AI4People: Ethical Guidelines for the Automotive Sector – Fundamental Requirements and Practical Recommendations

This paper presents the work of the AI4People-Automotive Committee established to advise more concretely on specific ethical issues that arise from autonomous vehicles (AVs). Practical recommendations for the automotive sector are provided across the topic areas: human agency and oversight, technical robustness and safety, privacy and data governance, transparency, diversity, non-discrimination and fairness, societal and environmental wellbeing, as well as accountability. By doing so, this paper distinguishes between policy recommendations that aim to assist policymakers in setting acceptable standards and industry recommendations that formulate guidelines for companies across their value chain. In the future, the automotive sector may rely on these recommendations to determine relevant next steps and to ensure that AVs comply with ethical principles

which can be achieved through accountability measures such as audits and logging mechanisms (see Guideline 3 and 7). Certainly, incompatibilities and trade-offs between fundamental rights can emerge; for example, life and security can be in tension with the right to self-determination. On the one hand, AVs are expected to improve traffic flow and decrease fatalities that are due to human error. On the other hand, automated driving systems reduce the driver's autonomy, perhaps to the point of being a mere passenger. In this regard, the Ethics Commission on Automated and Connected Driving (BMVI, 2017) formulated the following guideline: "In a free society, the way in which technology is statutorily fleshed out is such that a balance is struck between maximum personal freedom of choice in a general regime of development and the freedom of others and their safety" (Lütge, 2017, p. 550). In conflict situations, policymakers and legislators should decide which fundamental rights are to be prioritized.

Policy Recommendations
• Relevant fundamental rights to be considered in the field of autonomous driving are: human dignity, right to self-determination and liberty, right to life and security, right to protection of personal data, right to equality and non-discrimination as well as the right to explanation. • It must be realized that there will be no technologies or policies that maximize all fundamental rights for everybody simultaneously. There will always be trade-offs. Therefore, policymakers and legislators should decide which fundamental rights are to be prioritized in particular situations. • In doing so, policymakers and legislators should cooperate with multiple stakeholders to obtain necessary information for executing an evaluation and subsequent agreement on compromises and prioritization.

Human Agency and oversight -Including Monitoring, Training, Human-Machine Interfaces and External Control of Vehicle data
A few guidelines have already been developed that highlight the importance of maintaining personal autonomy in AVs, including possible requirements for a 'stop' or 'override' button (European Commission, 2020b;Lütge, 2017). At the same time, autonomy requires informed and deliberate control, and so overrides (and other measures) should not necessarily be universal. In particular, admissibility of human override should be conditional on two aspects: 1. The level of automation of the AV 2 : a. For levels up to and including 3, there should be an override function that can be executed at any time; b. For level 4, there should be an override function that can be executed only when not impacting or undermining the safety mechanisms of the AV (e.g., one helpful factor to satisfy this requirement might be to implement overrides with a time lag). The rationale for this is that, if individuals were allowed to intervene immediately at any point, the inherent logic and longer-term plan completion of the technically functional AV is disrupted which may lead to increased risks for all parties involved; c. For level 5, it is not necessary to include an override function, as it would take away many of the original advantages such as inclusive accessibility (e.g., by excluding elderly, disabled individuals, youth or individuals who do not hold a driving license), safety (e.g., humans taking control may be out of practice), trust (e.g., giving drivers the impression that the system could fail), and comfort (e.g., limiting opportunities for new and more comfortable mobility options and designs) 3 ; 2. The state and behavior of the driver: a. When the driver's abilities are impaired (e.g., due to alcohol consumption), the availability of an override function should be limited and preceded by a request for confirmation.
Nevertheless, recent examples of AVs involved in crashes draw attention to the failing assumption of responsibility by individuals. The underlying problems relate to overconfidence in, or overreliance on, the AI system as companies do not adequately warn drivers and/or drivers violate the guidelines provided by the companies.
Therefore, companies must clearly distinguish and make apparent whether a driverless system is being used or whether a driver remains accountable for driving (Lütge, 2017). In order to realize effective human agency and clarity over personal responsibility, our approach concerning AVs is threefold: 1. Companies should put in place technical safeguards to help drivers remain fully aware and ready to take over the driving when the AV expects them to. AVs should monitor drivers and help drivers remain awake and attentive. For example, current driving monitoring systems using camera-based facial recognition technology determine the driver's level of vigilance and trigger alerts to the driver when signs of distraction are detected (Research & Markets, 2019). Other monitoring systems are related to the amount of torque in the steering wheel. For example, Tesla (2020) locks the activation of the autopilot mode if the driver seems inattentive (e.g., insufficient torque is applied or warnings are repeatedly ignored). The upcoming regulation on automated lane keeping systems will obligate car manufacturers to introduce driver availability recognition systems and clarify the criteria that assess whether a driver is deemed to be unavailable (e.g., eye closure) (UNECE, 2020b). UNECE also considers that "[a]utomated/autonomous vehicles should include driver engagement monitoring in cases where drivers could be involved (e.g., take-over requests) " (UNECE, 2019, p. 3). It is important that handovers be aligned with the level of automation: As the level of automation increases, drivers engage more in other activities such as watching a video, which decreases human capability to take over control (Merat et al., 2014). Thus, handovers should conform to human capabilities by, for example, obviating "the need for an abrupt handover of control to the driver (emergency)" (Lütge, 2017, p. 556). There is currently no agreement on what constitutes a comfortable transition time, and so we do not propose a universal prescription on this point. In the meantime, companies should provide documentation that justifies their particular handover window. A possible starting point for determining a reasonable transition time might be that AVs, as they drive, could learn about the capabilities of drivers from aggregated traffic data and adjust the vehicle's parameters accordingly (respecting a safe minimum time response). 2. Companies should train drivers on the capabilities and limitations of AVs (European Commission, 2020b), so that individuals can make informed decisions and do not over rely on the vehicle's capabilities (see also UNECE, 2019). This training should be tailored to different demographic groups, given recent studies that show demographic differences in interactions with AVs (Manser et al., 2019). Training programs should cover topics such as the "[system's] functional intent, operational parameters, system capabilities and limitations, engagement/disengagement methods, HMI, emergency fallback scenarios, operational design domain parameters (i.e., limitations), and mechanisms that could alter [the system's] behavior while in service" (NHTSA, 2017, p. 15). Drivers should also be trained on the purpose of using an AVs, the degree of automation, and conditions for potential system failures (Manser et al., 2019). 3. The importance of human autonomy applies not only to drivers but also to humans outside the vehicle such as pedestrians. Therefore, companies should ensure that these latter individuals can also exercise their autonomy. For example, AVs should have mechanisms to show pedestrians that they have been recognized and reveal the AV's motion intentions, perhaps with LED strips to convey perception information (e.g., displaying cool colors for far away obstacles and warm colors for near obstacles in the environment) (Florentine et al., 2016). These external humanmachine interfaces facilitate human agency for pedestrians, as they enable them to feel less anxious about the technology and have more information to move freely and safely. However, further research is required to determine the most useful interfaces (Rouchitsas & Alm, 2019).
Additionally, external oversight mechanisms need to be put in place to control for adequate human agency. Therefore, although internal overriding functions may not always or immediately be available for (drivers in) AVs, general oversight should be possible at all times. Live and total oversight is both impracticable and unwarranted (Lütge, 2017). However, under certain circumstances, such as following a fatal accident, and depending on the legal and regulatory framework in place in the country where the accident occurred, it may be appropriate to designate an organization in each jurisdiction that is permitted to retrospectively look at the code and data within the AV to determine the cause of the accident (for more information see Guideline 7).

