New developments on EDR (Event Data Recorder) for automated vehicles

Abstract: With the upcoming new legislative rules in the EU on Event Data Recorder beginning 2022, the question is whether the discussed data base is sufficient for the needs of clarifying accidents involving automated vehicles. Based on the reconstruction of real accidents including vehicles with ADAS, combined with specially designed crash tests, a broader data base than US EDR regulation (NHTSA 49 CFR Part 563.7) is proposed. The working group AHEAD, to which the authors contribute, has already elaborated a data model that fits the needs of automated driving. The structure of this data model is shown. Moreover, the special benefits of storing internal video or photo feeds from the vehicle camera systems combined with object data are illustrated. When using a sophisticated 3D measurement method of the accident scene, the videos or photos can also serve as a control instance for the stored vehicle data. The AHEAD Data Model enhanced with the storage of the video and photo feeds should be considered in the planned roadmap of the Informal Working Group (IWG) on EDR/DSSAD (Data Storage System for Automated Driving) reporting to UNECE WP29. Also, a data access over the air using technology already applied in China for electric vehicles called Real Time Monitoring would allow a quantum leap in forensic accident reconstruction.


State of the art for traffic accident clarification using vehicle data
In Germany, a "Data Storage System for Automated Driving" (DSSAD) for vehicles with a level of automation ≥ SAE Level 3 was legally prescribed by § 63a StVG in 2017 [1]. In order to clarify possible liability issues, the DSSAD documents whether the system or the driver has controlled the vehicle [1]. The UNECE plans to introduce a DSSAD standard in 2020 [2]. Since 2006, NHTSA has defined with the regulation "49 CFR Part 563" uniform requirements for the accuracy, collection, storage, survivability, and retrievability of vehicle-specific crash event data in vehicles equipped with an event data recorder (EDR) [4]. This EDR functionality is generally implemented in the airbag control unit [5]. The regulation "49 CFR Part 563" applies only to the vehicle categories M1 and N1 [4,6]. As a result, heavy trucks, buses, motorcycles, agricultural and forestry vehicles, trailers or special purpose vehicles are not required to be equipped with an EDR. The US EDR records the vehicle data listed in "49 CFR Part 563.7", which are useful for accident investigations and the evaluation of restraint systems [4]. The regulation further requires that an accident analyst must be able to retrieve the data of an EDR without the support of the vehicle manufacturer using a "commercially available tool/device" [4]. As the regulation of the US EDR has been in force since 2006, no data elements important for the investigation of accidents involving automated, connected or electrified vehicles are taken into account. In addition, many accidents, involving pedestrians and cyclists in particular, are not recognized as significant events for data storage activation because of insufficient trigger criteria [7,8].
The European Commission has decided to legally prescribe the EDR for new vehicle types by 2022 [9]. Also China will legally prescribe an EDR by January 2021 [10]. The specification is being developed in a specially established informal working group (IWG EDR/DSSAD) and has not yet been completed [3]. An EDR similar to the US standard is particularly favored by manufacturers and the supplier industry. This impression could be gained at the previous meetings and telephone conferences of the IWG EDR/DSSAD, which the authors participated in.
In summary, the current and planned EDR and DSSAD solutions are not and probably will not be sufficient to fully clarify traffic accidents with automated and connected vehicles [8].
Parallel to these developments, many manufacturers are recording non-standardized accident data of the vehicle [11][12][13]. Experience from the main author's daily work as an accident analyst shows that the amount and triggering of this data is usually far from transparent. Furthermore, it is generally the manufacturers who decide which data will be made available to an independent expert, for example in the case of a trial.
China is following a special approach in the field of electromobility. It is mandatory that all data from the traction battery as well as the associated environmental variables are translated in real time from the vehicle's bus systems to a transmission unit as part of Real Time Monitoring (RTM). These data are buffered and sent to government servers [14].

Urgency of a sophisticated EDR concept
From the perspective of an independent accident analyst, this status quo already leads to the problems described below in modern vehicles and will become even more apparent in vehicles with a higher degree of automation in the future. In order to be able to present the facts more clearly, an exemplary accident scenario shall help: Imagine a modern vehicle with pedestrian and cyclist detection is involved in an accident with a cyclist. The cyclist crosses abruptly and without a hand signal the lane of the car. The cyclist is hit by the car and the head contact with the right A-pillar causes the cyclist to die at the accident site. This accident was physically unavoidable, as the cyclist crossed the lane of the car in such a way that defensive reactions were not possible even with the most modern technology. Due to the large mass differences and the streaking collision, the car equipped with EDR functionality does not record any data in the airbag ECU. However, the integrated assistance systems in the vehicle have registered the accident and stored the data in the data memory, which can only be accessed by the manufacturer. In addition to detailed driving dynamics data and data on the functional status and mode of operation of the individual assistance systems, video data including the object data of the vehicle environment generated by sensor fusion are also stored in the event of an accident. These data could verify the technical unavoidability of the accident by the driver of the car or by the installed assistance systems.
As the final vehicle positions were changed before the arrival of the police or an expert due to the traffic situation, a retrospective, classical accident analysis without these additional vehicle data leads to very large tolerances. Consequently, when considering the situation in favor of the cyclist, the accident could have been avoided for the car driver or also for the assistance systems installed.
In the context of a civil proceeding, the cyclist's surviving dependents seek a trial against the vehicle driver. In the operating manual of the vehicle it is clearly stated that vehicle data beyond the EDR are stored in the context of an accident. With reference to the basic data protection regulation, the driver requests the manufacturer to disclose this data. As the vehicle involved in the accident has over-the-air services, the data relevant to the accident has been transmitted automatically to the manufacturer shortly after the accident. He was able to interpret the data. In addition, these data prove that the accident was unavoidable for the driver. While the accident was also unavoidable for the system, it is plausible that in this case the data will also be made available to the court. If, however, the manufacturer concludes during the analysis of the accident that malfunctions were present in the active assistance systems and these were possibly the cause or contributory cause of the accident, it is questionable whether the complete data set will be transmitted to the court. In case of any doubt, due to the lack of standardization of this data, the manufacturer will argue that certain data elements were not stored for this specific accident situation in the vehicle.
Furthermore, constellations are possible in which the significantly larger amount of data recorded in proprietary systems may contradict recorded EDR data. An obvious example is that the US EDR only records the indicated speed, which can deviate by 10% from the actual center-of-mass speed of the vehicle during a full braking maneuver with ABS control intervention [15]. From the authors' perspective, this will lead to the grotesque situation that, depending on the persistence and level of knowledge of the prosecuting authorities or the experts involved as well as the eagerness of the manufacturers to cooperate, accidents can or cannot be clarified, even though the stored data allow a reliable clarification in any case. Court practices in Germany already show today that manufacturers are increasingly being requested by the courts to provide this data. It can be assumed that this procedure will continue to increase with the increasing market penetration of (partially) automated vehicles, with a corresponding workload for the manufacturers. In addition, it can already be seen that external data sources such as smartphone data, data from dashboard and surveillance cameras and data from intelligent infrastructure are increasingly being introduced into court proceedings [16]. This will lead to a real data chaos with partly contradictory data sources. If no standardized database is available, lengthy and cost-intensive court proceedings will be the result, in which not all accidents can be clarified completely and residual doubts will probably remain [17]. If, however, especially considering automated driving, a residual doubt remains after traffic accidents regarding the correct functionality of the system, this has the potential to undermine the acceptance or trust in this technology. This complicates its commercialization significantly [18].
It is important that confidence in the technology is built up, with complete accident investigation and the avoidance of system errors as central elements. The traceability of decisions made by the system must always be ensured. This addresses also explainable Artificial Intelligence (AI).
For this reason, the informal working group AHEAD (Aggregated Homologation proposal for Event data recorder for Automated Driving) was founded in order to push ahead with the standardization of the database needed for a future EDR [19]. The objective is to record only as few data as necessary in order to be able to clarify all accidents reliably and without residual doubt. The principle of data minimization and data protection was given the highest priority by AHEAD. The structure of the database can be seen in Figure 2.
AHEAD focused especially on data elements related to ADAS / HAD / AD, V2X communication, electromobility and cyber security, as these have not been sufficiently considered in previous EDR concepts. In addition to this work, a scientific solution for a future EDR on an independent basis is systematically developed in the research group of the authors at Technische Hochschule Ingolstadt. The procedure is as follows: Based on the expert knowledge of the authors, in combination with the corresponding databases of DEKRA Automobil GmbH and publicly accessible accident databases [21], accident scenarios are systematically developed which cannot be sufficiently clarified by classical accident analysis under consideration of the US EDR. Afterwards, data elements are identified which will help to clarify the accident scenarios of the future with the highest possible accuracy and without remaining doubts. These data elements will be validated by the analysis of real accidents as well as by specially designed tests on the test The individual accident scenarios are analyzed as completely as possible, similarly to the commissioning of an expert by a court, so that the necessity of the individual data elements can be assessed by a practical procedure. In addition, for an accident reconstruction of the future it is necessary to reproduce these scenarios virtually with the appropriate tools in order to be able to answer questions regarding the avoidability of the accident by the driver or the system. This approach is shown below using the recording of videos from the system cameras as an example of an explicit data element.

Necessity for storing system videos and associated object data - one video tells more than 1000 Terabyte
It is becoming obvious that the storage of system videos within an EDR concept is regarded critically by many stakeholders. First of all, data protection reasons are cited, since outdoor videos could also include uninvolved persons or vehicles. Interior videos are regarded as even more critical, since it is assumed that the privacy of the occupants will be partially violated [3]. However, from an accident analysis point of view, the advantage of an event-based approach is that data are only stored in the case of a relevant event (usually an accident). In this circumstance, the recorded persons and vehicles would not be uninvolved. They would be witnesses of the accident. In order to illustrate the necessity of storing at least external system videos, the following example of a real accident is used.
At an intersection with the traffic regulation "right over left", an accident between a motorcycle approaching from the right and a passenger car approaching from the left, as seen by the motorcyclist, occurs. The high throw distance of the motorcyclist is conspicuous during the classical accident investigation. With appropriate virtual reconstruction methods, a speeding offence of the motorcyclist can be determined based on the throw distance. The accident took place in a zone with a 30 km/h speed limit.
In reliable calculations, despite very precise 3D accident documentation, even using the latest reconstruction methods, tolerances of up to +/−10 km/h for the collision speed of the motorcyclist can occur. This can be assumed due to the uncertainties of the variable parameters and the mathematical limits of the calculation models used. This is evidenced by similar cases of the main author's professional practice.
There are no traces of the pre-collision phase of both vehicles due to installed ABS systems or uninitiated braking. In addition, no independently retrievable EDR is installed in the vehicles involved in the accident. Even if an EDR was installed, it could not be assumed that the accident would be stored in the EDR because of the streaking collision that took place. In these cases the trigger thresholds according to 49 CFR Part 563 are often not met. However, the car involved sends extensive data proprietarily to a server of the manufacturer. The amount of data sent permanently or event-based is not transparent for independent third parties. In this specific case, all system videos documenting the accident could be backed up with a prosecutor's order. A freeze frame of the front camera is shown in Figure 3.
By using these videos, the accident and in particular the cause of the accident can be clarified significantly more precisely [22]. The videos show, beside the speeding of the motorcyclist, also a visual occlusion for the vehicle driver by a crossing VW Touran. The exact synchronization of the vehicles with the VW Touran involved in the accident in terms of time and distance is not possible without the corresponding video material.
The involved vehicle perceives its environment on the basis of its installed sensor systems and associated sensor fusion. These sensor fusion data enable the recognition and tracking of objects. This object information (for example, at which point in time the vehicle recognized and classified the motorcycle as a hazard) would be very useful for further accident analysis. A reaction point of the vehicle could be determined and avoidance scenarios by the vehicle could be examined with a correspondingly complex virtual simulation. In this way it can be proven whether the accident was avoidable or unavoidable for the system.
A prerequisite for such an approach is the availability of the object data in combination with the system camera data. Using this method it is possible to correlate the object data, embedded in the correct perspective, and hence the perception of the vehicle, with the visual perception of a human using the stored video. Thus it would be possible to check whether boundaries of an object were recognized properly. In combination with a very precise 3D measurement of the accident scene, the distances and speeds that the system calculated could be checked by analyzing the system videos [17]. As a result, indications of faulty or incorrectly calibrated sensor systems could be detected more easily. This approach could also be used for future periodical technical inspections (PTI) if the inspection environment is known very precisely in 3D and access to the vehicle's object data is possible [23].
Basically, it has to be stated that system videos in combination with corresponding object data are an absolute prerequisite for such an exact and complex accident reconstruction. For this reason, the videos should be stored in an event data recorder of the future, especially since pictures and videos are able to depict the accident sequence for a technical layman in a more comprehensible and vivid way than any other recording data could. It is important to note that optical effects such as lens distortion and other special characteristics of the system cameras used must be taken into account in order to avoid incorrect impressions. The necessary adjustments of the videos and angle of view are not trivial and should be restricted to a holistic accident analysis. The usage of this kind of videos would result in significantly more legal certainty, as accidents could be clarified better or accident types could be clarified which are not yet resolvable at all. For example, in the case of the above-mentioned accident, the visual coverage of the VW Touran would not be resolved without videos.
In addition, if these very precisely reconstructed accidents were fed as quickly as possible into an anonymous accident database, the following advantage would result for the development of automated and connected vehicles: Manufacturers would be able to learn from accidents involving not only their own vehicles but from all relevant accidents. For example, this method could be used to check virtually whether a particular accident scenario that was difficult for a competitor's system to recognize, and therefore caused the accident, is also difficult for the manufacturer's own system. Besides, false learnings of AI that could potentially affect a whole fleet could be detected promptly.

Outlook
Analogous to the reason given above for storing system videos or environmental data in the EDR of the future, each data element or cluster additionally proposed in the data list developed by AHEAD has to be verified. Real accidents in combination with properly designed laboratory tests are the most appropriate way to prove the necessity of a data element and its detailed definition in terms of accuracy and resolution. Further experiments in cooperation with DEKRA and FSD GmbH are already planned at the CARISSMA Research Centre.
However, the presented EDR concept is only one important aspect in a holistic concept for an accident analysis of the future in order to be able to clarify accidents more precisely and to pass on the lessons learned more effectively to the relevant authorities. In the current forensic accident analysis, it is often the case that, due to the exclusive right of exploitation of state prosecution and courts, an accident analysis report is usually only used for court-relevant questions. Conclusions, for example regarding particularly critical accident scenarios for certain assistance systems or traffic infrastructure issues (e.g. confusing traffic routing), are usually not addressed by the expert, nor can manufacturers or road traffic authorities access these expert opinions.
For this reason, the authors designed a holistic approach according to Figure 4 in order to elevate the accident analysis of the future to a new level.
The data generated during an event is first recorded in an EDR. The data is automatically transmitted to a data trustee via a secure data connection and an over-the-air interface. The big advantage of this method is that in the event of a fire, for example, in which the EDR could potentially be destroyed, the data is secured by the data trustee in case of appropriate network coverage. Once the data has been received by the data trustee completely, authentically and with integrity, it could also be physically deleted from the vehicle. The advantage would be in case of a sale of the vehicle that possible accident data of the seller could not be accessed by a buyer, which would be desirable for data protection reasons. It could also be imagined that certain data, such as traction battery values or mileage, which are decisive for the value of a vehicle, could be logged on the event data recorder in a non-overwritable form for inspection by a buyer or corresponding expert.
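The hand-off described above, sketched as an added example (not from the paper or from AHEAD): the vehicle deletes its copy only after the data trustee returns a receipt bound to the hash of the record it stored. The pre-shared HMAC key, the class names and the record fields are assumptions, since the paper does not specify a mechanism.

```python
import hashlib
import hmac
import json

# Constructed pre-shared key (assumption). A production design would keep a
# per-vehicle key in hardware and would more likely use asymmetric signatures.
SHARED_KEY = b"constructed-demo-key-not-for-real-use"

def mac(label: bytes, data: bytes) -> str:
    """HMAC-SHA256 with a label so an upload tag can never pass as a receipt."""
    return hmac.new(SHARED_KEY, label + b"|" + data, hashlib.sha256).hexdigest()

def canonical(record: dict) -> bytes:
    """Stable byte encoding so both sides hash exactly the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

class DataTrustee:
    def __init__(self):
        self.store = {}  # SHA-256 digest -> event record bytes

    def receive(self, payload: bytes, tag: str):
        """Store the record only if its tag verifies; return a receipt or None."""
        if not hmac.compare_digest(mac(b"upload", payload), tag):
            return None  # altered in transit or not from the vehicle
        digest = hashlib.sha256(payload).hexdigest()
        self.store[digest] = payload  # retransmissions are idempotent
        return {"digest": digest, "receipt": mac(b"receipt", digest.encode())}

class VehicleEDR:
    def __init__(self):
        self.pending = {}  # digest -> record bytes still held in the vehicle

    def record_event(self, record: dict) -> str:
        payload = canonical(record)
        digest = hashlib.sha256(payload).hexdigest()
        self.pending[digest] = payload
        return digest

    def upload(self, digest: str, channel) -> bool:
        """Send one record; delete the local copy only on a valid receipt."""
        payload = self.pending[digest]
        ack = channel(payload, mac(b"upload", payload))
        if not ack or ack.get("digest") != digest:
            return False  # keep the record and retry later
        expected = mac(b"receipt", digest.encode())
        if not hmac.compare_digest(expected, ack.get("receipt", "")):
            return False  # receipt was not issued by the trustee
        del self.pending[digest]
        return True

def demo() -> dict:
    trustee, edr = DataTrustee(), VehicleEDR()
    # Constructed sample event; field names are illustrative only.
    d = edr.record_event({"event_id": 1, "speed_kmh": 47.5, "ad_mode": "driver"})

    def tampering(payload, tag):  # channel that alters the record in transit
        return trustee.receive(payload.replace(b"47.5", b"30.0"), tag)

    def forged_ack(payload, tag):  # channel that never reaches the trustee
        return {"digest": d, "receipt": "0" * 64}

    results = {"tampered": edr.upload(d, tampering),
               "forged_ack": edr.upload(d, forged_ack),
               "kept_after_failures": d in edr.pending,
               "clean": edr.upload(d, trustee.receive)}
    results["deleted_after_receipt"] = d not in edr.pending
    results["trustee_has_record"] = d in trustee.store
    return results
```

In both failure cases the record stays in the vehicle, so a lost connection or a spoofed acknowledgement cannot cause accident data to be erased before the trustee actually holds it.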
In addition, in the case of real-time access by EDR to the vehicle's bus systems, it would be advisable to carry out sovereign inspections of the vehicle. This is technically possible, as shown by the Real Time Monitoring (RTM) for electric vehicles prescribed in China [14]. This offers completely new possibilities for PTI, in order to check the increasingly complex sensor systems for malfunctions and correct calibration independently of the vehicle system. At the same time, the values recorded by the EDR with regard to the specified tolerances could also be checked during PTI. An over-the-air solution via a data trustee also has the advantage of simple data handling by authorized accident analysts or experts as they easily could access the data in a web-based solution. In combination with a state-of-the-art accident reconstruction, including a very precise 3D accident site measurement with the exhaustion of all digital forensic possibilities, it also would be feasible to reconstruct a very accurate, virtual scenario of the course of the accident. This could be anonymized and transferred in an open scenario format to a corresponding accident scenario database, which could be accessed by all interested stakeholders. As a result, such an accident reconstruction of the future would fulfill three essential tasks outstandingly: First of all, this approach ensures legal certainty and data privacy for all. Accidents can be solved reliably and both the manufacturer and the driver involved can exculpate themselves if necessary. This creates trust on all sides.
In addition, the significantly more accurately reconstructed accidents can feed anonymous accident scenario databases, which would be of enormous value to a large number of stakeholders. In particular, the conclusion derived promptly from an accident would be of significant value for the development of highly automated vehicles as well as for the further improvement of a safe traffic infrastructure. These aspects are largely neglected in the classical accident analysis.
Finally, it can be argued that access to EDR data in real time could significantly improve the quality of PTI [23].