
Trolleys, Risk and Consequences: A Model For Understanding Robocar Morality

The morals of making robocars are very complex.  Developers firmly believe they must test on public roads, even though they know this means exposing unwitting members of the public to some small risk.  After testing, deployments will certainly have accidents, including additional fatal ones, a correctly frightening and discouraging prospect. At the same time, success promises fantastic improvements in road safety and saving the lives of immense numbers of people who would have died if people didn’t have the opportunity to trade off riskier human driving for a robocar ride.

Recent revelations concerning Uber’s 2018 fatal collision with a pedestrian in Tempe Arizona are bringing these issues back to the spotlight, and increasing the need to understand them.  There have been many essays and opinions on how to think about robocar risks and morals. Here I hope to present both a refined view, and a guide to understanding the thinking around it. We’ll look at:

  1. Understanding the different styles of moral thinking people do in different situations (or even at the same time)
  2. The way the law, society and insurance treat risky driving, accidents and bad accidents.
  3. The risks, and casualties, we seem to willingly embrace when it comes to driving (and learning to drive) for remarkably small benefits.
  4. How our view on whether “the ends justify the means” varies whether we talk of deliberate ill acts vs. deliberate small risks.
  5. The big benefits that come when one small fleet of robocars learn to drive more safely, then that’s copied, as software, out to millions of them — something we’ve never been able to do with human drivers.
  6. The risks and principles of current robocar testing and development approaches, and how Uber violated them.
  7. The great benefit if we get it right.

It turns out that a combination of lessons from the true original “trolley problem” (the one with trolleys, not robocars) and measuring risk creation rather than tragedies can help us build a better understanding, and legal regime to handle the hard question of robots that will both harm and save people.   We can save millions of lives if we are willing to tolerate the same risks found in letting teen-agers learn and then drive, or pizza chains to deliver pie. Just about everybody working on robocars is keen to have them save lives, and to have them start doing that as soon as they can, but for that to happen the public has to understand and even embrace the process.  To do that, we must understand both our moral instincts and our math, and the difference between risk and tragedy.

The difficulty in understanding these issues was brought home to me by a lunch conversation with a friend earlier this year.  The friend was quite disturbed about the risks of early prototypes. I asked him if it was reasonable if the result were that 100 people died during testing, but a million were saved by deployment.   He was clear that this was not OK, and he’s not alone.

Human morals are complex and tricky, and they vary a lot based on situations.  Few of us are pure in our principles, and we use different principles when making personal judgments than we do when making collective decisions as a society, or in courts.  To understand this problem — and how to come to the best solution, it is necessary to understand how people think about this, and in some cases, possibly change that thinking to create a result that most agree is better.

The answer may lie in the fact that while we don’t accept that great ends can justify immoral means, we’re very willing, it turns out, to accept that even modestly beneficial ends can justify means with small immoral risks.

The types of morals

Roughly speaking, philosophers group moral systems into two broad classes.   The first demands a code of rules and principles, and defines wrong as violating those, regardless of the result.  The expensive word for these systems is “deontological’ but we’ll just call them rule-based. On the other side are results based systems, that measure right and wrong by what actually happens.  These are known as “consequentialist” morals. One particular subset is the “utilitarian” rule — to provide the greatest good for the greatest number of people, or in the negative sense, to provide the least harm to the fewest number.

Sometimes we love the utilitarian principles, especially as a society.  As individuals, we tend to distrust them, for they are tied with the dangerous idea that “the ends justify the means” which has led to so many moral horrors throughout history.   Most of us are not strictly of one school or the other. As noted, we change based on whether we are a person or a society, and we bend our thinking based on our personal view of the ends more than we would like to admit.

A pure utilitarian would happily approve of cars killing 100 to save a million — it’s a utilitarian no-brainer.   At the same time, many will have discomfort with it. The answer, I suspect, is to understand how as individuals we have an understandable focus on incidents and tragedy, while as a society we have a focus on risk evaluation and public goods.