Industry Recommendations
• There should be a conditional override option allowing the control to be handed back to the driver. The admissibility of an override function depends on the level of automation of the AV (up to level 3: at any time; level 4: corresponding to safety mechanisms of an AV; level 5: not required) as well as on the state and behavior of the driver (e.g., impaired ability). • AVs should continuously assess and monitor the driver's attentiveness and ability to intervene.
Before operation, the AV could pose control questions to the driver (e.g., did you ingest any drugs or alcohol?); during operation, the AV could use sensors and biometric technology to do so. The upcoming UN Regulation on Automated Lane Keeping Systems can serve as a baseline for car manufacturers to develop appropriate driver attentiveness recognition systems. • Handover should correspond to the driver's capabilities. Therefore, AVs could learn about drivers' capabilities and response times during operation from aggregated data and adjust the vehicle's parameters accordingly (respecting a safe minimum time response). • Companies should provide documentation that justifies their particular handover window. • Training programs should be tailored to different demographic groups and exhibit minimum elements that should be regarded in a training curriculum (e.g., limitations and capabilities of AVs) based on findings of recent studies. • AVs should offer a 'training mode', for the first kilometers to train drivers on the AV's functioning. • External human-machine interfaces should clearly communicate about the vehicle's motion intention and awareness of other traffic participants to humans outside the vehicle.

Policy Recommendations
• Policymakers should finalize what constitutes acceptable and legitimate override functions and define applicable situations for activation. • Policymakers should determine standards for drivers' monitoring, training requirements, handover routines and external human-machine interfaces. These standards should be as global as possible. • Policymakers in each jurisdiction should consider designating an organization in each jurisdiction that is allowed to look at the code and data within the AV in the event of a fatal accident involving an AV or a corresponding legal proceeding.

