudden velocity changes.
43
Another SRS
feature detected potential roadway departures by monitoring vehicle dynamics.
44
Data from the SRS module showed that air bags were not deployed in the crash. The SRS
road runoff function, however, detected a potential roadway departure, which triggered the SUV’s
ERR to tense the driver’s seat belt. The ERR activated 1.7 seconds after impact. The timing of the
detection of a possible road runoff indicates that it was not due to the initial impact, but rather to
the SUV’s secondary contact with the pedestrian.
The vehicle was also factory-equipped with an Active Safety Domain master module that
controlled and recorded activation of the ADAS. Since the ADASs were deactivated during the
crash trip, the master module did not record any data on the operation of the vehicle’s various
ADASs.
45
1.6.2.2 Volvo Simulation. Volvo ran simulation tests to demonstrate how its ADAS would
have responded to circumstances like those of the Tempe crash. The simulation model assumed
ideal sensor operation. Volvo developed 20 variations of the pedestrian’s precrash movement—
basing variations in her walking speed and crossing angle on videos from the forward-facing
cameras—to account for a range of precrash scenarios. The variations in the pedestrian’s
movement affected the time when City Safety would have detected and identified the pedestrian
as being on a collision path with the SUV. While the known trajectory of the pedestrian’s
movements—based on ADS sensor information—was within the crossing angle parameter of the
simulation, each variation in the simulation assumed that the pedestrian moved along a linear path
and at a constant walking speed.
Based on the known position and speed of the SUV, for each of the 20 variations of
pedestrian movement, the simulation modeled when the forward collision mitigation ADAS would
have detected and classified the pedestrian as being on a collision path with the SUV. In the
simulation, the pedestrian was detected as being on a collision path when fully within the radar
sensor range and the camera’s field of view—which occurred at a distance of 50 meters (164 feet).
The simulation next estimated the time when the FCW and the AEB would have activated.
The simulation showed that the FCW would have alerted the driver 2.5 seconds before impact, and
that the AEB would have activated 1.4 seconds before impact. Assuming no response from the
43
The threshold for triggering a sudden deceleration event was a 7-mph deceleration in 1 second.
44
Using an algorithm for detecting rough road, the road runoff function was triggered when a vehicle’s roll rate
and lateral, longitudinal, and vertical acceleration oscillated three times beyond a threshold value within a short time.
45
For additional details pertaining to data recorded by the Volvo systems, see the Vehicle Factors factual report
in the NTSB public docket for this investigation (HWY18MH010).
NTSB Highway Accident Report
22
driver, and considering only AEB activation, the SUV was predicted to avoid a collision with the
pedestrian in 17 out of 20 variations of pedestrian movement. In the avoidance cases, the reduced
speed of the SUV increased the time to collision and allowed the pedestrian to move past the point
of intersection with the SUV. In the other three variations, AEB activation reduced the impact
speed to less than 10 mph.
1.6.3 Interaction with Uber ATG Automated Driving System
When the SUV was operated in manual mode (controlled by a vehicle operator), all the
Volvo ADAS components were active. When the SUV was operated in autonomous mode
(controlled by the ATG ADS), all the Volvo ADAS components were automatically deactivated.
Volvo’s passive safety technologies, such as the seat belt pretensioners and air bag deployment
systems, remained active, however.
46
Volvo enabled ATG to design its test vehicle so that the Volvo ADAS would deactivate
when the ATG ADS was engaged. According to both Volvo and ATG, simultaneous operation of
the Volvo ADAS and the ATG ADS was viewed as incompatible because (1) there was a high
likelihood of signal misinterpretation by the Volvo and ATG systems’ radars because they
operated on the same frequencies, and (2) the SUV’s brake module had not been designed to assign
priority if it were to receive braking commands from both the Volvo AEB and the ATG ADS.
1.7 Human Factors
1.7.1 Pedestrian
The pedestrian was a 49-year-old female who, according to the Tempe Fire Medical Rescue
Department, did not have a home address. NTSB investigators were unable to obtain additional
information about the pedestrian’s history or her activities in the days and hours before the crash.
At the request of NTSB investigators, the Federal Aviation Administration Forensic
Sciences Laboratory performed toxicological tests on a sample of the pedestrian’s blood. The
results were negative for alcohol, but the tests identified 2.126 micrograms per milliliter (µg/mL)
of methamphetamine, 0.25 µg/mL of amphetamine (the primary metabolite of methamphetamine),
and 3.1 nanograms per milliliter (ng/mL) of tetrahydrocannabinol (THC) carboxylic acid, an
inactive metabolite of THC.
47
1.7.2 Vehicle Operator
1.7.2.1 Licensing, Training, and Driving History. The vehicle operator was a 44-year-old
female who had been working as an automated vehicle operator for ATG since June 2017. She
46
According to ATG, all the systems required by the Federal Motor Vehicle Safety Standards (FMVSSs)
remained operational during ADS operation.
47
Methamphetamine is a central nervous system stimulant. The laboratory also detected 7.6 nanograms per gram
of THC in the pedestrian’s lung tissue. THC is the main psychoactive compound in marijuana. A complete list of
substances tested for can be found on the Federal Aviation Administration website (accessed December 6, 2019).
NTSB Highway Accident Report
23
held an Arizona class D driver’s license that had no restrictions, most recently reissued in July
2016.
48
According to ATG records, the operator had completed a 3-week training program as well
as subsequent recurrent training classes (for a description of the training—which included driving
skills and ADS operation—see section 1.8.4). She was familiar with the section of N. Mill Avenue
where the crash occurred and had traveled on it while operating ATG test vehicles in autonomous
mode. She had completed the designated route 73 times in autonomous mode since completing her
training. Records show that she had not been reprimanded at any time during her employment. She
received a reward for her overall performance in fourth quarter 2017.
49
Arizona motor vehicle records show that in the 10 years before the crash, the vehicle
operator had four traffic violations, the last of which was in April 2016, for speeding.
50
She had no
reportable crashes on her record.
1.7.2.2 Health and Toxicology. No toxicological tests of the vehicle operator were
performed. A drug recognition expert from the TPD examined her on scene immediately after the
crash and found no probable cause to obtain a blood sample for testing or to conduct other tests
for alcohol and other drugs.
51
Although ATG had a policy requiring vehicle operators to submit to
drug testing after a crash, the policy was not followed (for more information on ATG policies, see
section 1.8.2). In an interview with NTSB investigators, the operator reported having no health
issues that would have affected her driving performance.
1.7.2.3 Activities Before Crash. NTSB investigators used information from interviews
with the vehicle operator, cell phone records, and ATG employee records to reconstruct the vehicle
operator’s activities before the crash. She did not work between March 14 and March 16. The
records show that she had more than a 12-hour opportunity for sleep on the night of March 15–
March 16.
52
On March 17, after more than a 12-hour sleep opportunity, the vehicle operator arrived
at the ATG facility. She started her shift at 8:00 p.m. She completed the shift and arrived home at
3:15 a.m. on March 18.
About noon on the day of the crash, after a 7-hour sleep opportunity, the vehicle operator
traveled to Tucson, Arizona, to visit her family. She returned to Tempe in the evening and began
48
A class D Arizona driver’s license allows the holder to operate any vehicle that does not require a motorcycle
or commercial license.
49
According to ATG, the vehicle operator’s performance reward was based on three criteria: professionalism,
collaboration, and initiative/ownership.
50
The vehicle operator was cited for “Violation of maximum speed limit outside urbanized area” in April 2016.
Other violations include (1) “Reasonable and prudent speed violation” in July 2015, (2) “Operation of vehicle without
current registration” in March 2008, and (3) “Driving while license suspended/revoked/canceled” in March 2008.
51
(a) A drug recognition expert is a law enforcement officer trained in recognizing impairment in drivers due to
drug use. (b) Arizona does not have a mandatory requirement for alcohol and other drug testing for drivers involved
in fatal crashes.
52
Although the vehicle operator was scheduled to work on March 16, she called in sick because of a headache.
NTSB Highway Accident Report
24
her shift at 7:30 p.m.
53
At the time of the crash, the operator had been on duty driving—manually
in the ATG terminal and in autonomous mode on public roads—about 45 minutes.
54
Figure 7
shows the vehicle operator’s activities in the 3 days before the crash and on the crash day.
Figure 7. Precrash activities of vehicle operator, March 15–18, 2018.
The vehicle operator told NTSB investigators that she had placed a personal phone in her
purse before driving, and that her company phone was on the passenger seat at the time of the
crash. She also said that moments before the crash, she was attending to and interacting with the
HMI.
55
The vehicle operator’s personal cell phone held several video-streaming applications.
NTSB investigators examined the records that the TPD obtained from the content providers. The
records showed that the account belonging to the vehicle operator was continually streaming a
television show between 9:16 p.m. and 9:59 p.m. on March 18. That period covered the entire
crash trip, which included 39 minutes on a public road.
1.7.3 Postcrash Observation of Sight Distance
On March 22, 2018, the TPD conducted observations at the crash site to determine the
distance at which the vehicle operator would have been able to see the pedestrian. The observations
started at 10:00 p.m. and were conducted under the same lighting conditions as existed at the time
of the crash. NTSB investigators were present during the observations. One officer—of a similar
height as the crash-involved pedestrian and wearing a similar dark outfit—was positioned at
different locations along the pedestrian’s likely path across N. Mill Avenue. The officer held a
bicycle at her left side. At the same time, another officer drove the crash-involved SUV at 5 mph
toward the crash area. Although the observation did not reproduce the relative positions of the
53
Tempe is about 109 miles from Tucson. The operator reported arriving in Tucson about 1:30 p.m. and leaving
for Tempe by 5:00 p.m.
54
As noted earlier, before operating a test vehicle, vehicle operators inspect the vehicle and the ADS.
55
Section 1.5.7 describes the data extracted from the HMI. The data showed no tags presented on the tablet near
the time of the crash and that the operator did not interact with the HMI during that period.
NTSB Highway Accident Report
25
SUV and the pedestrian in the crash, the TPD examined the maximum distance at which the officer
driving the SUV could detect a pedestrian near the northbound travel lane. When the SUV was
637 feet from the impact site, the officer reported being able to see the exemplar pedestrian, who
was positioned just off the median curb, at the edge of the left-turn lane.
NTSB investigators who were at the crash location when the TPD made its visibility
observations found that the streetlights would have sufficiently illuminated the path of the
pedestrian, allowing the vehicle operator to detect her movements. The investigators conducted a
sight-distance analysis to determine whether any physical obstructions could have prevented the
vehicle operator from seeing the pedestrian while she was attempting to cross N. Mill Avenue.
According to ADS data, 5.6 seconds before impact, the pedestrian was about 10 feet east of the
median curb and 350 feet north of the SUV. Considering the known positions of the pedestrian
and the vehicle operator—based on ADS data—and the height of the SUV’s driver seat, no
obstructions would have been present, and the vehicle operator would have had a clear line of sight
of the pedestrian 5.6 seconds before impact. The line-of-sight evaluation further showed that the
vehicle operator would have continually had a clear line of sight of the pedestrian until impact.
1.7.4 Arizona Statutes on Pedestrian and Driver Responsibilities
Arizona statutes 28-793 and 28-794 govern pedestrian movement and driver responsibility
on the state’s roads.
56
The statute pertaining to pedestrian movement states,
Between adjacent intersections at which traffic control signals are in operation,
pedestrians shall not cross at any place except in a marked crosswalk.
And also,
A pedestrian crossing a roadway at any point other than within a marked crosswalk
or within an unmarked crosswalk at an intersection shall yield the right-of-way to
all vehicles on the roadway.
The Arizona statute regarding driver responsibilities states, among other provisions, that
drivers shall “Exercise due care to avoid colliding with any pedestrian on any roadway.” The
statute regarding image displays and drivers states,
57
While a person is driving a motor vehicle . . . the person shall not view a broadcast
television image or a visual image from an image display device . . . .
56
The Arizona statutes governing pedestrian roadway crossing and driver responsibility are accessible on the
state legislature’s website (accessed December 6, 2019).
57
Arizona statute 28-963 sets prohibitions and exceptions pertaining to the use of image display devices (accessed
December 6, 2019).
NTSB Highway Accident Report
26
1.8 Company Operations
1.8.1 Overview
Uber was founded in 2009 as a ride-sharing company that matched drivers with people
seeking transportation. At the time of the crash, Uber consisted of six divisions, including ATG.
58
ATG was established in 2015, with headquarters in Pittsburgh and a core function of developing
an automated vehicle platform. At the time of the crash, ATG employed over 1,000 personnel in
five locations.
59
The purpose of the operations center in Tempe was to test the ADS and provide
data for improving the system. The Tempe operations center garaged 40 ATG test vehicles—of
the same Volvo model as the crash-involved SUV—and employed 254 vehicle operators and
16 supervisors, plus administrative staff.
The 2017 XC90 Volvo vehicles in the ATG fleet of automated test vehicles each had a
gross vehicle weight rating of below 10,001 pounds. Under 49 CFR 390.5, such vehicles do not
meet the definition of a commercial motor vehicle, so the people operating them did not require a
commercial driver’s license.
60
Under Arizona state law, transportation services provided by Uber
or ATG were not classified as a taxi, livery, or limousine operation, but rather as a “transportation
network company.”
61
Arizona state law defines a transportation network company as an entity that
uses a digital network or software application to connect passengers to company drivers but may
not necessarily own or operate the vehicles used for transportation. Therefore, the Arizona statutes
did not require ATG vehicle operators to have a commercial driver’s license.
At the time of the crash, ATG did not allow passengers to be picked up or transported while
test vehicles were operating in autonomous mode. However, the company had offered free rides
during earlier testing. In November 2017, ATG stopped transporting passengers in its test vehicles
to focus on ADS development and testing.
1.8.2 Safety Culture and Policies
At the time of the crash, ATG did not have a corporate safety division or a dedicated safety
manager responsible solely for assessing the risk of testing the ADS on public roads.
62
The head
of operations was tasked with the duties of a safety manager. ATG also did not have a formal
safety plan or a standardized operations procedure—a document outlining the roles and
58
For additional information regarding Uber’s history and company structure, see the Operations factual report
in the public docket for this investigation (HWY18MH010).
