Scenarios and parameters listed in point 1 shall be used, when these scenarios are relevant for the ODD of the ADS.
If the manufacturer deviates from the parameters proposed in point 1, the safety performance metrics and inherent assumptions used by the manufacturer shall be documented in the documentation package. The safety performance metrics and inherent assumptions chosen shall demonstrate that the fully automated vehicle is free of unreasonable safety risks. The validity of such safety performance metrics and inherent assumptions shall be supported by in-service monitoring data.
1.3. Parameters to be used for the lane change scenarios by the fully automated vehicle
1.3.1. The scenarios and parameters, with regard to lane change, shall be applied as specified in UN Regulation No.157.
Parameters to be used for the turning and crossing scenario by the fully automated vehicle.
In the absence of more specific traffic rules, the following requirements shall be taken into account with regard to interaction with other road users involved in the movement when turning and crossing (see Figure 1) in dry and proper road pavement conditions.
In the case of merging with privileged traffic during turning with and without crossing the opposite traffic direction, privileged traffic in the target lane should not have to decelerate. However, it must be ensured that the TTC of the approaching privileged traffic in the target road (case (a) in Figure 1) never falls below the threshold defined as:
With:
equal to the speed of the fully automated vehicle
equal to the speed of the privileged approaching traffic
equal to 3 m/s² being the maximum admissible deceleration for the privileged approaching traffic.
equal to 1.5 s being the reaction time of the privileged approaching traffic.
In the case of a turning manoeuvre crossing the opposite traffic direction, when considering oncoming traffic, privileged traffic in the target lane should not have to decelerate. However, if justified by the traffic density, it must be ensured — in addition to the distance from the approaching privileged traffic in the target road — that the TTC of the privileged crossing traffic to the fictitious collision point (point of intersection of the trajectories, case (b) in Figure 1) never falls below the threshold defined as:
With:
equal to the speed of the privileged conflicting traffic
equal to 3 m/s² being the maximum admissible deceleration for the privileged crossing traffic.
equal to 1.5 s being the reaction time of the privileged crossing traffic.
The same applies to crossing with privileged traffic (case (c) in Figure 1): the TTC of privileged traffic to the imaginary collision point (point of intersection of the trajectories) shall never fall below the threshold defined in the present point.
Figure 1: Visualisation of the distances during turning and crossings.
Case (a): Distance to the approaching privileged traffic in the target lane during turning-in.
Case (b): Additional distance to the oncoming traffic to be observed when turning across the opposite traffic direction.
Case (c): Distance to the privileged crossing traffic to be respected when crossing.
Parameters to be used for the emergency manoeuvre scenarios by the fully automated vehicle (DDT under critical scenarios)
The ADS shall avoid a collision with a leading vehicle which decelerates up to its full braking performance provided that there was no cut-in by another vehicle.
Collisions with cutting-in vehicles, pedestrians and cyclists travelling in the same direction, as well as with pedestrians who may start jaywalking, shall be avoided at least within the conditions determined by the following equation.
With:
being the time-to-collision at the moment of the cut-in of the vehicle or cyclist by more than 30 cm into the lane of the fully automated vehicle.
being the relative speed in metres per second [m/s] between the fully automated vehicle and the cutting-in vehicle (positive if the ADS is faster than the cutting-in vehicle).
being the maximum deceleration of the fully automated vehicle and assumed to be equal to
2.4 m/s² for fully automated vehicles transporting standing or not fastened vehicle occupants;
6 m/s² for other fully automated vehicles.
being the time required by the fully automated vehicle to initiate an emergency braking and assumed to be equal to 0.1 s
being the time to reach the maximum deceleration and assumed to be equal to
0.12 s for fully automated vehicles transporting standing or not fastened vehicle occupants;
0.3 s for other fully automated vehicles
The compliance with this equation is required only for road users cutting in, and only if the inserting road users were visible at least 0,72 seconds before cut-in:
This results in a required collision avoidance when another road user enters ego lane above the following TTC values (for example shown for speeds in 10 km/h steps). These requirements shall be met independently of environmental conditions.
Speed [km/h]   TTC [s] for vehicles with standing or unfastened vehicle occupants   TTC [s] for other vehicles
10             0,74                                                                  0,48
20             1,32                                                                  0,71
30             1,9                                                                   0,94
40             2,47                                                                  1,18
50             3,05                                                                  1,41
60             3,63                                                                  1,64
If a lane change into the lane of the fully automated vehicle is carried out with a lower TTC, it can no longer be assumed that the collision will be avoided. The control strategy of the ADS may change between collision avoidance and mitigation only if the manufacturer can demonstrate that this increases the safety of the vehicle occupants and the other road users (e.g. by prioritising braking over an alternative manoeuvre).
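The cut-in requirement above can be checked numerically. The following is an added example and not part of the regulation text: the threshold formula it uses, v_rel/(2·a_max) + t_init + t_rise/2, is an assumption, because the equation itself is not reproduced on this page, but it yields every value in the table above; the event record and the class names are likewise constructed for the example.

```python
"""Required time-to-collision at cut-in, rebuilt from the parameters of this section.

Added example; not part of the regulation text. The equation is not reproduced
on this page, so the threshold below is an ASSUMPTION:
    TTC_required = v_rel / (2 * a_max) + t_init + t_rise / 2
threshold_table() shows that it reproduces the section's 10-60 km/h table.
"""
from dataclasses import dataclass

KMH_TO_MS = 1 / 3.6
VISIBILITY_MIN_S = 0.72  # road user must have been visible this long before the cut-in
INTRUSION_MIN_M = 0.30   # a cut-in counts once the intruder is more than 30 cm in the lane

# Per-class parameters stated in the section: maximum deceleration a_max [m/s²],
# time to initiate emergency braking t_init [s], time to reach a_max t_rise [s].
PARAMS = {
    "standing_or_unfastened": {"a_max": 2.4, "t_init": 0.1, "t_rise": 0.12},
    "other": {"a_max": 6.0, "t_init": 0.1, "t_rise": 0.3},
}


def required_ttc(v_rel_kmh: float, vehicle_class: str) -> float:
    """TTC [s] at cut-in above which the ADS must avoid the collision (assumed formula)."""
    p = PARAMS[vehicle_class]
    v_rel = max(0.0, v_rel_kmh) * KMH_TO_MS  # no closing speed: only the time terms remain
    return v_rel / (2 * p["a_max"]) + p["t_init"] + p["t_rise"] / 2


def threshold_table(speeds_kmh=range(10, 70, 10)) -> dict:
    """Rebuild the section's table: {speed: (standing/unfastened, other)}, rounded to 2 d.p."""
    return {
        v: (round(required_ttc(v, "standing_or_unfastened"), 2),
            round(required_ttc(v, "other"), 2))
        for v in speeds_kmh
    }


@dataclass
class CutInEvent:
    """Constructed description of one cut-in, as a perception log might record it."""
    v_ego_kmh: float
    v_other_kmh: float          # cutting-in vehicle or cyclist, same direction
    lateral_intrusion_m: float  # how far the road user is inside the ego lane
    visible_for_s: float        # how long it was visible before the cut-in
    ttc_s: float                # time-to-collision measured at the moment of cut-in


def assess_cut_in(ev: CutInEvent, vehicle_class: str) -> str:
    """Classify a cut-in against the section's conditions.

    'not_a_cut_in'        intrusion of 30 cm or less: the criterion does not apply yet
    'outside_conditions'  visible for less than 0,72 s before the cut-in: not required
    'avoidance_required'  TTC at cut-in is at or above the threshold: must be avoided
    'mitigation_only'     TTC below the threshold: avoidance can no longer be assumed
    """
    if ev.lateral_intrusion_m <= INTRUSION_MIN_M:
        return "not_a_cut_in"
    if ev.visible_for_s < VISIBILITY_MIN_S:
        return "outside_conditions"
    v_rel_kmh = ev.v_ego_kmh - ev.v_other_kmh  # positive if the ADS is faster
    if ev.ttc_s >= required_ttc(v_rel_kmh, vehicle_class):
        return "avoidance_required"
    return "mitigation_only"


if __name__ == "__main__":
    for speed, (standing, other) in threshold_table().items():
        print(f"{speed:>3} km/h  standing/unfastened: {standing:.2f} s  other: {other:.2f} s")
    # Constructed event: ego at 50 km/h, a car at 20 km/h cuts in 50 cm into the lane
    # after being visible for 1,0 s, with 1,5 s TTC at the moment of cut-in.
    event = CutInEvent(v_ego_kmh=50, v_other_kmh=20, lateral_intrusion_m=0.5,
                       visible_for_s=1.0, ttc_s=1.5)
    for cls in PARAMS:
        print(cls, "->", assess_cut_in(event, cls))
```

The same event is classified differently for the two vehicle classes, which is the practical effect of the 2.4 m/s² versus 6 m/s² assumption.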
The ADS shall avoid a collision with a crossing pedestrian or a cyclist in front of the vehicle.
Urban and rural driving conditions
The ADS shall avoid a collision, up to a speed of 60 km/h, with an unobstructed pedestrian crossing with a lateral speed component of not more than 5 km/h or an unobstructed cyclist crossing with a lateral speed component of not more than 15 km/h in front of the vehicle. This shall be ensured independently from the specific manoeuvre the ADS is undertaking.
In case the pedestrian or cyclist proceeds at a higher speed than the aforementioned values and the ADS can no longer avoid a collision, the control strategy of the ADS may change between collision avoidance and mitigation only if the manufacturer can demonstrate that this increases the safety of the vehicle occupants and the other road users (e.g. by prioritising braking over an alternative manoeuvre).
The ADS shall mitigate a collision with an obstructed pedestrian or cyclist crossing in front of the vehicle by reducing its speed at impact by at least 20 km/h. This shall be ensured independently from the specific manoeuvre the ADS is undertaking.
For the purpose of demonstrating fulfilment of the previous requirements related to crossing of pedestrians and cyclists in front of the vehicle, test and assessment scenarios developed under the European New Car Assessment Programme (Euro NCAP) may be taken as guidance.
Motorway driving conditions
The relevant scenarios, with regard to pedestrian crossing, shall be applied as specified in UN Regulation No.157.
In case the pedestrian crosses with parameter values outside the boundaries specified in UN Regulation 157 and the ADS can no longer avoid a collision, the control strategy of the ADS may change between collision avoidance and mitigation only if the manufacturer can demonstrate that this increases the safety of the vehicle occupants and the other road users (e.g. by prioritising braking over an alternative manoeuvre).
Parameters to be used for Hub to Hub fully automated vehicles
Operation on motorway
The relevant scenarios, with regard to operation speed and automatic lane change, shall be applied as specified in UN Regulation No.157.
Motorway entry
The fully automated vehicle shall be able to safely enter the motorway by adapting the speed to the traffic flow, and activate the relevant direction indicator according to the traffic rules.
The direction indicator shall be deactivated once the vehicle has performed the lane change manoeuvre (LCM). The parameters used in the lane change scenario shall be applied.
Motorway exit
The fully automated vehicle shall be able to anticipate the targeted motorway exit by driving on the adjacent lane to the exit lane and shall not unnecessarily decelerate before the LCM into the exit lane starts.
The fully automated vehicle shall apply the direction indicator in accordance with the traffic rules, and perform the LCM into the exit lane without undue delay.
The direction indicator shall be deactivated once the LCM has been completed in compliance with the traffic rules in the country of operation.
Passing a toll station
Depending on the ODD, the fully automated vehicle shall be able to select the proper passing gate, and adapt its speed to the limits permitted within the toll area while considering the traffic flow.
Operation on other road types than motorways
Depending on the ODD, the relevant scenario defined in points 1.3. to 1.5 above shall be applied.
Parameters to be used for Automated valet parking
Depending on the ODD, the relevant scenarios defined in points 1.3. to 1.5 above shall be applied. The parameters to be used for these scenarios may need to be adapted to take into account the limited driving speed and the general lack of visibility that may occur in a parking facility. Special attention shall be given to avoiding collisions with pedestrians, and in particular with children and prams.
Scenarios not covered by point 1.
Scenarios that are not listed in point 1 shall be generated to cover reasonably foreseeable critical situations, including failures and traffic hazards within the operational design domain.
When ADS capabilities depend on remote capabilities, scenarios shall include failures and traffic hazards stemming from the corresponding remote capabilities.
The method to generate scenarios that are not listed in section 1, shall follow the principles set in Appendix 1 to Part 1 of this Annex.
The method used by the manufacturer to generate scenarios that are not listed in point 1 shall be documented in the documentation package to be provided for the ADS assessment.
Appendix 1 to Part 1 of Annex 3
Principles to be followed to derive scenarios relevant for the ODD of the ADS
Scenarios shall be derived from the ODD of the fully automated vehicle.
Generation and classification of scenarios
From a qualitative perspective, scenarios can be classified into Nominal / Critical / Failure and correspond to normal or emergency operation. For each of these categories, a data-based approach and a knowledge-based approach can be used to generate corresponding traffic scenarios. A knowledge-based approach utilizes expert knowledge to identify hazardous events systematically and create scenarios. A data-based approach utilizes the available data to identify and classify occurring scenarios.
Nominal scenarios
A series of analytical frameworks can help the manufacturer to derive additional nominal scenarios to ensure coverage for the specific application. These frameworks are divided into:
ODD analysis
An ODD may consist of scenery elements (e.g., physical infrastructure), environmental conditions, dynamic elements (e.g., traffic, vulnerable road users) and operational constraints to the specific ADS application. The aim of this analysis is to identify the characteristics of the ODD, allocate properties and define interactions between the objects. Here the effect of ODD on the behaviour competencies is explored. An example of the analysis is provided in Table 1.
Table 1 – Dynamic elements and their properties
OEDR Analysis: Behaviour competency identification
Once the objects and relevant properties have been identified, it is possible to map the appropriate ADS response. The ADS response is modelled on applicable functional requirements and by applying the performance requirements of this regulation and the traffic rules of the country of operation.
The outcome of the OEDR analysis is also a set of competences that can be mapped to the behavioural competences applicable to the ODD, to ensure compliance with the relevant regulatory and legal requirements. Table 2 provides a qualitative example of a matching event – response.
The combination of objects, events, and their potential interaction, as a function of the ODD, constitute the set of nominal scenarios pertinent to the ADS under analysis. The identification of nominal scenarios is not limited to traffic conditions but also covers environmental conditions, human factors, connectivity and miscommunication. As parameters (assumptions) for the events are yet to be defined, the nominal scenarios derived from the application of the analysis are to be considered in their functional and logical abstraction layer.
Table 2 – Behaviour competences for given events
Critical scenarios can be derived by either considering edge-case assumptions on nominal traffic scenarios (data-based) or applying standardised methods (knowledge-based) for the evaluation of operational insufficiencies (see example of methods in point 3.4.5. of Part 2). The identification of critical scenarios is not limited to traffic conditions but also covers environmental conditions, human factors, connectivity and miscommunication. Critical scenarios correspond to emergency operation of the ADS.
These scenarios aim to assess how the ADS responds to a failure. Different methods are available in literature (see example of methods in point 3.5.5. of Part 2).
For each of the behaviour failures and consequential effects identified, the manufacturer shall put in place relevant strategies when developing the ADS (i.e., fail-safe).
When applying the failure scenarios, the objective is to assess the ability of the ADS to comply with requirements for safety-critical situations, including for example ‘The ADS shall manage safety-critical driving situations’ and ‘The ADS shall safely manage failure modes’ and their respective sub-requirements.
Assumptions: Logical to concrete scenarios
To ensure that the scenarios identified in the previous points are ready to be assessed through simulation or physical testing, the manufacturer may need to coherently parametrise them by applying assumptions.
The manufacturer shall provide evidence supporting the assumptions made, such as data collection campaigns performed during the development phase, real-world accidentology and realistic driving behaviour evaluations.
The type-approval authority granting the type-approval or the technical service acting on its behalf shall verify through targeted spot checks and tests, in particular as specified in point 4 of this annex, that the safety argumentation provided by the documentation complies with the requirements of Annex 2 and that the design and processes described in documentation are actually implemented by the manufacturer.
While, based on the documentation provided, the evidence provided for the audit of the safety management system and the assessment of the ADS safety concept carried out to the satisfaction of the type-approval authority in accordance with this regulation, the residual level of safety risk of the type-approved ADS is deemed acceptable for the entry into service of the vehicle type, the overall ADS safety during the ADS lifetime, in accordance with the requirements of this regulation, remains the responsibility of the manufacturer requesting the type-approval.
Definitions
For the purposes of this annex,
‘safety concept’ means a description of the measures designed into the ADS, so that the fully automated vehicle operates for the scenarios and events relevant to the ODD in such a way that it is free of unreasonable safety risks to the vehicle occupants and other road users under fault (functional safety) and non-fault conditions (operational safety). The possibility of a fall-back to partial operation or even to a back-up system for vital ADS functions shall be a part of the safety concept.
‘units’ means the smallest divisions of system components which will be considered in this annex, since these combinations of components will be treated as single entities for purposes of identification, analysis or replacement.
‘transmission links’ means the means used for inter-connecting distributed units for the purpose of conveying signals, operating data or an energy supply. This equipment is generally electrical but may, in some part, be mechanical, pneumatic or hydraulic.
‘range of control’ means an output variable and defines the range over which the system is likely to exercise control.
‘boundary of functional operation’ means the boundaries of the external physical limits within which the ADS is able to perform the dynamic driving tasks.
Requirements
The manufacturer shall provide a documentation package which gives access to the basic design of the ADS and the means by which it is linked to other vehicle systems or by which it directly controls output variables as well as off-board hardware/software and remote capabilities.
The function(s) of the ADS, including the control strategies, and the safety concept, as laid down by the manufacturer, shall be explained.
Documentation shall be brief, yet provide evidence that the design and development has had the benefit of expertise from all the ADS fields which are involved.
For periodic technical inspections, the documentation shall describe how the current operational status of the ADS can be checked.
The type-approval authority shall assess the documentation package which shall show that the ADS:
(a) is designed and was developed to operate in such a way that it is free from unreasonable risks for vehicle occupants and other road users within the declared ODD and boundaries;
(b) fulfils the performance requirements of Annex 2 of this Regulation;
(c) was developed according to the development process/method declared by the manufacturer.
Documentation shall be made available in three parts:
(a) Application for type-approval: the information document submitted to the type-approval authority at the time of the type-approval application shall contain brief information on the items listed in Annex I. It will become part of the type-approval.
(b) The formal documentation package for the type-approval, containing the material listed in this section 3. (with the exception of that of point 3.5.5.) which shall be supplied to the type-approval authority for the purpose of conducting the ADS type-approval. This documentation package shall be used by the type-approval authority as the basic reference for the verification process set out in point 4. of this annex. The type-approval authority shall ensure that this documentation package remains available for a period of at least 10 years counted from the time when production of the vehicle type is definitely discontinued.
(c) Additional confidential material and analysis data (intellectual property) of point 3.5.5. which shall be retained by the manufacturer, but made open for inspection (e.g. on-site in the engineering facilities of the manufacturer) at the time of the ADS type-approval. The manufacturer shall ensure that this material and analysis data remains available for a period of 10 years counted from the time when production of the vehicle type is definitely discontinued.
General description of the ADS
A description shall be provided giving a simple explanation of the operational characteristics of the ADS and ADS features.
The description shall include:
the operational design domain, such as maximum speed of operation, road type (e.g. dedicated lane), country(ies)/areas of operation, road conditions and environmental conditions required (e.g. no snow), etc., and boundary conditions;
basic performance (e.g. object and event detection and response, off-board infrastructure needed during operation);
interaction with other road users;
main conditions for minimum risk manoeuvres;
interaction concept with vehicle occupants, the on-board operator (if applicable) and the remote intervention operator (if applicable);
the means to activate or deactivate the ADS by the on-board operator (if relevant) or the remote intervention operator (if relevant), vehicle occupants (if relevant) or other road users (if relevant);
operational measures (e.g. on-board operator or remote intervention operator needed) to be met to ensure safety during the fully automated vehicle operation.
Description of the functions of the ADS
A description shall be provided giving an explanation of all the functions including control strategies to ensure the robust and safe operation of the ADS and the methods used to perform the dynamic driving tasks within the ODD, and the boundaries under which the automated driving system is designed to operate, including a description on how this is ensured.
Any enabled or disabled automated driving functions for which the hardware and software are present in the vehicle at the time of production, shall be declared and are subject to the requirements of this annex as well as Annex 2 of this Regulation, prior to their use in the vehicle. The manufacturer shall also document the data processing if continuous learning algorithms are implemented.
A list of all input and sensed variables shall be provided and the working range of these defined, along with a description of how each variable affects the ADS behaviour.
A list of all output variables that are controlled by the ADS shall be provided and an explanation given, in each case, of whether the control is direct or via another vehicle system. The range over which the ADS is likely to exercise control on each such variable shall be defined.
Limits defining the boundaries of functional operation including ODD-limits shall be stated where appropriate to ADS performance.
The human machine interface (HMI) concept with the vehicle occupants/on-board operator/remote intervention operator (if any) when ODD limits are approached and then reached shall be explained. The explanation shall include the list of types of situations in which the ADS will generate a support request to the on-board operator/remote intervention operator (if applicable), the way the request is performed, the procedure that handles a failed request and the minimum risk manoeuvre. Signals and information given to the on-board operator/remote intervention operator, vehicle occupants and other road users in each of the above aspects shall also be described.
ADS layout and schematics
Inventory of components.
A list shall be provided, collating all the units of the ADS and mentioning the other vehicle systems as well as off-board hardware/software and remote capabilities that are needed to achieve specified performance of the ADS to be approved according to its ODD.
An outline schematic showing these units in combination shall be provided, with both the equipment distribution and the interconnections made clear.
This outline shall include:
(a) perception and objects detection including mapping and positioning;
(b) characterisation of decision-making;
(d) the ADS data elements;
(e) links and interface with other vehicle systems, off-board hardware/software and remote capabilities.
Functions of the units
The function of each unit of the ADS shall be outlined and the signals linking it with other units or with other vehicle systems shall be shown. It shall include off board systems supporting the ADS and other vehicle systems. This may be provided by a labelled block diagram or other schematic, or by a description aided by such a diagram.
Interconnections within the ADS shall be shown by a circuit diagram for the electric transmission links, by a piping diagram for pneumatic or hydraulic transmission equipment and by a simplified diagrammatic layout for mechanical linkages. The transmission links both to and from other systems shall also be shown.
There shall be a clear correspondence between transmission links and the signals carried between units. Priorities of signals on multiplexed data paths shall be stated wherever priority may be an issue affecting performance or safety.
Identification of units
Each unit shall be clearly and unambiguously identifiable (e.g. by marking for hardware, and by marking or software output for software content) to provide corresponding hardware and documentation association. Where a software version can be changed without requiring the replacement of the marking or component, the software identification must be by software output only.
Where functions are combined within a single unit or indeed within a single computer, but shown in multiple blocks in the block diagram for clarity and ease of explanation, only a single hardware identification marking shall be used. The manufacturer shall, by the use of this identification, affirm that the equipment supplied conforms to the corresponding document.
The identification defines the hardware and software version and, where the latter changes such as to alter the function of the unit as far as this Regulation is concerned, this identification shall also be changed.
Installation of sensing system components
The manufacturer shall provide information on the installation options for the individual components that comprise the sensing system. These options shall include, but are not limited to, the location of the component in/on the vehicle, the material(s) surrounding the component, the dimensioning and geometry of the material surrounding the component, and the surface finish of the materials surrounding the component, once installed in the vehicle. The information shall also include installation specifications that are critical to the ADS’s performance, e.g. tolerances on installation angle.
Changes to the individual components of the sensing system, or the installation options, shall be notified to the type-approval authority and be subject to further assessment.
Safety concept of the manufacturer and validation of the safety concept by the manufacturer
The manufacturer shall provide a statement which affirms that the ADS is free from unreasonable risks for the vehicle occupants and other road users.
In respect of software employed in the ADS, the outline architecture shall be explained and the design methods and tools used shall be identified (see 3.5.1). The manufacturer shall show evidence of the means by which they determined the realisation of the ADS logic, during the design and development process.
The manufacturer shall provide the type-approval authority with an explanation of the design provisions built into the ADS so as to ensure functional and operational safety. Possible design provisions in the ADS are for example:
(a) fall-back to operation using a partial system;
(b) redundancy with a separate system;
(c) diversity of systems performing the same function;
(d) removal or limitation of the automated driving function(s).
If the chosen provision selects a partial performance mode of operation under certain fault conditions (e.g. in case of severe failures), then these conditions shall be stated (e.g. type of failure) and the resulting limits of effectiveness defined (e.g. immediate initiation of a minimum risk manoeuvre) as well as the warning strategy to the operator/remote operator, occupants and other road users (when applicable).
If the chosen design provision selects a second (back-up) or diverse means to realise the performance affected by the fault, the principles of the change-over mechanism, the logic and level of redundancy and any built-in checking features shall be explained and the resulting limits of effectiveness defined.
If the chosen design provision selects the removal of the automated driving function(s), this shall be done in compliance with the relevant provisions of this regulation. All the corresponding output control signals associated with this function shall be inhibited.
The manufacturer shall also provide the type-approval authority with an explanation of the operational safety measures to be put in place for the safe operation of the ADS such as an on-board operator or a remote intervention operator, supporting off-board infrastructure, transport and physical infrastructure requirements, maintenance measures, etc.
The documentation shall be supported by an analysis that shows how the ADS will behave to mitigate or avoid hazards that can have a bearing on the safety of vehicle occupants and other road users.
The chosen analytical approach(es) shall be established and maintained by the manufacturer and shall be made open for inspection by the type-approval authority at the time of the type-approval and afterwards.
The type-approval authority shall assess the application of the analytical approach(es):
(a) Inspection of the safety approach at the concept level. This approach shall be based on a hazard analysis / risk assessment appropriate to system safety.
(b) Inspection of the safety approach at the ADS level, including a top-down (from possible hazard to design) and a bottom-up approach (from design to possible hazards). The safety approach may be based on a failure mode and effect analysis (FMEA), a fault tree analysis (FTA), a system-theoretic process analysis (STPA) or any similar process appropriate to system functional and operational safety.
(c) Inspection of the validation/verification plans and results, including appropriate acceptance criteria. This shall include testing appropriate for validation, for example hardware-in-the-loop (HIL) testing, vehicle on-road operational testing, testing with real end users, or any other testing appropriate for validation/verification. Results of validation and verification may be assessed by analysing coverage of the different tests and setting minimum coverage thresholds for various metrics.
The documentation shall confirm that at least each of the following items is covered where applicable under (a)-(c):
(i) Issues linked to interactions with other vehicle systems (e.g. braking, steering);
(ii) Failures of the automated driving system and system risk mitigation reactions;
(iii) Situations within the ODD where a system may create unreasonable safety risks for the vehicle occupants and other road users due to operational disturbances (e.g. lack of or wrong comprehension of the vehicle environment, lack of understanding of the reaction from the operator/remote operator, vehicle occupants or other road users, inadequate control, challenging scenarios);
(iv) Identification of the relevant scenarios within the boundary conditions, the management method used to select scenarios and the validation tool chosen;
(v) Decision-making process resulting in the performance of the dynamic driving tasks (e.g. emergency manoeuvres), for the interaction with other road users and in compliance with national traffic rules;
(vi) Reasonably foreseeable misuse by the vehicle occupants/other road users, mistakes or misunderstanding by the operator/remote operator/occupants/other road users (e.g. unintentional override) and intentional tampering with the ADS;
(vii) Cybersecurity threats to the safety of the ADS (to be covered by the analysis done in accordance with UN Regulation No 155 on Cyber Security and Cyber Security Management System);
(viii) Operational safety issues: problems with the supporting off-board infrastructure, problems with the remote intervention operator, loss of connectivity, lack of maintenance, etc.
The assessment by the type-approval authority shall consist of spot checks to establish that the argumentation supporting the safety concept is understandable and logical and is implemented in the different functions of the ADS. The assessment shall also check that the validation plans are robust enough to demonstrate safety (e.g. reasonable coverage of the chosen scenarios by the validation tool chosen) and have been properly completed.

It shall demonstrate that the operation of the fully automated vehicle is free from unreasonable risks for the vehicle occupants and other road users in the operational design domain, i.e. through:

(a) an overall validation target (i.e. overall validation acceptance criteria) supported by validation results, demonstrating that the entry into service of the ADS will overall not increase the level of risk for the vehicle occupants and other road users compared to manually driven vehicles; and

(b) a scenario-specific approach (i.e. scenario-based validation acceptance criteria) showing that the ADS will overall not increase the level of risk for the vehicle occupants and other road users compared to manually driven vehicles for each of the safety-relevant scenarios.

The type-approval authority shall perform, or shall require the performance of, tests as specified in point 4. of this Annex to verify the safety concept.

This documentation shall itemise the parameters being monitored and shall set out, for each failure condition of the type defined in point 3.5.4. of this Annex, the warning signal to be given to the operator/remote operator/vehicle occupants/other road users and/or to service/technical inspection personnel.

This documentation shall also describe the measures in place to ensure that the ADS is free from unreasonable risks to vehicle occupants and other road users when the performance of the ADS is affected by environmental conditions, e.g. climatic conditions, temperature, dust ingress, water ingress, ice packing, inclement weather.
Verification and tests

Taking into account the results of the analysis of the manufacturer's documentation package, the type-approval authority shall request the tests to be performed or witnessed by the Technical Service to check specific points arising from the assessment.

The functional operation of the ADS, as laid out in the documents required in point 3., shall be tested as follows:

Verification of the function of the ADS

The type-approval authority shall verify the ADS under non-failure conditions by testing on a track a number of selected functions, as deemed necessary by the type-approval authority, from those described by the manufacturer, and by checking the overall behaviour of the ADS in real driving conditions, including compliance with traffic rules.

These tests shall include scenarios whereby the ADS is overridden by the remote intervention operator (if applicable).

These tests can be based on the test scenarios listed in Part 3 of this Annex and/or on additional scenarios not covered by Part 3.

The test results shall correspond with the description, including the control strategies, provided by the manufacturer in point 3.2. and shall comply with the performance requirements of this Regulation.
Verification of the ADS safety concept

The reaction of the ADS shall be checked under the influence of a fault in any individual unit by applying corresponding output signals to electrical units or mechanical elements in order to simulate the effects of an internal failure within the unit. The type-approval authority shall conduct or witness this check for at least one individual unit, but shall not check the reaction of the ADS to multiple simultaneous failures of individual units.

The type-approval authority shall verify that these tests include aspects that may have an impact on vehicle controllability and user information (HMI aspects, e.g. interaction with the operator/remote operator).

The type-approval authority shall also check a number of scenarios that are critical for the Object and Event Detection and Response (OEDR) and for the characterisation of the decision-making and HMI functions of the ADS (e.g. objects difficult to detect, the ADS reaching the ODD boundaries, traffic disturbance scenarios, connectivity issues, problems with off-board systems, remote capability issues such as the absence of the remote intervention operator) as defined in this Regulation.

The verification results shall correspond with the documented summary of the hazard analysis, to a level of overall effect such that the safety concept and its execution are confirmed as being adequate and in compliance with the requirements of this Regulation.

Simulation tools and mathematical models to verify the safety concept may be used in accordance with Annex VIII to Regulation (EU) 2018/858, in particular for scenarios that are difficult to perform on a test track or in real driving conditions. Manufacturers shall demonstrate the scope of the simulation tool, its validity for the scenario concerned, as well as the validation performed for the simulation tool chain (correlation of the outcome with physical tests). To demonstrate the validity of the simulation tool chain, the principles of Part 4 of this Annex shall apply. Simulation shall not be a substitute for the physical tests in Part 3 of this Annex.

The manufacturer shall have a valid certificate of compliance for the safety management system (SMS) relevant to the vehicle type being approved.
Safety management system (SMS)

In respect of the ADS, the manufacturer shall demonstrate to the type-approval authority, in terms of a safety management system (SMS), that effective processes, methodologies, training and tools are in place, up to date and being followed within the organisation to manage safety and continued compliance throughout the ADS lifecycle.

The design and development process shall be established and documented, including the safety management system, requirements management, requirements implementation, testing, failure tracking, remedy and release.

The manufacturer shall ensure effective communication channels between the manufacturer departments responsible for functional/operational safety, cybersecurity and any other relevant disciplines related to the achievement of vehicle safety.

The manufacturer shall have processes aimed at collecting vehicle data, and data from other sources, to monitor and analyse safety-relevant incidents/accidents caused by the engaged automated driving system. The manufacturer shall report the relevant occurrences to the type-approval authorities, market surveillance authorities and the Commission in accordance with Part 5 of this Annex.

The manufacturer shall have processes to manage potential safety-relevant gaps post-registration and to update the vehicles if necessary.

The manufacturer shall demonstrate that periodic independent internal process audits (e.g. every 2 years) are carried out to ensure that the processes established in accordance with points 5.1 to 5.5. are implemented consistently.

Manufacturers shall put in place suitable arrangements (e.g. contractual arrangements, clear interfaces, quality management system) with suppliers to ensure that the supplier safety management system complies with the requirements of points 5.1. (except for vehicle-related aspects such as 'operation' and 'decommissioning'), 5.2, 5.3 and 5.6.
5.8. Certificate of compliance for safety management system

5.8.1. An application for a Certificate of Compliance for Safety Management System shall be submitted by the manufacturer or by their duly accredited representative to the type-approval authority.

5.8.2. It shall be accompanied by the undermentioned documents in triplicate, and by the following particulars:
(a) Documents describing the Safety Management System.
(b) A signed Declaration of Compliance of the SMS with all the requirements for safety management according to this Regulation, using the model as defined in Appendix 3 to this Annex.

5.8.3. When the audit of the SMS has been satisfactorily completed and a signed declaration from the manufacturer according to the model defined in Appendix 3 has been received, a certificate named Certificate of Compliance for SMS as described in Appendix 4 (hereinafter the Certificate of Compliance for SMS) shall be granted to the manufacturer.

5.8.4. The Certificate of Compliance for SMS shall remain valid for a maximum of three years from the date of issue of the certificate unless it is withdrawn.

5.8.5. The type-approval authority may at any time verify that the requirements for the Certificate of Compliance for SMS continue to be met. The type-approval authority shall withdraw the Certificate of Compliance for SMS if major non-conformities with the requirements laid down in this Regulation are discovered and not immediately addressed.

5.8.6. The manufacturer shall inform the type-approval authority or its Technical Service of any change that will affect the relevance of the Certificate of Compliance for SMS. After consultation with the manufacturer, the type-approval authority or its Technical Service shall decide whether new checks are necessary.

5.8.7. In due time, the manufacturer shall apply for a new Certificate of Compliance for SMS or for the extension of the existing one. The type-approval authority shall, subject to a positive audit, issue a new Certificate of Compliance for SMS or extend its validity for a further period of three years. The type-approval authority shall verify that the SMS continues to comply with the requirements of this Regulation. The type-approval authority shall issue a new certificate in cases where changes have been brought to the attention of the type-approval authority or its Technical Service and the changes have been positively re-assessed.

5.8.8. The expiry or withdrawal of the manufacturer's Certificate of Compliance for SMS shall be considered, with regard to the vehicle types to which the SMS concerned was relevant, as a modification of approval, which may include the withdrawal of the approval if the conditions for granting the approval are no longer met.
Reporting provision

The reporting of the safety assessment of the ADS safety concept, as well as of the audit of the manufacturer's safety management system, shall be performed in a manner that allows traceability, e.g. the versions of the documents inspected are coded and listed in the records of the Technical Service.

An example layout for the report on the assessment of the ADS safety concept from the Technical Service to the type-approval authority is provided in Appendix 1 to this Part. The items listed in that Appendix are outlined as the minimum set of items that need to be covered.

The granting type-approval authority shall issue the safety assessment results to be annexed to the type-approval certificate, based on the documentation provided by the manufacturer, the report of the assessment of the ADS safety concept by the Technical Service and the outcomes of the verification and test campaigns performed in accordance with Part 3 of this Annex. An example of a possible layout for the safety assessment results is given in Appendix 4.

Competence of the auditors/assessors

The assessment of the ADS safety concept and the audit of the safety management system under this Part shall only be conducted by assessors/auditors with the technical and administrative knowledge necessary for such purposes. They shall in particular be competent as auditor/assessor for ISO 26262:2018 (Road vehicles - Functional safety) and ISO/PAS 21448 (Safety of the Intended Functionality of road vehicles), and shall be able to make the necessary link with cybersecurity aspects in accordance with UN Regulation No 155 and ISO/SAE 21434. This competence shall be demonstrated by appropriate qualifications or other equivalent training records.