Technical Robustness and Safety -Including Resilience to Attack and Security, Fallback Plan and General Safety, Accuracy and Reliability
A prime requirement of AVs should be safety, both in ordinary operations and if subject to adversarial attack (Lütge, 2017).
There are many differing forms of potential threats to AVs, and so governmental entities such as the ENISA (2019) or UNECE (2020a) have created holistic summaries and categorizations of relevant dangers and vulnerabilities. Firstly, there are threats that do not solely apply to AVs but also to conventional vehicles such as technical malfunctions and outages including sensor and other failures (ENISA, 2019). Secondly, there are threats that are particularly important for AVs and can be subsumed under the term 'cybersecurity'. Potential cybersecurity threats include the following: • Hijacking such as unauthorized information disclosure or extraction of copyrighted or proprietary software from vehicle systems (product piracy) (UNECE, 2020a); • Abuse such as attacks on back-end servers that stops the vehicle's functioning (e.g., disruptions of communication and external connectivity) or threats regarding the vehicle's update procedures (e.g., preventing the rollout of critical software updates) (UNECE, 2020a); • Passive behavioral attacks such as individuals intentionally interfering with AVs. For example, human drivers might tend to drive more aggressively around AVs or jaywalking may increase because it is known that AVs respect the safety distance.
There are several categorizations of threats that relate to the data stored in vehicles on an associated server and to the information exchanged during communication between the vehicle and the server. These threats can impact the safe operation of the vehicle, alter the software operation, and generate data breaches, though many of these threats are not specific to AVs but also can be found in current vehicles.
It is essential to develop mechanisms to test an AV's cybersecurity management system before operation. The EU Cybersecurity Act aims to establish a general certification framework for ICT digital products, services, and processes that allows the "creation of tailored and risk-based EU certification schemes" (ECCG, 2020). Similarly, the UN is preparing a regulation on uniform provisions concerning the approval of vehicles with regard to cybersecurity and of their cybersecurity management systems. For example, the draft regulation (as of March 2020) proposes an international approval mark or the verification of a manufacturer's compliance by an approval authority (UNECE, 2020a). In the future, such clear regulations and standardized tests will be necessary so that all companies are informed about, and comply with, the universal requirements for cybersecurity management systems. Governments should "promote mutual recognition systems and certification schemes that are built upon international standards [...] to facilitate international harmonization on privacy and security" (Joaquin Acosta, 2019, p. 215). SAE J3061, a comprehensive cybersecurity implementation guideline for the automotive industry, can serve as a starting point (SAE International, 2016).
Additional to threats, measures need to be developed that assess the general functionality of an AV. The Ethics Commission on Automated and Connected Driving suggests that "[t]he public sector is responsible for guaranteeing the safety of the automated and connected systems introduced and licensed in the public street environment. Driving systems thus need official licensing and monitoring" (Lütge, 2017, p. 550). For example, a kind of TÜV, i.e. a technical inspection agency, for AVs could be developed. Relevant factors to be assessed here are accuracy, reliability and fallback options of AVs. In terms of accuracy and reliability, it could be tested to what extent the AV's underlying "AI meets, or exceeds, the performance of a competent & careful human driver", refrains from engaging in "careless, dangerous or reckless driving behavior" as well as to what extent it "remains aware, willing and able to avoid collisions at all times" (ADA, 2020). SAE International published a more detailed and elaborate list of driving safety performance assessment metrics such as minimum safe distance factors or proper responses (Wishart et al., 2020). Furthermore, safeguards against technical failures and outages need to be established. The IEEE P7009 standard for fail-safe design of autonomous and semi-autonomous systems could serve as a baseline for developers. The standard provides clear procedures for measuring, testing, and certifying a system's ability to fail safely as well as instructions for improvement in the case of unsatisfactory performance (IEEE, 2019).
In terms of general safety and fallback plans, "[i]n emergency situations, the vehicle must autonomously, i.e., without human assistance, enter into a 'safe condition'" (Lütge, 2017, p. 556). This condition has been specified by proposing the terms 'minimal risk condition' and 'minimum risk maneuver'. The Minimal risk condition is "[a] condition to which a user or an ADS may bring a vehicle after performing the DDT [dynamic driving task] fallback in order to reduce the risk of a crash when a given trip cannot or should not be completed" (SAE International, 2018, p. 11). The "Minimum risk maneuver means a procedure aimed at minimizing risks in traffic, which is automatically performed by the system" (Leonhardt, 2018, p. 12). Causes for the execution of such a maneuver could be detection that the driver is inactive and not reacting to transition demands, or reaching system failure / boundaries when the driver is not responding to transition demands. In such situations, potential maneuvers could entail "further lane keeping for a certain time, enlarging gap to other road users, […] slowing down to standstill" (BMVI, 2015, p. 4). What constitutes an appropriate maneuver depends on (1) the operation condition of the vehicle (e.g., technical failures that hinder the AV to perform a fallback), (2) the prevailing environmental conditions (e.g., density of traffic) and (3) regulatory boundary conditions (Leonhardt, 2018). Although SAE J3016 (Leonhardt, 2018) makes significant progress regarding the nature of a safe or minimal risk condition, the definition of such conditions as well as the particular circumstances in which such conditions should be activated (e.g., incidents that leave the driver incapacitated such as a stroke) need to be further determined and harmonized.
Overall, experimenting with new AVs and testing their technical robustness and safety should follow a stepwise approach: For example, "the levels of testing that should be conducted before testing on open roads, including, for example, the use of simulation, hardware-in-the-loop testing" should be identified and standardized (European Commission, 2020a, p. 29). Recognizing the challenges of physical test strategies for AVs (length of time they take to complete, high number of hours of drive time required), ESTECO has developed a white-box / scenario-based verification system to investigate the performance of ADAS/AD functions across different sensors, algorithms, actuation and scenarios (ESTECO, 2020). Systems like these can act as helpful antecedents to actual testing on open roads.

Industry Recommendations
• The prime requirement of AVs should be safety.
• In addition to threats that relate to conventional vehicles, manufacturers of AVs should particularly focus on cybersecurity threats. In doing so, companies need to comply with regulations for cybersecurity management systems. SAE J3061 could serve as a guideline to design cybersecurity into AVs throughout the entire development life cycle process. • In terms of general functionality and safety, vehicles need to pass an official test that assures the system's accuracy, reliability and adequacy of its fallback options. The SAE Driving Safety Performance Assessment Metrics and the IEEE P7009 standard could serve as a baseline to design fail-safe mechanisms of autonomous and semi-autonomous systems.

Policy Recommendations
• Regulations need to be developed that reflect consensus on the method by which to grant approval to a vehicle's cybersecurity management system. • Policymakers need to work with industry experts to develop a standardized test for the general functionality and safety of AVs to assure the system's accuracy, reliability and adequacy of its fallback options. This test could serve as a basis for the approval of AVs for sale to consumers. • Policymakers need to collaborate with industry experts to determine and harmonize the definition of a 'safe condition' / 'minimal risk condition', the corresponding 'minimum risk maneuvers', and the circumstances in which such maneuvers should be executed. In doing so, SAE J3016 could serve as a baseline.