59
ATG had offices and staff in Tempe; Pittsburgh; Detroit, Michigan; San Francisco; and Toronto. For further
details regarding ATG operations in these five locations, see the Operations factual report in the public docket for this
investigation (HWY18MH010).
60
For more detailed information on how a commercial motor vehicle is defined, see 49 CFR 390.5 (accessed
December 6, 2019).
61
Taxi, livery vehicle, and limousine, as defined in Arizona Revised Statutes section 28-101, pertain to
combinations of seating capacity, routes, fixed rates, and other variables. See the Arizona Department of
Transportation (ADOT) website for additional information (accessed December 6, 2019).
62
The typical duties of a safety manager include conducting safety briefings, assessing operational risks and loss
prevention, and maintaining the safety culture.
NTSB Highway Accident Report
27
responsibilities of departments and personnel tasked with risk assessment. ATG had a list of core
values, which were statements of intent that described the company’s philosophy.
63
ATG’s safety-related policies for vehicle operators included (1) no cell phone use and no
texting; (2) mandatory seat belt use; (3) drug testing—preemployment, random, reasonable
suspicion, and postaccident; (4) maximum driving time of 10 hours; and (5) professional conduct
and maintenance of driver qualifications.
64
ATG policies also pertained to hiring standards and
training requirements (described in section 1.8.4).
The company did not have a dedicated fatigue risk management policy. ATG provided
NTSB investigators with a memo sent to the supervisors of vehicle operators in February 2018.
The memo was intended as a reminder to supervisors that vehicle operators who felt fatigued
should, if necessary, go home to get adequate rest, without disciplinary consequences. The content
of the memo was the extent of ATG fatigue-related communications with vehicle operators.
65
Although ATG had a drug-testing policy in place at the time of the crash, it was
sporadically implemented. The vehicle operator in the crash had not submitted to any
preemployment, random, or reasonable-suspicion drug testing. Further, despite its policies, ATG
did not require the operator to submit to a drug test after the crash. Although the operator’s
supervisor arrived on scene immediately after the crash and had an opportunity to ask her to submit
to a drug test, the supervisor—or other ATG management staff—never did.
ATG had a rewards program based on overall job performance. ATG also had a tiered
(three-level) disciplinary program for infractions.
66
The most grievous level—critical—included
infractions that put people at risk, such as taking drugs or using a phone while operating a vehicle.
Critical infractions resulted in termination. The vehicle operator involved in the Tempe crash had
not been subject to any disciplinary actions during her ATG employment before the crash. She
was suspended after the crash and was laid off after ATG ceased Tempe operations in May 2018.
ATG encouraged vehicle operators to self-report violations of ATG policies and to report
infractions by their peers. ATG stated that terminal managers randomly examined videos from the
inward-facing cameras as a spot-check on vehicle operators’ adherence to company policies.
However, ATG could not document the frequency of spot-checks (only records noting an
63
An organization’s safety culture refers to a collection of individual and group values, perceptions, attitudes,
and competencies that reflect the organization’s approach to safety management. Section 2.2 of the analysis discusses
the importance of a safety culture in the context of this investigation.
64
(a) The cell phone policy was reviewed with vehicle operators during their first week of training. It was also
described in a policy booklet provided to operators. However, employees did not sign or receive a copy of a policy
pertaining specifically to cell phone use. (b) The drug-testing policy was modeled on the US Department of
Transportation’s drug-testing requirements (49 CFR Part 382). (c) Vehicle operators were mandated to take 20- to
40-minute breaks after a maximum of 4.5 hours of sustained driving, and were recommended to take 20-minute breaks
after every 2.5 hours of sustained driving.
65
Typical fatigue policies, such as those based on the North American Fatigue Management Program, contain
mechanisms for adhering to federal and state regulations—including hours on duty, provisions for driving at night,
inverted sleep schedules, company wellness programs, and training to minimize the risks of fatigue.
66
Like the cell phone policy, the infraction policy was not a standalone policy, which meant that the employees
did not sign or receive a copy of a policy pertaining specifically to infractions.
NTSB Highway Accident Report
28
infraction were kept) and stated that the spot-checks were infrequent and usually occurred only
after a possible infraction was reported. According to documents provided to NTSB investigators,
between April 2017 and February 2018, after examining videos from the inward-facing cameras,
ATG identified 18 vehicle operators who had violated the company’s cell phone policy. Nine were
given remedial training, and nine were terminated.
Investigators did not find any evidence that ATG had examined video recordings of the
crash-involved vehicle operator before the Tempe crash. She was never reported by a peer and did
not receive any disciplinary actions during her employment. When interviewed, her supervisor did
not report reviewing any videos of the operator. Since the crash, ATG has made changes in its
oversight of vehicle operators and in operator training (see section 1.9).
1.8.3 Operator Training
According to ATG, only candidates who met the following qualifications were considered
for the vehicle operator training program: (1) at least 21 years old; (2) a minimum of 1 to 3 years
of driving experience, depending on age; (3) no more than three minor driving violations in the
previous 3 years; (4) no major traffic violations in the previous 3 years; and (5) no serious traffic
violations in the previous 7 years.
67
The training program lasted at least 3 weeks and included instruction in the classroom, on
a closed course, and on the road. The first week of training typically took place in Pittsburgh. It
included 3 days of classroom training focused on ATG policies, procedures, and company values,
and 2 days of familiarization with the dynamics of the test vehicle and manual vehicle operations.
68
The second week of training, also in Pittsburgh, consisted primarily of closed-course and
on-the-road training. The focus was on vehicle-handling skills and decision-making in critical
situations, such as encounters with noncompliant or aggressive drivers or with jaywalking
pedestrians. While operating a vehicle on the closed course, trainees participated in scenarios
where they faced obstacles, including motorized dummies used to simulate pedestrians. The
scenarios were designed to train the operators to scan for pedestrians who were on crosswalks or
who were jaywalking, as well as to anticipate hazardous situations. In interviews with NTSB
investigators, the vehicle operator involved in the crash and other operators stated that they
routinely encountered jaywalking pedestrians while operating test vehicles in autonomous mode.
In the second week, candidates also learned how to operate the ADS and about the system’s
limitations and the operational protocols (required tasks) for operating a test vehicle in autonomous
mode. According to ATG, the operational protocols—specifically, operator sitting with hands
hovering over the steering wheel and foot hovering above the brake pedal—were designed to
promote vigilance and allow operators to quickly take control if necessary. During this time,
67
Minor violations involve infractions such as failure to obey traffic lights and speeding; major violations involve
infractions such as driving with a suspended license or without insurance; severe violations involve infractions such
as driving under the influence or reckless driving.
68
The vehicle operator involved in the crash completed the first week of training in Tempe. Although most vehicle
operators traveled to Pittsburgh for the first week, because of timing constraints, some operators completed their first
week of training at their home stations.
NTSB Highway Accident Report
29
operators were trained in the HMI tagging procedures. At the end of the second training segment,
trainees had to pass both a written and a driving test before continuing.
Trainees who successfully completed the second week of training transitioned to another
week of training at their home base. Those who completed the final stage in Tempe learned about
the routes where they would operate test vehicles. Trainees were paired with a mentor, who further
coached them on ADS operations and accompanied them as they gained experience with ADS
operation on public roads and with transporting passengers. After the week of training in the final
segment, the mentor would grant final approval or make a determination of a need for additional
training.
1.8.4 Transition to Single Vehicle Operator
When the operator in the Tempe crash began training, ATG protocols required two people
in a test vehicle during ADS operation. One occupied the driver’s seat and monitored the
environment in preparation for a possible takeover, while the second operator—an “event
tagger”—occupied the front passenger seat. The tagger used a laptop to monitor the vehicle’s path
and to annotate any situations of interest (such as unexpected ADS actions or unusual events in
the environment).
During September–October 2017, ATG consolidated the responsibilities of two vehicle
operators into that of a single operator. The consolidation occurred after ATG equipped the test
vehicles with an HMI tablet that afforded operators a simpler interaction with the ADS. ATG stated
that the transition to a single operator was an operational decision that allowed the company to
increase the number of test vehicles, and that the HMI tablet had simplified the tagging task so that
a single operator could carry out both driving-monitoring and tagging tasks. The vehicle operator
in the Tempe crash began her training as an event tagger. Her training switched to that of
primary/single operator on October 25, 2017.
1.9 Postcrash Changes
On March 19, 2018, immediately after the crash, ATG stopped testing ADS-equipped
vehicles on public roads in all its operational centers. ATG stated that this was a precautionary
measure while the company evaluated its testing procedures and overall operational and
organizational structure, including its safety culture. On March 26—8 days after the crash—
Arizona’s governor instructed ADOT to suspend ATG’s privileges to test ADS-equipped vehicles
in autonomous mode in the state.
On December 20, 2018, after completing internal and external evaluations, ATG resumed
ADS testing on public roads. As of the date of this report, ATG testing is self-limited to a 1-mile
loop in Pittsburgh near ATG headquarters. The speed limit on the loop is 25 mph, the maximum
speed at which ATG now tests ADS-equipped vehicles. At the time of the crash, ATG tested at a
maximum speed of 45 mph.
NTSB Highway Accident Report
30
As a part of the process of examining its safety culture and identifying safety deficiencies,
ATG conducted an internal assessment and a voluntary external review.
69
Both reviews made
recommendations in technical performance, operational safety (including implementation of safety
procedures and oversight of vehicle operators), and organizational structure. During meetings with
ATG representatives, NTSB investigators communicated safety issues uncovered during their
investigation. When ATG resumed testing on public roads in December 2018, it had implemented
changes in (1) technical performance, (2) operational safety, and (3) organizational structure.
1.9.1 Technical Performance
1.9.1.1 Volvo Advanced Driver Assistance System. Since December 20, 2018, when
ATG restarted testing, the Volvo forward collision mitigation ADAS remains active during ATG
ADS operation. The Volvo FCW and AEB with pedestrian-detection capabilities are engaged
during both manual driving and autonomous operation. ATG engineers worked with Volvo to
solve the problem of radar signal interference between the two systems. ATG changed the
operational frequency of the ATG-installed radars that support ADS so that they do not interfere
with the Volvo ADAS, yet maintain functional effectiveness. ATG also worked with Volvo to
assign prioritization to one system when both systems issue emergency braking commands. The
decision for assigning priority to a system depends on the circumstances.
1.9.1.2 Handling of Emergency Situations. In addition, ATG changed the way the ADS
manages emergency situations (as described in section 1.5.5.3) by no longer implementing action
suppression. The updated system does not suppress braking after it detects an emergency situation,
regardless of whether maximum braking would prevent a crash.
70
Now, the ATG ADS engages
emergency braking even if only to mitigate a crash. ATG also increased the jerk limit (rate of
deceleration) to ±20 m/s
3
. ATG stated that under the current maximum testing speed of 25 mph,
no unintended consequences (increased number of false alarms) have occurred since action
suppression was eliminated.
71
1.9.1.3 Path Prediction. ATG also changed the way the ADS calculates possible
trajectories (predicts the path) of detected objects (as described in section 1.5.5.2). If the ADS
detects a pedestrian outside a crosswalk, it can now assign the person a potential goal of crossing
the road midblock. That is, jaywalking is considered a possible pedestrian goal. In addition, the
system incorporates previous locations of a tracked object when generating possible trajectories,
even when the object’s classification changes. It generates trajectories based on both the object’s
classification (its possible goals) and all its previous locations.
1.9.1.4 Uber ATG Simulation. NTSB investigators discussed with ATG how the postcrash
technical changes might have affected the Tempe crash. ATG simulated the circumstances of the
69
For a more detailed description of the internal and external reviews, see the Operations factual report in the
public docket for this investigation (HWY18MH010), as well as the accompanying attachments.
70
The elimination of action suppression was a gradual process. ATG reported that it reduced the action
suppression period to less than 1 second—while testing for the effect of such a change—before removing the process
entirely.
71
ATG reported no increase in hard braking resulting from a falsely detected emergency situation or imminent
collision.
NTSB Highway Accident Report
31
March 18 crash, including all environmental features and known pedestrian positions and using a
September 2018 version of the ADS software. The simulation results showed that the new software
would have properly detected and classified the pedestrian as such at a distance of about 88 meters
(290 feet), 4.5 seconds before impact. At that distance, according to ATG, based on the new
software, the ATG ADS would also have correctly predicted the pedestrian’s path as crossing the
street midblock on a collision path with the SUV. As a result, the system would have initiated
braking more than 4 seconds before the original impact and prevented the crash.
1.9.2 Operational Safety
1.9.2.1 Testing Protocol and Operator Training. When ATG restarted ADS testing on
public roads in December 2018, its testing procedure specified that a test vehicle should carry two
operators, positioned in the driver’s seat and the front passenger seat. It also changed their position
description to “mission specialist.” In autonomous mode, the primary responsibility of the
specialist in the driver’s seat is to monitor the driving environment and take driving control in
emergency situations. The primary responsibility of the specialist in the passenger seat is to tag
relevant information on the HMI and act as a redundant monitor of the environment and ADS
operation.
ATG established a new minimum 3-week-long training module for mission specialists that
includes 30 hours of instruction and evaluation before a specialist operates a test vehicle (in either
manual or autonomous mode). Among other topics, the training covers (1) situational awareness,
emergency maneuvering, fatigue management, distracted driving, and ATG policies such as cell
phone use; (2) the functionality and limitations of the Volvo ADAS and the ATG ADS;
(3) enhanced driving skills, such as defensive techniques, emergency maneuvers, and reversing
and parking; and (4) communication between the mission specialists during autonomous operation.
At the end of training, mission specialists must pass a written test and a driving test before
being allowed to operate test vehicles, in either manual or autonomous mode, on public roads.
ATG implemented remedial and annual recertification training for the mission specialists. Newly
hired specialists go through the new training program. Those who transitioned from previous
vehicle operator positions were required to complete at least 30 hours of additional training,
focused on driving skills and communication.