Those who have read my writings will know I hate the common application of the famous “Trolley Problem” to robocars.  In this application, people imagine the software in a car having to decide between killing two different sets of people in a crash.   We’re morbidly fascinated with the idea of machines deciding who lives and who dies, something that used to be the province of the gods.  In reality this is a ridiculously rare situation, and solving it is not on anybody’s priority list. Nor do programmers and companies want to have to write moral algorithms, they would much rather policy makers answer such questions and write laws that they will gladly follow.

The original trolley problem, however, has a real function which is quite useful here.  It was designed to help us understand our own moral thinking, to help us understand the difference between the rules-based and results-based moral systems — and thus to help teach philosophy classes.  The true trolley problem can help us understand this situation.

As you may recall, in the original problem, a trolley is hurtling down the tracks with broken brakes.  Somebody (the actual immoral person in this scenario) has tied 5 people to the main track, and one person to a side track.  You can throw a switch to divert the trolley, and kill the one person, to save the 5. Up to 90% of people actually take the utilitarian (results based) path and choose to throw the switch, but some refuse to.   (Or rather, they do in a classroom exercise. The YouTube show “Mind Field” did an experiment trying to trick people into thinking they were really in this situation.  Spoiler alert: The majority of them simply froze with fear.)

I like to say that the engineer’s solution to this problem is more straightforward — fix the brakes on the trolley.   Robocar engineers will mostly work to assure their cars never get in this situation, even though it occurs very rarely.

More interesting than the basic trolley problem are the variations that moral philosophers have dreamed up.  In one variant, you don’t throw the switch, you push a fat man onto the tracks to stop the trolley — fewer people will do that, since it’s a more participatory murder.   In the most extreme version, you forget the trolley and just imagine five patients in desperate need of organ transplants. You can grab a man walking down the street, cut him up and save all 5 of them — almost nobody will do that, even though under pure utilitarian rules it is the same problem.

Almost nobody will do that because as I said, few of us are purely of one school or the other.  It’s hard for us to change our thinking. To understand and deal with the issues around testing and deploying self-driving cars, we must transcend the natural, individual instinct to see things as “just” the individual tragedies they are, and to think as a society does, about deciding what risks are acceptable and should be permitted, and which should not.

In addition, we have a much stronger objection to tragedy that happens to uninvolved “bystander” parties, but we don’t have nearly the same objection to simply exposing them to smaller risks.  Finally, we are more afraid of being harmed by independent machines than by people. We’re funny that way and as such people don’t like being killed by robots — we would rather be killed, it seems, by drunks.

Morals of driving

So what does moral philosophy have to do with cars?   For that, we need to start thinking about the morals of car accidents.   Here, individuals and societies differ. Societies, and law in particular don’t like to describe something as immoral or evil unless there was ill intent or mens rea as the law calls it.  Almost all felonies require ill intent, and without it there is (at most) a much lesser charge.   Because of that, it is not uncommon for somebody to kill somebody with their car and face no legal punishment.  They will face financial punishment but this is handled by insurance. They walk away only with the sense of guilt over what took place.    This is only true when killing the person was completely unintentional, and in fact fully counter to their intentions. Without the intent to kill — or serious and wilful negligence — there is no murder or even vehicular manslaughter.

At the same time, we work hard to find bad intent or negligence, because it bothers us greatly that something as tragic as a death could go without response.  But when it was truly an accident — by which I mean it took place within the normal risks of prudent driving — there is no legal consequence, only at most an insurance-paid financial consequence.

On the other hand, consider speeding.   Speeding is illegal, even if frequently done yet rarely punished in some places.  When you speed, you know, or should know, you are speeding. In doing so, you are exposing other people on the road to additional risk, though luckily almost all of the time nothing happens.  While you’ll certainly get a speeding ticket if you have an accident while speeding, most are issued just for speeding that harmed nobody. Almost all of us speed, and we do it for fairly trivial reasons — we want to get somewhere a tiny bit faster.  It may be counter to intuition, but deliberately speeding is more immoral and illegal in our system than accidentally killing — but we are personally much more tolerant of the speeding.