Privacy and data Governance -Including Respect for Privacy, Transparency and Communication, and Access to data
Conventional vehicles collect data through event data recorders (that record technical information about a vehicle's operation involved in crashes) and on-board diagnostic information (to access information about driver behavior, emission measures or diagnose performance issues). With new technological options, connected vehicles and AVs will make transportation safer and more convenient. However, many features depend on the collection and processing of ever more data in order to function effectively (Future of Privacy Forum, 2017). Therefore, it is essential to specify the type and scope of data that AVs are permitted to collect. Three types of data can be distinguished that warrant special attention: • Geolocation data (e.g., for activating route navigation), which could reveal the passenger's location and life habits of individuals (EDPB, 2020). • Biometric data (e.g., for user recognition or tracking of driver's attention), which could be used to enable unauthorized access to a vehicle and enable access to a driver's profile settings and preferences (EDPB, 2020). The collection of this type of data applies not only to drivers but also to individuals outside the vehicle such as pedestrians. • Driver behavior data, which could reveal unlawful behavior, including traffic violations such as speeding (EDPB, 2020).
Some of this data will be collected automatically, and some will require consent from the vehicle owner or driver in order to activate and use certain functions. Careful consideration needs to be given to the collection of data from inside the vehicle that relates to things other than the operation of the vehicle. Additionally, individual's rights should be considered at group level (e.g., drivers versus pedestrians) (European Commission, 2020a). For example, data (especially, biometric data) of external parties such as individuals walking on the street should warrant special protection. Although the European Commission (2020a) has additionally problematized data collection when AVs pass through particular locations such as private and non-public settings, we suggest that collecting data in private spaces should not in general be restricted in order to guarantee an AV's functionality. The focus should instead be on the mode of data collection and sharing.
Overall, services that collect and share data should comply with all applicable laws, and be accompanied by a strict privacy and data governance policy that includes, but is not limited to, the following (Future of Privacy Forum, 2017): 1. Transparency and Communication: Manufacturers need to provide clear and concise privacy policies to the vehicle owners that describe data collection and use. These policies must be readily understood by vehicle owners. These policies could, for example, be displayed in the purchase agreement, user manual or in the interface of an app. This is also in line with the General Data Protection Regulation (GDPR) stating that controllers must, before personal data is obtained, provide the data subjects with information necessary to ensure transparent processing about the existence of automated decision-making. 2. Affirmative and Explicit Consent: The driver's educated and affirmative consent is required before certain sensitive data is collected or used. This requirement is particularly critical for marketing uses, or if the data will be shared with unaffiliated third parties. This is in line with the guideline of the Ethics Commission on Automated and Connected Driving about the permissibility to use data that is generated by AVs for other business models, which states that lastly "[i]t is the vehicle keepers and vehicle users who decide whether their vehicle data that are generated are to be forwarded and used" (Lütge, 2017, p. 555). Additionally, even in the absence of laws requiring it, users should always have the right to opt-out or request that particular data not be collected, unless those data are critical for the AV safe system's operation. 3. Limited and Useful Sharing With Third Parties: There should only be limited circumstances where manufacturers are allowed to share a vehicle's data with external parties. Under appropriate conditions and with the appropriate safeguards, data that guarantees safe operation of the vehicle and other traffic participants as well as data that provides benefits to overall society and is of public interest should be shared. For example, AVs could provide information to the local department of transportation about a pothole on the road, so that infrastructure inspections and maintenance resources can be better allocated (in consideration of a fair and unbiased distribution of resources) and traffic information can be shared to improve traffic flow and promote safety. Accordingly, the European Commission has issued a regulation requiring public or private road operators and service providers to share and exchange relevant road safety-related traffic data such as the observation of a temporary slippery road or exceptional weather conditions (European Commission, 2013). Personally identifiable information must always be given the highest levels of protection. If data must be shared with third parties due to the above mentioned reasons, they should be anonymized and deidentified before being transmitted (EDPB, 2020). For example, the EU Data Task Force partnered with TomTom to improve road safety by sharing anonymized vehicle and infrastructure data between countries and manufacturers. For example, this will allow the detection of dangerous road conditions such as slippery roads and issue warnings to other traffic participants. "The EU Data Task Force (DTF) will use a decentralised data collaboration architecture to share vehicle-generated data […]. The datasets will then be taken by TomTom, processed further, and delivered back to other vehicles and road authorities via its live Traffic services" (Europawire, 2019). In line with Article 3(c) of Directive 2010/40/EU, data and procedures for the provision of road safety-related traffic information should be free of charge to users (European Commission, 2013). However, past studies showed individuals can sometimes be identified using anonymized data (Archie et al., 2018;Techcrunch, 2006), and so companies must ensure that the shared data does not permit re-identification (e.g., by minimizing collected data or using differential privacy techniques). 4. Compliance With Pertinent Data Protection Standards and Regulations: All data collection and processing obviously must respect relevant regulations (EDPB, 2020), such as the GDPR that applies to the processing of personal individual data, as well as the ePrivacy directive for information access on the terminal equipment of a user (EDPB, 2020; European Commission, 2020b). The IEEE P7002 standard specifies how to manage privacy issues for systems that collect personal data, e.g., by providing a guideline for a privacy impact assessment (IEEE, 2019).

Industry Recommendations
• Manufacturers should follow a strict privacy and data governance policy that includes transparency and communication to users, requesting affirmative consent and allowing limited sharing of data with third parties (including governments). In doing so, companies should comply with applicable standards and regulations such as the GDPR, the ePrivacy directive or the IEEE P7002. • Before transmitting personal information from an AV to third parties, steps must be taken to ensure that it cannot be traced back to an individual. • Manufacturers should implement data protocols defining who can have access to data under which conditions.

Policy Recommendations
• Before receiving AV data, policymakers need to make clear what types of AV data they are seeking and how that data will enable them to improve public safety or some other legitimate public purpose (e.g., improve infrastructure, traffic flow and law compliance). • At the EU level, building on Article 3(c) of Directive 2010/40/EU, consideration should be given to expanding the list of events and relevant traffic information that should be communicated free of charge.

Transparency -As A Key Mechanism to Realize all other Requirements
In the automotive sector, we contend that transparency is not a freestanding desideratum, but rather a key mechanism to realize the other principles or requirements. Transparency plays a major role for achieving the principle of privacy and data governance, requiring that manufacturers provide vehicle owners with information regarding data collection practices and intended uses (for more information see Guideline 3). Similarly, to satisfy the principle of accountability, the implementation of explicit transparency measures such as logging mechanisms or black boxes are essential (for more information see Guideline 7). The IEEE P7001 ("Transparency of Autonomous Systems") standard can serve as a baseline to address these issues.