1.9.2.2 Vehicle Operator Oversight. ATG has equipped its test vehicles with a Nauto
fleet management system, consisting of a forward-facing camera and an inward-facing camera that
monitors the attentiveness of a mission specialist in the driver’s seat. When the system detects that
a driver’s seat mission specialist has looked away from the road for several seconds, it sounds a
chime. At the same time, the system sends a report to the mission specialist’s supervisor, who
examines the video and determines whether action is needed. ATG told investigators that the
company uses the attentiveness-monitoring system as a coaching tool.
NTSB Highway Accident Report
32
1.9.2.3 Other Operational Changes. ATG has developed a fatigue management policy
based on the North American Fatigue Management Program.
72
Mission specialists receive training
in fatigue management. ATG has further limited operation in the driver’s seat to 4 hours per shift,
with a mandatory break after 2 hours.
ATG has enhanced its drug-testing policy for mission specialists (vehicle operators) so that
it mirrors the federal standards applicable to commercial drivers (49 CFR Part 382). ATG provided
NTSB investigators with documentation showing that regular preemployment and random drug
tests are being administered. Policies that were formerly published in one booklet have been
separated into standalone documents, including the cell phone and disciplinary policies. Mission
specialists acknowledge them individually. ATG has also introduced “concern reporting,”
according to which any ATG employee can report an issue and request a suspension of testing
because of safety concerns.
On November 2, 2018, ATG published a safety self-assessment report describing the
company’s safety plan for ADS-equipped vehicles and submitted it to NHTSA.
73
The company
acted in voluntary compliance with NHTSA’s automated vehicles policy (see section 1.10 for
further discussion).
1.9.3 Organizational Changes
1.9.3.1 Restructuring and Personnel Changes. As a result of the internal and external
assessments noted above, ATG has restructured its teams and created new teams and departments.
A separate safety department was established, headed by a new employee with an extensive
background in safety management. The operational safety and training teams were moved from
the operations department to the safety department. An employee with extensive experience in
aviation safety management was hired to head the operations safety team. The operational safety
and training teams were made independent of the development and testing teams, a restructuring
designed to promote checks and balances in ADS development.
1.9.3.2 Safety Management System. ATG has begun establishing a safety management
system (SMS). The effort is led by the new head of the operational safety team, who had
implemented SMS for a previous employer.
74
In a meeting with NTSB investigators in May 2019,
ATG described its plans for SMS implementation. The company stated that it expects full
implementation to take 4 to 5 years.
72
As noted earlier, fatigue policies based on the North American Fatigue Management Program contain
mechanisms for adhering to federal and state regulations (hours on duty, driving at night, inverted sleep schedules,
wellness programs, training to minimize fatigue risks).
73
Uber ATG’s 2018 safety self-assessment report can be viewed on the NHTSA website (accessed December 6,
2019).
74
The aviation industry defines SMS as “a formal, top down, organization-wide approach to managing risk and
assuring the effectiveness of safety risk controls. It includes systematic procedures, practices, and policies for the
management of risk” (see the Federal Aviation Administration website, accessed December 6, 2019).
NTSB Highway Accident Report
33
1.10 Policies, Standards, and Regulations for Automated Vehicles
1.10.1 Federal Standards and Guidance
At the federal level, NHTSA is responsible for setting motor vehicle safety standards, while
the states regulate the operation of motor vehicles on public roads. The FMVSSs set minimum
performance standards for all new motor vehicles and motor vehicle equipment.
75
NHTSA has the
authority to enforce the standards and act when safety defects are discovered.
As of the date of this report, NHTSA had not developed any required safety standards for
systems such as FCW, AEB, and ADS and had not proposed any testing procedures for evaluating
a minimum level of ADS performance. In September 2016, NHTSA released an initial policy
document on automated vehicles, the Federal Automated Vehicles Policy (NHTSA 2016).
76
The
document gave basic guidance for testing and deploying ADS-equipped vehicles. It also proposed
a model state policy focused on removing obstacles to autonomous vehicle use created by
requirements for having an operator inside a vehicle.
The first policy document outlined a plan for a process that, after its refinement and
adoption, would ask ADS developers to submit a safety self-assessment report to the agency.
NHTSA stated that submission of the report was expected to be voluntary, but that in the future, it
might be mandated. NHTSA incorporated the SAE International (SAE) taxonomy for vehicle
automation systems (SAE International J3016) in this policy document.
77
The taxonomy, updated
with slight modifications in 2018, has six levels of driving automation, from Level 0 (no
automation) to Level 5 (full automation).
In September 2017, NHTSA issued its second automated vehicles policy, Automated
Driving Systems 2.0 (NHTSA 2017).
78
The policy described 12 safety elements and provided
summary guidance to manufacturers and others for use in preparing a safety self-assessment
report.
79
It encouraged developers to create a process for accomplishing the goals of each element.
However, it gave little specific information about how developers should accomplish those goals.
It also did not provide developers or others with a means of assessing their safety processes—of
75
The FMVSSs specify the design, construction, performance, and durability requirements for motor vehicles
and regulated automobile safety-related components, systems, and design features. The requirements are specified in
such a manner “that the public is protected against unreasonable risk of accidents occurring as a result of the design,
construction or performance of motor vehicles and is also protected against unreasonable risk of death or injury to
persons in the event accidents do occur . . .” (Public Law 89-563, 80 Stat. 718, National Traffic and Motor Vehicle
Safety Act of 1966).
76
See Federal Automated Vehicles Policy (accessed December 6, 2019).
77
Surface Vehicle Recommended Practice J3016 was developed by the SAE On-Road Automated Driving
Committee, and the first version was published on January 16, 2014. The revised standard released on
September 30, 2016, gave a taxonomy for six levels of driving automation. The current version, from June 2018,
retains the six levels of automation with slightly modified descriptions (accessed December 6, 2019).
78
See Automated Driving Systems 2.0 (accessed December 6, 2019).
79
The safety elements fall into the areas of (1) system safety, (2) ODD, (3) object and event detection and
response, (4) fallback (minimal risk condition), (5) validation methods, (6) HMI, (7) vehicle cybersecurity,
(8) crashworthiness, (9) postcrash ADS behavior, (10) data recording, (11) consumer education and training, and
(12) federal, state, and local laws.
NTSB Highway Accident Report
34
determining whether the safety processes designed to accomplish the goals of the 12 elements were
appropriate. The policy did not require developers to adhere to the guidance when developing
automated vehicles or to submit a safety self-assessment report. The policy stated that assessment
reports, if submitted, were not subject to NHTSA approval.
80
In October 2018, NHTSA released its third automated vehicle policy (NHTSA 2018). The
document slightly expanded the agency’s guidance to include other US Department of
Transportation modal agencies. The third version retained the focus on vehicles with higher levels
of automation—SAE Levels 3, 4, and 5.
81
Both the second and third policies outlined best practices and recommendations for state
and local governments concerning ADSs, focusing on technology-neutral systems and legislation
that might negatively affect automated systems. The third version also included suggestions to
state government to consider implementing requirements for the drivers of test automated vehicles,
but it did not give specific examples.
1.10.2 Arizona Requirements
Arizona has limited requirements for the testing of automated vehicles. When ATG began
testing in Arizona, the operation of automated vehicles in the state was regulated by Executive
Order 2015-09 (effective August 25, 2015). The executive order permitted testing and operation
of an automated vehicle regardless of whether a person was inside the vehicle. The only
requirement pertaining to ADS operation was that someone—located either inside or outside the
vehicle—should direct the vehicle’s movement if necessary. The executive order did not instruct
ADOT to require applications for the testing of automated vehicles.
On March 1, 2018, the Arizona governor authorized Executive Order 2018-04, which
established parameters under which ADS-equipped vehicles could operate in the state; the main
parameter was whether a person was inside a vehicle.
82
Developers testing or operating an
ADS-equipped vehicle with a person inside are required by the executive order to
follow all federal laws, Arizona State Statutes, Title 28 of the Arizona Revised
Statutes, all regulations and policies set forth by the Arizona Department of
Transportation . . .
The order does not contain any other safety-focused requirements for automated vehicles occupied
by at least one person.
Developers testing driverless ADS-equipped vehicles—testing without a person inside a
vehicle—are required to submit a written statement to ADOT acknowledging that their vehicles
(1) are in compliance with the FMVSSs or have received an exemption from NHTSA, (2) can
80
According to NHTSA, the voluntary safety self-assessment “is intended to show the public that entities are
considering the safety aspects of ADSs; communicating and collaborating with [the Department of Transportation];
encouraging the self-establishment of industry norms for ADSs; and building public trust, acceptance, and confidence
through transparent testing and development.”
81
See Automated Vehicles 3.0 (accessed December 6, 2019).
82
See Arizona Executive Order 2018-04 (accessed December 6, 2019).
NTSB Highway Accident Report
35
achieve minimal risk conditions, and (3) meet all registration, licensing, and insurance
requirements.
83
The statement acknowledging compliance with Executive Order 2018-04 is due to
the department within 60 days of the start of testing; however, the department does not have a
process for verifying the accuracy of the stated information. The executive order also directs
developers and state agencies to instruct law enforcement and other first responders on how to
interact with automated vehicles in emergencies or during traffic enforcement. Because Executive
Order 2018-04 does not require a statement acknowledging compliance from entities conducting
ADS testing with an operator inside a vehicle, ATG did not submit such a statement to ADOT.
On October 11, 2018, the Arizona governor authorized Executive Order 2018-09, which
called for establishing an Institute of Automated Mobility to be led by representatives from the
state’s commerce, transportation, and academic entities.
84
The order stated that the role of the
institute would include conducting research and developing infrastructure for the advancement of
automated vehicle technology. The order stated further that the institute would work with the state
to develop policy recommendations pertaining to the operation of automated vehicles.
On March 26, 2018, after the fatal crash in Tempe, the governor of Arizona directed ADOT
to suspend ATG’s ability to conduct ADS testing in the state.
83
A minimal risk condition is 1 of the 12 safety elements NHTSA introduced in Automated Driving Systems 2.0.
Arizona Executive Order 2018-04 approximates NHTSA’s description, defining it as “A low-risk operating mode in
which a fully autonomous vehicle operating without a human person achieves a reasonably safe state, such as bringing
the vehicle to a complete stop, upon experiencing a failure of the vehicle’s automated driving system that renders the
vehicle unable to perform the entire dynamic driving task.”
84
See Arizona Executive Order 2018-09 (accessed December 6, 2019).
NTSB Highway Accident Report
36
2 Analysis
2.1 Introduction
A vehicle operated in developmental autonomous mode was traveling north on N. Mill
Avenue in Tempe, Arizona, in the evening when it struck a pedestrian who was pushing a bicycle
while walking east midblock across the road. The pedestrian died, and the vehicle operator was
uninjured.
2.1.1 Exclusions
As a result of its investigation, the NTSB established that the following did not cause or
contribute to the crash:
• Driver licensing, driving experience, or knowledge of ADS operation: The vehicle
operator had a valid driver’s license and considerable driving experience. She had
received training and was knowledgeable in the operation and functionality of the ADS.
• Vehicle operator substance impairment or fatigue: Although no postcrash toxicology
tests were conducted, a TPD drug recognition expert who examined the operator on
scene immediately after the crash found no probable cause to test for alcohol and other
drugs. Based on interviews, cell phone records, and witness accounts, the NTSB found
no evidence of operator fatigue.
• Vehicle mechanical condition: NTSB investigators examined the vehicle and found no
preexisting mechanical conditions that might have contributed to the crash.
• Emergency response: First responders provided appropriate and efficient emergency
medical response.
The NTSB therefore concludes that none of the following were factors in the crash:
(1) driver licensing, experience, or knowledge of the ADS operation; (2) vehicle operator
substance impairment or fatigue; or (3) mechanical condition of the vehicle. The NTSB further
concludes that the emergency response to the crash was timely and adequate.
2.1.2 Pedestrian Actions
The 49-year-old pedestrian was pushing a bicycle at her left side while walking east across
N. Mill Avenue at a location without a crosswalk. Based on ADS data, the SUV would have been
about 350 feet from the pedestrian when the system first detected her—5.6 seconds before impact.
At that time, the pedestrian was about 10 feet east of the median curb, in the part of the road where
the left-turn lanes began forming. At 350 feet, based on the NTSB sight distance analysis, the SUV
and its headlights would have been visible to the pedestrian.
Toxicology tests showed that the pedestrian had drugs in her system, including
methamphetamine and an inactive marijuana metabolite. The level of methamphetamine—
2.126 µg/mL—strongly indicates impairment and chronic misuse. Methamphetamine particularly
can severely affect perception and judgment (Cooper and Logan 2004). In its special investigation
NTSB Highway Accident Report
37
of pedestrian safety, the NTSB (2018) reported that in 6 of the 15 pedestrian crashes it analyzed,
the pedestrian’s decision-making had been impaired by alcohol or other drugs.
85
Although pedestrians—impaired or not—regularly cross streets outside a crosswalk, the
pedestrian who died in this crash attempted to cross in front of an approaching vehicle, which
would have had to decelerate to avoid the collision.
The analysis could not determine whether the
pedestrian’s actions were due to errors of perception—she did not see the SUV or misjudged its
approaching speed—or to errors of judgment—she assumed that the vehicle would brake to allow
her to cross. Evidence of potential sources of distraction to the pedestrian, such as cell phone use,
is lacking; also, the approaching vehicle would have been noticeable. Therefore, the pedestrian’s
decision to cross the street, and her failure to take evasive action before the collision, could be
attributed to the impairing levels of methamphetamine found in her body. The NTSB concludes
that the pedestrian’s unsafe behavior in crossing the street in front of the approaching vehicle at
night and at a location without a crosswalk violated Arizona statutes and was possibly due to
diminished perception and judgment resulting from drug use.
2.1.3 Safety Issue Areas
The following analysis examines the hazard detection and collision avoidance
functionalities of ATG’s ADS; the vehicle operator’s actions before the crash and the reasons for
not detecting the pedestrian in time to avoid the collision; and whether ATG’s testing procedures
and overall safety risk management procedures, as well as safety policies, were adequate. In
addition, the analysis examines the issue of testing automated vehicles on public roads and the
roles of stakeholders. The focus of the analysis is on two main safety issues:
• ATG’s inadequate safety culture. Considered are deficiencies in safety risk
management procedures and safety policies, including oversight of vehicle operators:
− ATG’s safety risk management (section 2.2.1).