The true moral issue in operating cars, I believe, revolves around deliberately exposing others to risk.  Or to get more specific, to unacceptably high risk. All driving involves exposing others to risk.  In fact, it is probably — by a large margin — the thing we do that exposes others to the most risk.   We all know the staggering toll of death, injuries and property damage from driving — more people have died from car accidents than were killed in all the wars and terrorism in the history of the United States going back to the Revolutionary war.   It’s a disturbingly risky thing, but it’s so important to us that we have decided to accept, for ourselves and others, this relatively high risk. We do so intentionally, though we often forget about it, and we’re certainly bad at remembering the math of it.   We deem this basic level of risk “acceptable” in our laws and lives.

Societies have decided that the thing which is wrong, the thing which is illegal, is not the specific casualties, but rather intentionally or negligently exposing others to extraordinary risk.

We’ve written laws to forbid exposing others to exceptional risk, which ticket you for speeding, bad lane changes or careless driving.  We judge those immoral, as they are done with intent or negligence, and yet we don’t judge the truly unintentional fatality as immoral. That doesn’t stop those involved in seeing it as a great tragedy, for it is one, and this is our totally natural reaction.  But as a society, writing and enforcing laws, we think differently.

We include a surprising number of risks in the “acceptable” column when it comes to driving.  Consider some of the things we do, of which only the last three are illegal:

  • We drive in heavy, complex traffic
  • We drive in rain, snow and at night
  • We drive in areas crowded with pedestrians and cyclists
  • We drive cars with modest mechanical issues
  • We drive cars without Automatic Emergency Braking and other advanced tech
  • We drive sleepy, even falling asleep. (Two states have laws against drowsy driving.)
  • We drive when we are reckless teen-agers, with a fresh licence
  • We drive with a learner’s permit, supervised by an adult
  • We drive when we are seniors with failing senses and reaction times
  • We drive with just below the legal limit of alcohol
  • Even though it’s illegal, we drive while impaired
  • Even though it’s illegal, we fiddle with devices and even write text messages
  • In the USA, it’s very common to speed, often by a large margin

Let’s consider the prototype robocar.   When a team puts a robocar out on the road, they are deliberately exposing other road users to risk.   It is not their intention to cause any accident of course, in fact it is their intention not to.

The test robocars, up to this point with a few exceptions, are always operated with a human “safety driver” behind the wheel, ready to take over in the event of a problem.  There is almost always a second person as well, both monitoring the systems and keeping an extra set of eyes on the road from time to time. This can be compared to the situation with a new teen-age driver with a learner’s permit, accompanied by a driving instructor.  The driving instructor has their own brake pedal and can grab the wheel, like the safety driver in the robocar. Teen drivers with driving instructors actually have a pretty decent safety record, and so do almost all of the robocar teams — with Uber as a glaring exception I’ll get to later.

Those teen drivers, once they get their licence after passing a fairly minimal test, become the most dangerous drivers on the road.   We let them out to give them mobility, but also because this is the only way to turn them into the safer middle-aged drivers they will eventually become.  We accept the risk of the new teen driver in the hope of getting that safer future driver. Each risky teen we let out produces just one safer adult, or rather slightly less than one because too many of them never make to that safer age.

As noted, the robocar team is also knowingly putting the public at some risk.  The payoff, however, is immense. The small training fleet will improve the safety of all the cars that come after it, which eventually means millions of cars.   By accepting the early risk of testing and development, we get a payoff of vastly reduced risk in the future. That reduced risk comes when the cars drive more safely than people, and the people stop putting others at risk by driving themselves, preferring to take a safer robocar ride.   This is particularly true if those people drink or do any of the activities listed above.

Some argue that we should consider not just extraordinary risk but necessary risk.  That it can also be wrong to expose people to ordinary risk if it’s not necessary. In particular, they argue that current teams are doing more testing than they need to do, and this is wrong.  This may be true (though of course just how much is needed is a subject of legitimate debate.) Nonetheless, if we look at the reasons people take risks on the road, from delivering food to getting home a minute sooner, they hardly seem to meet this bar of necessity, even though we tolerate them.

