Operational Design Domain
Safety Implications of transitioning through ODDs
In our previous article, we introduced some standardized terminology related to Autonomous Driving and Operational Design Domain (ODD). In this article, we look at the safety implications of transitioning through multiple ODDs while executing the Dynamic Driving Task (DDT).
Autonomous vehicles (AVs), on their way to fully autonomous driving, will be required to support ever larger Operational Design Domains (ODDs) comprising diverse operating conditions. Safety is paramount when the operating conditions change, whether or not the new conditions are still covered by the active ODD. Just as human drivers adjust their behavior in response to changing driving conditions, e.g., slowing down during a sudden downpour or on busy roads, AVs need to adapt their behavior as well. A human response can be reactive (the front vehicle brakes suddenly) or proactive (the traffic signal turns yellow, so the front vehicle might brake). Changing operating conditions, such as the onset of rain, also trigger a proactive response from drivers in anticipation of increased risk, i.e., of changed safety demands.
German drivers learn the "Halber Tacho" rule: keep a following distance in metres equal to half the speedometer reading in km/h (45 m at 90 km/h). Humans instinctively switch to larger distances when it starts to rain. AVs lack these instincts and strictly adhere to their underlying safety models. Adapting the behavior to changing operating conditions at runtime is desirable, but it may not always be possible, and even when it is possible it may not be sufficient to mitigate the increased risk (the increased safety demands).
Challenges posed by changing operating conditions
We investigated the safety implications of runtime adaptation to changing operating conditions using a simple highway vehicle-following scenario, see Figure 1. The vehicle-following use case is especially relevant for Automated Driving System (ADS) features such as Adaptive Cruise Control (ACC). Depending on the active ODD, the corresponding safety demands vary. In our investigations, we use a physics-based safety model to compute the safe following distance from the speeds of both vehicles. The configuration of the safety model (e.g., maximum braking force, response time) depends on the active ODD: on slippery roads, for example, the maximum braking force available in the Snow ODD is severely reduced compared to the ClearWeather ODD. Changes in safety demands must be accounted for and fulfilled at all times.
Consider a situation where our AV (the Ego vehicle) maintains the safe distance calculated for ODDi. The operating conditions then change, for instance it starts raining, and we enter ODDj, which brings a new safety configuration into effect. The current distance, although safe for ODDi, may not be safe for ODDj. The straightforward measure is for the AV to increase its following distance. From a safety standpoint, however, we additionally have to check the following:
- whether the AV's current braking capability is sufficient to avoid a rear-end collision in case the front vehicle performs emergency braking right now
- how much time is required to be safe again with respect to the new ODDj
We derive thresholds for the minimum braking capability and for the time to safety in accordance with ISO 26262. The thresholds serve as an effective decision criterion to ascertain whether the ongoing Dynamic Driving Task (DDT) can be continued or whether a fail-safe Minimum Risk Maneuver (MRM) has to be executed. They also form a crucial part of the safety-case argument when ADS driving features are analyzed against their corresponding ODDs. A detailed account of the research can be found in our publication.
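The decision procedure described above, worked through in code. This is an added example written for this article, not the authors' safety model or tooling: the simplified RSS-style longitudinal rule (ego drives on for a response time, then brakes at a planned deceleration while the front vehicle brakes at the road-limited maximum), the per-ODD constants, the comfort deceleration used to open the gap, and the time-to-safety threshold are all assumptions chosen for illustration; the paper derives the real thresholds from ISO 26262.

```python
"""Safe-following-distance check across an ODD transition (illustrative).

Added example, not the authors' model: the kinematic rule, the per-ODD
constants and the decision thresholds below are assumptions.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class OddConfig:
    """Safety-model parameters that depend on the active ODD (assumed values)."""
    name: str
    response_time: float  # s, delay before the ego's brakes act
    ego_brake: float      # m/s^2, deceleration the ego's safety model plans with
    max_brake: float      # m/s^2, road-limited maximum deceleration (any vehicle)


# Constructed configurations: braking capability drops as the road gets slippery.
CLEAR_WEATHER = OddConfig("ClearWeather", response_time=0.5, ego_brake=5.0, max_brake=8.0)
RAIN = OddConfig("Rain", response_time=0.5, ego_brake=3.5, max_brake=5.5)
SNOW = OddConfig("Snow", response_time=0.5, ego_brake=1.5, max_brake=2.5)


def safe_distance(v_ego: float, v_front: float, odd: OddConfig) -> float:
    """Minimum gap (m) so the ego stops behind a front vehicle braking at max_brake.

    The ego keeps v_ego for response_time, then brakes at ego_brake.
    Simplified RSS-style rule: no acceleration during the response time.
    """
    stop_ego = v_ego * odd.response_time + v_ego ** 2 / (2 * odd.ego_brake)
    stop_front = v_front ** 2 / (2 * odd.max_brake)
    return max(0.0, stop_ego - stop_front)


def required_braking(v_ego: float, v_front: float, gap: float, odd: OddConfig) -> float:
    """Deceleration (m/s^2) the ego needs to avoid a rear-end collision if the
    front vehicle performs an emergency stop right now; math.inf if no value works."""
    # Room left once the front vehicle has stopped, minus the distance the ego
    # covers before its brakes act.
    room = gap + v_front ** 2 / (2 * odd.max_brake) - v_ego * odd.response_time
    if room <= 0:
        return math.inf
    return v_ego ** 2 / (2 * room)


def time_to_safety(v_ego: float, v_front: float, gap: float, odd: OddConfig,
                   decel: float = 1.0, dt: float = 0.05, horizon: float = 60.0) -> float:
    """Seconds until the gap is safe for `odd` if the ego eases off at `decel`
    (assumed comfort deceleration) while the front vehicle holds its speed.
    Returns math.inf if safety is not regained within `horizon`."""
    t = 0.0
    while t < horizon:
        if gap >= safe_distance(v_ego, v_front, odd):
            return round(t, 2)
        v_ego = max(0.0, v_ego - decel * dt)   # ego slows down ...
        gap += (v_front - v_ego) * dt           # ... so the gap opens up
        t += dt
    return math.inf


def odd_transition_check(v_ego: float, v_front: float, gap: float, new_odd: OddConfig,
                         max_time_to_safety: float = 2.0) -> dict:
    """Decide whether the DDT can continue after entering `new_odd`.

    Both thresholds are assumed for this example: the ego must still be able to
    avoid a collision with the braking available in the new ODD, and it must
    regain a safe gap within max_time_to_safety seconds; otherwise an MRM is due.
    """
    d_safe = safe_distance(v_ego, v_front, new_odd)
    a_req = required_braking(v_ego, v_front, gap, new_odd)
    t_safe = 0.0 if gap >= d_safe else time_to_safety(v_ego, v_front, gap, new_odd)
    if a_req > new_odd.max_brake or t_safe > max_time_to_safety:
        verdict = "MRM"
    else:
        verdict = "CONTINUE"
    return {"odd": new_odd.name, "safe_distance": d_safe, "required_braking": a_req,
            "time_to_safety": t_safe, "verdict": verdict}


if __name__ == "__main__":
    # Constructed scenario: both vehicles at 25 m/s (90 km/h); the ego holds the
    # gap that is just safe in ClearWeather, then the weather changes.
    v_ego, v_front = 25.0, 25.0
    gap = safe_distance(v_ego, v_front, CLEAR_WEATHER)
    for odd in (CLEAR_WEATHER, RAIN, SNOW):
        print(odd_transition_check(v_ego, v_front, gap, odd))
```

In the constructed scenario the ClearWeather gap (about 36 m) is no longer safe once it rains, but full braking would still avoid a collision and the gap can be reopened within roughly a second, so the DDT continues. On snow the same gap is about 60 m short; a collision is still avoidable with maximum braking, but opening the gap takes several seconds, so the time-to-safety threshold triggers the MRM.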
In the third part of our series, we discuss how the actual operating conditions can be monitored at runtime to determine whether the ADS is operating within its designated ODD(s), and how ODD transitions can be detected effectively.