− Operators’ supervision of vehicle automation (section 2.2.2).
− ATG’s safety policies, including safety methods, processes, and organizational
structure (section 2.2.3).
• Need for safety risk management requirements for testing automated vehicles on
public roads. Considered are the roles of the federal government, industry, and the
states in ensuring public safety during ADS testing (section 2.3).
85
Another important factor in the pedestrian crashes was time of day. Six crashes occurred at night and three
during the twilight transition between day and night.
NTSB Highway Accident Report
38
2.2 Uber ATG Safety Culture
A safety culture is the collection of individual and group values, perceptions, attitudes, and
competencies that reflect an organization’s approach to safety management.
86
A good safety
culture is reinforced by a foundation of risk management practices and oversight mechanisms,
along with procedures for ongoing assessment to ensure adherence and dynamic adjustment to the
safety practices. When oversight mechanisms and risk-managing procedures and practices are
established across an organization to provide a systemic approach for achieving an acceptable level
of safety risk, the organization can be considered to have the framework of a formal SMS.
The four primary components of an SMS—as advocated by the Federal Aviation
Administration and adopted industrywide, including by the ground transportation industry—are
(1) safety policy, which defines methods, processes, and organizational structure; (2) safety risk
management, which determines the need for new risk control mechanisms or modification of
existing ones; (3) safety assurance, which continually examines the efficacy of the current risk
control mechanisms and identifies new sources of risk; and (4) safety promotion, which
incorporates training and communication to create a positive safety culture across an
organization.
87
As this analysis shows, at the time of the crash, ATG lacked several foundational aspects
of safety culture. The deficiencies were also exhibited in the four primary components of an SMS:
• Safety policies—the framework and mechanisms that create a good safety culture—
were frequently lacking or were inconsistently applied. As discussed in section 2.2.3,
ATG did not have a corporate safety plan, and some of its existing policies, such as
drug testing, were sporadically implemented.
• Safety risk management, particularly in ADS development as it pertains to testing on
public roads, lacked comprehensiveness. As discussed in section 2.2.1, ATG’s ADS
had insufficient safety redundancies, which increased the overall risk of testing the
system on public roads.
• Safety assurance, which is intended to continually assess potential risk, was
sporadically implemented, and also lacked appropriate mechanisms for effective
implementation. As discussed in section 2.2.2.2, ATG did not provide appropriate
oversight of vehicle operators, even though the company had tools for such oversight.
• Safety promotion, intended to foster safety culture across the company, was not always
effectively communicated. As discussed in section 2.2.3, company policies were not
individually acknowledged by employees, and supervisors sporadically implemented
some policies.
86
Although there is no single definition of safety culture, a version of the one proposed by the United Kingdom’s
Advisory Committee on the Safety of Nuclear Installations in 1993 is often cited: “The safety culture of an
organisation is the product of individual and group values, attitudes, competencies, and patterns of behaviour that
determine the commitment to, and the style and proficiency of, an organisation’s health and safety management”
(ACSNI 1993).
87
See Federal Aviation Administration website (accessed December 6, 2019).
NTSB Highway Accident Report
39
2.2.1 Uber ATG Safety Risk Management
The ADS that controlled the test vehicle at the time of the crash was a developmental
system. As of the time of this report, there are no production-level automated vehicles on public
roads that do not require the operator to monitor the driving environment or rely on a driver to take
over the driving task if necessary.
ADS development, with the reliance on still-evolving technology and machine learning, is
an iterative process that is expected to contain errors and failures and to expose limitations. This
is also an expectation of a development process for any product or technology. A crucial distinction
in ADS development is that the technology is tested on public roads, among other settings. As
such, developers must anticipate potential system failures and their effects on safety and
implement strategies and countermeasures to minimize the safety risks. Robust mechanisms for
managing safety risk would include multiple layers of safety redundancy designed to control
potential risks that may exist in the environment where such systems are tested.
2.2.1.1 Precrash ADS Functionality. As a developmental system, the ATG ADS had
limitations in several areas, including its ability to detect pedestrians and predict their trajectories
and its handling of emergency situations, as described below.
Pedestrian Detection. At the time of the Tempe crash, the ATG ADS did not have the
functionality to anticipate pedestrians crossing midblock outside a marked crosswalk; although it
could detect and identify pedestrians, it would not assign them an inherent goal of jaywalking.
Rather, to predict a pedestrian’s trajectory, the system relied on consistent tracking and
classification of the pedestrian as such. In the crash, the ADS sensory and imaging systems—lidar,
radar, and camera—detected an object 5.6 seconds before impact, when the pedestrian was in the
middle of where the northbound road’s two left-turn lanes began forming. However, the system
never correctly classified the pedestrian. The ADS changed the pedestrian’s classification several
times, alternating between vehicle, bicycle, and other. Furthermore, with each change in object
classification, the ADS perceived the pedestrian as a new object without considering its location
history. Because (1) the system was unable to correctly identify the pedestrian as such, (2) the
ADS design did not rely on tracking history for nonpersisting objects—those with changed
classifications—to predict a path, and (3) the system lacked the functionality to assign a goal of
jaywalking, the system was unable to correctly predict the pedestrian’s path.
At the time of the crash, the ATG fleet of test vehicles had traveled the route on which the
crash occurred about 50,000 times. When interviewed, ATG vehicle operators reported
occasionally encountering pedestrians crossing a road midblock, and ATG’s training of vehicle
operators included preparation for hazardous situations such as jaywalking pedestrians.
Pedestrians crossing a road midblock should be an anticipated safety risk when testing in urban
environments. Because object identification is a challenging task for any ADS, the system was
never able to correctly classify the pedestrian as such. However, such limitations should be
anticipated and managed by additional layers of safety redundancy. The NTSB concludes that the
Uber ATG did not adequately manage the anticipated safety risk of its ADS’s functional
limitations, including the system’s inability in this crash to correctly classify and predict the path
of the pedestrian crossing the road midblock.
NTSB Highway Accident Report
40
Collision Avoidance and Mitigation. The ADS detected an emergency situation—
determined that a collision with the pedestrian was imminent—1.2 seconds before impact. At the
time of the crash, ATG had designed the ADS to suppress braking for 1 second after it detected a
hazardous situation and if hard braking—greater than 0.71 g—was required to prevent a collision.
Action suppression allowed the ADS to abort severe vehicle maneuvers if a hazardous situation
resolved itself or was deemed false. It also allowed the vehicle operator to take control if the
situation was truly hazardous.
In this crash, emergency braking was suppressed because the situation exceeded the ADS
response design specifications for avoiding the collision (it required deceleration greater than
0.71 g to avoid the crash). One second later, when suppression ended, the operator had not taken
control of the vehicle and the situation remained hazardous. In such situations, when a crash could
not be prevented with the application of maximum braking (0.71 g), the ADS was designed not to
apply maximum allowed braking only to mitigate the crash. Momentarily suppressing a planned
motion may be reasonable from a technical perspective because errors, such as false alarms or
failing to detect an object, are expected in a developmental system. However, such suppression,
particularly when coupled with a decision not to use emergency braking to mitigate a crash, can
be viewed as actions that limited the layers of safety redundancy and reduced safety. The NTSB
concludes that the aspect of the ADS’s design that precluded braking in emergency situations only
when a crash was unavoidable increased the safety risks associated with testing ADSs on public
roads. The NTSB further concludes that because the Uber ATG’s ADS was developmental, with
associated limitations and expectations of failure, the extent to which those limitations pose a
safety risk depends on safety redundancies and mitigation strategies designed to reduce the safety
risk associated with testing ADSs on public roads.
Multiple layers of safety redundancy are needed to reduce the risks of testing automated
vehicles on public roads. One possible system-level redundancy available to ATG was the Volvo
forward collision mitigation systems. However, to avoid possible radar signal interference, ATG
decided to disable the crash vehicle’s factory-equipped FCW and AEB during ADS testing. The
Volvo FCW and AEB could detect pedestrians and bicyclists and respond to their encroachment
into the path of a vehicle. Simulation tests by Volvo suggest that a standard Volvo XC90—
equipped with FCW and AEB—might have prevented or at least mitigated the Tempe crash.
88
The
capabilities of the Volvo AEB to detect and respond to a crossing pedestrian are also supported by
testing conducted by the European New Car Assessment Programme (Euro NCAP).
89
In addition,
Thatcham Research in the United Kingdom conducted a closed-course test that replicated the
conditions of the Tempe crash, including the correct vehicle year/model and speed and using a
motorized pedestrian crash dummy crossing a street while pushing a bicycle. The results showed
88
The 2017 Volvo XC90 and later models are equipped with FCW and AEB as standard equipment.
89
Since Euro NCAP had not yet implemented the pedestrian AEB testing protocol at the time of the last testing
of the XC90—the 2015 model year—we examined the testing that Euro NCAP conducted on a 2017 Volvo S90
equipped with the same generation of ADAS technology as the 2017 XC90. The testing on the S90 showed that the
pedestrian AEB was able to avoid a collision with a crossing adult pedestrian when traveling up to 60 kilometers per
hour (37 mph).
NTSB Highway Accident Report
41
that a standard 2017 Volvo XC90, equipped with AEB, was able to avoid striking the crash dummy
or to significantly reduce the vehicle’s speed at impact.
90
Although ATG’s decision to disable the Volvo FCW and AEB was a response to technical
complexities, that action removed one layer of safety redundancy. Furthermore, the way the ADS
was designed to brake in emergency situations—braking applied at less than full braking force (up
to 0.71 g) and only if it would prevent a crash, not to mitigate an impact—did not match the full
capabilities of the Volvo AEB. In some performance aspects, the collision avoidance abilities of
the ADS were below those of the system it replaced. The implications of removing a single layer
of safety redundancy, for a production-level or a developmental ADS, depend on the existence and
capability of other layers of safety redundancy to detect and respond to a potentially hazardous
situation. The NTSB concludes that the Uber ATG’s deactivation of the Volvo FCW and AEB
systems without replacing their full capabilities removed a layer of safety redundancy and
increased the risks associated with testing ADSs on public roads.
2.2.1.2 Uber ATG Postcrash Changes. After the crash, ATG conducted internal and
external reviews of its safety procedures and of the organization as a whole. As a result of the
internal reviews and the continued development of the ADS, ATG also made numerous changes
in technical areas. Many of the changes would have affected safety-relevant issues at the time of
the Tempe crash.
When ATG restarted ADS testing in December 2018, it modified its ADS so that Volvo’s
forward collision mitigation ADASs, specifically FCW and AEB with the pedestrian-detection
component, would remain active during ATG ADS operation. ATG changed the frequency at
which the radars supporting the ADS operated so that they would not interfere with the Volvo
FCW and AEB. ATG also changed the ADS design:
• It incorporated the possibility of jaywalking pedestrians. The system can assign
a potential goal to a pedestrian of crossing a road outside a crosswalk.
• It modified the way the ADS classifies and tracks detected objects. Previous
locations of a tracked object are now incorporated into the decision process
when generating possible paths, even when the object’s classification changes.
• It gradually eliminated the use of action suppression in emergency situations.
The system does not suppress system response after the detection of an
emergency situation even when its resolution—prevention of a crash—exceeds
the system’s design specifications.
• It allowed the system to engage braking in emergency situations even if only to
mitigate a crash.
Some of the postcrash changes, as demonstrated in the simulations conducted by Volvo
and ATG and the tests of Volvo’s AEB by Euro NCAP and Thatcham Research, could have
directly affected the outcome of the Tempe crash. The NTSB concludes that postcrash changes by
the Uber ATG, such as making Volvo’s FCW and AEB available during operation of the ADS,
90
Additional information about the testing by Thatcham Research is found in the “Volvo XC90 Testing by
Thatcham Research” item in the public docket associated with this investigation (HWY18MH010).
NTSB Highway Accident Report
42
added a layer of safety redundancy that reduces the safety risks associated with testing ADSs on
public roads.
2.2.2 Operator Supervision of Vehicle Automation
At the time of the crash, ATG’s vehicle operators were responsible for several tasks,
including the following:
• Monitoring the driving environment and the operation of the ADS.
• Hovering with their hands above the steering wheel and their foot above the brake pedal
for fast takeover of vehicle control.
• Detecting unusual events in the driving environment or in ADS performance and noting
them through interaction with the HMI.
• Taking control of the vehicle and intervening in emergency situations to avoid a
collision. (As noted earlier, the ADS was designed to suppress braking in potential
emergency situations to reduce false positives and allow the vehicle operator to take
control.)
In the Tempe crash, when the ADS determined that a collision with the pedestrian was
imminent, the design of the system and ATG’s mitigation strategy relied on the vehicle operator
to take control of the vehicle. That strategy was based on the assumption that an attentive operator
would recognize a hazard and take control of the vehicle in sufficient time to minimize the risk. In
the Tempe crash, the vehicle operator was not actively engaged in the driving task, and neither the
ADS nor the vehicle operator intervened to avoid or mitigate the crash.
2.2.2.1 Operator’s Actions. Video from the inward-facing camera shows that the vehicle
operator spent nearly a third of the trip looking down toward the bottom of the SUV’s center
console, where she had placed her personal cell phone at the beginning of the trip. About 6 seconds
before impact, the operator again glanced toward the bottom of the center console, where her gaze
remained for the next 5 seconds. About 1 second before the impact, the operator returned her gaze
to the road, but only in time to try to steer away, 0.02 seconds before striking the pedestrian.
Examination of the operator’s cell phone and records from a video-streaming application on her
phone show that the operator was streaming a video for the entire trip, including the moments
before the crash.
In a postcrash interview, the operator told investigators that moments before the crash, she
was interacting with the HMI tablet, located in the center stack. However, HMI data show that
immediately preceding the crash, the HMI did not present any alerts and that no tags were entered,
indicating that the operator was not interacting with the HMI before the crash.
ADS data show that when the autonomous system first detected the pedestrian—
5.6 seconds before the impact—she was about 10 feet east of the median curb, approximately in
the middle of the road’s two left-turn lanes and about 350 feet north of the SUV. Sight distance
evaluation shows that no obstructions were present that would have prevented the vehicle operator
from seeing the pedestrian, from when the ADS first detected her until the impact. Although the
crash occurred at night, streetlights were present in the area. Despite the low level of lighting
NTSB Highway Accident Report
43
portrayed in the video from the forward-facing fleet-monitoring camera, NTSB investigators who
observed the crash location at night found that the streetlights would have sufficiently illuminated
the road where the pedestrian was crossing.