diversity, Non-discrimination and Fairness -Including the Avoidance of Unfair Bias, Responsible Balancing of Risks and Accessibility
Generally and regarding the operations of AVs, no distinction between individuals should be allowed and fair treatment of all humans should be enacted. This is clearly stated in the Universal Declaration of Human Rights: "[e]veryone is entitled to all the rights […] without distinction of any kind, such as race, colour, sex, language, religion, political or other opinion, national or social origin, property, birth or other status" (United Nations, 1948, p. 2;Kriebitz & Lütge, 2020). In the field of AI (e.g., AVs), this obligation becomes ever more important as implicit biases and discrimination may unintentionally, and without transparency, be incorporated into algorithms. Studies show that systems can have differential performance for people of different ethnic groups, which consequently can result in them being harmed. For example, a study from the Georgia Institute of Technology illustrates how state-of-the-art AI object detection systems are less likely to detect pedestrians with darker skin color than those with lighter skin (Wilson, Hoffman & Morgenstern, 2019). Another study from the US National Institute for Transportation and Communities investigated the driving behavior through crosswalks that "revealed that Black pedestrians were passed by twice as many cars and experienced wait times that were 32% longer than White pedestrians" (Goddard, Kahn, & Adkins, 2015, p. 2). If such driving data is fed into a machine-learning algorithm, the system may discover this discriminatory pattern and adapt it into its functioning (Forbes, 2020). In order to ensure non-discriminatory programming and functioning, the systems need to be trained and tested for unfair bias. Companies should test their algorithms for bias and discrimination and demonstrate that certain fairness standards are met (Vox, 2019). Laws could be enacted, for example, that mandate that facial recognition software used by public entities and companies must be independently tested for bias (Secretary of State Washington, 2020). The IEEE P7003 standard for algorithmic bias considerations sets out instructions for eliminating bias when developing algorithms: it provides developers of algorithms for autonomous systems with protocols and includes criteria for selecting validation data sets (IEEE, 2019). The training should be different depending on the location where the system operates: when a technology is launched into the market, companies could localize it using location specific data. Companies could ensure that their development teams are sufficiently diverse to guard against intentional and implicit bias being incorporated into their algorithms and technologies (Vox, 2019).
Past literature has extensively debated dilemma situations (e.g., unforeseen and unavoidable accidents) with reference to the famous trolley cases. The ideal is to avoid such situations in which accidents are unavoidable in the first place; for example, the lateral position of AVs on a lane can be adjusted to tune the risk posed to all other traffic participants (e.g., how much room should be given to a bicyclist?). Therefore, we argue to move away from the debate around dilemma situations. Instead, a responsible balancing of risk or estimated harm should be permitted for AVs at all times. This balancing decision should not be based on personal features of individuals such as age or gender (Lin, 2016;Lütge, 2017). Instead, as the severity of injury increases in proportion to the kinetic energy, estimated harm could be quantified and balanced by more objective factors such as the type or speed of particular traffic participants and the impact angle under which a collision would occur (Geißlinger et al., 2020). Taking into account the type of road users would grant vulnerable traffic participants (e.g., pedestrians or cyclists) the same level of protection as other road users (European Commission, 2020a). Overall, the consideration of these factors could help achieve a "[g]eneral programming to reduce the number of personal injuries" (Lütge, 2017, p. 552).
Besides the unbiased vehicle's internal functioning, AVs should be human-centric (European Commission, 2020a). In particular, AVs should be equally usable for and accessible to all individuals, which requires a non-discriminatory design. For example, age or the presence of a disability is not always considered by automotive companies, leading to potential issues of discrimination. Therefore, levels of differing abilities need to be acknowledged (e.g., a young individual may have quicker reflexes for executing requests than elderly people) and the systems need to be adapted accordingly for different users, so that everyone can benefit from this new technology (for more information see also Guideline 1).

Industry Recommendations
• Companies should test their vehicle's AI systems for unfair performance differences across skin tone, gender, age and other characteristics. The IEEE P7003 standard can serve as a baseline to address and eliminate issues of bias in the creation of algorithms. • When a technology is launched into the market, companies should localize it using data and train the model using multiple diverse data sets that are location specific. • The AI developing team should be as inclusive as possible to include the broadest group possible in terms of demographics such as ethnicity. • A responsible balancing of risks and estimated harm to reduce the number of personal injuries should be permitted for AVs without discriminating against personal characteristics. Instead, factors underlying the balancing could include the type or speed of particular traffic participants and the impact angle under which a collision would occur. • The personalization of AVs should be accessible by design and as inclusive as possible (e.g., disabilities included). Before an AV is released onto the streets, companies should demonstrate their plans and actions that ensure customizing-options to their vehicles (e.g., possibility to take away seats or include a ramp for entering the vehicle with a wheelchair).

Policy Recommendations
• Consideration should be given to having ethics standards boards test and assess that the systems for AVs are working properly, fairly and in an unbiased manner. • Consideration should be given to requiring carmakers to explain the procedures they have put in place to make their designs accessible and avoid biases before granting them authorization to sell their vehicles to the public.

Societal and Environmental wellbeing -Including Sustainability and Environmental Friendliness and Social Impact
In terms of societal and environmental wellbeing, the Sustainable Development Goals adopted by all United Nations Member States can serve as a reference point. Goal 3 (to "[e]nsure healthy lives and promote well-being for all at all ages") and goal 11 (aiming to "[m]ake cities and human settlements inclusive, safe, resilient and sustainable") are particularly relevant to this topic (United Nations, 2015, p. 14). Companies and policymakers in the automotive sector should focus on meeting the following objectives: 1. Increased Public Health and Mobility: AVs can improve society's health by avoiding fatalities that are due to human error (Bartneck et al., 2019). This is in line with Vision Zero, which states that eventually no one will and shall be killed or seriously injured within the road transport system (Ministry of Transport and Communications, 1997). The introduction of AVs could offer greater mobility solutions for a major part of society that is mobility-impaired, whether the elderly, young (without a driving license) or those who were otherwise unable to drive (BCG, 2017;WEF, 2018). This could positively affect mental health (e.g., due to feeling less dependent on others) and create a more inclusive society (Lim & Taeihagh, 2018). These benefits, however, can only be realized if safety and diversity standards are adhered to (for more information see Guideline 2 and 5); 2. Better Traffic Flow: AVs could reduce congestion and delays (e.g., during peak hours) and improve traffic flows and efficiency, especially when combined with shared mobility options. For example, using a traffic simulation model for Boston, it was found that the simulations that had included AV technology yielded less congestion, shorter travel times and more street space and (BCG, 2017;WEF, 2018). These benefits stem mostly from AVs' connectivity to external communication networks so that data can be managed and distributed in real time enabling methods such as platooning (Lim & Taeihagh, 2018). However, if not managed properly, it could also increase traffic flow and generate inefficiencies of uncoordinated traffic (Joaquin Acosta, 2018a). Proactive measures such as adopting a fitting physical and digital infrastructure, could improve the existing traffic situation by at least 15-20% (Inframix, 2020); 3. Decreased Carbon Emissions: Widespread adoption of AVs could reduce environmental degradation through reduced emissions and energy consumption (BCG, 2017). This is especially true if unnecessary acceleration and braking is reduced (Lim & Taeihagh, 2018). A concrete action point for companies would be to design AI systems that reduce vehicles' CO2 emissions. For example, companies could offer by default an eco-driving mode with a speed average that minimizes emissions and avoids unnecessary acceleration or braking. Many of the benefits relating to the reduction of carbon emission can be achieved by combining AVs with other disruptive technologies such as the electrification of vehicles (BCG, 2020). In addition, promoting AV shared mobility could "lessen the environmental impact of passenger vehicles by decreasing the number of vehicles on the road" (Joaquin Acosta, 2018a, p. 3). A concrete action point for policymakers would be to facilitate research and development for solutions to combine AVs with other disruptive technologies (e.g., electrification, shared mobility).
While these potential benefits are substantial, there is also significant uncertainty about the net impact of introducing AVs. Many measures of benefits focus on improvements per vehicle-mile traveled (VMT). However, the increased mobility and convenience benefits will potentially lead to significant increases in VMTs, potentially leading to increased total pollution, congestion, and so forth, despite the per-VMT gains (Geary & Danks, 2019). Thus, as technology continually develops, companies and policymakers in the automotive sector should follow a stepwise implementation process to ensure that introduction of AVs provides net benefits. Moreover, this implementation process must be combined with a simultaneous adaption of infrastructure (physical and digital). "Needed structural improvements include dedicated lanes to separate AVs from other traffic, and sensors to enable selfdriving cars to communicate with their environment" (BCG, 2020). Otherwise, if AVs enter traffic in an uncoordinated way and without a fitting infrastructure, traffic flow and other benefits may be degraded. Several projects of the EU Horizon 2020 program have been focusing on this challenge (e.g., CoEXist or Inframix) (European Commission, 2019).
City planners, road operators and local authorities should use the findings of such projects to make informed decisions on where to roll out new mobility models and how to update their road network accordingly. Collaboration with multiple private-sector leaders and national agencies is key to fostering innovation and progress: "the success of AMoD [autonomous mobility on demand] will depend to a large extent on establishing close partnerships among mobility providers, infrastructure companies, and city authorities" (BCG, 2020).

