Automated Driving System Safety Measurement Part I: Operating Envelope Specification

ions and discusses their potential for providing a foundation for ADS safety measurement. ADS Safety Abstractions The definition of ODD is included in the April 2021 version of the SAE International (SAE) J3016 document, Taxonomy and Definitions for Terms Related to Driving Automation Systems for On-Road Motor Vehicles [2]. This discussion of ADS safety abstractions begins with a review of that definition. Definition: Operational Design Domain (ODD) comprises the operating conditions under which a given driving automation system or feature thereof is specifically designed to function, including, but not limited to, environmental, geographical, and time-of-day restrictions, and/or the requisite presence or absence of certain traffic or roadway characteristics. [2] The ODD, or operating conditions under which the ADS or feature is designed to function, can be documented using a set of reference operating conditions. As mentioned earlier, there are multiple efforts underway to develop and build consensus around such a reference set in the form of taxonomies or lists of operating conditions. Given a reference set of operating conditions—an ODD framework—an ODD for a given ADS can then be formed and potentially compared to that of other ADS. The ODD of an ADS is thus a design artifact in that it expresses the design intent of the developer. The descriptions of SAE driving automation levels 3 (L3), 4 (L4), and 5 (L5) (see Fig. 1), SAE J3016 use the term fallback. J3016 focuses on fallback-ready users for L3. L4 and L5 ADS-equipped vehicles can perform a fallback maneuver to achieve a minimal risk condition (MRC) on exit from its ODD or in the event of a DDT performance-relevant system failure. There are also situations where fallback is not "required" for L4/5 such as when the ADS is no longer functional, in which case J3016 suggests "a failure mitigation strategy may apply (see 3.11 and 8.6)" for some L4/5 systems. The assessor of ADS operating behaviors and the ADS-equipped vehicle itself need to reason and perform calculations about the driving environment. To function the ADS-equipped vehicle needs to be aware of its current operating environment. Thus, there is a need for an additional safety-related abstraction that: • describes operating conditions in a way that is measurable; 6 DOI: https://doi.org/10.4271/J3016_202104