Because the crash-involved vehicle operator was engaged in visual distraction in the
moments leading up to the crash, the NTSB examined how an attentive driver might have
responded in that situation. When the ADS initially detected the pedestrian—5.6 seconds before
impact—the SUV was traversing the end of a curve before emerging from under the SR-202
overpass. Considering that drivers do not typically scan outside a roadway’s travel lane while
negotiating a curve, even an attentive driver in the Tempe crash scenario might not have detected
the pedestrian when the ADS detected her (Shinar 1977; Kandil, Rotter, and Lappe 2010; Itkonen,
Pekkanen, and Lappi 2015). When the SUV exited the curve—3.9 seconds before impact and about
243 feet south of the crash site—the pedestrian had just entered the left through lane. At that
relative distance, the pedestrian would have been within the field of view of an attentive driver’s
typical scanning pattern for a straight roadway. Based on braking tests of the SUV at the crash
location, an attentive driver would have been able stop the SUV before the impact location if
applying maximum braking within 1.9 seconds of entering the straight section, or within
3.5 seconds of the ADS detecting the pedestrian.
91
Considering the roadway geometry, the sight distance, and the lighting in the crash area,
the vehicle operator, had she been attentive, would have had 2 to 4 seconds to detect and initiate a
response to the crossing pedestrian to prevent the crash. However, the vehicle operator was
visually distracted, and by the time she raised her gaze from her cell phone to the road, she had
only about 1 second to detect and respond to the pedestrian. By that time, she could not avoid the
collision. The NTSB concludes that had the vehicle operator been attentive, she would likely have
had sufficient time to detect and react to the crossing pedestrian to avoid the crash or mitigate the
impact.
Earlier in the trip, while passing through the section of N. Mill Avenue where the crash
occurred, the operator gazed continuously for 26.5 seconds down toward the bottom of the center
console, where she had placed her cell phone. Although this is a clear example of deliberate
engagement in visual distraction, it also represents the operator’s failure to perform her primary
task, which was to monitor the driving environment and the performance of the ADS.
Research pertaining to automation monitoring and operator interaction with automated
systems is comprehensive. Across domains, automation complacency is identified as a critical
consequence of automation—a decrement in performance that results from less-than-adequate
91
(a) The TPD determined, on the basis of the vehicle’s capabilities and the road surface friction, that the SUV
was capable of decelerating at an average of 0.92 g in the crash area. (b) Based on the initial vehicle speed of 44 mph
and the maximum braking of 0.92 g (according to TPD roadway friction testing), the SUV would have taken
2.1 seconds to come to a complete stop.
NTSB Highway Accident Report
44
monitoring of an automated system by a human operator (Parasuraman and Manzey 2010; Moray
and Inagaki 2000).
92
Evidence of automation complacency has been found in settings as varied as simulated
multisystem industrial monitoring (Parasuraman, Molloy, and Singh 1993), air traffic control
(Metzger and Parasuraman 2001), aviation crashes (Funk and others 1999), and the grounding of
a passenger ship (NTSB 1997). While research has shown that the extent of automation
complacency depends on task complexity—complacency is lower in simple tasks—it also depends
on the rate of automation failure. Detection of automation failure is poorer for systems that have a
low failure rate (Davies and Parasuraman 1982). In other words, the better the automation system,
the more likely the operator is to become complacent and not detect its failure.
In recent years, the NTSB has examined automation complacency in the operation of
vehicles with Level 2 automation capabilities—vehicles that can maintain control and respond to
slowing traffic but require constant driver monitoring due to their limited capabilities. The NTSB
determined that the probable cause of crashes that occurred in Williston, Florida, in May 2016 and
in Culver City, California, in January 2018 included driver inattention and overreliance on vehicle
automation (NTSB 2017, 2019a).
93
When it comes to the human capacity to monitor an automation system for its failures,
research findings are consistent—humans are very poor at this task. The NTSB concludes that the
vehicle operator’s prolonged visual distraction, a typical effect of automation complacency, led to
her failure to detect the pedestrian in time to avoid the collision. The NTSB further concludes that
the Uber ATG did not adequately recognize the risk of automation complacency and develop
effective countermeasures to control the risk of vehicle operator disengagement, which contributed
to the crash.
2.2.2.2 Uber ATG Oversight of Vehicle Operators. ATG’s oversight of vehicle operators
was inadequate. Although the company had installed inward-facing cameras in its test vehicles,
supervisors said that they rarely reviewed the camera videos. Regular review could have
(1) uncovered critical violations of ATG policy, such as the use of a cell phone; (2) monitored
adherence to operational procedures, such as hovering hands over the steering wheel; and
(3) served as a coaching tool by monitoring expected challenges, such as maintaining operator
attentiveness in the face of likely automation complacency.
92
A National Aeronautics and Space Administration report (Prinzel 2002) defines complacency as “self-
satisfaction that can result in non-vigilance based on an unjustified assumption of satisfactory system state.” Based on
general automation literature and research by Parasuraman and Manzey (2010), automation complacency can also be
viewed as an insufficient attention to the operation of an automated system and its output, typically as a consequence
of a low failure rate of such a system.
93
As a result of the Williston investigation, the NTSB issued two safety recommendations to six manufacturers
of vehicles with Level 2 automation systems, including Safety Recommendation H-17-42: “Develop applications to
more effectively sense the driver’s level of engagement and alert the driver when engagement is lacking while
automated vehicle control systems are in use.” The overall status of this recommendation is “Open–Acceptable
Response.” Most manufacturers responded with their plans and current efforts to reduce system misuse and maintain
driver engagement, including considerations for improving driver monitoring.
NTSB Highway Accident Report
45
About 5 months before the crash, ATG began testing with only one operator in a vehicle.
The responsibilities of two vehicle operators—one monitoring the driving environment and the
other noting information about the system and the driving environment—were consolidated after
ATG equipped its test vehicles with an HMI that made it easier for operators to interact with the
ADS. However, by removing the second operator, ATG also removed a layer of safety redundancy.
The second operator can be viewed as a mechanism for detecting a potentially hazardous situation
and acting to prevent a crash, as well as a reminder of the vehicle operator’s responsibilities. The
consolidation of responsibilities also increased the task demands on the now-sole operator. Even
though the HMI had simplified the notation task, a single vehicle operator was required to do more
than before. Specifically, an operator now had to look away from the road to manipulate the HMI,
even if infrequently.
Technical complexities influenced the design of the ADS, resulting in the removal or
diminished use of layers of safety redundancy. In that light, ATG’s decision to remove a second
vehicle operator from its test vehicles—and rely on only one operator as a monitoring
mechanism—was even more significant. The unintended adverse consequences of removing the
second operator were exacerbated by ATG’s inadequate oversight of vehicle operators. The NTSB
concludes that although the installation of an HMI in the Uber ATG test vehicles reduced the
complexity of the automation-monitoring task, the decision to remove the second vehicle operator
increased the task demands on the sole operator and also reduced the safety redundancies that
would have minimized the risks associated with testing ADSs on public roads. The NTSB further
concludes that although the Uber ATG had the means to retroactively monitor the behavior of
vehicle operators and their adherence to operational procedures, it rarely did so; and the
detrimental effect of the company’s ineffective oversight was exacerbated by its decision to
remove the second vehicle operator during testing of the ADS.
2.2.2.3 Uber ATG Postcrash Changes. Among other areas, the ATG-commissioned
external review specifically recommended that the company make periodic, unannounced checks
on vehicle operators. When ATG restarted ADS testing in December 2018, it went back to having
two operators in the test vehicles, positioned in the driver seat and the passenger seat. Before the
change, ATG reformed and expanded operator training to include advanced modules on driver
distraction, exercises in emergency maneuvering, training in communication between the two
operators, and further instruction on the functionality and limitations of the ADS. As a result, the
vehicle operator in the driver seat is responsible only for monitoring the driving environment and
for taking control of the vehicle and intervening in an emergency.
ATG also made a crucial change in the oversight of vehicle operators during ADS testing.
Specifically, ATG installed a new inward-facing camera system that allows real-time monitoring
of operator attentiveness. When the system detects that an operator in the driver seat has gazed
away from the road for several seconds, it immediately sends an alert to the operator in the vehicle
and a report to the supervisor who reviews the recordings. The NTSB concludes that the Uber
ATG’s postcrash inclusion of a second vehicle operator during testing of the ADS, along with
real-time monitoring of operator attentiveness, begins to address the oversight deficiencies that
contributed to the crash.
NTSB Highway Accident Report
46
2.2.3 Uber ATG Safety Policies
2.2.3.1 Precrash Safety Plan and Safety Culture Framework. At the time of the crash,
ATG did not have a corporate safety plan—a standardized operations procedure that outlines the
roles and assigns safety-related responsibilities to departments and personnel to effectively assess
risk. ATG did not have a safety division or a dedicated safety manager responsible for risk
assessment and mitigation. Although lacking experience in safety management, the ATG head of
operations was tasked with the additional responsibility of being the safety manager. Without a
safety framework—a safety plan and specialized departments and personnel—an organization
cannot implement a safety program that (1) embodies the fundamental principles of safety culture
and (2) contains comprehensive guidance for the development of safety countermeasures. The
consequences of a lack of such a safety framework are seen in the events that led to the Tempe
crash.
A good safety culture is supported by policies and rules that ensure oversight of and
adherence to the policies, and by personnel with experience in safety management and risk
mitigation. At the time of the crash, many of these elements were inadequate or missing at ATG—
specifically, oversight and risk assessment mechanisms and personnel with backgrounds in safety
management. The consequences were exhibited in the inadequate oversight of vehicle operators
and the failure to implement company policies, such as drug testing.
Although ATG had a policy prohibiting the use of cell phones and a disciplinary policy
detailing the consequences of policy infractions, the policies were not individually acknowledged
by vehicle operators. The policies were not standalone, as is the typical industry practice, but were
part of a larger policy booklet.
94
ATG also did not have a dedicated fatigue management program,
a fundamental component of a good safety culture, particularly in the transportation industry.
ATG’s drug-testing policy at the time of the crash provides an example of its poor commitment to
safety culture. Although ATG’s drug-testing policy required preemployment, random, probable
cause, and postcrash drug testing, it was sporadically implemented. The vehicle operator in the
Tempe crash had not submitted to any drug tests before or during her employment at ATG,
including after this crash. Although impairment of the operator was not a factor in the crash, ATG’s
lack of enforcement of its own drug-testing policy indicates an inadequate safety culture. The
NTSB concludes that the Uber ATG’s inadequate safety culture created conditions—including
inadequate oversight of vehicle operators—that contributed to the circumstances of the crash and
specifically to the vehicle operator’s extended distraction during the crash trip.
2.2.3.2 Postcrash Changes. The ATG-commissioned external review after the crash
yielded recommendations for building a safety culture. Among the recommendations were that
ATG do the following:
• Develop an SMS program and seek the services of individuals and organizations who
had SMS expertise.
• Appoint senior managers for operational safety and for the training of vehicle operators.
94
Industry practices have multiple sources, including 49 CFR 382.601 and the Occupational Safety and Health
Administration’s Training Requirements in OSHA Standards (accessed December 6, 2019).
NTSB Highway Accident Report
47
• Designate the head of systems safety and the leaders of training and operational safety
to lead SMS development.
Largely as a result of the recommendations from the external review, ATG made numerous
changes to the company’s organization and operations. ATG created an independent safety
department and moved its training and operational safety teams into the safety department. ATG
hired personnel with more than 20 years of experience in safety management—including
developing and implementing an SMS—to lead the department. In a meeting with NTSB
investigators, ATG described a comprehensive plan for putting an SMS in place, with full
implementation expected by 2024.
95
ATG also changed its policies, including the way employees are instructed in them and
how adherence is achieved. For example, cell phone use and disciplinary policies are now
standalone, individually signed by vehicle operators, and reinforced in recurrent training. Further,
ATG implemented technological solutions to ensure adherence to the cell phone policy by means
of the new inward-facing camera system, which provides feedback to the vehicle operators and the
associated supervisor when attention is diverted from the driving environment. While the main
requirements of the company’s drug policy remain unchanged, documentation from ATG shows
full adherence. ATG also implemented a fatigue management program, modeled after the North
American Fatigue Management Program, and now limits operation in the driver’s seat to 4 hours
per shift.
Although the technical and operator oversight changes that ATG made have potential to
improve crash avoidance and mitigation factors, the company’s organizational changes could be
considered as potentially having the most long-term benefit. The changes ATG implemented
postcrash represent a systemic approach to establishing the company’s safety culture. All the
postcrash changes, including those involving ADS design, vehicle operator oversight, corporate
policies, and SMS development, indicate a shift in ATG’s approach to safety culture. The NTSB
concludes that the Uber ATG’s plan for implementing an SMS, as well as postcrash changes in
the company’s oversight of vehicle operators, begins to address the deficiencies in safety risk
management that contributed to the crash. Therefore, the NTSB recommends that the Uber ATG
complete the implementation of an SMS for ADS testing that, at a minimum, includes safety
policy, safety risk management, safety assurance, and safety promotion.
2.3 Testing of Automated Vehicles
The investigation of the Tempe crash revealed deficiencies in the way ATG tested its ADS
on public roads in Arizona, including ineffective oversight of vehicle operators and inconsistent
management of safety risk. Although ATG has made, and continues to make, safety improvements
in the way it tests ADS-equipped vehicles, ATG is just one of many developers who are conducting
such testing. Furthermore, a manufacturer is not the only entity with a role in ensuring the safe
testing of automated vehicles on public roads. To establish a robust framework for safely testing
ADSs across manufacturers, it is necessary to involve (1) federal agencies—which can establish
95
The meeting took place on May 9, 2019.
NTSB Highway Accident Report
48
and mandate ADS performance standards, (2) industry—which manufactures and develops ADSs,
and (3) the states—which traditionally regulate drivers and vehicle operation on public roads.