Industry Recommendations
• When developing their products, automotive companies should consider integrating and providing benefits of increased public health and mobility, better traffic flow and decreased carbon emission. • Manufacturers should offer by default an eco-driving mode with a speed average that avoids unnecessary acceleration or braking and thus reduces carbon emissions. • When developing AVs, car manufacturers should try to integrate other disruptive technologies such as electrification and shared mobility.

Policy Recommendations
• Policymakers should follow a stepwise implementation process and concentrate on mixed traffic scenarios. Policymakers should promote the integration of AVs in existing transport systems instead of competition between them, for example, by prioritizing research and development of AV solutions for public and shared mobility. • A simultaneous adaption of physical and digital infrastructure is essential (e.g., lanes that separate AVs from other traffic). • In doing so, collaboration with multiple actors such as private-sector leaders and national agencies is key to fostering innovation and progress (e.g., make use of projects investigating differing mobility models).

Accountability -Including Auditability, Measures of Transparency, Reporting of Negative Impact, and Redress
The attribution of liability and responsibilities for AVs is a challenging issue. "The first step towards the creation of a culture of responsibility is the study, deliberation and agreement on the different responsibilities of different stakeholders" (European Commission, 2020a, p. 56). In case of accidents, the AV itself cannot be held morally accountable since it is not considered a moral agent (Gogoll & Müller, 2017). Responsible parties will instead be manufacturers, component suppliers, technology companies, infrastructure providers or car holders / drivers. Therefore, policymakers should clarify the concept of a producer as well as review regulations on product liability (e.g., European Commission, 2018). This will, of course, vary depending on the motor vehicle laws in place in different countries. When adapting existing regulations to AVs, regulators may have to choose between different liability regimes for different situations and levels of automation. For example, strict liability concepts may mean that for AVs, the manufacturer can be held liable if the automated mode is switched on, whereas, if not, the driver is considered liable. On the other hand, one could argue that liability should move gradually from one actor to the next (e.g., from the car manufacturer to the driver) depending on the driver's level of autonomy and solo action. For guidance, regulators could look to Law Labs (Joaquin Acosta, 2018b). Law Labs are a proposed concept to experiment with different regulatory approaches for a given innovation (e.g., AVs), similar to how regulatory sandboxes experiment with innovations in controlled environments (operating under temporary regulatory exemptions). For example, traffic rules could be revised and it could be investigated under which circumstances AVs are allowed to not to comply with a traffic rule (European Commission, 2020a). In order to provide clarity about the causes of accidents, companies in the automotive sector may want to consider the following issues.

Regularly Conduct Internal and External Audits
In terms of internal audits, manufacturers should execute continuous optimization and tests. This is in line with the guidelines of the Ethics Commission on Automated and Connected Driving, which state that "[l]iability for damage caused by activated automated driving systems is governed by the same principles as in other product liability […:] manufacturers or operators are obliged to continuously optimize their systems and also to observe systems they have already delivered" (Lütge, 2017, p. 553). In doing so, companies should conduct a risk assessment by listing factors that may increase risk and uncertainty regarding a vehicle's operation and by proactively implementing appropriate countermeasures. Risks may stem from the vehicle's technology (e.g., technical failure to transmit sensor data), the actions of other traffic participants (e.g., disobeying traffic law such as jaywalking), external circumstances (e.g., the state of the road, weather conditions) or the vehicle's driving behavior (e.g., speed).
In addition to adhering to internal standards and audit requirements, external test centers could perform conformity assessments and grant certifications since "independent assessment will increase trust and ensure objectivity" (European Commission, 2020b, p. 25). Common audit areas for a certification system are -similar to the AI4People requirements -autonomy and control, fairness, transparency, reliability, security and data protection. Expected benefits of an AI certification would be trust in the application, orientation for customers and developers, fulfillment of norms such as cybersecurity and data security and comparable market equality (IAIS, 2019).