Here we must think in the results based way.   The robocar team’s work vastly reduces the risk in the world, and as a society we have to see that as a good thing.  Indeed, we must shake our head that we ever allowed the large risk of human driving up to this point. Like the teen driver, we can see the trade-off of accepting some risk in training and early driving to get that reduction in the future.    Exposing others to risk is the immoral act, preventing it is the moral one. The balance is good.

Measuring Risk

The balance is very, very, very good.  We can borrow a term from risk analysis and say that 1 mile of driving generates 0.1 “micromorts” of risk around the world.   A micromort is a 1 in a million risk of fatality. In the USA, the number is better than the global average — about 0.013 micromorts per mile.

It turns out that you can calculate the risk reduction that comes from having safer robocars sooner very easily.   You calculate how much safer they will be in the far future — let’s say twice as safe as humans in the US, or 1/250th of a micromort per mile — and you multiply that by the extra miles of human driving in the period you delay initial deployment.    This presumes that by delaying initial deployment you similarly delay full saturation by the same amount of time. That’s not fully correct but it’s a good approximation. So if you delay that deployment by a year, as a result there will be — and this is a huge number — over half a trillion more micromorts of risk in the world, or around a half-million morts.   Delay it by just a day and it’s 1.5 billion micromorts more risk the world will endure.  We drive that much — by my count, around 1.7 light years every year, about the only way that light-years can be used as a unit of human activity.

(You may ask, why do I write about “biillions of micromorts” rather than the easier to write “thousands of lives?”  That’s the whole point of this essay, to learn how to think about testing as a million tiny risks, each with a higher benefit, rather than as a series of tragic deaths.  Just as we view a billion Pizza deliveries as a billion similar tiny risks in exchange for merely a billion more convenient suppers.)

The few thousand prototype robocars out there are creating risk, but not that much.  If we presumed they were grossly unsafe drivers — which they are not — it would still be 100,000 micromorts in their whole testing life.   Compared to 1.5 billion added for each day of delay. These numbers are difficult to ignore. 100,000 risk units vs trillions — given some reasonably conservative assumptions like 10 million miles of testing and getting done 2-3 years faster.

Yet we still have trouble.  In one variant of the trolley problem, people are told that throwing the switch will not run over a single person tied to the tracks, but rather derail the train and send it over a hill into the home of a sleeping man, killing him.   People are much more reluctant to pull the switch. It is supposed that this is because the person tied to the tracks is “involved” in the situation but the sleeping one is an uninvolved bystander. As moral individuals, we are not so ready to accept or cause the death of somebody so uninvolved.   But we are very willing as we drive, it seems, to accept exposing uninvolved people to small amounts of risk.

How good is safety driving?

How much risk?  Well, the leading company in the field is Waymo.  I worked on their project 7 years ago when it was inside Google.  They have driven well over 10 million miles, and only had one at-fault minor property damage accident.   They have had a larger number of other-at-fault accidents than would be expected, and the issues behind that are worthy of a different article, but even including those accidents still produces a very good safety record — better than the average driver and certainly better than that freshly licenced teen.    It’s very likely that any pizza chain is exposing the public to more risk per mile than Waymo is, and all we get out of that is delivery of tasty pies, not the vast reduction of risk promised by the success of these cars. Not even the conversion of young drivers into mature ones.

Tesla publishes numbers for the number of miles between accidents in Teslas using Autopilot vs. not using Autopilot.  Their most recent numbers were 4.3M miles with Autopilot on and 2.7M with it off. Tesla doesn’t define what an accident is, and because Autopilot is almost entirely a highway product there will naturally be lower rates in the places it is used — but these numbers are pretty good even considering those factors.  They suggest that the risk of having a single untrained consumer in the role of safety driver in a highway situation is decently within the bounds of acceptable risk, backing up the claim that two well trained safety drivers suffice by a large margin. Oddly, it is less clear what this means about untrained solo drivers when the system gets so good that they become complacent, or about driving on urban streets, but Tesla will shortly expand their supervised offerings to include city streets and help answer these questions.  They are already answered for trained safety drivers, with the one big exception being Uber.