To provide a thorough and constructive discussion about the testing of automated vehicles,
it is necessary to parse the terminology that is used in public discourse. Specifically, it is necessary
to distinguish the system that controlled the ATG test vehicle involved in this crash from various
driver-assist and collision avoidance systems that exist on many vehicles on the roads today.
2.3.1 Terminology of Automation
One of the main sources of confusion in discussions about automated vehicles is the
language used in the industry and by researchers and regulators compared to that used by the
general public. Industry, regulators, and academics frequently use the six-level SAE automation
taxonomy as a reference point when discussing vehicle capabilities and operator responsibilities.
However, the SAE automation levels may not be easily relatable to the general public. At the same
time, the terms used by vehicle manufacturers to market their driver-assist systems—such as
ProPilot (Nissan), Pilot Assist (Volvo), and Autopilot (Tesla)—can add to public confusion about
the degree of automation in the production-level vehicles now available (Teoh 2019; McDonald
and others 2016).
96
Although the general public frequently uses self-driving vehicle as a term to
describe currently available vehicles, it is an incorrect portrayal of the capabilities of
production-level vehicles on the roads in the United States today—no such production-level
vehicles currently exist.
97
2.3.1.1 Advanced Driver Assistance System. The defining characteristic of an ADAS
is that it assists a driver in the performance of the driving task. Assistance can consist of
(1) maintaining vehicle stability—through a system such as electronic stability control;
(2) controlling vehicle speed and following distance—through a system such as adaptive cruise
control (ACC); (3) maintaining lane position—through a system such as lane-keeping or
lane-centering; or (4) preventing or mitigating collisions—through systems such as FCW, AEB,
and roadway departure warning. While a vehicle can be equipped with multiple ADASs—
including combining lateral and longitudinal control—a human driver is always responsible for
operating the vehicle and detecting and responding to hazards.
98
In the SAE automation taxonomy,
vehicles with Levels 0, 1, or 2 of automation capability are described as equipped with an ADAS.
2.3.1.2 Automated Driving System. The defining characteristic of an ADS is that the
system takes full control—even if temporary or constrained—of all aspects of the driving task.
While a geographical area, environmental conditions, or a human occupant’s availability may limit
96
These exemplar systems are considered ADASs. A description of overall ADAS functionality and limitations
is given in section 2.3.1.1.
97
ATG also describes its test vehicles as self-driving, but they are not production level. Adding to the complexity
with terminology is that some test vehicles equipped with ADSs may be considered self-driving in certain limited
circumstances, such as in good weather, with a mapped roadway, and with well-defined lane markings.
98
Combining lateral and longitudinal control through lane keeping/lane centering and ACC systems creates
Level 2 automation capabilities—partial automation. In such systems, a human driver is still responsible for
monitoring the environment and the operation of the system.
NTSB Highway Accident Report
49
the domain where an ADS is operational, the system is entirely responsible for controlling the
vehicle and avoiding hazards in that domain.
99
An ADS can be viewed as a holistic system consisting of many ADASs that are integrated
and automated in the ADS, which, because of its advanced sensor and computing capabilities,
affords removing a critical layer of safety redundancy—the requirement for constant human
monitoring of the driving environment. Within the context of the SAE automation taxonomy,
vehicles with Levels 3 to 5 of automation are described as having an ADS. Also, NHTSA’s
automated vehicle policy refers to ADS when describing highly automated vehicles—vehicles
with Levels 3 to 5 of automation. Considering that the ATG ADS is a developmental system and
was being tested on a designated, premapped route, we could say that the intent of the ATG ADS
is Level 4 automation.
2.3.2 Federal Approach
2.3.2.1 Safety Standards and Automated Vehicle Guidance. ATG’s developmental
ADS can be viewed as a discrete component that adds automation capabilities to a vehicle. The
2017 Volvo XC90 is a production vehicle that meets all applicable FMVSSs. The installation of
the ADS on Volvo vehicles in the ATG fleet—including sensors, cameras, and computing
equipment—did not invalidate any FMVSSs those Volvo vehicles already met. While the Volvo
XC90 is equipped with FCW and AEB, they are not required equipment on a vehicle. As such,
ATG’s deactivation of the factory-equipped Volvo FCW and AEB did not invalidate any FMVSS.
Although NHTSA does not have any ADS-related safety standards or even suggested
assessment protocols, as of the date of this report, no manufacturers sell or operate ADS-equipped
production-level vehicles—those that do not require human monitoring. At the same time, several
dozen manufacturers and developers are testing automated vehicles across the country. Further,
multiple manufacturers are promising near-term arrival of production-level vehicles with SAE
Level 3 automation capabilities.
100
NHTSA has published three iterations of automated vehicle guidance to address those
systems. In the second iteration of its automated vehicle policy, NHTSA provided guidance and
encouraged ADS manufacturers and developers to submit voluntary safety self-assessment reports
describing the safety approach they are taking in the development of their ADSs. The guidance
listed 12 safety-related areas but contained little specific information on how to achieve those
safety goals—for example, training vehicle operators, ensuring oversight, or evaluating whether
an ADS has reached a level of safe functionality. Moreover, submitting a safety self-assessment
report is voluntary, and NHTSA does not publish an evaluation of the reports to determine the
extent to which developers follow the automated vehicle guidance.
99
Depending on the level of automation, a human occupant may be required to be available to take the control of
the vehicle after being prompted by the system. That requirement applies to Level 3 automation.
100
NHTSA has made an initial step toward considering future development of ADS standards. In October 2018,
the agency issued an advance notice of proposed rulemaking titled “Pilot Program for Collaborative Research on
Motor Vehicles with High or Full Driving Automation” (Federal Register, vol. 83, no. 196, October 10, 2018: 50872–
50883). The notice focuses on how the agency can encourage and facilitate research needed to inform the development
and establishment of ADS standards, if necessary.
NTSB Highway Accident Report
50
While the current iteration—Automated Vehicles 3.0—presents a policy architecture that
applies across transportation modes, it retains the limiting aspects: cursory guidance, voluntary
report submission, and absence of report assessment. The NTSB communicated those views to the
US Department of Transportation in response to the publication of Automated Vehicles 3.0.
101
The
NTSB stated that “Among the NTSB’s concerns is that on-road testing by manufacturers of new
technology cannot serve to demonstrate safety,” and that “A comprehensive, multipronged
approach that defines system safety before on-road pilot testing is needed.”
As of the date of this report, 16 manufacturers and developers have submitted a voluntary
safety self-assessment report.
102
By way of comparison, 62 developers have received an ADS
testing permit in California.
103
Further, even those safety self-assessment reports submitted to
NHTSA vary considerably in the level of detail they provide, as well as in the topics they discuss.
This lack of uniformity is a result of the voluntary nature of the reports, the cursory guidance, and
the absence of report assessment.
Based on its latest automated vehicle policy and its other public communications, it appears
that NHTSA does not intend to develop ADS safety standards or assessment protocols at the
present time. The NTSB recognizes the complexity of developing safety standards for a
production-level ADS. Nevertheless, a framework for the primary emphasis of this investigation—
testing of ADSs—is attainable, and the basis for the framework is already established in NHTSA’s
automated vehicle policy.
2.3.2.2 Recommendations. Since 1995, the NTSB has continually advocated the
implementation of ADASs in all highway vehicles and has placed implementation of collision
avoidance systems on its Most Wanted List every year since 2016.
104
The NTSB also recognizes
that ADASs and other advanced systems, such as ADS, have the potential to mitigate or prevent
crashes on our roadways. A promise of the upcoming ADSs is that such systems will be safer than
a human driver. Until that promise is realized, the testing of a developmental ADS—with all its
expected failures and limitations—requires appropriate safeguards when conducted on public
roads.
NHTSA’s automated vehicle policy provides insufficient instructions on how developers
should accomplish the safety goals of the 12 safety-related areas. More limiting aspects of the
policy pertain to (1) the absence of a NHTSA process for evaluating the adequacy of a safety
self-assessment report, and (2) the lack of a mandatory submission requirement. The shortcomings
of the policy are exacerbated by the lack of assessment procedures and the difficulties in their
development. For example, 1 of the 12 safety areas is “object and event detection and response,”
pertaining to the capability of an ADS to detect, classify, and respond to objects and events in the
101
The NTSB submitted comments on Automated Vehicles 3.0 (Docket No. DOT-OST-2018-0149) on
December 20, 2018.
102
The list of the entities, along with the safety self-assessment plan they submitted, can be found on NHTSA’s
website (accessed December 6, 2019).
103
For further discussion, see section 2.3.4.1.
104
The NTSB made its first recommendation pertaining to collision avoidance technology in 1995 (Safety
Recommendation H-95-44) when it asked the US Department of Transportation to begin testing collision warning
systems in commercial fleets.
NTSB Highway Accident Report
51
environment. In this report, we have discussed the significant challenges pertaining to ADS
development, particularly system perception—detection, classification, and path prediction. The
NTSB recognizes the difficulties in developing a standardized metric for assessing the perception
of an ADS. In another of the 12 safety elements of its automated vehicle policy—HMI—NHTSA
makes a weak case for monitoring driver engagement. The agency states, “Entities are encouraged
to consider whether it is reasonable and appropriate to incorporate driver engagement monitoring
. . . .” For those reasons, a determination of whether sufficient safeguards exist for the testing of a
developmental ADS on public roads requires a holistic assessment of all relevant safety areas,
particularly when performance metrics may not exist.
The traditional division of oversight, in which NHTSA controls vehicle safety and the
states monitor drivers, may not be easily applicable to developmental automated test vehicles. It
might not be immediately apparent who controls the vehicle, or whether vehicle control and
supervision are shared between the computer (the vehicle) and the human operator. The lack of a
meaningful, or any, policy from the states leaves the public vulnerable to potentially unsafe testing
practices. And the lack of a comprehensive policy from NHTSA leaves the states without an
effective tool for assessing the safety of an entity’s testing practices. To ensure that testing of
automated vehicles on public roads is conducted with minimal safety risk, meaningful action from
both NHTSA and the states is critical.
If the process of submission of safety self-assessment reports were mandatory and included
evaluation and approval by NHTSA, it could serve as a criterion for judging whether a developer’s
approach to ADS development and testing met the minimal intent of the 12 safety areas. NHTSA’s
approval of a safety plan could also provide a minimum safeguard for the testing of developmental
ADSs on public roads. Furthermore, assessment by NHTSA would provide important support to
states when evaluating the appropriateness of a developer’s approach to the testing of automated
vehicles.
The NTSB concludes that mandatory submission of safety self-assessment reports—which
are currently voluntary—and their evaluation by NHTSA would provide a uniform, minimal level
of assessment that could aid states with legislation pertaining to the testing of automated vehicles.
Therefore, the NTSB recommends that NHTSA require entities who are testing or who intend to
test a developmental ADS on public roads to submit a safety self-assessment report to the agency.
The NTSB further recommends that NHTSA establish a process for the ongoing evaluation of the
safety self-assessment reports as required in Safety Recommendation H-19-47 and determine
whether the plans include appropriate safeguards for testing a developmental ADS on public roads,
including adequate monitoring of vehicle operator engagement, if applicable.
2.3.3 Industry Efforts
Without federal ADS standards or state-mandated requirements for testing on public roads
(see section 2.3.4), it is up to developers—traditional vehicle manufacturers, technology-based
companies, new entities, and associations—to determine the needed safety mechanisms and
countermeasures before testing their ADS-equipped vehicles on public roads. Coalitions are
forming to address that need.
NTSB Highway Accident Report
52
In March 2015, the SAE’s On-Road Automated Driving Committee issued Guidelines for
Safe On-Road Testing of SAE Level 3, 4, and 5 Prototype Automated Driving Systems (ADS).
105
While the document does not establish performance criteria or test procedures, it contains an
intermediate level of guidance on several issues relevant to the Tempe crash, specifically, operator
training and oversight. The guidelines assume that testing would be conducted under the
supervision of a person inside a test vehicle. The document also provides guidance on (1) the
selection of test routes and graduated road testing—expanding the complexity of a geographical
domain, (2) the stages of software development, and (3) the conditions under which, and the
methods by which, an operator or the system itself would disengage the ADS.
Industry efforts are also evident in the development of standards for ADS evaluation.
Currently in the approval process, UL standard 4600, developed by UL and Edge Case Research,
is expected to be approved by the end of 2019.
106
The standard is being created with a goal of
establishing safety principles and processes for evaluating automated vehicles. It intends to present
a pathway for creating a safety case that would include topics such as risk analysis, evaluation of
safety-relevant aspects of the design process, and validation of autonomy. The focus of UL 4600
is on production-level ADSs with Levels 4 or 5 of automation. The standard is not expected to
contain comprehensive guidance for testing such systems.
2.3.4 State Approach: Legislating Automated Vehicle Testing
In the absence of federal ADS safety standards or specific ADS assessment protocols,
many states have begun legislating requirements for automated vehicle testing. The development
of state-based requirements could be attributed to the concerns of many states about the safety risk
of introducing ADS-equipped vehicles on public roads. The requirements vary. Some states, such
as Arizona, impose minimal restrictions. Other states have established requirements that include a
more in-depth application and review process. Below, we discuss the process for approving
applications for the testing of ADS-equipped vehicles in three states, including Arizona.
2.3.4.1 California. Before testing or deploying ADS-equipped vehicles on public roads in
California, a company must apply for and obtain a permit. In September 2014, the state adopted
its first regulations on the testing of automated vehicles, and in April 2018, expanded the
regulations to include requirements for driverless operation.
107
The California Department of
Motor Vehicles (DMV) issues three types of automated vehicle permits: (1) a testing permit that
requires a vehicle operator to be present inside a vehicle; (2) a testing permit that allows testing
without an operator inside a vehicle; and (3) a deployment permit—nontesting operation for public
use.
108
105
SAE standard J3018, retrieved from the SAE website on June 10, 2019.
106
UL, formerly Underwriters Laboratories, is the world’s largest organization that, following established
standards, conducts safety and quality testing on a broad range of products; products that pass the tests receive UL
certification. UL also works to establish new or consolidate existing global standards.