Implement Explicit Measures of Transparency
These transparency measures should pertain to the development as well as the operation of AVs. Before operation, during the development phase, companies should retain records and data including data sets used for training (e.g., selection process) and document the programming and training methodologies. This is particularly important if authorities seek to review the underlying logic of a system and inspect relevant documentation (European Commission, 2020b). Also, during operations, relevant information should be recorded through logging mechanisms and black boxes integrated into AVs (Lütge, 2017). Regarding the black box, companies could consider an event data recorder and data storage system for AVs that record data of "the system status, occurrence of malfunctions, degradations or failures in a way that can be used to establish the cause of any crash and to identify the status of the automated/autonomous driving system and the status of the driver" (UNECE, 2019, pp. 3-4). These measures will ensure that the functioning and actions of AVs are explainable in retrospect. Overall, "[i]nternational standardization of the […] documentation (logging) is to be sought in order to ensure the compatibility of the logging or documentation obligations as automotive and digital technologies increasingly cross national borders" (Lütge, 2017, p. 555). For example, the upcoming regulation on automated lane keeping systems will determine what events are recorded by data storage systems for AVs (e.g., emergency maneuvers, failures) (UNECE, 2020b). IEEE P7001 provides such a standard for the transparency and accountability of autonomous systems so that the reasons why a technology makes certain decisions can be determined (IEEE, 2019). Similarly, SAE J3197 aims to govern data element definition, to provide a minimum data element set and common data output formats for an automated driving system data logger (SAE International, 2020).
Finally, external communication and reporting of performance and negative impact should be regularly required for companies in the automotive sector. Manufacturers and regulators should anticipate that individuals will want explanations when an AV's system did not perform as expected and intended. This is similarly stated in the ethical guidelines for trustworthy AI: "Whenever an AI system has a significant impact on people's lives, it should be possible to demand a suitable explanation of the AI system's decision-making process" (High-level Expert Group on Artificial Intelligence, 2019, p. 18). In California, for example, Transportation Network Companies (TNCs) such as Lyft have to provide the California Public Utilities Commission with reports regarding zero tolerance complaints, violations and collisions of their vehicles on an annual basis (California Public Utilities Commission, 2020). Further information to disclose may be the tradeoffs made within algorithms, the number of past accidents put into context (e.g., relative number of accidents during test drives compared to total number of test drives) as well as safety measures initiated to counteract these accidents. Thereby data, algorithmic and AI literacy is improved (European Commission, 2020a).

Industry Recommendations
• Manufacturers should continuously conduct internal audits (e.g., assessing potential risks to the safe operation of AVs) and subsequently optimize their systems. • Manufacturers should be transparent about the scope and process of their internal audits and risk assessments (e.g., space of conditions that are checked for). • The internal audits should be complemented with regular external audits by independent test centers. • Manufacturers should develop specific measures of transparency. This includes storing records and data of the underlying system logic (e.g., used training data sets) as well as logging mechanisms and black boxes (e.g., an event data recorder and data storage system) that document the actions of / in AVs during operation. The upcoming UN Regulation on Automated Lane Keeping Systems can serve as a baseline for vehicle manufacturers to develop appropriate data storage systems for AVs. SAE J3197 and the IEEE P7001 standard can serve as a baseline to address requirements for transparency and accountability of autonomous systems. • Companies should transparently communicate and report performance and negative impacts of AVs (e.g., number of collisions, tradeoffs within algorithms).

Policy Recommendations
• Regulators should adapt laws and regulations concerning AVs and liability as the technology continues to develop. Regulators should clarify where responsibility lies in certain situations and ensure that privacy and cybersecurity damages are taken into account. • Policymakers should consider establishing test centers that regularly request that companies perform conformity assessments and provide certifications.

CoNCLUSIoN
This paper provides practical recommendations for the automotive sector to deal with ethical issues regarding: human agency and oversight, technical robustness and safety, privacy and data governance, transparency, diversity, non-discrimination and fairness, societal and environmental wellbeing as well as accountability. By doing so, this paper distinguishes between policy and industry recommendations in suggesting first steps to be taken by both policymakers and companies. The following list summarizes all recommendations. In the future, we encourage stakeholders in the automotive sector to rely on these recommendations to determine relevant actions and to ensure that AVs comply with ethical principles.

Policy Recommendations
• Relevant fundamental rights to be considered in the field of autonomous driving are: human dignity, right to self-determination and liberty, right to life and security, right to protection of personal data, right to equality and non-discrimination as well as the right to explanation. • It must be realized that there will be no technologies or policies that maximize all fundamental rights for everybody simultaneously. There will always be trade-offs. Therefore, policymakers and legislators should decide which fundamental rights are to be prioritized in particular situations. • In doing so, policymakers and legislators should cooperate with multiple stakeholders to obtain necessary information for executing an evaluation and subsequent agreement on compromises and prioritization.

Industry Recommendations
• There should be a conditional override option allowing the control to be handed back to the driver. The admissibility of an override function depends on the level of automation of the AV (up to level 3: at any time; level 4: corresponding to safety mechanisms of an AV; level 5: not required) as well as on the state and behavior of the driver (e.g., impaired ability). • AVs should continuously assess and monitor the driver's attentiveness and ability to intervene.
Before operation, the AV could pose control questions to the driver (e.g., did you ingest any drugs or alcohol?); during operation, the AV could use sensors and biometric technology to do so. The upcoming UN Regulation on Automated Lane Keeping Systems can serve as a baseline for car manufacturers to develop appropriate driver attentiveness recognition systems. • Handover should correspond to the driver's capabilities. Therefore, AVs could learn about drivers' capabilities and response times during operation from aggregated data and adjust the vehicle's parameters accordingly (respecting a safe minimum time response). • Companies should provide documentation that justifies their particular handover window. • Training programs should be tailored to different demographic groups and exhibit minimum elements that should be regarded in a training curriculum (e.g., limitations and capabilities of AVs) based on findings of recent studies. • AVs should offer a 'training mode', for the first kilometers to train drivers on the AV's functioning. • External human-machine interfaces should clearly communicate about the vehicle's motion intention and awareness of other traffic participants to humans outside the vehicle.

Policy Recommendations
• Policymakers should finalize what constitutes acceptable and legitimate override functions and define applicable situations for activation. • Policymakers should determine standards for drivers' monitoring, training requirements, handover routines and external human-machine interfaces. These standards should be as global as possible. • Policymakers in each jurisdiction should consider designating an organization in each jurisdiction that is allowed to look at the code and data within the AV in the event of a fatal accident involving an AV or a corresponding legal proceeding.