In March of 2018, Uber’s vehicle struck and killed Elaine Herzberg, a Tempe, Arizona woman who was crossing an otherwise empty road outside of a crosswalk.  Most of us in the industry found it astounding that Uber’s vehicle did not detect her easily and brake with plenty of time. The reasons for that failure have been extensively discussed but the upshot is, as conclued by the National Transportation Safety Board, myself and many others, that it was 99.9% a human failure.  Uber made very bad choices on choosing and training safety drivers, decided to have only one instead of two for foolish reasons, and did not monitor the safety drivers’ attention to safety.   As a result, the safety driver ignored all protocols and was allegedly watching a TV show on her phone when Uber’s system, as a particularly poorly designed prototype, failed to detect the pedestrian when expected, and for more poor reasons failed to act when she was finally detected at the last moment.  The safety driver’s job was to watch the road and manually brake and steer in the event of such failures. She did not, and the result was tragic. The failure was with the safety driver and her selection and training — all teams have system failures that need intervention, particularly in their early days — but there was lots of other blame to go around.   Uber shut down their testing and 18 months later, has only resumed limited operations in Pittsburgh, though it hopes to do more.

There is a strong argument that the safety driver was negligent and exposed the public to an entirely unacceptable level of risk by trying to watch TV when her job was to watch the car and the road.   If so, she should be punished for it. People have argued that Uber followed very bad practices in many areas and did so either wilfully or negligently. If so, this is the sort of thing it makes sense to punish or try to prevent.   In reality, because the victim was both homeless and crossing at a place explicitly signed as not for crossing, Uber’s punishment turned out to be light in the courts, though not with the public or governments. They were kicked out of Arizona, probably for a very long time.

In order to regulate the safety of robocar testing and eventual deployment, we must learn to judge how much risk the teams are exposing the public to.   We want systems in place to motivate them to keep that risk below acceptable levels. But we would be foolish, in the extreme, if we demand that risk level be drastically lower than other risk levels we tolerate for much smaller benefits.  The reward is so high, in fact, that there are arguments that we should tolerate this being one of the riskier things we allow on the roads, though we don’t want to and don’t need to accept previously unacceptable levels of risk.   But if we’re going to let millions of drivers travel sleepy on icy roads with 0.07% alcohol in their blood — and we do that for very little positive gain — we would be wise to tolerate levels below this from the robocar test fleets.

Not that companies want to take that level of risk upon themselves.  In fact, many of them have invested billions of dollars and their company reputations into these projects.  Even before Uber had to stop all operations (possibly forever) teams knew that any such incident could be ruinous for their project and their company, as well as their own consciences.   The vast majority are very diligent at keeping the risk to the lowest levels they can. That doesn’t mean that all companies can be trusted — they can’t — and that we don’t want to establish good principles of safety and even create additional deterrents to stop bad practices.   We should, but we should not go overboard in imagine that our regulators can tell these companies the nitty gritty of how to invent entirely new ways to increase safety. Because each day of delay is 3 billion micromorts.


There is part of us that has rules-based morals — we want to prevent any death we can, especially to uninvolved bystanders.  But there is a part of us that has results-based morals as well, particularly when it comes to evaluating risk levels rather than tragedies.   We simultaneously are overwhelmed by any death we could have prevented, yet are eager to take small risks for ourselves and others when we see even mild reward. 

We can say that we don’t like a plan where 100 might die to build something that saves a million.  At the same time we can say we don’t mind taking large numbers of tiny risks to much, much, much more vastly reduce our risk in the future.

We mix our personal and societal reactions when an actual tragedy occurs.  Our courts and laws try to promote what is best for society, but at the same time our moral instincts mean that even the slightest extra risk — one that would normally go unpunished — is hunted for and responded to in extreme ways.  Violations of the rules which are tolerated every day, like speeding, are punished severely when something happens and speeding is present, even if it clearly wasn’t the cause of the accident. We don’t want law that capricious but we also can’t tolerate tragedy.

Insurance companies think of the big picture, as do we when we buy their policies.  Governments think that way too. We must come to think this way and embrace our small-risk-taking side if we are to solve the true tragedy that is the result of the poor track record of human drivers.

Read and leave comments at this page.


This website uses cookies. By continuing to use this site, you accept our use of cookies.