107
California Vehicle Code Section 38750 requires the Department of Motor Vehicles to adopt regulations
governing both the testing and public use of autonomous vehicles on California roadways. The code was accessed on
December 6, 2019.
108
See California DMV for more information. The website was accessed on December 6, 2019.
NTSB Highway Accident Report
53
Conditions for obtaining a permit for testing with an operator inside a vehicle include
(1) specialized training of vehicle operators; (2) that an operator be in physical control of the
vehicle or actively monitoring the vehicle’s operations; (3) completion of previous testing in
controlled conditions; (4) prohibition on transporting passengers for a fare; and (5) reporting of
crashes, as well as annual submission of the frequency of ADS disengagements, initiated by a
vehicle operator or by the system.
109
A permit for testing without an operator has more stringent
requirements, including continuous remote monitoring of the vehicle status and previous extensive
testing in controlled conditions that closely simulate the ODD in which the testing will be
conducted on public roads.
The California DMV reviews applications and can request clarification or additional
documentation before issuing an approval. As of January 28, 2019, the DMV had approved
62 permits for testing with a vehicle operator inside a vehicle, only 1 permit for testing without an
operator, and no permits for production-level automated vehicles.
110
2.3.4.2 Pennsylvania. Pennsylvania also has an application and review process for testing
ADS-equipped vehicles in the state. In June 2016, the Pennsylvania Department of Transportation
(PDOT) established an autonomous vehicle policy task force. When ATG was conducting ADS
testing in Pittsburgh before the Tempe crash, PDOT did not yet have guidance for testing
automated vehicles in the state. In July 2018, the PDOT task force published Automated Vehicle
Testing Guidance.
111
In a conversation with NTSB investigators, members of the task force said
that the circumstances of the Tempe crash, and the way ATG conducted its testing, significantly
influenced PDOT’s July 2018 guidance.
Unlike the California DMV, PDOT grants permits only for ADS testing with an operator
inside a vehicle. PDOT does not issue permits for ADS testing without an operator inside a vehicle
or for public deployment of driverless automated vehicles. In communication with NTSB
investigators, PDOT stated that the Pennsylvania vehicle code requires a driver to be inside a
vehicle. That regulatory restriction prohibits a vehicle without a driver—a test or a production
vehicle—from operating on public roads in Pennsylvania.
To obtain a permit, a developer submits a notice of testing that includes (1) basic
information about the applicant, the vehicles, and the drivers; (2) the applicant’s acknowledgement
that it has met 12 safety-based criteria on data recording, operator training and testing, and ADS
operation; and (3) either the NHTSA safety self-assessment report or a PDOT safety risk
mitigation plan.
112
Some of the conditions for obtaining a PDOT testing permit—as covered in the
applicant’s acknowledgements and risk mitigation plan—include (1) previous testing in simulated
109
For more details on the requirements for testing with a driver, see California DMV testing requirements. The
website was accessed on December 6, 2019.
110
Waymo is the only company that received a permit for testing without a driver inside a vehicle, but as of the
date of this report, the company has not yet begun such testing. The websites for the holders of the driver and driverless
permits were accessed on June 10, 2019.
111
See PDOT guidance (accessed December 6, 2019).
112
Two of the developers that applied for the permit submitted the safety self-assessment report in lieu of the
PDOT application. For a detailed description of the application requirements for an automated vehicle testing permit,
see the PDOT automated vehicle testing guidance in the NTSB public docket for this investigation (HWY18MH010).
NTSB Highway Accident Report
54
and closed-course settings; (2) a training plan for vehicle operators that covers driving and
hazard-detection skills and a comprehensive understanding of ADS functionality; (3) measures for
addressing operator fatigue and inattentiveness; (4) a requirement for an operator to be either in
physical control of a vehicle or actively monitoring the vehicle’s operation; (5) a description of
safety measures in case of ADS disengagement, regardless of the reason; and (6) a prohibition on
transporting passengers for a fare. Furthermore, if a developer intends to test at speeds over
25 mph, either a second operator must be in the front seat of the test vehicle or a single operator
must undergo enhanced training.
113
As of the date of this report, all developers conducting ADS
testing in Pennsylvania have two operators inside their test vehicles.
PDOT evaluates the testing application material and may request additional documentation
or clarification before deciding whether to approve a testing permit. As of the date of this report,
none of the companies that submitted an application had received immediate permit approval. All
six companies were required to submit additional documentation or provide further clarification
before a permit was granted.
However, PDOT does not require developers testing ADS-equipped vehicles in the state to
obtain a permit. Although the application process is voluntary, PDOT told NTSB investigators that
all six developers that test in the state have applied for and received a testing permit. The agency
said that obtaining the permit is an incentive in itself, because the permit serves as a stamp of
approval by the state.
By the time ATG resumed ADS testing in December 2018, PDOT had established guidance
for ADS testing on public roads. ATG applied to test ADS-equipped vehicles and was granted a
testing permit from PDOT. Considering that ATG is currently testing at speeds of up to 25 mph,
the company’s use of two vehicle operators—in excess of PDOT requirements—could be
considered a cautious approach and a substantial change from its previous testing procedures in
Tempe (where ATG tested with a single operator on a roadway that had a speed limit of 45 mph).
2.3.4.3 Arizona. As of the date of this report, Arizona did not have specific requirements
pertaining to the testing of automated vehicles with an operator inside. According to Arizona
Executive Order 2018-04, developers testing an ADS without a person inside a vehicle are required
to acknowledge in writing that their test vehicles meet a few basic requirements—including that
they are capable of achieving minimal risk conditions. Developers testing with an operator inside
are not required to submit a statement or adhere to any conditions other than those that apply to
nonautomated vehicles. The executive order does not contain any additional requirements or
guidelines for ADS testing. ATG did not submit any statement or application to ADOT before or
during its testing in Tempe, because its ADS vehicles always had at least one vehicle operator
inside.
Despite the circumstances of the Tempe crash, Arizona has not made any changes to the
requirements for ADS testing in the state. Although ADOT revoked ATG’s privilege to test its
ADS after the crash, it is worth reiterating that as of the date of this report, other developers can
113
As part of the application process, under “Operational Requirements,” PDOT states: “Testers requesting use
of a single safety driver for operations on trafficways posted above 25 mph must present evidence of an enhanced
performance driver training plan for Department review.”
NTSB Highway Accident Report
55
test their ADSs in Arizona in the same way ATG did at the time of the crash. Furthermore, when
they are being tested with an operator inside, other ADS-equipped vehicles do not need to meet
any conditions beyond those that apply to general traffic vehicles.
The NTSB concludes that Arizona’s lack of a safety-focused application-approval process
for ADS testing at the time of the crash, and its inaction in developing such a process since the
crash, demonstrate the state’s shortcomings in improving the safety of ADS testing and
safeguarding the public. Therefore, the NTSB recommends that Arizona require developers to
submit an application for testing ADS-equipped vehicles that, at a minimum, details a plan to
manage the risk associated with crashes and operator inattentiveness and establishes
countermeasures to prevent crashes or mitigate crash severity within the ADS testing parameters.
The NTSB further recommends that Arizona establish a task group of experts to evaluate
applications for testing vehicles equipped with ADSs, as described in Safety Recommendation
H-19-49, before granting a testing permit.
2.3.4.4 Statewide Recommendation. As June 2019, 21 states had no regulations
pertaining to ADS testing.
114
Although 29 states had some type of ADS-related policy, the
requirements for testing varied considerably.
115
Furthermore, the existence of a regulation is not a
sure indication of a comprehensive and safety-driven ADS testing policy. Indeed, Arizona is 1 of
the 29 states that had some regulations pertaining to ADS testing.
This report discusses two states—California and Pennsylvania—that have developed
safety-driven requirements or guidance for ADS testing. However, no comprehensive studies have
examined the efficacy of state regulations—based on safety metrics—and the policies adopted by
California and Pennsylvania may not necessarily represent the best approach.
For example, although Pennsylvania’s operator-monitoring requirements are more
stringent than California’s—at least one person is required inside a vehicle—the application
process is voluntary. While PDOT stated that all entities that are currently conducting ADS testing
in the state have submitted an application and received a permit, a mandatory application process
might be necessary elsewhere. The California DMV’s requirement for annual reporting of system
disengagements has been criticized as having unintended negative consequences (Koopman and
Osyk 2019). To reduce the number of disengagements, a developer could decide to modify the
system to increase the threshold at which it disengages, potentially increasing risks by operating
at the edge of the safety envelope. On the other hand, a developer who approached testing more
conservatively, by requiring multiple safety redundancies for an ADS to remain engaged, could
experience more disengagements.
Other states, especially those without any regulations for the testing of automated vehicles,
would benefit from adopting regulations that require a thorough review of developers’ safety plans,
including methods of risk management. As described its second automated vehicle policy, NHTSA
has worked with stakeholders to develop a model policy for state legislatures pertaining to ADS
testing. In its guidance, the agency listed several actions that states should consider adopting,
114
The information was retrieved from the National Conference of State Legislatures website on June 10, 2019.
115
As of the date of this report, 40 states have some type of ADS-related policy, according to the National
Conference of State Legislatures website. However, the policies in many of those states are unrelated to testing
NTSB Highway Accident Report
56
including the creation of an internal process for issuing permits for ADS testing. One of the
stakeholders was the American Association of Motor Vehicle Administrators (AAMVA), which
has developed numerous model programs for motor vehicle administration, law enforcement, and
highway safety in general. The association serves as a clearinghouse for highway safety issues and
represents state and municipal officials.
In May 2018, the AAMVA published Jurisdictional Guidelines for the Safe Testing and
Deployment of Highly Automated Vehicles.
116
Although the guidance contains elements of ADS
testing (fewer elements than in NHTSA’s automated vehicle policy, however), the AAMVA
document also lacks specific guidance for developers on how to accomplish the included
recommendations. The guidance does include one important element, a recommendation to
jurisdictions to identify a lead agency and establish an automated vehicle committee to develop
strategies for addressing automated vehicle testing.
117
However, the guidance does not include
recommendations requiring developers to submit a safety plan and for the automated vehicle
committee to review and approve such a plan.
The NTSB concludes that, considering the lack of federal safety standards and assessment
protocols for ADSs, as well as NHTSA’s inadequate safety self-assessment process, states that
have no, or only minimal, requirements related to automated vehicle testing can improve the safety
of such testing by implementing a thorough application and review process before granting testing
permits. Therefore, the NTSB recommends that AAMVA inform the states about the
circumstances of the Tempe, Arizona, crash and encourage them to (1) require developers to
submit an application for testing ADS-equipped vehicles that, at a minimum, details a plan to
manage the risk associated with crashes and operator inattentiveness and establishes
countermeasures to prevent crashes or mitigate crash severity within the ADS testing parameters,
and (2) establish a task group of experts to evaluate the application before granting a testing permit.
116
The guidance was created by the Autonomous Vehicle Best Practices Working Group, a task group created by
the AAMVA (accessed December 6, 2019).
117
NHTSA’s Automated Driving Systems 2.0 policy includes a suggestion to the states to consider “new oversight
activities on an administration level to support States’ roles and activities as they relate to ADSs.” NHTSA continues
by saying that it “does not expect that States will need to create any particular new entity in order to support ADS
activities . . . .”
NTSB Highway Accident Report
57
3 Conclusions
3.1 Findings
1. None of the following were factors in the crash: (1) driver licensing, experience, or
knowledge of the automated driving system operation; (2) vehicle operator substance
impairment or fatigue; or (3) mechanical condition of the vehicle.
2. The emergency response to the crash was timely and adequate.
3. The pedestrian’s unsafe behavior in crossing the street in front of the approaching vehicle
at night and at a location without a crosswalk violated Arizona statutes and was possibly
due to diminished perception and judgment resulting from drug use.
4. The Uber Advanced Technologies Group did not adequately manage the anticipated safety
risk of its automated driving system’s functional limitations, including the system’s
inability in this crash to correctly classify and predict the path of the pedestrian crossing
the road midblock.
5. The aspect of the automated driving system’s design that precluded braking in emergency
situations only when a crash was unavoidable increased the safety risks associated with
testing automated driving systems on public roads.
6. Because the Uber Advanced Technologies Group’s automated driving system was
developmental, with associated limitations and expectations of failure, the extent to which
those limitations pose a safety risk depends on safety redundancies and mitigation
strategies designed to reduce the safety risk associated with testing automated driving
systems on public roads.
7. The Uber Advanced Technologies Group’s deactivation of the Volvo forward collision
warning and automatic emergency braking systems without replacing their full capabilities
removed a layer of safety redundancy and increased the risks associated with testing
automated driving systems on public roads.
8. Postcrash changes by the Uber Advanced Technologies Group, such as making Volvo’s
forward collision warning and automatic emergency braking available during operation of
the automated driving system (ADS), added a layer of safety redundancy that reduces the
safety risks associated with testing ADSs on public roads.
9. Had the vehicle operator been attentive, she would likely have had sufficient time to detect
and react to the crossing pedestrian to avoid the crash or mitigate the impact.
10. The vehicle operator’s prolonged visual distraction, a typical effect of automation
complacency, led to her failure to detect the pedestrian in time to avoid the collision.
NTSB Highway Accident Report
58
11. The Uber Advanced Technologies Group did not adequately recognize the risk of
automation complacency and develop effective countermeasures to control the risk of
vehicle operator disengagement, which contributed to the crash.
12. Although the installation of a human-machine interface in the Uber Advanced
Technologies Group test vehicles reduced the complexity of the automation-monitoring
task, the decision to remove the second vehicle operator increased the task demands on the
sole operator and also reduced the safety redundancies that would have minimized the risks
associated with testing automated driving systems on public roads.
13. Although the Uber Advanced Technologies Group had the means to retroactively monitor
the behavior of vehicle operators and their adherence to operational procedures, it rarely
did so; and the detrimental effect of the company’s ineffective oversight was exacerbated
by its decision to remove the second vehicle operator during testing of the automated
driving system.
14. The Uber Advanced Technologies Group’s postcrash inclusion of a second vehicle
operator during testing of the automated driving system, along with real-time monitoring
of operator attentiveness, begins to address the oversight deficiencies that contributed to
the crash.