Industry Recommendations
• The prime requirement of AVs should be safety.
• In addition to threats that relate to conventional vehicles, manufacturers of AVs should particularly focus on cybersecurity threats. In doing so, companies need to comply with regulations for cybersecurity management systems. SAE J3061 could serve as a guideline to design cybersecurity into AVs throughout the entire development life cycle process. • In terms of general functionality and safety, vehicles need to pass an official test that assures the system's accuracy, reliability and adequacy of its fallback options. The SAE Driving Safety Performance Assessment Metrics and the IEEE P7009 standard could serve as a baseline to design fail-safe mechanisms of autonomous and semi-autonomous systems.

Policy Recommendations
• Regulations need to be developed that reflect consensus on the method by which to grant approval to a vehicle's cybersecurity management system. • Policymakers need to work with industry experts to develop a standardized test for the general functionality and safety of AVs to assure the system's accuracy, reliability and adequacy of its fallback options. This test could serve as a basis for the approval of AVs for sale to consumers. • Policymakers need to collaborate with industry experts to determine and harmonize the definition of a 'safe condition' / 'minimal risk condition', the corresponding 'minimum risk maneuvers', and the circumstances in which such maneuvers should be executed. In doing so, SAE J3016 could serve as a baseline.

Industry Recommendations
• Manufacturers should follow a strict privacy and data governance policy that includes transparency and communication to users, requesting affirmative consent and allowing limited sharing of data with third parties (including governments). In doing so, companies should comply with applicable standards and regulations such as the GDPR, the ePrivacy directive or the IEEE P7002. • Before transmitting personal information from an AV to third parties, steps must be taken to ensure that it cannot be traced back to an individual. • Manufacturers should implement data protocols defining who can have access to data under which conditions.

Policy Recommendations
• Before receiving AV data, policymakers need to make clear what types of AV data they are seeking and how that data will enable them to improve public safety or some other legitimate public purpose (e.g., improve infrastructure, traffic flow and law compliance). • At the EU level, building on Article 3(c) of Directive 2010/40/EU, consideration should be given to expanding the list of events and relevant traffic information that should be communicated free of charge.

Industry Recommendations
• Companies should test their vehicle's AI systems for unfair performance differences across skin tone, gender, age and other characteristics. The IEEE P7003 standard can serve as a baseline to address and eliminate issues of bias in the creation of algorithms. • When a technology is launched into the market, companies should localize it using data and train the model using multiple diverse data sets that are location specific. • The AI developing team should be as inclusive as possible to include the broadest group possible in terms of demographics such as ethnicity. • A responsible balancing of risks and estimated harm to reduce the number of personal injuries should be permitted for AVs without discriminating against personal characteristics. Instead, factors underlying the balancing could include the type or speed of particular traffic participants and the impact angle under which a collision would occur. • The personalization of AVs should be accessible by design and as inclusive as possible (e.g., disabilities included). Before an AV is released onto the streets, companies should demonstrate their plans and actions that ensure customizing-options to their vehicles (e.g., possibility to take away seats or include a ramp for entering the vehicle with a wheelchair).

Policy Recommendations
• Consideration should be given to having ethics standards boards test and assess that the systems for AVs are working properly, fairly and in an unbiased manner. • Consideration should be given to requiring carmakers to explain the procedures they have put in place to make their designs accessible and avoid biases before granting them authorization to sell their vehicles to the public.

Industry Recommendations
• When developing their products, automotive companies should consider integrating and providing benefits of increased public health and mobility, better traffic flow and decreased carbon emission. • Manufacturers should offer by default an eco-driving mode with a speed average that avoids unnecessary acceleration or braking and thus reduces carbon emissions. • When developing AVs, car manufacturers should try to integrate other disruptive technologies such as electrification and shared mobility.

Policy Recommendations
• Policymakers should follow a stepwise implementation process and concentrate on mixed traffic scenarios. Policymakers should promote the integration of AVs in existing transport systems instead of competition between them, for example, by prioritizing research and development of AV solutions for public and shared mobility. • A simultaneous adaption of physical and digital infrastructure is essential (e.g., lanes that separate AVs from other traffic).
• In doing so, collaboration with multiple actors such as private-sector leaders and national agencies is key to fostering innovation and progress (e.g., make use of projects investigating differing mobility models).

Industry Recommendations
• Manufacturers should continuously conduct internal audits (e.g., assessing potential risks to the safe operation of AVs) and subsequently optimize their systems. • Manufacturers should be transparent about the scope and process of their internal audits and risk assessments (e.g., space of conditions that are checked for). • The internal audits should be complemented with regular external audits by independent test centers. • Manufacturers should develop specific measures of transparency. This includes storing records and data of the underlying system logic (e.g., used training data sets) as well as logging mechanisms and black boxes (e.g., an event data recorder and data storage system) that document the actions of / in AVs during operation. The upcoming UN Regulation on Automated Lane Keeping Systems can serve as a baseline for vehicle manufacturers to develop appropriate data storage systems for AVs. SAE J3197 and the IEEE P7001 standard can serve as a baseline to address requirements for transparency and accountability of autonomous systems. • Companies should transparently communicate and report performance and negative impacts of AVs (e.g., number of collisions, tradeoffs within algorithms).

Policy Recommendations
• Regulators should adapt laws and regulations concerning AVs and liability as the technology continues to develop. Regulators should clarify where responsibility lies in certain situations and ensure that privacy and cybersecurity damages are taken into account. • Policymakers should consider establishing test centers that regularly request that companies perform conformity assessments and provide certifications.

1
All co-authors of this paper constitute the AI4People-Automotive Committee. 2 The levels refer to the taxonomy developed by the SAE International (2018) for six levels of driving automation, ranging from no driving automation (level 0) to full driving automation (level 5).

3
The override function does not need to be similar to the way we are driving today such as taking over using a steering wheel or a paddle. On the contrary, the control can be a function provided through some interfaces that do not take away the original advantages of AVs such as inclusive accessibility.