Safe operation of an AS requires that the ODM boundary is correctly recognised. If the AS is unaware that its operation has moved outside of the ODM as defined in Activity 2 then its safety may not be assured.
Example 30 - Autonomous car leaving a motorway Automotive
A car is only capable of operating autonomously on a motorway, but during operation there are lane closures and move to a minor road running due to an accident. In this case the car must recognise that this situation represents an ODM boundary, as minor roads are not included in the ODM.
The approach that the AS will use during operation to determine and interpret the ODM boundary shall be determined based upon a consideration of the capability of the AS to sense and understand the ODM. Since perfect recognition of the ODM boundary will not be possible, it will always be necessary to make approximations and assumptions to reflect the AS sensing capabilities. In some cases it may not be possible to directly detect the ODM features using the sensors available to the AS. In such cases it may be that “proxy” measurements are required to be used to recognise the ODM boundary.
Example 31 - Car's rainfall sensor Automotive
The ODM for an autonomous car specifies a maximum permitted intensity of rainfall. The car is fitted with a rainfall sensor as part of the automatic windscreen wiper system. The vehicle makes use of this sensor for recognising the ODM boundary. As such the rapid wiper threshold is used as a proxy for the maximum rainfall intensity permitted by the ODM. Since the rapid wiper threshold is less than the intensity defined for the ODM this is determined to be acceptable to use for ODM recognition.
Note 27 - Challenges to recognising the ODM boundary
Recognition of the ODM boundary is often challenging for a number of reasons including:
Many parameters may interact to form the ODM boundary, such as weather conditions, speed etc. For instance, an autonomous vehicle may only be able to progress through fog when visibility is at least 10 metres, during daytime, when speed is less than 60mph.
There may be a complex boundary shape/envelope/volume with ‘holes’ or difficult geometry. For example a medical image recognition system which can be used for detection of tumours in radiological images only for patient age ranges 40‐45 and 65‐85 (due to the extent of the available training data).
The AS itself may have to use an interpretation of the boundary which may be a different, or simplified approximation of the actual ODM boundary, to give appropriate margins. For example instead of a more complex boundary condition where a drone is able to fly in wind speeds less than 15 km/h and gusts of up to 20 km/h, the interpretation of the boundary the drone uses is wind speeds less than 12 km/h.
It may take some time for the processing and analysis of the sensor data to establish whether the AS is near or has crossed the ODM boundary.
The sensor data used to determine the ODM boundary may be approximate, noisy or subject to infrequent updates. All sensors have an accuracy, resolution and a reading lag time; some also have a polling interval. Sensors may age and deteriorate and readings drift or become subject to bias or noise over time. Individual sensor data may be subject to errors or variations and may have to be averaged with others or over time. This is particularly a problem in harsh environments such as marine, automotive or aviation. In this case the sensing of the ODM may be delayed, or incorrect for some time. Margins therefore have to be implemented for operation, i.e. working to a smaller ODM, so that in all reasonable scenarios the actual ODM boundary can be sensed.
‘Flip‐flopping’ between boundary states may occur, i.e rapid switching between in and out detections. The maximum rate at which changes with respect to the ODM boundary are detected by the AS must be considered. It may be better to indicate the AS as outside of ODM for a minimum period of time if there are likely to be many boundary detection events in a short period of time. Hysteresis biased towards early recognition, i.e. conservative detection, may be needed.
The approach for determining the ODM boundary during operation shall be documented ([HH]) together with any assumptions and approximations made. It shall be demonstrated that the AS is able to recognise the ODM boundary as interpreted during operation. This will involve consideration of at least four recognition cases:
AS is approaching the ODM boundary from within the ODM.
AS is crossing the ODM boundary.
AS is approaching the ODM boundary from outside the ODM.
AS is re‐entering the ODM from outside.
For each of the four cases above, it shall be determined how these may be unsafe through consideration of:
Timeliness ‐ ODM boundary recognised too early or too late.
Accuracy ‐ false positive recognition (ODM boundary recognised mistakenly) or false negative recognition (ODM boundary not recognised when it should be).
Hysteresis ‐ AS holds on to a ODM boundary recognition state for too short or too long a period.
For any of the cases that are determined to be potentially hazardous it shall be demonstrated that those cases are sufficiently mitigated by the AS. There are a number of approaches for this including testing of scenarios relating to each of these cases. Testing alone however may not be able to provide sufficient evidence where the ODM boundary is complex (as testing can only sample the boundary space). Simulations and analysis of the ODM boundary recognition may therefore also
be needed (see Stage 8 for further guidance on this).
The results of the ODM boundary recognition assessment shall be documented ([II]).