15. The Uber Advanced Technologies Group’s inadequate safety culture created conditions—
including inadequate oversight of vehicle operators—that contributed to the circumstances
of the crash and specifically to the vehicle operator’s extended distraction during the crash
trip.
16. The Uber Advanced Technologies Group’s plan for implementing a safety management
system, as well as postcrash changes in the company’s oversight of vehicle operators,
begins to address the deficiencies in safety risk management that contributed to the crash.
17. Mandatory submission of safety self-assessment reports—which are currently voluntary—
and their evaluation by the National Highway Traffic Safety Administration would provide
a uniform, minimal level of assessment that could aid states with legislation pertaining to
the testing of automated vehicles.
18. Arizona’s lack of a safety-focused application-approval process for automated driving
system (ADS) testing at the time of the crash, and its inaction in developing such a process
since the crash, demonstrate the state’s shortcomings in improving the safety of ADS
testing and safeguarding the public.
19. Considering the lack of federal safety standards and assessment protocols for automated
driving systems, as well as the National Highway Traffic Safety Administration’s
inadequate safety self-assessment process, states that have no, or only minimal,
requirements related to automated vehicle testing can improve the safety of such testing by
implementing a thorough application and review process before granting testing permits.
NTSB Highway Accident Report
59
3.2 Probable Cause
The National Transportation Safety Board determines that the probable cause of the crash
in Tempe, Arizona, was the failure of the vehicle operator to monitor the driving environment and
the operation of the automated driving system because she was visually distracted throughout the
trip by her personal cell phone. Contributing to the crash were the Uber Advanced Technologies
Group’s (1) inadequate safety risk assessment procedures, (2) ineffective oversight of vehicle
operators, and (3) lack of adequate mechanisms for addressing operators’ automation
complacency—all a consequence of its inadequate safety culture. Further factors contributing to
the crash were (1) the impaired pedestrian’s crossing of N. Mill Avenue outside a crosswalk, and
(2) the Arizona Department of Transportation’s insufficient oversight of automated vehicle testing.
NTSB Highway Accident Report
60
4 Recommendations
As a result of its investigation, the National Transportation Safety Board makes the
following new safety recommendations.
To the National Highway Traffic Safety Administration:
Require entities who are testing or who intend to test a developmental automated
driving system on public roads to submit a safety self-assessment report to your
agency. (H-19-47)
Establish a process for the ongoing evaluation of the safety self-assessment reports
as required in Safety Recommendation H-19-47 and determine whether the plans
include appropriate safeguards for testing a developmental automated driving
system on public roads, including adequate monitoring of vehicle operator
engagement, if applicable. (H-19-48)
To the state of Arizona:
Require developers to submit an application for testing automated driving system
(ADS)-equipped vehicles that, at a minimum, details a plan to manage the risk
associated with crashes and operator inattentiveness and establishes
countermeasures to prevent crashes or mitigate crash severity within the ADS
testing parameters. (H-19-49)
Establish a task group of experts to evaluate applications for testing vehicles
equipped with automated driving systems, as described in Safety Recommendation
H-19-49, before granting a testing permit. (H-19-50)
To the American Association of Motor Vehicle Administrators:
Inform the states about the circumstances of the Tempe, Arizona, crash and
encourage them to (1) require developers to submit an application for testing
automated driving system (ADS)-equipped vehicles that, at a minimum, details a
plan to manage the risk associated with crashes and operator inattentiveness and
establishes countermeasures to prevent crashes or mitigate crash severity within the
ADS testing parameters, and (2) establish a task group of experts to evaluate the
application before granting a testing permit. (H-19-51)
To the Uber Technologies, Inc., Advanced Technologies Group:
Complete the implementation of a safety management system for automated
driving system testing that, at a minimum, includes safety policy, safety risk
management, safety assurance, and safety promotion. (H-19-52)
NTSB Highway Accident Report
61
BY THE NATIONAL TRANSPORTATION SAFETY BOARD
ROBERT L. SUMWALT, III JENNIFER HOMENDY
Chairman Member
BRUCE LANDSBERG
Vice Chairman
Report Date: November 19, 2019
NTSB Highway Accident Report
62
Board Member Statement
Vice Chairman Bruce Landsberg filed the following concurring statement on
November 25, 2019.
The automated vehicle (AV) event that resulted in a fatally injured pedestrian was not an accident.
Accidents are unpredictable and unforeseeable. Rather, this was a crash that was predictable and
avoidable. Crashes regularly happen on the highways—we know exactly what went wrong and
how to prevent them. Driver-error-related crashes typically exceed 90 percent of all crashes. No
surprises there. Here, automation played a significant part. Unfortunately, humans, who had the
ability to prevent the crash, did not. Automation in vehicles has great potential, but it must be
developed and managed carefully. That didn’t happen here.
AVs are just now being tested, so one might think this was an “accident.” But the sequence of
events was predictable except for the exact time and place. The AV sensing mechanisms and
software were, and are, in early development. There remains significant risk despite widespread
marketing enthusiasm.
Automation Complacency—Automation complacency occurs when the operator becomes very
comfortable with the technology and relaxes the oversight that they are supposed to provide. It’s
present in many crashes and seen in all modes of transportation. Automation performs remarkably
well most of the time and therein lies the problem. Human attention span is limited, and we are
notoriously poor monitors.
Driver Inattention—The safety driver knew that cell phone use was prohibited while the vehicle
was moving. Distracted driving has reached epidemic proportions and this crash is just one more
tragic example. On this trip, the safety driver spent 34 percent of the time looking at her cell phone
while streaming a TV show. The longest inattentive period was 26 seconds and in the 3 minutes
prior to the crash, she glanced at the phone 23 times! Why would someone do this? The report
shows she had made this exact same trip 73 times successfully. Automation complacency!
Pedestrian Inattention—A few more links in the crash sequence include darkness and an
impaired pedestrian who elected to cross a divided highway well away from any crosswalk.
According to the NTSB’s Special Investigation Report: Pedestrian Safety, published in September
2018, the potential for a pedestrian fatality was highly predictable. Nearly 75 percent of pedestrian
fatalities occur during hours of darkness, and over 70 percent occur between intersections, away
from crosswalks. Arizona law requires pedestrians to yield to motor vehicles between
intersections, and there was signage prohibiting crossing in that area. A crosswalk was located
about 300 feet away.
About 40 percent of fatally injured pedestrians are under the influence of alcohol. In this event,
the postmortem toxicology showed the pedestrian to have about 10 times the therapeutic dose of
methamphetamines in her system, which likely would have impaired her judgment and perception
of impending threats. As drug use, both legal and illegal, becomes more prevalent, this risk will
increase. While some may feel this is victim-blaming, my belief is that everyone has some
NTSB Highway Accident Report
63
responsibility for intentional acts regarding their own safety: exercising good judgment and
following the law.
Technology—Uber Advanced Technologies Group (ATG) started its test program in Tempe,
Arizona, with two humans aboard—a safety driver and an observer (event tagger) who would
document any mistakes the vehicle made and report them back to the engineers to address. But
since everything was going so well and the tagging process was made easier, ATG decided that a
dedicated observer was not needed. The vehicle was performing as well or better than expected.
Automation complacency!
The vehicle, a Volvo SUV XC90, was equipped with driver-assist systems to detect pedestrians
by providing alerts and braking. However, concerns about radar frequency interference between
the Volvo’s and ATG’s systems led ATG to deactivate the Volvo system. In hindsight, the Volvo
system was better able to detect a pedestrian under the circumstances that fateful night.
Uber ATG management had installed inward- and outward-facing cameras, but no one was
monitoring the cameras to see if the no-cell-phone rules were being followed. Trust but verify!
The report goes into considerable detail on the company’s safety management system, or lack
thereof. To Uber ATG’s credit, it is taking prompt action to address the shortcomings the NTSB
identified.
NHTSA’s Inaction—Finally, we chastised the National Highway Traffic Safety Administration
(NHTSA) for not providing definitive leadership to the states to manage the expansive growth in
AV testing. During the meeting, Member Jennifer Homendy read NHTSA’s mission statement,
which is to “Save lives, prevent injuries, and reduce economic costs due to road traffic crashes,
through education, research, safety standards and enforcement activity.”
NHTSA would like to advance technology without squelching innovation. This permissive
approach, while simultaneously preserving safety, is complex and not without risk. The AV
guidance laid out in its documents is advisory only. As such, it’s dependent upon either a
company’s willingness to adopt or a state’s desire to better oversee the critical AV safety issues
on our public roads.
It’s time for NHTSA to live up to its stated goals and create appropriate safety regulation in this
developmental area. Regulations can change as technology evolves and experience grows. It’s a
dynamic environment, but evolution in nature and in technology where lives are at stake is a brutal
process. Natural processes are unavoidable, but NHTSA is working in a controllable environment.
It should work with the stakeholders to put safety first and technology advancement second.
The more sophisticated the automation, the more complex the software and hardware
programming. There are hundreds of thousands or millions of lines of code, and bugs can be
extremely difficult to eliminate when buried deeply in a system. Ultimately, it will get better, but
the development process matters. Aviation automation, an area much in the news lately, is child’s
play compared to surface vehicles, and we’re still debugging aircraft software, some 70 years later!
Bringing automated vehicles beyond the driver-assisted level is going to take a while, and
collectively we need to be on guard!
NTSB Highway Accident Report
64
Appendix: Investigation
The National Transportation Safety Board (NTSB) received notification of the crash in
Tempe, Arizona, on March 19, 2018, and launched investigators from the Office of Highway
Safety to address highway and vehicle factors, motor carrier operations, human performance, and
onboard recorders. The team also included staff from the NTSB’s Office of Research and
Engineering.
The Volvo Car Group, Volvo Car USA LLC, the Uber Advanced Technologies Group, and
the Arizona Department of Transportation were parties to the investigation.
NTSB Highway Accident Report
65
References
Advisory Committee on the Safety of Nuclear Installations (ACSNI). 1993. ACSNI Human
Factors Study Group: Organising for Safety. Third report. (London: Her Majesty’s
Stationery Office).
Cooper, F. J., and B. K. Logan. 2004. Drugs and Human Performance Fact Sheets. DOT HS 809
725. Washington, DC: NHTSA.
Davies, D. R., and R. Parasuraman. 1982. The Psychology of Vigilance. London, England:
Academic Press.
Funk, K., B. Lyall, J. Wilson, R. Vint, M. Niemczy, C. Suroteguh, and G. Owen. 1999. “Flight
Deck Automation Issues.” International Journal of Aviation Psychology 9: 109–123.
Itkonen, T., J. Pekkanen, and O. Lappi. 2015. “Driver Gaze Behavior Is Different in Normal Curve
Driving and When Looking at the Tangent Point.” PloS One 10(8):e0135505
https://doi.org/10.1371/journal.pone.0135505.
Kandil, F., A. Rotter, and M. Lappe. 2010. “Car Drivers Attend to Different Gaze Targets When
Negotiating Closed vs. Open Bends.” Journal of Vision 10: 1–11.
Koopman, P., and B. Osyk. 2019. Safety Argument Considerations for Public Road Testing of
Autonomous Vehicles. SAE Technical Paper 2019-01-0123. https://doi.org/10.4271/2019-
01-0123.
McDonald, A. B., D. V. McGehee, S. T. Chrysler, N. M. Askelson, L. S. Angell, and B. D. Seppelt.
2016. “National Survey Identifying Gaps in Consumer Knowledge of Advanced Vehicle
Safety Systems.” Transportation Research Record: Journal of the Transportation
Research Board 2559:1–6.
Metzger, U., and R. Parasuraman. 2001. “The Role of the Air Traffic Controller in Future Air
Traffic Management: An Empirical Study of Active Control Versus Passive Monitoring.”
Human Factors 43: 519–528.
Moray, N., and T. Inagaki. 2000. “Attention and Complacency.” Theoretical Issues in Ergonomics
Science 1: 354–365.
NHTSA (National Highway Traffic Safety Administration). 2016. Federal Automated Vehicles
Policy—Accelerating the Next Revolution in Roadway Safety. NHTSA docket 2016-0090.
Washington, DC: NHTSA.
_____. 2017. Automated Driving Systems 2.0: A Vision for Safety. DOT HS 812 442. Washington,
DC: NHTSA.
_____. 2018. Preparing for the Future of Transportation: Automated Vehicles 3.0. Washington,
DC: NHTSA.
NTSB Highway Accident Report
66
NTSB (National Transportation Safety Board). 1997. Grounding of the Panamanian Passenger
Ship Royal Majesty on Rose and Crown Shoal near Nantucket, Massachusetts, June 10,
1995. MAR-97/01. Washington, DC: NTSB.
_____. 2017. Collision Between a Car Operating with Automated Vehicle Control Systems and a
Tractor-Semitrailer Truck Near Williston, Florida, May 7, 2016. HAR-17/02. Washington,
DC: NTSB.
_____. 2018. Pedestrian Safety. NTSB/SIR-18/03. Washington, DC: NTSB.
_____. 2019a. Rear-End Collision Between a Car Operating with Advanced Driver Assistance
Systems and a Stationary Fire Truck, Culver City, California, January 22, 2018.
HAB-19/07. Washington, DC: NTSB.
_____. 2019b. Bicyclist Safety on US Roadways: Crash Risks and Countermeasures.
NTSB/SS-19/01. Washington, DC: NTSB.
Parasuraman, R., and D. H. Manzey. 2010. “Complacency and Bias in Human Use of Automation:
An Attentional Integration.” Human Factors 52: 381-410.
Parasuraman, R., R. Molloy, and I. L. Singh. 1993. “Performance Consequences of Automation-Induced
‘Complacency.’” International Journal of Aviation Psychology 3: 1–23.
Prinzel, L. J., III. 2002. The Relationship of Self-Efficacy and Complacency in Pilot-Automation
Interaction. NASA/TM-2002-211925. Hampton, Virginia: National Aeronautics and
Space Administration.
Shinar, D. 1977. “Eye Movements in Curve Negotiation.” Human Factors 19: 63–71.
Teoh, E. R. 2019. “What’s in a Name? Drivers’ Perceptions of the Use of Five SAE Level 2
Driving Automation Systems.” Arlington, Virginia: Insurance Institute for Highway
Safety.
