Document 32022R1426
Commission Implementing Regulation (EU) 2022/1426 of 5 August 2022 laying down rules for the application of Regulation (EU) 2019/2144 of the European Parliament and of the Council as regards uniform procedures and technical specifications for the type-approval of the automated driving system (ADS) of fully automated vehicles (Text with EEA relevance)
C/2022/5402
OJ L 221, 26.8.2022, p. 1–64
In force
26.8.2022 | EN | Official Journal of the European Union | L 221/1
COMMISSION IMPLEMENTING REGULATION (EU) 2022/1426
of 5 August 2022
laying down rules for the application of Regulation (EU) 2019/2144 of the European Parliament and of the Council as regards uniform procedures and technical specifications for the type-approval of the automated driving system (ADS) of fully automated vehicles
(Text with EEA relevance)
THE EUROPEAN COMMISSION,
Having regard to the Treaty on the Functioning of the European Union,
Having regard to Regulation (EU) 2019/2144 of the European Parliament and of the Council of 27 November 2019 on type-approval requirements for motor vehicles and their trailers, and systems, components and separate technical units intended for such vehicles, as regards their general safety and the protection of vehicle occupants and vulnerable road users, amending Regulation (EU) 2018/858 of the European Parliament and of the Council and repealing Regulations (EC) No 78/2009, (EC) No 79/2009 and (EC) No 661/2009 of the European Parliament and of the Council and Commission Regulations (EC) No 631/2009, (EU) No 406/2010, (EU) No 672/2010, (EU) No 1003/2010, (EU) No 1005/2010, (EU) No 1008/2010, (EU) No 1009/2010, (EU) No 19/2011, (EU) No 109/2011, (EU) No 458/2011, (EU) No 65/2012, (EU) No 130/2012, (EU) No 347/2012, (EU) No 351/2012, (EU) No 1230/2012 and (EU) 2015/166 (1), and in particular Article 11(2) thereof,
Whereas:
(1) It is necessary to adopt the implementing legislation for the type-approval of the automated driving system of fully automated vehicles in particular systems listed in points (a), (b), (d) and (f) of Article 11(1) of Regulation (EU) 2019/2144. Driver availability monitoring systems should not apply to fully automated vehicles in accordance with Article 11(1) of Regulation (EU) 2019/2144. In addition, the harmonised format for the exchange of data for instance for multi-brand vehicle platooning is still subject to standardisation activities and shall not be included in this regulation at this stage. Finally the approval of the automated driving systems of automated vehicles should not be covered by this regulation as it is intended to cover them with a reference to UN Regulation 157 on automated lane keeping systems (2) in Annex I to Regulation (EU) 2019/2144 listing the UN regulations that shall apply on a compulsory basis in the EU.
(2) For the whole-vehicle type-approval of fully automated vehicles, the type-approval of their automated driving system under this Regulation should be complemented with the requirements set out in Annex II, Part I, Appendix 1 of Regulation (EU) 2018/858 of the European Parliament and of the Council (3). As next stage, the Commission will continue the work to further develop and adopt by July 2024 the necessary requirements for the EU whole vehicle type approval of fully automated vehicles produced in unlimited series.
(3) The assessment of the automated driving system of fully automated vehicles, as proposed by this regulation, relies heavily on the traffic scenarios that are relevant for the different use cases of fully automated vehicles. It is therefore necessary to define those different use cases. The review of such use cases, and their amendment if required, to cover additional use cases should be conducted on a regular basis.
(4) The information document, referred to in 24(1) (a) of Regulation (EU) 2018/858 to be provided by the manufacturer for the type-approval of the automated driving system of fully automated vehicles should be based on the template laid down for the whole vehicle type-approval in Annex II to Commission Implementing Regulation (EU) 2020/683 (4). However to ensure a consistent approach, it is necessary to extract the entries of the information document that are relevant for type-approval of automated driving system of the fully automated vehicle.
(5) Given the complexity of automated driving systems, it is necessary to supplement the performance requirements and tests of this Regulation by manufacturer documentation demonstrating that the automated driving system is free of unreasonable safety risks to vehicle occupants and other road users in the relevant scenarios and during the ADS lifetime. In this respect, it is necessary to lay down the safety management system to be put in place by the manufacturers, to set for manufacturers and authorities the parameters to be used for the traffic scenarios relevant for automated driving system, to lay down criteria to assess whether the safety concept of the manufacturer addresses the relevant traffic scenarios, hazard and risks, and to set out criteria to assess the validation results from the manufacturer in particular validation results from virtual toolchains. Finally it is necessary to specify the relevant in-use data that shall be reported by the manufacturer to the type-approval authorities.
(6) The EU type-approval certificate and its addendum, referred to in Article 28(1) of Regulation (EU) 2018/858, to be issued for the automated driving system of fully automated vehicles, should be based on the respective templates laid down in Annex III to Implementing Regulation (EU) 2020/683. However to ensure a consistent approach, it is necessary to extract the entries of the EU type-approval certificate and its addendum that are relevant for type-approval of the automated driving system of the fully automated vehicles.
(7) Subject to the provisions of Regulation (EU) 2018/858 and any relevant EU legislation, this regulation is without prejudice to the right of Member States to regulate the circulation and the safety of operation of fully automated vehicles in traffic and the safety of operation of those vehicles in local transport services. Member States are not obliged to predefine areas, routes or parking facilities under this regulation. Motor vehicles covered by this Regulation can only operate within the scope of Article 1.
(8) The measures provided for in this Regulation are in accordance with the opinion of the Technical Committee – Motor Vehicles,
HAS ADOPTED THIS REGULATION:
Article 1
Scope
This Regulation applies to the type-approval of fully automated vehicles of category M and N, with regard to their automated driving system, for the following use cases:
(a) Fully automated vehicles, including dual mode vehicles, designed and constructed for the carriage of passengers or carriage of goods on a predefined area.
(b) ‘Hub-to-hub’: fully automated vehicles, including dual mode vehicles, designed and constructed for the carriage of passengers or carriage of goods on a predefined route with fixed start and end points of a journey/trip.
(c) ‘Automated valet parking’: dual mode vehicles with a fully automated driving mode for parking applications within predefined parking facilities. The system may use or not external infrastructure (e.g. localization markers, perception sensors, etc.) of the parking facility to perform the dynamic driving task.
The manufacturer may apply for the individual or the type-approval under this Regulation of the automated driving system of vehicles defined in Article 2(3) of Regulation (EU) 2018/858, provided that those vehicles fulfil the requirements of this Regulation.
Article 2
Definitions
In addition to the definitions in Regulation (EU) 2018/858 and Regulation (EU) 2019/2144, for the purpose of this regulation, the following definitions shall apply:
1. ‘Automated Driving System’ (ADS) means the hardware and software that are collectively capable of performing the entire DDT on a sustained basis in a specific operational design domain (ODD).
2. ‘ADS feature’ means an application of ADS hardware and software designed for a specific use within an ODD.
3. ‘ADS function’ means an application of ADS hardware and software designed to perform a specific portion of the DDT.
4. ‘dynamic driving task (‘DDT’)’ means all real time operational functions and tactical functions required to operate the vehicle, excluding strategic functions such as trip scheduling and selection of destinations and waypoints and including without limitation the following subtasks:
5. ‘operational functions’ of the DDT means functions delivered over a time constant of milliseconds and which include tasks such as steering inputs to keep within a lane or braking to avoid an emerging hazard.
6. ‘tactical functions’ of the DDT means functions delivered over a time constant of seconds and including tasks such as lane choice, gap acceptance and overtaking.
7. ‘fault’ means an abnormal condition that can cause a failure. This can concern hardware or software.
8. ‘failure’ means the termination of an intended behaviour of a component or a system of the ADS due to a fault manifestation.
9. ‘in-service monitoring’ means data collected by the manufacturer and data from other sources, to get evidence on the in-service safety performance of the ADS in the field.
10. ‘in-service reporting’ means data reported by the manufacturer to demonstrate evidence on the in-service safety performance of the ADS in the field.
11. ‘lifetime of the ADS’ means the period of time during which the ADS system is available on the vehicle.
12. ‘lifecycle of the ADS’ means the period of time that consists of the design, development, production, field operation, service and decommissioning phases.
13. ‘malfunctioning behaviour’ means a failure or unintended behaviour of a component or a system of the ADS with respect to its design intent.
14. ‘minimal risk manoeuvre (‘MRM’)’ means a manoeuvre aimed at minimising risks in traffic by stopping the vehicle in a safe condition (i.e. minimal risk conditions).
15. ‘minimal risk condition (‘MRC’)’ means stable and stopped state of the vehicle that reduces the risk of a crash.
16. ‘operational design Domain (‘ODD’)’ means operating conditions under which a given ADS is specifically designed to function, including, but not limited to, environmental, geographical, and time-of-day restrictions, and/or the requisite presence or absence of certain traffic or roadway characteristics.
17. ‘object and event detection and response’ (‘OEDR’) means subtasks of the dynamic driving task that include monitoring the driving environment and executing an appropriate response. It includes detecting, recognizing, and classifying objects and events and preparing and executing responses as needed.
18. ‘scenario’ means a sequence or combination of situations used to assess the safety requirements for an ADS.
19. ‘nominal traffic scenarios’ means reasonably foreseeable situations encountered by the ADS when operating within its ODD. These scenarios represent the non-critical interactions of the ADS with other traffic participants and generate normal operation of the ADS.
20. ‘critical scenarios’ means scenarios related to edge-cases (e.g. unexpected conditions with an exceptionally low probability of occurrence) and operational insufficiencies, not limited to traffic conditions but also including environmental conditions (e.g. heavy rain or low sunlight glaring cameras), human factors, connectivity and miscommunication leading to emergency operation of the ADS.
21. ‘failure scenarios’ means the scenarios related to ADS and/or vehicle components failure which may lead to normal or emergency operation of the ADS depending on whether or not the minimum safety level is preserved.
22. ‘normal operation’ means the ADS operation within specified operational limits and conditions to perform the designed activity.
23. ‘emergency operation’ means the ADS operation due to the occurrence of events requiring prompt action to mitigate adverse consequences on human health or property damage.
24. ‘on-board operator’ means, where applicable to the ADS safety concept, a person located inside the fully automated vehicle who may:
In the above situations, the on-board operator shall not drive the fully automated vehicle and the ADS shall continue to perform the DDT.
25. ‘remote intervention operator’ means, where applicable to the ADS safety concept, person(s) located outside the fully automated vehicle who may remotely achieve the tasks of the on-board operator provided it is safe to do so. The remote intervention operator shall not drive the fully automated vehicle and the ADS shall continue to perform the DDT.
26. ‘remote capabilities’ mean capabilities specifically designed to support remote intervention.
27. ‘R2022/1426 Software Identification Number (R2022/1426SWIN)’ means a dedicated identifier, defined by the manufacturer, representing information about the type approval relevant software of the ADS contributing to the type approval relevant characteristics of the ADS.
28. ‘unreasonable risk’ means the overall level of risk for the vehicle occupants and other road users which is increased compared to a manually driven vehicle in comparable transportation services and situations within the operational design domain.
29. ‘functional safety’: absence of unreasonable risks under the occurrence of hazards caused by malfunctioning behaviour.
30. ‘operational safety’ means the absence of unreasonable risk under the occurrence of hazards resulting from functional insufficiencies of the intended functionality (e.g. false/missed detection), operational disturbances (e.g. environmental conditions like fog, rain, shadows, sunlight, infrastructure) or by reasonably foreseeable misuse/errors by the vehicle occupants and other road users (i.e. safety hazards – without system faults).
31. ‘control strategy’ means a strategy to ensure robust and safe operation of the ADS in response to a specific set of ambient and/or operating conditions (such as road surface condition, other road users, adverse weather conditions, imminent collision risk, failures, reaching ODD boundaries, etc.). This may include temporary performance restrictions (e.g. a reduction in the maximum operating speed, etc.), MRM manoeuvres, collision avoidance or mitigation, remote intervention, etc.
32. ‘Time to Collision’ (TTC) means the time before a collision happens between involved vehicles/objects/subjects if their speeds would not change and taking into account their paths. For pure longitudinal situations with constant speeds, unless differently specified in the text, the TTC is obtained by dividing the longitudinal distance (in the direction of travel of the subject vehicle) between the subject vehicle and the other vehicles/objects/subjects by the longitudinal relative speed of the subject vehicle and the other vehicles/objects/subjects. For pure crossing situations with constant speeds, unless differently specified in the text, this is obtained by dividing the longitudinal distance between the subject vehicle and the lateral line of movement of the other vehicles/objects/subjects by the longitudinal velocity of the subject vehicle.
33. ‘vehicle type with regard to the ADS’ means fully automated vehicles which do not differ in such essential aspects as:
34. ‘dual mode vehicles’ means fully automated vehicles with a driver seat designed and constructed:
For dual mode vehicles, the transition between the manual driving mode and the fully automated mode, as well the transition between the fully automated mode and the manual mode may only occur when the vehicle is at standstill, not when the vehicle is moving.
35. ‘transport service operator’ means the entity providing a transport service using one or more fully automated vehicles.
Article 3
Administrative provisions and technical specifications for the type-approval of the automated driving system of fully automated vehicles
1. The relevant entries of information document, submitted in accordance with Article 24(1), point (a) of Regulation (EU) 2018/858 with the application for type-approval of the automated driving system of a fully automated vehicle, shall consist of the information relevant for that system as contained in Annex I.
2. The type-approval of the automated driving systems of fully automated vehicles shall be subject to the technical specifications set out in Annex II. Those specifications shall be assessed by the approval authorities or their technical services in accordance with Annex III.
3. The EU type-approval certificate for a type of the automated driving system of a fully automated vehicle, as referred to in Article 28(1) of Regulation (EU) 2018/858, shall be drawn up in accordance with Annex IV.
Article 4
Entry into force
This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.
This Regulation shall be binding in its entirety and directly applicable in all Member States.
Done at Brussels, 5 August 2022.
For the Commission
The President
Ursula VON DER LEYEN
(1) OJ L 325, 16.12.2019, p. 1.
(3) Regulation (EU) 2018/858 of the European Parliament and of the Council of 30 May 2018 on the approval and market surveillance of motor vehicles and their trailers, and of systems, components and separate technical units intended for such vehicles, amending Regulations (EC) No 715/2007 and (EC) No 595/2009 and repealing Directive 2007/46/EC (OJ L 151, 14.6.2018, p. 1).
(4) Commission Implementing Regulation (EU) 2020/683 of 15 April 2020 implementing Regulation (EU) 2018/858 of the European Parliament and of the Council with regards to the administrative requirements for the approval and market surveillance of motor vehicles and their trailers, and of systems, components and separate technical units intended for such vehicles (OJ L 163, 26.5.2020, p. 1).
ANNEX I
Information document for EU type-approval of fully automated vehicles with regard to their automated driving system
MODEL
Information document No … relating to the EU type-approval of a type of a fully automated vehicle with regard to the automated driving system (ADS).
The following information shall be supplied in triplicate and include a list of contents. Any drawings or pictures shall be supplied in appropriate scale and in sufficient detail on size A4 or on a folder of A4 format. Photographs, if any, shall show sufficient detail.
0. GENERAL
0.1. Make (trade name of manufacturer):
0.2. Type:
0.2.1. Commercial name(s) (if available):
0.2.2 For multi-stage approved vehicles, type-approval information of the base/previous stage vehicle, list the information for each stage. (This can be done with a matrix)
Type: Variant(s): Version(s): Number of the type-approval certificate including extension number …
0.3. Means of identification of type, if marked on the vehicle/component/separate technical unit:
0.3.1. Location of that marking:
0.4. Category of vehicle:
0.5. Company name and address of manufacturer:
0.5.1 For multi-stage approved vehicles, company name and address of the manufacturer of the base/previous stage(s) vehicle: …
0.6 Location and method of attachment of statutory plates and location of vehicle identification number: …
0.6.1. On the chassis: …
0.6.2. On the bodywork: …
0.8. Name(s) and address(es) of assembly plant(s):
0.9. Name and address of the manufacturer’s representative (if any):
17. AUTOMATED DRIVING SYSTEM (ADS)
17.1. General ADS description
17.1.1. Operational design domain/Boundary conditions
17.1.2. Basic Performance (e.g. Object and Event Detection and Response, planning, etc.)
17.2. Description of the functions of the ADS
17.2.1. Main ADS Functions (functional architecture)
17.2.1.1. Vehicle-internal functions
17.2.1.2. Vehicle-external functions (e.g. backend, off-board infrastructure needed, operational measures needed)
17.3. Overview of the major components of the ADS
17.3.1. Control units
17.3.2. Sensors and installation of the sensors on the vehicle
17.3.3. Actuators
17.3.4. Maps and positioning
17.3.5. Other hardware
17.4. ADS layout and schematics
17.4.1. Schematic system layout (e.g. block diagram)
17.4.2. List and schematic overview of interconnections
17.5. Specifications
17.5.1. Specifications in normal operation
17.5.2. Specifications in emergency operation
17.5.3. Acceptance criteria
17.5.4 Demonstration of compliance
17.6. Safety concept
17.6.1. Manufacturer Statement that the vehicle is free from unreasonable risks
17.6.2. Outline of the software architecture (e.g. block diagram)
17.6.3. Means by which the realization of ADS logic is determined
17.6.4. General explanation of the main design provisions built into the ADS so as to generate safe operation under fault conditions, under operational disturbances and the occurrence of conditions that would exceed the ODD
17.6.5 General description of failure handling main principles, fall-back level strategy including risk mitigation strategy (minimal risk manoeuvre)
17.6.6. Conditions for triggering a request to the on-board operator or the remote intervention operator
17.6.7. Human machine interaction concept with vehicle occupants, on-board operator and remote intervention operator including protection against simple unauthorised activation/operation and Interventions
17.7. Verification and validation by the manufacturer of the performance requirements including the OEDR, the HMI, the respect of traffic rules and the conclusion that the system is designed in such a way that it is free from unreasonable risks for vehicle occupants and other road users
17.7.1. Description of the adopted approach
17.7.2. Selection of nominal, critical and failure scenarios
17.7.3. Description of the used methods and tools (software, laboratory, others) and summary of the credibility assessment
17.7.4. Description of the results
17.7.5. Uncertainty of the results
17.7.6. Interpretation of the results
17.7.7. Manufacturer’s declaration:
The manufacturer(s) … affirm(s) that the ADS is free of unreasonable safety risks to the vehicle occupants and other road users.
17.8. ADS data elements
17.8.1. Type of data stored
17.8.2. Storage location
17.8.3. Recorded occurrences and data elements
17.8.4. Means to ensure data security and data protection
17.8.5. Means to access the data
17.9. Cyber security and software update
17.9.1. Cyber Security type-approval number:
17.9.2. Number of the certificate of compliance for cyber-security management system:
17.9.3. Software update type-approval number:
17.9.4. Number of the certificate of compliance for software-update management system
17.9.5. Software Identification of the ADS
17.9.5.1. Information on how to read the RxSWIN or software version(s) in case the RxSWIN is not held on the vehicle.
17.9.5.2. If applicable, list the relevant parameters that will allow the identification of those vehicles that can be updated with the software represented by the RxSWIN under item 17.9.4.1.
17.10. Operating manual (to be annexed to the information document)
17.10.1. Functional description of the ADS and expected role of the owner, transport service operator, on board operator, remote intervention operator, etc.
17.10.2. Technical measures for safe operation (e.g. description of the necessary off-board infrastructure, timing, frequency and template of maintenance operations);
17.10.3. Operational and environment restrictions
17.10.4. Operational measures (e.g. if on-board operator or remote intervention operator needed)
17.10.5. Instructions in case of failures and ADS request (safety measures by vehicle occupants, transport service operator, on board operator and remote intervention operator and public authorities to be taken in the event of malfunctioning of the operation)
17.11. Means to enable periodic road worthiness tests
List of Figures/Tables
Acronyms
Annex I – Simulation Handbook
Annex II – Operating Manual
Explanatory note
This information document comprises the information relevant for the automated driving system and shall be completed in accordance with the template laid down in Annex I to Commission Implementing Regulation (EU) 2020/683.
ANNEX II
Performance requirements
1. DDT under nominal traffic scenarios.
1.1. The ADS shall be capable of performing the entire DDT.
1.1.1. The capability of the ADS to perform the entire DDT shall be determined in the context of the ODD of the ADS.
1.1.2. As part of the DDT, the ADS shall be able to:
1.1.3. The system shall demonstrate anticipatory behaviour in interaction with other road user(s), in order to ensure stable, low-dynamic, longitudinal behaviour and risk minimising behaviour when critical situations could become imminent, e.g. with unobstructed and obstructed vulnerable road users (pedestrians, cyclist, etc.) or with other vehicles crossing or cutting-in in front of the fully automated vehicle.
1.1.4. The requirements related to the DDT shall be fulfilled in the reverse direction if the reverse gear is required by or declared in the ODD,
1.2 The ADS shall detect and respond appropriately to objects and events relevant for the DDT within the ODD.
Objects and events might include, but are not limited, to:
1.3. The ADS shall comply with traffic rules of the country of operation
1.3.1. The ADS shall interact safely with other road users in accordance with traffic rules, such as via:
1.3.2. In the absence of specific traffic rules, vehicles with ADS intended to carry standing or unrestrained vehicle occupants shall not exceed a combined horizontal acceleration of 2,4 m/s² (in absolute value and calculated as the combination of lateral and longitudinal acceleration), and an acceleration rate of change of 5 m/s³.
Depending on the factors influencing the risk to occupants and other road users, it might be appropriate to exceed these limits, such as emergency operations.
2. DDT under critical traffic scenarios (emergency operation).
2.1 The ADS shall be able to perform the DDT for all reasonably foreseeable critical traffic scenarios in the ODD.
2.1.1. The ADS shall be able to detect the risk of collision with other road users, or a suddenly appearing obstacle (debris, lost load) and shall be able to automatically perform appropriate emergency operation (braking, evasive steering) to avoid reasonably foreseeable collisions and minimise risks to safety of the vehicle occupants and other road users.
2.1.1.1. In the event of an unavoidable alternative risk to human life, the ADS shall not provide for any weighting on the basis of personal characteristics of humans.
2.1.1.2. The protection of other human life outside the fully automated vehicle shall not be subordinated to the protection of human life inside the fully automated vehicle.
2.1.2. The vulnerability of road users involved should be taken into account by the avoidance/mitigation strategy.
2.1.3. After the evasive manoeuvre the vehicle shall aim to resume a stable motion as soon as technically possible.
2.1.4. The signal to activate the hazard warning lights shall be generated automatically in accordance with traffic rules. If the fully automated vehicle automatically drives off again, the signal to deactivate the hazard warning lights shall be generated automatically.
2.1.5. In the event of a traffic accident involving the fully automated vehicle, the ADS shall aim to stop the fully automated vehicle and aim to perform a Minimal risk Manoeuvre to reach the Minimal risk Condition. ADS resuming normal operation shall not be possible until the safe operational state of the fully automated vehicles has been confirmed by self-checks of the ADS or/and the on-board operator (if applicable) or the remote intervention operator (if applicable).
3. DDT at ODD boundaries
3.1. The ADS shall recognise its ODD conditions and boundaries of the ODD.
3.1.1. The ADS shall be able to determine if the conditions for ADS activation are met.
3.1.2. The ADS shall detect and respond when one or more ODD conditions are not fulfilled or no longer fulfilled.
3.1.3. The ADS shall be able to anticipate exits from the ODD
3.1.4. The ODD conditions and boundaries shall be established by the manufacturer.
3.1.4.1. The ODD conditions to be recognised by the ADS include:
3.1.5. When the ADS reaches the ODD boundaries, it shall perform a MRM to reach a MRC and shall warn the on board operator (if applicable)/remote operator accordingly (if applicable).
4. DDT under failure scenarios
4.1. The ADS shall detect and respond to ADS or/and vehicle malfunctioning behaviour.
4.1.1. The ADS shall self-diagnose faults and failures.
4.1.2. The ADS shall evaluate its ability to fulfil the entire DDT.
4.1.2.1. The ADS shall respond safely to a fault/failure in the ADS that does not significantly compromise ADS performance.
4.1.2.2. The ADS shall execute a MRM to achieve a MRC in the event of a failure of the ADS and/or other vehicle system that prevents the ADS from performing the DDT.
4.1.2.3. The ADS shall immediately upon detection, signal major failures and resulting operational status to vehicle occupants, the on-board operator (if available) or the remote intervention operator (if relevant), as well as to other road users in accordance with traffic rules (e.g. activation of the hazard warning lights).
4.1.2.4. If failures affect the braking or steering performance of the vehicle, the MRM shall be carried out with consideration for the remaining performance.
5. Minimal risk manoeuvre (MRM) and Minimal risk Condition (MRC)
5.1. During the MRM, the fully automated vehicle with the ADS shall be slowed down, with an aim of achieving a deceleration demand not greater than 4,0 m/s², to a full standstill in the safest possible place taking into account surrounding traffic and road infrastructure. Higher deceleration demand values are permitted in the event of a severe ADS or severe fully automated vehicle failure.
5.2. The ADS shall signal its intention to place the fully automated vehicle in an MRC to occupants of the fully automated vehicle as well as to other road users in accordance with traffic rules (e.g., by activating the hazard warning lights)
5.3. The fully automated vehicle shall only leave the MRC after confirmation by self-checks of the ADS or/and by the on-board operator (if applicable) or remote intervention operator (if applicable) that the cause(s) of the MRM is no longer present.
6. Human machine interaction
6.1. |
Adequate information shall be given to the occupants of the fully automated vehicle wherever needed for safe operation and with regard to safety hazards, |
6.2. |
If a remote intervention operator is part of the ADS safety concept, the fully automated vehicle shall provide means for vehicle occupants to call a remote intervention operator through an audiovisual interface in the fully automated vehicle. Unambiguous signs shall be used for the audiovisual interface (e.g. ISO 7010 E004) |
6.3. |
The ADS shall provide vehicle occupants with means to request a minimal risk manoeuvre to stop the fully automated vehicle. In case of emergency:
|
6.4. |
If a remote intervention operator is part of the ADS safety concept, the fully automated vehicle shall provide vision systems (e.g. cameras in accordance with chapter 6 of ISO16505:2019) of the occupant space inside the vehicle and of the surrounding of the vehicle to allow the remote intervention operator to assess the situation inside and outside of the vehicle. |
6.5. |
If a remote intervention operator is part of the ADS safety concept, it shall be possible for the remote intervention operator to open the power operated service door remotely. |
6.6. |
The ADS shall activate the relevant vehicle systems when necessary and applicable (e.g. opening doors, activate wipers in case of rain, heating system, etc.) |
7. Functional and operational safety
7.1. |
The manufacturer shall demonstrate that an acceptable degree of consideration has been given to the functional and operational safety for the ADS during its design and development processes. The measures put in place by the manufacturer shall ensure that the fully automated vehicle is free of unreasonable safety risks to vehicle occupants and other road users during the vehicle lifetime when compared with comparable transport services and situations within the operational domain. |
7.1.1. |
The manufacturer shall define the acceptance criteria from which the validation targets of the ADS are derived to evaluate the residual risk for the ODD taking into account, where available, existing accident data (1), data on performances from competently and carefully driven manual vehicles and technology state-of-the-art. |
7.2. |
The manufacturer shall have processes to manage the safety and continued compliance of the ADS over lifetime (wear and tear of components especially for sensors, new traffic scenarios, etc.). |
8. Cyber security and software updates
8.1. |
The ADS shall be protected from unauthorised access in accordance with UN Regulation No 155 (2). |
8.2. |
The ADS shall support software updates. The effectiveness of the software update procedures and processes concerning the ADS shall be demonstrated by compliance with UN Regulation No 156 (3). |
8.2.1 |
As specified in the Software Update and Software Update Management System Regulation, for the purpose of ensuring the software of the System can be identified, an R2022/1426SWIN shall be used. The R2022/1426SWIN may be held on the vehicle or, if R2022/1426SWIN is not held on the vehicle, the manufacturer shall declare the software version(s) of the vehicle or single ECUs with the connection to the relevant type-approvals to the type-approval authority. |
8.2.2 |
The manufacturer shall provide the following information in the information document:
|
8.2.3. |
The manufacturer may provide in the information document a list of the relevant parameters that will allow the identification of those vehicles that can be updated with the software represented by the R2022/1426SWIN. The information provided shall be declared by the manufacturer and may not be verified by a type-approval authority. |
8.2.4. |
The manufacturer may obtain a new vehicle type-approval for the purpose of differentiating software versions intended to be used on vehicles already registered in the market from the software versions that are used on new vehicles. This may cover the situations where type-approval regulations are updated, or hardware changes are made to vehicles in series production. In agreement with the type-approval authority, duplication of tests shall be avoided where possible. |
9. ADS data requirements and specific data elements for event data recorder for fully automated vehicles
9.1. |
The ADS shall record the following occurrences whenever the ADS is activated: |
9.1.1. |
Activation/re-initialisation of the ADS (if applicable) |
9.1.2. |
Deactivation of the ADS (if applicable) |
9.1.3. |
Request sent by the ADS to the remote intervention operator (if applicable) |
9.1.4. |
Request/Input sent by the remote intervention operator (if applicable) |
9.1.5. |
Start of emergency operation |
9.1.6. |
End of emergency operation |
9.1.7. |
Involved in a detected collision |
9.1.8. |
Event data recorder (EDR) trigger input |
9.1.9. |
Minimal risk manoeuvre engagement by the ADS |
9.1.10. |
Minimal risk condition reached by the fully automated vehicle |
9.1.11. |
ADS failure (Description) |
9.1.12. |
Vehicle failure |
9.1.13. |
Start of lane change procedure |
9.1.14. |
End of lane change procedure |
9.1.15. |
Abortion of lane change procedure |
9.1.16. |
Start of intentional lane crossing |
9.1.17. |
End of intentional lane crossing |
9.2 |
Occurrence flags for points 9.1.13., 9.1.14., 9.1.16. and 9.1.17. are only required to be stored if they happen within 30 seconds before the occurrences in points 9.1.5., 9.1.7., 9.1.15. or 9.1.8. |
9.3. |
ADS Data elements |
9.3.1. |
For each occurrence listed in point 9.1., the following data elements shall be recorded in a clearly identifiable way: |
9.3.2. |
The recorded occurrence flag |
9.3.3. |
Reason for the occurrence, as appropriate, |
9.3.4. |
Date (resolution: yyyy/mm/dd); |
9.3.5. |
Position (GPS coordinates) |
9.3.6. |
Timestamp:
|
9.4. |
For each recorded occurrence, the RXSWIN, or the software versions, indicating the software that was present when the event occurred, shall be clearly identifiable. |
9.5. |
A single timestamp may be allowed for multiple elements recorded simultaneously within the timing resolution of the specific data elements. If more than one element is recorded with the same timestamp, the information from the individual elements shall indicate the chronological order. |
9.6. |
Data availability |
9.6.1. |
The ADS data elements shall be available subject to requirements specified in the Union or national law (4). |
9.6.2. |
Once the storage capacity reaches its limit, existing data shall only be overwritten following a first in first out procedure with the principle of respecting the relevant data availability requirements.
Documented evidence on the storage capacity shall be provided by the manufacturer. |
9.6.3. |
For vehicles of category M1 and N1, the data elements shall be retrievable even after an impact of a severity level set by UN Regulations Nos 94 (5), 95 (6) or 137 (7). |
9.6.4. |
For vehicles of categories M2, M3, N2 and N3, the data elements listed in point 9.2. shall be retrievable even after an impact. To demonstrate that capability, the following applies:
Either:
|
9.6.5. |
If the main on-board vehicle power supply is not available, it shall still be possible to retrieve all data recorded. |
9.6.6. |
Data stored shall be easily readable in a standardised way via the use of an electronic communication interface, at least through the standard interface (OBD port). |
9.7 |
Specific data elements for event data recorder for fully automated vehicles |
9.7.1. |
For vehicles fitted with an Event Data Recorder in accordance with Article 6 of Regulation (EU) 2019/2144, it shall be possible to retrieve through the standard interface (OBD port) the ADS data elements as referred to in points 9.3.1. and 9.3.2. recorded for at least the last 30 seconds before the last setting of the occurrence flag ‘Event Data Recorder (EDR) trigger input’, alongside the data elements specified in UN Regulation 160 (9), Annex 4 (EDR data). |
9.7.2. |
In the absence of any occurrence referred to in point 9.1. within the last 30 seconds before the last setting of the occurrence flag ‘Event Data Recorder (EDR) trigger input’, it shall be possible to retrieve, alongside the EDR data, the data element corresponding to the last occurrences within the same power cycle referred to in points 9.1.1. and 9.1.2., as a minimum. |
9.7.3. |
The data elements retrieved in accordance with point 9.7.1. or 9.7.2. shall not include the date and the timestamp or any other information allowing for identification of the vehicle, its user or owner. Instead the time stamp shall be replaced with information representing the time difference between the occurrence flag ‘Event Data Recorder (EDR) trigger input’ and the occurrence flag of the respective ADS data element. |
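One way to implement the retrieval rules of points 9.7.1. to 9.7.3., given as an added example that is not part of the Regulation. The `Occurrence` record layout, the `power_cycle` counter, the `seq` ordering field, the use of point numbers as flag identifiers and the choice to also drop the position from the export are assumptions made for illustration; the sample logs are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Flags are identified here by their point number in 9.1. (assumption).
EDR_TRIGGER = "9.1.8"
ACTIVATION, DEACTIVATION = "9.1.1", "9.1.2"
WINDOW = timedelta(seconds=30)  # "last 30 seconds" of point 9.7.1.


@dataclass(frozen=True)
class Occurrence:
    """One stored ADS data element set (point 9.3.); layout is hypothetical."""
    flag: str
    reason: str
    timestamp: datetime             # date and timestamp (9.3.4., 9.3.6.)
    position: tuple[float, float]   # GPS coordinates (9.3.5.)
    power_cycle: int                # hypothetical ignition-cycle counter
    seq: int                        # chronological order within one timestamp (9.5.)


def _order(o):
    return (o.timestamp, o.seq)


def _export_record(o, trigger):
    # Allow-list export (9.7.3.): a new record is built from the permitted
    # fields only, so date, timestamp and position can never leak through.
    return {
        "flag": o.flag,
        "reason": o.reason,
        "seconds_before_trigger": (trigger.timestamp - o.timestamp).total_seconds(),
    }


def edr_export(log):
    """Return the ADS data elements to hand out alongside the EDR data."""
    triggers = [o for o in log if o.flag == EDR_TRIGGER]
    if not triggers:
        return []
    trigger = max(triggers, key=_order)  # last setting of the trigger flag
    earlier = sorted((o for o in log if _order(o) < _order(trigger)), key=_order)

    # 9.7.1.: every occurrence in the 30 s before the last trigger.
    selected = [o for o in earlier if trigger.timestamp - o.timestamp <= WINDOW]

    # 9.7.2.: nothing in the window, so fall back to the last activation and
    # deactivation recorded in the same power cycle as the trigger.
    if not selected:
        same_cycle = [o for o in earlier if o.power_cycle == trigger.power_cycle]
        for flag in (ACTIVATION, DEACTIVATION):
            matches = [o for o in same_cycle if o.flag == flag]
            if matches:
                selected.append(matches[-1])
        selected.sort(key=_order)

    return [_export_record(o, trigger) for o in selected]


# --- Constructed sample data (not taken from any real vehicle) ---
T0 = datetime(2024, 1, 1, 8, 0, 0)


def _occ(flag, reason, offset_s, cycle=7, seq=0):
    return Occurrence(flag, reason, T0 + timedelta(seconds=offset_s),
                      (50.0, 4.0), cycle, seq)


SAMPLE_RECENT = [
    _occ(ACTIVATION, "start of service", 0),
    _occ("9.1.13", "slower vehicle ahead", 100),
    _occ("9.1.9", "sensor fault", 115),
    _occ("9.1.7", "", 120, seq=0),         # same timestamp as the trigger,
    _occ(EDR_TRIGGER, "", 120, seq=1),     # ordered by seq (9.5.)
]

SAMPLE_QUIET = [
    _occ(DEACTIVATION, "end of service", -3600, cycle=6),  # earlier power cycle
    _occ(ACTIVATION, "start of service", 0),
    _occ(EDR_TRIGGER, "", 300),
]

if __name__ == "__main__":
    for name, log in (("recent", SAMPLE_RECENT), ("quiet", SAMPLE_QUIET)):
        print(name, edr_export(log))
```
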
9.8. |
The manufacturer shall provide instructions on how to access the data. |
9.9. |
Protection against manipulation |
9.9.1. |
An adequate protection against manipulation (e.g. data erasure) of stored data shall be ensured, for example by way of an anti-tampering design. |
10. Manual driving mode
10.1. |
If the ADS allows manual driving for the purpose of maintenance or to take over after a minimal risk manoeuvre is provided in the fully automated vehicle, the vehicle shall be limited to 6 km/h and shall be provided with means to enable the person driving the vehicle to perform the driving task safely in accordance with the safety concept of the manufacturer. Except in case of failure, the ADS shall continue detecting an obstacle (e.g. vehicles, pedestrian) in the manoeuvring area and shall support the driver in bringing the vehicle immediately to a stop to avoid a collision. |
10.2. |
If manual driving is limited to 6 km/h, it is not necessary for the driver to stay within the fully automated vehicle. The control can be performed via a remote control located in the vicinity of the vehicle provided that the vehicle stays in the direct line of sight of the driver. The maximum distance over which control is possible by a remote control shall not exceed 10 metres. |
10.3. |
If, in manual driving, the vehicle is intended to be driven at speeds higher than 6 km/h, the vehicle shall be considered as dual mode vehicle. |
11. Operating manual
11.1. |
The manufacturer shall draw up an operating manual. The purpose of the operating manual is to ensure the safe operation of the fully automated vehicle by means of detailed instructions to the owner, vehicle occupants, transport service operator, on-board operator, remote intervention operator and any relevant national authorities.
When the fully automated vehicle includes the possibility of manual driving for the purpose of maintenance or to take over after a minimal risk manoeuvre, it shall also be covered by the operating manual. |
11.2. |
The operating manual shall include the functional description of the ADS. |
11.3. |
The operating manual shall include the technical measures (e.g. checks and maintenance works of vehicle and off-board infrastructure, transport and physical infrastructure requirements such as localization marker and perception sensors), operational restrictions (e.g. speed limit, dedicated lane, physical separation with oncoming traffic), environmental conditions (e.g. no snow) and operational measures (e.g. on-board operator or remote intervention operator needed) necessary to ensure safety during the fully automated vehicle operation. |
11.4. |
The operating manual shall describe the instructions for vehicle occupants, transport service operator, on board operator (where applicable) and remote intervention operator (where applicable) and public authorities in case of failures and ADS request. |
11.5. |
The operating manual shall set out rules to ensure proper performance of maintenance, overall tests and further examinations. |
11.6. |
The Operating Manual shall be submitted to the type-approval authority together with the application for a type-approval and shall be annexed to the type-approval certificate. |
11.7. |
The Operating Manual shall be made available to the owner and, where applicable, to the transport service operator, on-board operator (where applicable), remote intervention operator (where applicable) and any relevant national authorities. |
12. Provisions for periodic roadworthiness tests
12.1. |
For the purpose of periodic roadworthiness tests, it shall be possible to verify the following features of the ADS: |
(a) |
Its correct operational status, by visible observation of the failure warning signal status following the activation of the vehicle master control switch and any bulb check. Where the failure warning signal is displayed in a common space (the area on which two or more information functions/symbols may be displayed, but not simultaneously), the common space must first be observed to be functional prior to the failure warning signal status check; |
(b) |
Its correct functionality and the software integrity, by the use of an electronic vehicle interface, such as the one laid down in point I. (14) of Annex III to Directive 2014/45/EU of the European Parliament and of the Council (10), where the technical characteristics of the vehicle allow for it and the necessary data is made available. Manufacturers shall ensure to make available the technical information for the use of the electronic vehicle interface in accordance with Article 6 of Commission Implementing Regulation (EU) 2019/621 (11). |
(1) For instance based on current accident data on buses, coaches, trucks and cars in the EU, an indicative aggregated acceptance criteria of 10⁻⁷ fatalities per hour of operation could be considered for market introduction of ADSs for comparable transport services and situations. The manufacturer may use other metrics and method provided it can demonstrate that it leads to an absence of unreasonable safety risk when compared with comparable transport services and situations within the operational domain.
(4) A storage capacity of 2 500 timestamps to correspond with a period of 6 months of use is recommended.
(5) OJ L 392, 5.11.2021, p. 1.
(6) OJ L 392, 5.11.2021, p. 62.
(7) OJ L 392, 5.11.2021, p. 130.
(8) OJ L 449, 15.12.2021, p. 1.
(9) OJ L 265, 26.7.2021, p. 3.
(10) Directive 2014/45/EU of the European Parliament and of the Council of 3 April 2014 on periodic roadworthiness tests for motor vehicles and their trailers and repealing Directive 2009/40/EC (OJ L 127, 29.4.2014, p. 51).
(11) Commission Implementing Regulation (EU) 2019/621 of 17 April 2019 on the technical information necessary for roadworthiness testing of the items to be tested, on the use of the recommended test methods, and establishing detailed rules concerning the data format and the procedures for accessing the relevant technical information (OJ L 108, 23.4.2019, p. 5).
ANNEX III
Compliance assessment
The overall compliance assessment of the ADS is based on:
— |
Part 1: The traffic scenarios to consider |
— |
Part 2: The assessment of the ADS safety concept and the audit of the manufacturer safety management system. |
— |
Part 3: The tests for the most relevant traffic scenarios. |
— |
Part 4: The principles to be used for the credibility assessment for using a virtual toolchain for ADS validation. |
— |
Part 5: The system established by the manufacturer to ensure in-service reporting. |
Any requirement in Annex II may be checked by means of tests performed by the type-approval authority (or its technical service).
PART 1
TRAFFIC SCENARIOS TO CONSIDER
1. |
Minimum set of traffic scenarios |
1.1. |
Scenarios and parameters listed in point 1 shall be used, when these scenarios are relevant for the ODD of the ADS.
If the manufacturer deviates from the parameters proposed in point 1, the safety performance metrics and inherent assumptions used by the manufacturer shall be documented in the documentation package. The safety performance metrics and inherent assumptions chosen shall demonstrate that the fully automated vehicle is free of unreasonable safety risks. The validity of such safety performance metrics and inherent assumptions shall be supported by in-service monitoring data. |
1.2. |
Parameters to be used for the lane change scenarios by the fully automated vehicle |
1.2.1. |
The scenarios and parameters, with regard to lane change, shall be applied as specified in UN Regulation No 157 (1). |
1.3. |
Parameters to be used for the turning and crossing scenario by the fully automated vehicle. |
1.3.1. |
In the absence of more specific traffic rules, the following requirements shall be taken into account with regard to interaction with other road users involved in the movement when turning and crossing (see Figure 1) in dry and proper road pavement conditions. |
1.3.2. |
In the case of merging with privileged traffic during turning with and without crossing the opposite traffic direction, privileged traffic in the target lane should not have to decelerate. However, it must be ensured that the TTC of the approaching privileged traffic in the target road (case (a) in Figure 1) never falls below the threshold TTC_dyn defined as:
With:
|
1.3.3. |
In the case of a turning manoeuvre crossing the opposite traffic direction, when considering oncoming traffic, privileged traffic in the target lane should not have to decelerate. However, if justified by the traffic density, it must be ensured – in addition to the distance from the approaching privileged traffic in the target road – that the TTC of the privileged crossing traffic to the fictitious collision point (point of intersection of the trajectories, case (b) in Figure 1) never falls below the threshold TTC_int defined as:
With:
The same applies to crossing with privileged traffic (case (c) in Figure 1): The TTC of privileged traffic to the imaginary collision point (point of intersection of the trajectories) shall never fall below the threshold TTC_int defined in the present point.
Figure 1: Visualisation of the distances during turning and crossings. Case (a): Distance to the approaching privileged traffic in the target lane to be observed during turning-in and merging with privileged traffic. Case (b): Distance to the oncoming privileged traffic to be observed when turning by crossing the opposite traffic direction. Case (c): distance to the privileged crossing traffic to be respected when crossing. |
1.4. |
Parameters to be used for the emergency manoeuvre scenarios by the fully automated vehicle (DDT under critical scenarios) |
1.4.1. |
The ADS shall avoid a collision with a leading vehicle which decelerates up to its full braking performance provided that there was no cut-in by another vehicle. |
1.4.2. |
Collisions with cutting in vehicles, pedestrians and cyclists travelling in the same direction, as well as with pedestrians who can start to cross the street, shall be avoided at least within the conditions determined by the following equation.
With:
being the time to-collision at the moment of the cut-in of the vehicle or cyclist by more than 30 cm in the lane of the fully automated vehicle.
v_rel being the relative speed in metres per second [m/s] between the fully automated vehicle and the cutting-in vehicle (positive if the ADS is faster than the cutting-in vehicle).
β being the maximum deceleration of the fully automated vehicle and assumed to be equal to:
The compliance with this equation is required only for road users cutting in, and only if the inserting road users were visible at least 0,72 seconds before cut-in: This results in a required collision avoidance when another road user enters ego lane above the following TTC values (for example shown for speeds in 10 km/h steps). These requirements shall be met independently of environmental conditions.
If a lane change with a lower TTC is carried out to the lane of the fully automated vehicle, it can no longer be assumed that there will be no collision avoidance. The control strategy of the ADS may change between collision avoidance and mitigation only if the manufacturer can demonstrate that this increases the safety of the vehicle occupants and the other road users (e.g. by prioritising braking over an alternative manoeuvre). |
1.4.3. |
The ADS shall avoid a collision with a crossing pedestrian or a cyclist in front of the vehicle. |
1.4.3.1. |
Urban and rural driving conditions |
1.4.3.1.1. |
The ADS shall avoid a collision, up to a speed of 60 km/h, with an unobstructed pedestrian crossing with a lateral speed component of not more than 5 km/h or an unobstructed cyclist crossing with a lateral speed component of not more than 15 km/h in front of the vehicle. This shall be ensured independently from the specific manoeuvre the ADS is undertaking. |
1.4.3.1.2. |
In the case the pedestrian or the cyclist proceed with higher speed than the aforementioned values and the ADS can no longer avoid collision, the control strategy of the ADS may change between collision avoidance and mitigation only if the manufacturer can demonstrate that this increases the safety of the vehicle occupants and the other road users (e.g. by prioritizing braking over an alternative manoeuvre). |
1.4.3.1.3. |
The ADS shall mitigate a collision with an obstructed pedestrian or cyclist crossing in front of the vehicle by reducing its speed at impact by at least 20 km/h. This shall be ensured independently from the specific manoeuvre the ADS is undertaking. |
1.4.3.1.4. |
For the purpose of demonstrating fulfilment of the previous requirements related to crossing of pedestrians and cyclists in front of the vehicle, test and assessment scenarios developed under the European New Car Assessment Programme (Euro NCAP) may be taken as guidance. |
1.4.3.2. |
Motorway driving conditions |
1.4.3.2.1. |
The relevant scenarios, with regard to pedestrian crossing, shall be applied as specified in UN Regulation No 157. |
1.4.3.2.2. |
In the case the pedestrian crosses with parameter values outside the boundaries specified in UN Regulation 157 and the ADS can no longer avoid collision, the control strategy of the ADS may change between collision avoidance and mitigation only if the manufacturer can demonstrate that this increases the safety of the vehicle occupants and the other road users (e.g. by prioritizing braking over an alternative manoeuvre). |
1.5. |
Motorway entry
The fully automated vehicle shall be able to safely enter the motorway by adapting the speed to the traffic flow, and activate the relevant direction indicator according to the traffic rules. The direction indicator shall be deactivated once the vehicle has performed the lane change manoeuvre (LCM). The parameters used in the lane change scenario shall be applied. |
1.6. |
Motorway exit
The fully automated vehicle shall be able to anticipate the targeted motorway exit by driving on the adjacent lane to the exit lane and shall not unnecessarily decelerate before the LCM into the exit lane starts. The fully automated vehicle shall apply the direction indicator in accordance with the traffic rules, and perform the LCM into the exit lane without undue delay. The direction indicator shall be deactivated once the LCM has been completed in compliance with the traffic rules in the country of operation. |
1.7. |
Passing a toll station
Depending on the ODD, the fully automated vehicle shall be able to select the proper passing gate, and adapt its speed to the permitted limits within the toll area while considering the traffic flow. |
1.8. |
Operation on other road types than motorways
Depending on the ODD, the relevant scenario defined in points 1.2. to 1.4. above shall be applied. |
1.9. |
Parameters to be used for Automated valet parking |
1.9.1. |
Depending on the ODD, the relevant scenarios defined in points 1.3. to 1.5 above shall be applied. The parameters to be used for these scenarios may need to be adapted to take account of the limited driving speed and the general lack of visibility that may occur in a parking facility. Special attention shall be given to avoiding collisions with pedestrians and in particular with children and prams. |
2. |
Scenarios not covered by point 1. |
2.1. |
Scenarios that are not listed in point 1 shall be generated to cover reasonably foreseeable critical situations, including failures and traffic hazards within the operational design domain. |
2.2. |
When ADS capabilities depend on remote capabilities, scenarios shall include failures and traffic hazards stemming from the corresponding remote capabilities. |
2.3. |
The method to generate scenarios that are not listed in Section 1, shall follow the principles set in Appendix 1 to Part 1 of this Annex. |
2.4. |
The method used by the manufacturer to generate scenarios that are not listed in point 1 shall be documented in the documentation package to be provided for the ADS assessment.
Appendix 1 Principles to be followed to derive scenarios relevant for the ODD of the ADS
1. Generation and classification of scenarios
From a qualitative perspective, scenarios can be classified into Nominal/Critical/Failure and correspond to normal or emergency operation. For each of these categories, a data-based approach and a knowledge-based approach can be used to generate corresponding traffic scenarios. A knowledge-based approach utilizes expert knowledge to identify hazardous events systematically and create scenarios. A data-based approach utilizes the available data to identify and classify occurring scenarios. Scenarios shall be derived from the ODD of the fully automated vehicle.
2. Nominal scenarios
A series of analytical frameworks can help the manufacturer to derive additional nominal scenarios to ensure coverage for the specific application. These frameworks are divided into:
2.1. ODD analysis
An ODD consists of scenery elements (e.g., physical infrastructure), environmental conditions, dynamic elements (e.g., traffic, vulnerable road users) and operational constraints to the specific ADS application. The aim of this analysis is to identify the characteristics of the ODD, allocate properties and define interactions between the objects. Here the effect of ODD on the behaviour competencies of the ADS is explored. An example of the analysis is provided in Table 1.
Table 1 Dynamic elements and their properties
2.2. OEDR Analysis: Behaviour competency identification
Once the objects and relevant properties have been identified, it is possible to map the appropriate ADS response. The ADS response is modelled on applicable functional requirements and by applying the performance requirements of this regulation and the traffic rules of the country of operation.
The outcome of the OEDR analysis is also a set of competences that can be mapped to the behavioural competences applicable to the ODD, to ensure compliance with the relevant regulatory and legal requirements. Table 2 provides a qualitative example of a matching event – response.
The combination of objects, events, and their potential interaction, as a function within the ODD, constitute the set of nominal scenarios pertinent to the ADS under analysis. The identification of nominal scenarios can benefit from an enhanced combination of scenario descriptors covering, within the ODD, e.g. infrastructure attributes, objects and events characteristics, hazards affecting responses (e.g. weather, visibility). The identification of nominal scenarios is not limited to traffic conditions but also covers environmental conditions, human factors, connectivity and miscommunication.
As parameters (assumptions) for the events are yet to be defined, the nominal scenarios derived from the application of the analysis are to be considered in their functional and logical abstraction layer.
Table 2 Behaviour competences for given events
3. Critical scenarios
Critical scenarios can be derived by either considering edge-case assumptions on nominal traffic scenarios (data-based) or applying standardised methods (knowledge-based) for the evaluation of operational insufficiencies (see example of methods in point 3.5.5. of Part 2). The identification of critical scenarios can benefit from an enhanced combination of scenario descriptors and edge values covering, within the ODD, e.g. infrastructure attributes, objects and events characteristics, hazards affecting responses (e.g. weather, visibility masks, interactions with other road users than the triggered object or event). The identification of critical scenarios is not limited to traffic conditions but also covers environmental conditions, human factors, connectivity and miscommunication. Critical scenarios correspond to emergency operation of the ADS.
4. Failure scenarios
These scenarios aim to assess how the ADS responds to a failure. Different methods are available in literature (see example of methods in point 3.5.5. of Part 2). For each of the behaviour failures and consequential effects identified, the manufacturer shall put in place relevant strategies when developing the ADS (i.e., fail-safe). When applying the failure scenarios, the objective is to assess the ability of the ADS to comply with requirements for safety-critical situations, including for example ‘The ADS shall manage safety-critical driving situations’ and ‘The ADS shall safely manage failure modes’ and their respective sub-requirements.
5. Assumptions: Logical to concrete scenarios
To ensure that the scenarios identified in the previous points are ready to be assessed through simulation or physical testing, the manufacturer may need to coherently parametrise them by applying assumptions.
The manufacturer shall provide evidence supporting the assumptions made such as data collection campaigns performed during the development phase, real-world accidentology and realistic driving behaviour evaluations. Parameters used to characterise critical scenarios should cover reasonably foreseeable values in scenario descriptors, but shouldn’t be limited to values already observed in documented data bases. |
PART 2
ASSESSMENT OF THE ADS SAFETY CONCEPT AND AUDIT OF THE MANUFACTURER SAFETY MANAGEMENT SYSTEM
1. General
1.1. |
The type-approval authority granting the type-approval or the technical service acting on its behalf shall verify through targeted spot checks and tests, in particular as specified in point 4 of this annex, that the safety argumentation provided by the documentation complies with the requirements of Annex II and that the design and processes described in documentation are actually implemented by the manufacturer. |
1.2. |
While based on the provided documentation, evidences provided for the audit of the safety management system and the assessment of the ADS safety concept carried out to the satisfaction of the type-approval authority in accordance with this regulation, the residual level of safety risk of the type-approved ADS is deemed to be acceptable for the entry into service of the vehicle type, the overall ADS safety during the ADS lifetime in accordance with the requirements of this regulation remains the responsibility of the manufacturer requesting the type-approval. |
2. Definitions
For the purposes of this annex,
2.1. |
‘safety concept’ means a description of the measures designed into the ADS, so that the fully automated vehicle operates for the scenarios and events relevant to the ODD in such a way that it is free of unreasonable safety risks to the vehicle occupants and other road users under fault (functional safety) and non-fault conditions (operational safety). The possibility of a fall-back to partial operation or even to a back-up system for vital ADS functions shall be a part of the safety concept. |
2.2. |
‘units’ means the smallest divisions of system components which will be considered in this annex, since these combinations of components will be treated as single entities for purposes of identification, analysis or replacement. |
2.3. |
‘transmission links’ means the means used for inter-connecting distributed units for the purpose of conveying signals, operating data or an energy supply. This equipment is generally electrical but may, in some part, be mechanical, pneumatic or hydraulic. |
2.4. |
‘range of control’ means an output variable and defines the range over which the system is likely to exercise control. |
2.5. |
‘boundary of functional operation’ means the boundaries of the external physical limits within which the ADS is able to perform the dynamic driving tasks. |
3. Documentation on the ADS
3.1. Requirements
The manufacturer shall provide a documentation package which gives access to the basic design of the ADS and the means by which it is linked to other vehicle systems or by which it directly controls output variables as well as off-board hardware/software and remote capabilities.
The function(s) of the ADS, including the control strategies, and the safety concept, as laid down by the manufacturer, shall be explained.
Documentation shall be brief, yet provide evidence that the design and development has had the benefit of expertise from all the ADS fields which are involved.
For periodic road worthiness tests, the documentation shall describe how the current operational status of the ADS and the functionality and software integrity can be checked.
The type-approval authority shall assess the documentation package which shall show that the ADS:
(a) |
is designed and was developed to operate in such a way that it is free from unreasonable risks for vehicle occupants and other road users within the declared ODD and boundaries; |
(b) |
fulfils the performance requirements of Annex II to this Regulation; |
(c) |
was developed according to the development process/method declared by the manufacturer. |
3.1.1. |
Documentation shall be made available in three parts:
|
3.2. General description of the ADS
3.2.1. |
A description shall be provided giving a simple explanation of the operational characteristics of the ADS and ADS features. |
3.2.2. |
The description shall include: |
3.2.2.1 |
the operational design domain (such as maximum speed of operation, road type (e.g. dedicated lane), country(ies)/areas of operation, road conditions and environmental conditions required (e.g. no snow), etc.)/Boundary conditions |
3.2.2.2 |
basic performance (e.g. object and event detection and response, off-board infrastructure needed during operation) |
3.2.2.3. |
Interaction with other road users |
3.2.2.4. |
main conditions for minimal risk manoeuvres. |
3.2.2.5. |
interaction concept with vehicle occupants, the on board operator (if applicable) and the remote intervention operator (if applicable). |
3.2.2.6. |
the means to activate or deactivate the ADS by the on-board operator (if relevant) or the remote intervention operator (if relevant), vehicle occupants (if relevant) or other road users (if relevant). |
3.2.2.7. |
operational measures (e.g. on-board operator or remote intervention operator needed) to be met to ensure safety during the fully automated vehicle operation. |
3.2.2.8. |
backend, off-board infrastructure needed to ensure safety during the fully automated vehicle operation. |
3.3. Description of the functions of the ADS
A description shall be provided giving an explanation of all the functions including control strategies to ensure the robust and safe operation of the ADS and the methods used to perform the dynamic driving tasks within the ODD, and the boundaries under which the automated driving system is designed to operate, including a description on how this is ensured.
Any enabled or disabled automated driving functions for which the hardware and software are present in the vehicle at the time of production, shall be declared and are subject to the requirements of this annex as well as Annex II to this Regulation, prior to their use in the vehicle. The manufacturer shall also document the data processing if continuous learning algorithms are implemented.
3.3.1. |
A list of all input and sensed variables shall be provided and the working range of these defined, along with a description of how each variable affects the ADS behaviour. |
3.3.2. |
A list of all output variables that are controlled by the ADS shall be provided and an explanation given, in each case, of whether the control is direct or via another vehicle system. The range over which the ADS is likely to exercise control on each such variable shall be defined. |
3.3.3. |
Limits defining the boundaries of functional operation including ODD-limits shall be stated where appropriate to ADS performance. |
3.3.4. |
The human machine interaction (HMI) concept with the vehicle occupants/on-board operator/remote intervention operator (if any) when ODD limits are approached and then reached shall be explained. The explanation shall include the list of types of situations in which the ADS will generate a support request to the on board operator/remote intervention operator (if applicable), the way the request is performed, the procedure that handles a failed request and the minimal risk manoeuvre. Signals and information given to the on-board operator/remote intervention operator, vehicle occupants and other road users in each of the above aspects shall also be described. |
3.4. ADS layout and schematics
3.4.1. |
Inventory of components.
A list shall be provided, collating all the units of the ADS and mentioning the other vehicle systems as well as off-board hardware/software and remote capabilities that are needed to achieve specified performance of the ADS to be approved according to its ODD. An outline schematic showing these units in combination, shall be provided with both the equipment distribution and the interconnections made clear. This outline shall include:
|
3.4.2. |
Functions of the units
The function of each unit of the ADS shall be outlined and the signals linking it with other units or with other vehicle systems shall be shown. It shall include off-board systems supporting the ADS and other vehicle systems. This may be provided by a labelled block diagram or other schematic, or by a description aided by such a diagram. |
3.4.3. |
Interconnections within the ADS shall be shown by a circuit diagram for the electric transmission links, by a piping diagram for pneumatic or hydraulic transmission equipment and by a simplified diagrammatic layout for mechanical linkages. The transmission links both to and from other systems shall also be shown. |
3.4.4. |
There shall be a clear correspondence between transmission links and the signals carried between units. Priorities of signals on multiplexed data paths shall be stated wherever priority may be an issue affecting performance or safety. |
3.4.5. |
Identification of units |
3.4.5.1. |
Each unit shall be clearly and unambiguously identifiable (e.g. by marking for hardware, and by marking or software output for software content) to provide corresponding hardware and documentation association. Where a software version can be changed without requiring the replacement of the marking or component, the software identification must be by software output only. |
3.4.5.2. |
Where functions are combined within a single unit or indeed within a single computer, but shown in multiple blocks in the block diagram for clarity and ease of explanation, only a single hardware identification marking shall be used. The manufacturer shall, by the use of this identification, affirm that the equipment supplied conforms to the corresponding document. |
3.4.5.3. |
The identification defines the hardware and software version and, where the latter changes such as to alter the function of the unit as far as this Regulation is concerned, this identification shall also be changed. |
3.4.6. |
Installation of sensing system components
The manufacturer shall provide information on the installation options for the individual components that comprise the sensing system. These options shall include, but are not limited to, the location of the component in/on the vehicle, the material(s) surrounding the component, the dimensioning and geometry of the material surrounding the component, and the surface finish of the materials surrounding the component, once installed in the vehicle. The information shall also include installation specifications that are critical to the ADS’s performance, e.g. tolerances on installation angle. Changes to the individual components of the sensing system, or the installation options, shall be notified to the type-approval authority and be subject to further assessment. |
3.5. Safety concept of the manufacturer and validation of the safety concept by the manufacturer
3.5.1. |
The manufacturer shall provide a statement which affirms that the ADS is free from unreasonable risks for the vehicle occupants and other road users. |
3.5.2. |
In respect of software employed in the ADS, the outline architecture shall be explained and the design methods and tools used shall be identified (see 3.5.1). The manufacturer shall show evidence of the means by which they determined the realisation of the ADS logic, during the design and development process. |
3.5.3. |
The manufacturer shall provide the type-approval authority with an explanation of the design provisions built into the ADS so as to ensure functional and operational safety. Possible design provisions in the ADS are for example:
|
3.5.3.1. |
If the chosen provision selects a partial performance mode of operation under certain fault conditions (e.g. in case of severe failures), then these conditions shall be stated (e.g. type of failure) and the resulting limits of effectiveness defined (e.g. immediate initiation of a minimal risk manoeuvre) as well as the warning strategy to the operator/remote operator, occupants and other road users (when applicable). |
3.5.3.2. |
If the chosen design provision selects a second (back-up) or diverse means to realise the performance affected by the fault, the principles of the change-over mechanism, the logic and level of redundancy and any built-in checking features shall be explained and the resulting limits of effectiveness defined. |
3.5.3.3. |
If the chosen design provision selects the removal of the automated driving function(s), this shall be done in compliance with the relevant provisions of this regulation. All the corresponding output control signals associated with this function shall be inhibited. |
3.5.4. |
The manufacturer shall also provide the type-approval authority with an explanation of the operational safety measures to be put in place for the safe operation of the ADS such as an on-board operator or a remote intervention operator, supporting off-board infrastructure, transport and physical infrastructure requirements, maintenance measures, etc. |
3.5.5. |
The documentation shall be supported by an analysis that shows how the ADS will behave to mitigate or avoid hazards that can have a bearing on the safety of vehicle occupants and other road users. |
3.5.5.1. |
The chosen analytical approach(es) shall be established and maintained by the manufacturer and shall be made open for inspection by the type-approval authority at the time of the type-approval and afterwards. |
3.5.5.2. |
The type-approval authority shall assess the application of the analytical approach(es):
|
3.5.5.3. |
The analytical approach under 3.5.5.2. shall confirm that at least each of the following items is covered:
|
3.5.5.4. |
The assessment by the type-approval authority shall consist of spot checks to establish that argumentation supporting the safety concept is understandable and logical and implemented in the different functions of the ADS. The assessment shall also check that validation plans are robust enough to demonstrate safety (e.g. reasonable coverage of chosen scenarios testing by the validation tool chosen) and have been properly completed. |
3.5.5.4.1. |
It shall demonstrate that the operation of the fully automated vehicle is free from unreasonable risks for the vehicle occupants and other road users in the operational design domain, i.e. through:
|
3.5.5.5. |
The type-approval authority shall perform or shall require to perform tests as specified in point 4. of this Annex to verify the safety concept. |
3.5.5.6. |
This documentation shall itemize the parameters being monitored and shall set out, for each failure condition of the type defined in point 3.5.4. of this annex, the warning signal to be given to the operator/remote operator/vehicle occupants/other road users and/or to service/technical inspection personnel. |
3.5.5.7. |
This documentation shall also describe the measures in place to ensure the ADS is free from unreasonable risks to vehicle occupants, and other road users when the performance of the ADS is affected by environmental conditions e.g. climatic, temperature, dust ingress, water ingress, ice packing, inclement weather. |
4. Verification and tests
Taking into account the results of the analysis of the manufacturer’s documentation package, the type-approval authority shall request the tests to be performed or witnessed by the Technical Service to check specific points arising from the assessment.
4.1. |
The functional operation of the ADS, as laid out in the documents required in point 3., shall be tested as follows: |
4.1.1. |
Verification of the function of the ADS
The type-approval authority shall verify the ADS under non-failure conditions by testing on a track a number of selected functions, as deemed necessary by the type-approval authority, from those described by the manufacturer, and by checking the overall behaviour of the ADS in real driving conditions including compliance with traffic rules. These tests shall include scenarios whereby the ADS is overridden by the remote intervention operator (if applicable). These tests can be based on test scenarios listed in Part 3 of this Annex and/or on additional scenarios not covered by Part 3. |
4.1.1.1. |
The test results shall correspond with the description, including the control strategies, provided by the manufacturer in point 3.2. and shall comply with the performance requirements of this regulation. |
4.1.2. |
Verification of the ADS safety concept
The reaction of the ADS shall be checked under the influence of a fault in any individual unit by applying corresponding output signals to electrical units or mechanical elements in order to simulate the effects of internal failure within the unit. The type-approval authority shall verify that these tests include aspects that may have an impact on vehicle controllability and user information (HMI aspects e.g. interaction with the operator/remote operator). |
4.1.2.1. |
The type-approval authorities shall also check a number of scenarios that are critical for the Object and Event Detection and Response (OEDR) and Characterisation of the decision-making and HMI functions of the ADS (e.g. object difficult to detect, when the ADS reaches the ODD boundaries, traffic disturbance scenarios, connectivity issue, problem with off-board systems, remote capabilities issues e.g. the absence of the remote intervention operator) as defined in this regulation. |
4.1.2.2. |
The verification results shall correspond with the documented summary of the hazard analysis, to a level of overall effect such that the safety concept and execution are confirmed as being adequate and in compliance with the requirements of this regulation. |
4.2. |
Simulation tools and mathematical models to verify the safety concept may be used in accordance with Annex VIII to Regulation (EU) 2018/858, in particular for scenarios that are difficult on a test track or in real driving conditions. Manufacturers shall demonstrate the scope of the simulation tool, its validity for the scenario concerned as well as the validation performed for the simulation tool chain (correlation of the outcome with physical tests). To demonstrate the validity of the simulation toolchain, the principles of Part 4 of this Annex shall apply. Simulation shall not be a substitute for physical tests in Part 3 of this Annex. |
4.3 |
The manufacturer shall have a valid certificate of compliance for the safety management system (SMS) relevant to the vehicle type being approved. |
5. Safety management system (SMS)
5.1. |
In respect of the ADS, the manufacturer shall demonstrate to the type-approval authority in terms of a safety management system (SMS) that effective processes, methodologies, training and tools are in place, up to date and being followed within the organization to manage the safety and continued compliance throughout the ADS lifecycle. |
5.2. |
The design and development process shall be established and documented including safety management system, requirements management, requirements’ implementation, testing, failure tracking, remedy and release. |
5.3. |
The manufacturer shall ensure effective communication channels between manufacturer departments responsible for functional/operational safety, cybersecurity and any other relevant disciplines related to the achievement of vehicle safety. |
5.4. |
The manufacturer shall have processes aimed at collecting vehicle data, and data from other sources to monitor and analyse safety-relevant incidents/accidents caused by the engaged automated driving system. The manufacturer shall report to type-approval authorities, market surveillance authorities and the Commission the relevant occurrences in accordance with Part 5 of this Annex. |
5.4.1. |
The manufacturer must enable the transport service operator to provide the type-approval authorities, market surveillance authorities or other authorities designated by the Member States with the vehicle data in accordance with paragraph 5.4 above, as well as with the ADS data and the specific data elements for event data recorder collected in accordance with Section 9 of Annex II. |
5.5. |
The manufacturer shall have processes to manage potential safety-relevant gaps post-registration and to update the vehicles if necessary. |
5.6. |
The manufacturer shall demonstrate that periodic independent internal process audits (e.g. every 2 years) are carried out to ensure that the processes established in accordance with points 5.1 to 5.5. are implemented consistently. |
5.7. |
Manufacturers shall put in place suitable arrangements (e.g. contractual arrangements, clear interfaces, quality management system) with suppliers to ensure that the supplier safety management system complies with the requirements of points 5.1. (except for vehicle related aspects like ‘operation’ and ‘decommissioning’), 5.2, 5.3 and 5.6. |
5.8. |
Certificate of compliance for safety management system |
5.8.1. |
An application for a Certificate of Compliance for Safety Management System shall be submitted by the manufacturer or by their duly accredited representative to the type-approval authority. |
5.8.2. |
It shall be accompanied by the undermentioned documents in triplicate, and by the following particular:
|
5.8.3. |
When this audit of the SMS has been satisfactorily completed and in receipt of a signed declaration from the manufacturer according to the model as defined in Appendix 3, a certificate named Certificate of Compliance for SMS as described in Appendix 4 (hereinafter the Certificate of Compliance for SMS) shall be granted to the manufacturer. |
5.8.4. |
The Certificate of Compliance for SMS shall remain valid for a maximum of three years from the date of deliverance of the certificate unless it is withdrawn. |
5.8.5. |
The type-approval authority may at any time verify that the requirements for the Certificate of Compliance for SMS continue to be met. The type-approval authority shall withdraw the Certificate of Compliance for SMS if major non-conformities in the compliance with the requirements laid down in this Regulation are discovered and not immediately addressed. |
5.8.6. |
The manufacturer shall inform the type-approval authority or its technical service of any change that will affect the relevance of the certificate of compliance for SMS. After consultation with the manufacturer, the type-approval authority or its Technical Service shall decide whether new checks are necessary. |
5.8.7. |
In due time, the manufacturer shall apply for a new or for the extension of the existing Certificate of Compliance for SMS. The type-approval authority shall, subject to a positive audit, issue a new Certificate of Compliance for SMS or extend its validity for a further period of three years. The type-approval authority shall verify that the SMS continues to comply with the requirements of this Regulation. The type-approval authority shall issue a new certificate in cases where changes have been brought to the attention of the type-approval authority or its Technical Service and the changes have been positively re-assessed. |
5.8.8. |
The expiry or withdrawal of the manufacturer’s Certificate of Compliance for SMS shall be considered, with regard to the vehicle types to which the SMS concerned was relevant, as modification of approval, which may include the withdrawal of the approval if the conditions for granting the approval are not met anymore. |
6. Reporting provision
6.1. |
The reporting of the safety assessment of the ADS safety concept as well as the audit of the safety management system of the manufacturer shall be performed in such a manner that allows traceability, e.g. versions of documents inspected are coded and listed in the records of the Technical Service. |
6.2. |
An example of layout for the report on the assessment of the ADS safety concept from the Technical Service to the type-approval authority is provided in Appendix 1 to this part. The listed items in this Appendix are outlined as a minimum set of items that need to be covered. |
6.3. |
The granting type-approval authority shall issue the safety assessment results to be annexed to the type-approval certificate based on the documentation provided by the manufacturer, the report of the assessment of the ADS safety concept by the technical service and on the outcomes of the verification and test campaigns performed in accordance with Part 3 of this Annex. An example of a possible layout for the safety assessment results is given in Appendix 4. |
7. Competence of the auditors/assessors
7.1. |
The assessment of the ADS safety concept and the audit of the safety management system under this part shall only be conducted by assessors/auditors with the technical and administrative knowledge necessary for such purposes. They shall in particular be competent as auditor/assessor for ISO 26262-2018 (Functional Safety – Road Vehicles), and ISO/PAS 21448 (Safety of the Intended Functionality of road vehicles); and shall be able to make the necessary link with cybersecurity aspects in accordance with UN Regulation No 155 and ISO/SAE 21434. This competence shall be demonstrated by appropriate qualifications or other equivalent training records.
Appendix 1
Model for the assessment report of the ADS safety concept
Safety assessment report No:
1. Identification
1.1. Vehicle make
1.2. Vehicle type
1.3. Means of identification of vehicle type if marked on the vehicle
1.4. Location of that marking
1.5. Manufacturer’s name and address
1.6. If applicable, name and address of manufacturer’s representative
1.7. Manufacturer’s formal documentation package
Documentation reference No:
Date of original issue:
Date of latest update:
2. Assessment method
2.1. Description of the assessment processes and methodologies
2.2. Acceptability criteria
3. Results of the review of the documentation package
3.1. Review of the ADS description
3.2. Review of Manufacturer’s safety concept and the manufacturer safety analysis
3.3. Review of the Verification and Validation performed by the manufacturer in particular coverage of the different tests and setting minimum coverage thresholds for various metrics
3.4. Review of the methods and tools (software, laboratory, others) and the credibility assessment
3.5. Review of ADS data requirements and specific data elements for event data recorder for fully automated vehicles
3.6. Checks of the Cyber Security and Software Updates certificates are covering the ADS
3.7. Review of the information provided in the Operating Manual
3.8. Review of the provisions for the periodic roadworthiness tests of the ADS
3.9. Review of additional information not included in the Information Document
4. Verification of ADS functions under non-failure conditions (referred to in point 4.1.1. of Annex III Part 2 to Commission Implementing Regulation (EU) 2022/1426 of 5 August 2022 laying down rules for the application of Regulation (EU) 2019/2144 of the European Parliament and of the Council as regards uniform procedures and technical specifications for the type-approval of the automated driving system (ADS) of fully automated vehicles (2))
4.1. Rationale for the selection of test scenarios
4.2. Selected test scenarios
4.3. Test reports
4.3.1. Test No (add as many as the tests performed)
4.3.1.1. Objectives of the test
4.3.1.2. Test conditions
4.3.1.3. Measured quantities and measuring devices
4.3.1.4. Acceptability criteria
4.3.1.5. Test results
4.3.1.6. Comparison with the manufacturer’s supplied documentation
5. Verification of ADS safety concept under failure (referred to in point 4.1.2. of Annex III Part 2 to Implementing Regulation (EU) 2022/1426)
5.1. Rationale for the selection of test scenarios
5.2. Selected test scenarios
5.3. Test reports
5.3.1. Test No (add as many as the tests performed)
5.3.1.1. Objectives of the test
5.3.1.2. Test conditions
5.3.1.3. Measured quantities and measuring devices
5.3.1.4. Acceptability criteria
5.3.1.5. Test results
5.3.1.6. Comparison with the manufacturer’s supplied documentation
6. Safety management system certificate (shall be appended to this test report)
7. Date of the assessment
8. Final judgement on the safety assessment outcome
9. This assessment has been carried out and the results reported in accordance with Implementing Regulation (EU) 2022/1426
Technical Service carrying out the assessment
10. Comments:
Appendix 2
Model of the ADS assessment results to be annexed to the type-approval certificate
1. Identification
1.1. Vehicle make
1.2. Vehicle Type
1.3. Means of identification of vehicle type if marked on the vehicle
1.4. Location of that marking
1.5. Manufacturer’s name and address
1.6. If applicable, name and address of manufacturer’s representative
1.7. Manufacturer’s formal documentation package
Documentation reference No:
Date of original issue:
Date of latest update:
2. Assessment method
2.1. Description of the assessment processes and methodologies
2.2. Acceptability criteria
3. Verification of ADS functions under non-failure conditions (referred to in point 4.1.1. of Annex III Part 2 to Implementing Regulation (EU) 2022/1426)
3.1. Rationale for the selection of test scenarios
3.2. Selected test scenarios
4. Verification of ADS safety concept under single failure (referred to in point 4.1.2. of Annex III Part 2 to Implementing Regulation (EU) 2022/1426)
4.1. Rationale for the selection of test scenarios
4.2. Selected test scenarios
5. Assessment results
5.1. Results of the review of the Information Document
5.2. Results of the verification of ADS functions under non-failure conditions
5.3. Results of the verification of ADS safety concept under single failure
5.4. Results of the assessment of the Safety Management System
5.5. Results of the verification of provisions for the periodic roadworthiness tests
6. Final judgement on the safety assessment outcome
Appendix 3
Model of Manufacturer’s Declaration of Compliance for SMS
Manufacturer’s declaration of compliance with the requirements for the Safety Management System
Manufacturer’s Name:
Manufacturer’s Address:
…(Manufacturer’s Name) attests that the necessary processes to comply with the requirements for the Safety Management System laid down in Implementing Regulation (EU) 2022/1426 are installed and will be maintained.
Done at: … (place)
Date:
Name of the signatory:
Function of the signatory:
(Stamp and signature of the manufacturer’s representative)
Appendix 4
Model of Certificate of Compliance for SMS
Certificate of Compliance for Safety Management System
With Implementing Regulation (EU) 2022/1426
Certificate number [Reference number]
[… Type-approval authority]
Certifies that
Manufacturer: ...
Address of the manufacturer:
complies with the provisions of Implementing Regulation (EU) 2022/1426
Checks have been performed on:
by (name and address of the type-approval authority or Technical Service):
Number of report:...
The certificate is valid until [...Date]
Done at [...Place]
On [...Date]
[...Signature]
Attachments: description of the Safety Management System by the manufacturer.
PART 3
TESTS
1. General provisions
Pass- and fail-criteria to assess ADS safety shall be based on the requirements set out in Annex II and the scenario described in Part 1 of this annex. The requirements are defined in such a way that the pass/fail criteria can be derived not only for a specific set of test parameters, but also for all safety-relevant combinations of parameters that may occur in the operating conditions covered by the type approval and the specified operating range (e.g., speed range, longitudinal and transverse acceleration range, radii of curvature, brightness, number of lanes). For conditions not tested but that may occur within the defined ODD of the system, the manufacturer shall demonstrate as part of the assessment described in Part 2 to the satisfaction of the type-approval authority, that the vehicle is safely controlled.
These tests shall confirm the minimum performance requirements described in Annex II and the functionality of the ADS and the safety concept of the manufacturer as described in Part 2 of this Annex. Test results shall be documented and reported in accordance with point 6 of Part 2 of this annex.
These tests shall also confirm, that the ADS complies with the traffic rules, adapts its operations to environmental conditions, avoids disruption to the flow of traffic (e.g. blocking the lane because of too many MRMs), does not show unpredictable behaviour and shows reasonable cooperative and anticipatory behaviour in relevant situations (i.e. merging in dense traffic or in vicinity of vulnerable road users).
2. Test site
The test site shall comprise characteristics (example: friction value) that correspond to the specified ODD of the ADS. As necessary to apply the specific conditions of the ODD of the ADS, physical tests will be performed within the actual ODD (on-road) or at any test facility that replicates the ODD conditions and shall be determined by the manufacturer and the type approval authority. The ADS shall be tested on-road in accordance with the applicable law of the Member States and provided that tests can be carried out safely and without any risk to other road users.
3. Environmental conditions
Tests shall be carried out under different environmental conditions, within the limits of the defined ODD for the ADS. For environmental conditions not tested that may occur within the defined ODD, the manufacturer shall demonstrate as part of the assessment to the satisfaction of the type-approval authority that the vehicle is safely controlled.
To test the requirements for failure of functions, self-testing of the ADS and initiation and implementation of a minimal risk manoeuvre, errors may be artificially induced and the vehicle may be artificially brought into situations where it reaches the limits of the defined operating range (e.g., environmental conditions).
4. System modifications for testing purposes
If ADS modifications are required in order to allow testing, e.g. road type assessment criteria or road type information (map data), it shall be ensured that these modifications do not affect the test results. These modifications shall in principle be documented and annexed to the test report. The description and the evidence of influence (if any) of these modifications shall be documented and annexed to the test report.
5. Vehicle conditions
5.1. Test mass
The subject vehicle shall be tested with any permissible vehicle load. No load alteration shall be made once the test procedure has begun. The manufacturer shall demonstrate, through the use of documentation, that the ADS works at all load conditions.
5.2. The subject vehicle shall be tested at the tyre pressure recommended by the manufacturer.
5.3. It shall be verified that the condition of the system is according to the intended testing purpose (e.g. in a fault-free condition or with the specific faults to be tested).
6. Test tools
In addition to real vehicles, state-of-the-art test tools may be used to carry out the tests, replacing real vehicles and other road users (e.g., soft targets, mobile platforms, etc.). The replacement test tools shall comply with the characteristics relevant for sensory performance assessment, real vehicles and other traffic participants. Tests shall not be carried out in a way that would endanger the personnel involved, and significant damage of the vehicle being tested must be avoided where other means of validation are available.
7. Test parameter variation
The manufacturer shall declare the system boundaries to the type-approval authority. The type-approval authority shall define different combinations of test parameters (e.g. present speed of the vehicle, type and offset of target, curvature of lane, etc.) in order to test the ADS. The selected test cases shall provide sufficient test coverage for all scenarios, test parameters and environmental influences. Adequate robustness of the perception systems for the ADS against input/sensor data malfunction and adverse environmental conditions shall be demonstrated.
Test parameters selected by the type-approval authority shall be recorded in a test report in a manner that allows traceability and repeatability of the test setup.
8. Test scenarios to assess the performance of the ADS on a test track (points 8.1., 8.2., 8.5, 8.6, 8.7, 8.8, 8.9.) and on-road (8.3., 8.4., 8.10.)
The scenarios included in the following points have to be considered a minimum set of tests. At the request of the type-approval authority, additional scenarios that are part of the ODD can be executed. If a scenario described in point 8 of this annex does not belong to the ODD of the vehicle, it shall not be taken into consideration.
Depending on the ODD, test scenarios shall be selected as part of the type-approval test. The test scenarios shall be selected in accordance with Part 1 of this annex. Type-approval testing may be carried out on the basis of simulations, manoeuvres on the test track and driving tests on real road traffic. However, it may not be based solely on computer simulations and at the time of type-approval, the type-approval authority shall conduct or shall witness at least the following tests to assess the behaviour of the ADS.
8.1. Lane keeping
The test shall demonstrate that the fully automated vehicle does not leave its lane and maintains a stable motion inside its lane across the speed range and different curvatures within its system boundaries.
8.1.1. The test shall be based on the ODD of the ADS and shall be executed at least:
8.2. Lane changing manoeuvre (LCM)
The tests shall demonstrate that the fully automated vehicle does not cause an unreasonable risk to safety of the vehicle occupants and other road users during a lane change procedure, and that the ADS is able to assess the criticality of the situation before starting the lane change manoeuvre (LCM) throughout the entire operational speed range. These tests are only required if the fully automated vehicle is capable of performing lane changes either during a Minimal risk manoeuvre or during regular operation.
8.2.1. The following tests shall be executed:
8.2.2. The tests shall be executed at least:
8.3. Response to different road geometries
These tests shall ensure that the fully automated vehicle detects and adapts to a variation of different road geometries which can occur within the intended ODD across its whole speed range.
8.3.1. The test shall be executed with at least the list of scenarios below based on the ODD of the ADS:
8.3.2. Each test shall be executed at least:
8.4. Response to national traffic rules and road infrastructure
These tests shall ensure that the fully automated vehicle complies with national traffic rules and that it adapts to various permanent and temporary changes of the road infrastructure (e.g. road construction sites) in the entire speed range.
8.4.1. The tests shall be executed with at least the list of scenarios below that are relevant for the ODD of the ADS:
8.4.2. Each test shall be executed at least:
8.5. Collision avoidance: Avoid a collision with road users or objects blocking the lane
The test shall demonstrate that the fully automated vehicle avoids a collision with a stationary vehicle, road user or fully or partially blocked lane up to the maximum specified speed of the ADS.
8.5.1. This test shall be executed at least with the following scenarios, where relevant in the ODD:
8.6. Avoid emergency braking before a passable object in the lane. A ‘passable object’ is such an object, that may be rolled over without causing an unreasonable risk to the vehicle occupants or other road users.
The test shall demonstrate that the fully automated vehicle is not initiating an Emergency Braking with a deceleration demand greater than 5 m/s² due to a passable object in the lane relevant for the ODD (e.g., a manhole lid or a small branch) up to the maximum specified speed of the ADS.
8.6.1. This test shall be executed at least with the following scenarios, where relevant in the ODD:
8.7. Following a lead vehicle
The test shall demonstrate that the fully automated vehicle is able to maintain and restore a stable motion and a safety distance to a vehicle in front and is able to avoid a collision with a lead vehicle which decelerates up to its maximum deceleration.
8.7.1. This test shall be executed at least with the following scenarios, where relevant in the ODD:
8.8. Lane change of another vehicle into lane (cut-in)
The test shall demonstrate that the fully automated vehicle is capable of avoiding a collision with a vehicle or other road user cutting into the lane of the fully automated vehicle up to a certain criticality of the cut-in manoeuvre.
8.8.1. The criticality of the cut-in manoeuvre shall be determined according to the provisions introduced in Part 1 of this annex and depending on the distance between the rear-most point of the cutting-in vehicle and front-most point of the fully automated vehicle.
8.8.2. The test shall be executed at least with the following scenarios, where relevant for the ODD:
8.9. Stationary obstacle after lane change of the lead vehicle (cut-out)
The test shall demonstrate that the fully automated vehicle is capable of avoiding a collision with a stationary vehicle, road user or blocked lane that becomes visible after a preceding vehicle avoided a collision by an evasive manoeuvre. The test shall be based on the requirements set out in Annex II and scenario parameters in Part 1 of this annex. For conditions not tested that may occur within the defined operating range of the vehicle, the manufacturer shall demonstrate as part of the assessment described in Annex III, Part 2 to the satisfaction of the relevant authorities that the vehicle is safely controlled.
8.9.1. The test shall be executed at least with the following scenarios, where relevant for the ODD:
8.10. Parking
The test shall demonstrate that the ADS is able to park in different parking spaces and parking layouts under different conditions; and that during the parking manoeuvre it is not causing damage to the surrounding objects, road users and itself.
8.10.1. The test shall be executed at least with the following scenarios, where relevant for the ODD:
8.11. Navigating in a parking facility
The test shall demonstrate that the ADS is able to handle the low driving speed and the general lack of visibility that may occur in a parking facility.
8.11.1. The test shall be executed at least with the following scenarios, where relevant for the ODD:
8.12. Specific scenarios for motorway
8.12.1. Motorway entry
The test shall demonstrate that the ADS is able to safely enter the motorway.
8.12.1.1. The test shall be executed at least with the following scenarios, where relevant for the ODD:
8.12.2. Motorway exit
The test shall demonstrate that the ADS is able to safely exit the motorway.
8.12.2.1. The test shall be executed at least with the following scenarios, where relevant for the ODD:
8.12.3. Toll station
The test shall demonstrate that the ADS is able to select the proper passing gate, and adapt its speed to that permitted within the toll area.
8.12.3.1. The test shall be executed at least with the following scenarios, where relevant for the ODD:
8.13. For dual mode vehicles, transition between the manual driving mode and the fully automated mode.
The test shall demonstrate that the ADS takes over the DDT in a safe manner and only when the vehicle is at standstill.
8.13.1. The test shall be executed at least with the following scenarios, where relevant for the ODD:
8.13.2. The test shall be executed at least with the following scenarios, where relevant for the ODD:
PART 4
PRINCIPLES FOR CREDIBILITY ASSESSMENT FOR USING VIRTUAL TOOLCHAIN IN ADS VALIDATION
1. General
1.1. The credibility can be achieved by investigating and assessing five properties of Modelling and Simulation (M&S):
1.2. At the same time, the credibility assessment framework shall be general enough to be used for different M&S types and applications. However, the goal is complicated by the broad differences between ADS features and the variety of M&S types and applications. These considerations require a (risk-based/informed) credibility assessment framework relevant and appropriate to all M&S applications.
1.3. The credibility assessment framework provides a general description of the main aspects considered for assessing the credibility of an M&S solution together with principles on the role of third-party assessors in the validation process with respect to credibility. Concerning the latter point, the type-approval authority shall investigate the produced documentation supporting credibility at the assessment phase, whereas the actual validation tests occur once the manufacturer has developed the integrated simulation systems.
1.4. Ultimately, the outcome of the current credibility assessment shall define the envelope in which the virtual tool can be used to support the ADS assessment.
1.5. The requirements of this part are therefore intended to demonstrate the credibility of any simulation model or virtual toolchain for its use in ADS validation.
2. Definitions
For the purpose of this annex
2.1. ‘abstraction’ means the process of selecting the essential aspects of a source system or referent system to be represented in a model or simulation, while ignoring non-relevant aspects. Any modelling abstraction carries with it the assumption that it shall not significantly affect the intended uses of the simulation tool.
2.2. ‘closed loop testing’ means a virtual environment that takes the actions of the element-in-the-loop into account. Simulated objects respond to the actions of the system (e.g. system interacting with a traffic model).
2.3. ‘deterministic’ means a term describing a system whose evolution over time can be predicted exactly and a given set of input stimuli will always produce the same output.
2.4. ‘driver-in-the-loop (DIL)’ is typically conducted in a driving simulator used for testing the human–automation interaction design. DIL has components for the driver to operate and communicate with the virtual environment.
2.5. ‘Hardware-In-the-Loop (HIL)’ involves the final hardware of a specific vehicle sub-system running the final software with input and output connected to a simulation environment to perform virtual testing. HIL testing provides a way of replicating sensors, actuators and mechanical components in a way that connects all the I/O of the electronic control units (ECU) being tested, long before the final system is integrated.
2.6. ‘model’ is a description or representation of a system, entity, phenomenon, or process.
2.7. ‘model calibration’ is the process of adjusting numerical or modelling parameters in the model to improve agreement with a referent.
2.8. ‘model parameters’ are numerical values used to support characterizing a system functionality. A model parameter has a value that cannot be observed directly in the real world but that must be inferred from data collected in the real world (in the model calibration phase).
2.9. ‘model-in-the-loop (MIL)’ is an approach which allows quick algorithmic development without involving dedicated hardware. This level of development usually involves high-level abstraction software frameworks running on general-purpose computing systems.
2.10. ‘open loop testing’ means a virtual environment that does not take the actions of the element-in-the-loop into account (e.g. system interacting with a recorded traffic situation).
2.11. ‘probabilistic’ is a term pertaining to non-deterministic events, the outcomes of which are described by a measure of likelihood.
2.12. ‘proving ground or test-track’ is a physical testing facility closed to the traffic where the performance of an ADS can be investigated on the real vehicle. Traffic agents can be introduced via sensor stimulation or via dummy devices positioned on the track.
2.13. ‘sensor stimulation’ is a technique whereby artificially generated signals are provided to the element under testing in order to trigger it to produce the result required for verification of the real world, training, maintenance, or for research and development.
2.14. ‘simulation’ is the imitation of the operation of a real-world process or system over time.
2.15. ‘simulation model’ is a model whose input variables vary over time.
2.16. ‘simulation toolchain’ is a combination of simulation tools that are used to support the validation of an ADS.
2.17. ‘software-in-the-loop (SIL)’ is where the implementation of the developed model will be evaluated on general-purpose computing systems. This step can use a complete software implementation very close to the final one. SIL testing is used to describe a test methodology, where executable code such as algorithms (or even an entire controller strategy), is tested within a modelling environment that can help prove or test the software.
2.18. ‘stochastic’ means a process involving or containing a random variable or variables. Pertaining to chance or probability.
2.19. ‘validation of the simulation model’ is the process of determining the degree to which a simulation model is an accurate representation of the real world from the perspective of the intended uses of the tool.
2.20. ‘vehicle-in-the-loop (VIL)’ is a fusion environment of a real testing vehicle in the real-world and a virtual environment. It can reflect vehicle dynamics at the same level as the real-world and it can be operated on a vehicle test bed or on a test track.
2.21. ‘verification of the simulation model’ is the process of determining the extent to which a simulation model or a virtual testing tool is compliant with its requirements and specifications as detailed in its conceptual models, mathematical models, or other constructs.
2.22. ‘virtual testing’ is the process of testing a system using one or more simulation models.
3. Components of the credibility assessment framework and related documentation requirements
3.1. The credibility assessment framework introduces a way to assess and report the credibility of M&S based on quality assurance criteria where the levels of confidence in the results can be indicated. In other words, the credibility is established by evaluating the following M&S influencing factors that are considered as main contributors for M&S properties and therefore for the overall M&S credibility: (a) M&S management; (b) team’s experience and expertise; (c) M&S analysis and description; (d) data/input pedigree and (e) verification, validation and uncertainty characterisation. Each of these factors indicates the level of quality achieved by M&S, and the comparison between the obtained levels and the required levels shall determine whether the M&S is credible and fit to use for virtual testing. A graphical representation of the relationship between the components of the credibility assessment framework is shown below.
3.2. Models and simulation management.
3.2.1. The M&S lifecycle is a dynamic process with frequent releases that shall be monitored and documented. Management activities shall be established to support the M&S in a work product management fashion. Relevant information on the following aspects shall be provided.
3.2.2. The M&S management process shall:
3.2.3. Release management.
3.2.3.1. Any M&S toolchain’s version used to release data for certification purposes shall be stored. The virtual models constituting the testing toolchain shall be documented in terms of the corresponding validation methods and acceptance thresholds to support the overall credibility of the toolchain. The developer shall enforce a method to trace generated data to the corresponding M&S version.
3.2.3.2. Quality check of virtual data. Data completeness, accuracy, and consistency shall be ensured throughout the releases and lifetime of an M&S toolchain to support the verification and validation procedures.
3.2.4. Team’s experience and expertise.
3.2.4.1. Even though experience and expertise (E&E) are already covered in a general sense within the organization, it is important to establish the basis for confidence in the specific E&E for M&S activities.
3.2.4.2. The credibility of M&S depends not only on the quality of the simulation models but also on the E&E of the personnel involved in the validation and usage of the M&S. For instance, a proper understanding of the limitations and validation domain will prevent the possible misuse of M&S or misinterpretation of its results.
3.2.4.3. Therefore, it is important to establish the basis for the manufacturer’s confidence on the E&E of:
3.2.4.4. A proper management of the team’s E&E increases the level of confidence on the credibility of M&S and its outcomes by ensuring that the human factors behind the M&S are taken into consideration and any possible human component risk is controlled, as is expected in any suitable Management System.
3.2.4.5. If the manufacturer’s tool chain incorporates or relies upon inputs from organisations or products outside of the manufacturer’s own team, the manufacturer will provide an explanation of measures it has taken to support its confidence in the quality and integrity of those inputs.
3.2.4.6. Team’s E&E consists of two levels.
3.2.4.6.1. Organizational level
The credibility is established by setting up processes and procedures to identify and maintain skills, knowledge, and experience to perform M&S activities. The following processes shall be established, maintained and documented:
3.2.4.6.2. Team level
Once a M&S has been finalised, its credibility is mainly dictated by the skills and knowledge of the individual/team that will validate the M&S toolchain and use the M&S for the validation of the ADS. Credibility is established by documenting that these teams have received adequate training to fulfil their duties. The manufacturer shall then:
The manufacturer’s demonstration of how it applies the principles of ISO 9001 or a similar best practice or standard to ensure the competence of its M&S organization and the individuals in that organisation will be the basis for this determination. The type-approval authority may not substitute its judgment on the E&E of the organisation or its members with that of the manufacturer.
3.2.5. Data/input pedigree
3.2.5.1. The data/input pedigree contains a record of traceability from the manufacturer’s data used in the validation of the M&S.
3.2.5.2. Description of the data used for the M&S
3.2.5.3. Effect of the data quality (e.g. data coverage, signal to noise ratio, and sensors’ uncertainty/bias/sampling rate) on model parameters uncertainty.
The quality of the data used to develop the model will affect the estimation and calibration of the model parameters. Uncertainty in model parameters will be another important aspect in the final uncertainty analysis.
3.2.6. Data/output pedigree
3.2.6.1. The data/output pedigree contains a record of the M&S outputs used for the ADS validation.
3.2.6.2. Description of the data generated by the M&S
3.2.6.3. Effect of data quality on M&S credibility
3.2.6.4. Managing stochastic models
3.3. M&S analysis and description
3.3.1. The M&S analysis and description aim to define the whole M&S and identify the parameter space that can be assessed via virtual testing. It defines the scope and limitations of the models and toolchain and the uncertainty sources that can affect its results.
3.3.2. General description
3.3.2.1. The manufacturer shall provide a description of the complete toolchain along with how the simulation data will be used to support the ADS validation strategy.
3.3.2.2. The manufacturer shall provide a clear description of the test objective.
3.3.3. Assumptions, known limitations and uncertainty sources
3.3.3.1. The manufacturer shall motivate the modelling assumptions that guided the design of the M&S toolchain.
3.3.3.2. The manufacturer shall provide evidence on:
3.3.3.3. The manufacturer shall provide justification that the tolerance for sim-real correlation is acceptable for the test objective.
3.3.3.4. Finally, this section shall include information on the sources of uncertainty in the model. This will represent an important input to final uncertainty analysis, which will define how the model outputs can be affected by the different sources of uncertainty of the model used.
3.3.4. Scope (how the M&S is used in the ADS validation)
3.3.4.1. The credibility of the virtual tool shall be enforced by a clearly-defined scope of utilization of the developed models.
3.3.4.2. The matured M&S shall allow a virtualisation of the physical phenomena to a degree of accuracy which matches the fidelity level required for certification. Thus, the M&S will act as a ‘virtual proving ground’ for ADS testing.
3.3.4.3. Simulation models need dedicated scenarios and metrics for validation. The scenario selection used for validation shall be sufficient so that the toolchain will perform in the same manner in scenarios outside of the validation scope.
3.3.4.4. The Manufacturer shall provide a list of validation scenarios together with the limitations of the corresponding parameters.
3.3.4.5. The ODD analysis is a crucial input to derive requirements, scope and effects that the M&S must consider in order to support ADS validation.
3.3.4.6. Parameters generated for the scenarios will define extrinsic and intrinsic data for the toolchain and the simulation models.
3.3.5. Criticality assessment
3.3.5.1. The simulation models and the simulation tools used in the overall tool-chain shall be investigated in terms of their responsibility in case of a safety error in the final product. The proposed approach for criticality analysis is derived from ISO 26262, which requires qualification for some of the tools used in the development process.
3.3.5.2. In order to derive how critical the simulated data are, the criticality assessment shall consider the following parameters:
3.3.5.3. From the perspective of the criticality assessment, the three possible cases for assessment are:
3.4. Verification
3.4.1. The verification of an M&S involves analysing the correct implementation of the conceptual/mathematical models building up the M&S toolchain. The verification contributes to the M&S’s credibility by providing assurance that the M&S will not exhibit unrealistic behaviour for a set of inputs that cannot be tested. The procedure is based on a multi-step approach including code verification, calculation verification and sensitivity analysis.
3.4.2. Code verification
3.4.2.1. Code verification involves tests demonstrating that no numerical/logical flaws affect the virtual models.
3.4.2.2. The manufacturer shall document the execution of proper code verification techniques, e.g. static/dynamic code verification, convergence analysis and comparison with exact solutions if applicable.
3.4.2.3. The manufacturer shall provide documentation showing that the exploration in the domain of the input parameters was sufficiently wide to identify combinations of parameters for which the M&S shows unstable or unrealistic behaviour. Coverage metrics of combinations of parameters may be used to demonstrate the required exploration of the models’ behaviours.
3.4.2.4. The manufacturer shall adopt sanity/consistency checking procedures whenever data allows.
3.4.3. Calculation verification
3.4.3.1. Calculation verification deals with the estimation of numerical errors affecting the M&S.
3.4.3.2. The manufacturer shall document numerical error estimates (e.g. discretization error, rounding error, iterative procedures convergence).
3.4.3.3. The numerical errors shall be kept sufficiently bounded to not affect validation.
3.4.4. Sensitivity analysis
3.4.4.1. Sensitivity analysis aims to quantify how model output values are affected by changes in the model input values and thus to identify the parameters having the greatest impact on the simulation model results. The sensitivity study also helps to determine the extent to which the simulation model satisfies the validation thresholds when it is subjected to small variations of the parameters. It is therefore fundamental to support the credibility of the simulation results.
3.4.4.2. The manufacturer shall provide supporting documentation demonstrating that the most critical parameters influencing the simulation output have been identified by means of sensitivity analysis techniques such as by applying a perturbation of the model’s parameters.
3.4.4.3. The manufacturer shall demonstrate that robust calibration procedures have been adopted when identifying and calibrating the most critical parameters in order to increase the credibility of the developed toolchain.
3.4.4.4. Ultimately, the sensitivity analysis results will also help to define the inputs and parameters whose uncertainty characterisation needs particular attention in order to properly define the uncertainty of the simulation results.
3.4.5. Validation
3.4.5.1. The quantitative process of determining the degree to which a model or a simulation is an accurate representation of the real world from the perspective of the intended uses of the M&S requires the selection and definition of several elements.
3.4.5.2. Measures of performance (metrics)
3.4.5.2.1. The measures of performance are the metrics used to compare the simulation model with the real world. Measures of performance are defined during the M&S analysis.
3.4.5.2.2. Metrics for validation may include:
3.4.5.3. Goodness of fit measures
3.4.5.3.1. The analytical frameworks are used to compare real world and simulation metrics. They are generally key performance indicators (KPIs) indicating the statistical comparability between two sets of data.
3.4.5.3.2. The validation shall show that these KPIs are met.
3.4.5.4. Validation methodology
3.4.5.4.1. The manufacturer shall define the logical scenarios used for virtual testing toolchain validation. They shall be able to cover to the maximum possible extent the ODD of virtual testing for ADS validation.
3.4.5.4.2. The exact methodology depends on the structure and purpose of the toolchain. The validation may consist of one or more of the following:
3.4.5.5. Accuracy requirement
3.4.5.5.1. The requirement for the correlation threshold is defined during the M&S analysis. The validation shall show that the KPIs identified in 3.4.5.3.1. of the present part are met.
3.4.5.6. Validation scope (the part of the toolchain to be validated)
3.4.5.6.1. A toolchain consists of multiple tools, and each tool will use a number of models. The validation scope includes all tools and the relevant models subject to validation.
3.4.5.7. Internal validation results
3.4.5.7.1. The documentation shall not only provide evidence of the simulation model validation but shall also be used to obtain sufficient information on the processes and products that provide overall credibility of the toolchain used.
3.4.5.7.2. Documentation/results may be carried over from previous credibility assessments.
3.4.5.8. Independent validation results
3.4.5.8.1. The type-approval authority shall assess the documentation provided by the manufacturer and may carry out physical tests of the complete integrated tool.
3.4.5.9. Uncertainty characterisation
3.4.5.9.1. This section is concerned with characterising the expected variability of the virtual toolchain results. The assessment shall consist of two phases. In a first phase the information collected in the M&S analysis and description and the data/input pedigree sections are used to characterise the uncertainty in the input data, in the model parameters and in the modelling structure. Then, by propagating all the uncertainties through the virtual toolchain, the uncertainty in the model results is quantified. Depending on the uncertainty in the model results, proper safety margins will need to be introduced by the manufacturer in the use of virtual testing for ADS validation.
3.4.5.9.2. Characterisation of the uncertainty in the input data
The manufacturer shall demonstrate to have appropriately estimated the critical model’s inputs by means of robust techniques such as multiple repetitions for the assessment of the quantity.
3.4.5.9.3. Characterisation of the uncertainty in the model parameters (following calibration)
The manufacturer shall demonstrate that the critical model’s parameters that cannot be estimated identically are characterised by means of a distribution and/or confidence intervals.
3.4.5.9.4. Characterisation of the uncertainty in the M&S structure
The manufacturer shall provide evidence that the modelling assumptions are given a quantitative characterisation of the generated uncertainty (e.g. comparing the output of different modelling approaches whenever possible).
3.4.5.9.5. Characterisation of aleatory vs. epistemic uncertainty:
The manufacturer shall aim to distinguish between the aleatory component of the uncertainty (which can only be estimated but not reduced) and the epistemic uncertainty deriving from the lack of knowledge in the virtualisation of the process (that can instead be reduced).
4. Documentation structure
4.1. This section sets out how the above information will be collected and organised in the documentation provided by the manufacturer to the relevant authority.
4.2. The manufacturer shall produce a document (a ‘simulation handbook’) structured in line with the present outline to provide evidence for the topics presented.
4.3. The documentation shall be delivered together with the corresponding release of the M&S and related produced data.
4.4. The manufacturer shall provide clear references that allow the documentation to be traced back to the corresponding M&S/data.
4.5. The documentation shall be maintained throughout the whole lifecycle of the M&S utilization. The type-approval authority may audit the manufacturer by assessing their documentation and/or by conducting physical tests.
PART 5
IN-SERVICE REPORTING
1. Definitions
For the purpose of this annex,
1.1. |
‘Occurrence’ refers to safety-related situation involving a vehicle equipped with an automated driving system. |
1.2. |
‘Non-critical Occurrence’ means an occurrence involving an operational interruption, defect, fault or other circumstance that has or may have influenced ADS safety and that has not resulted in an accident or serious incident. This category includes for example minor incidents, safety degradation not preventing normal operation, emergency/complex manoeuvres to prevent a collision, and more generally all occurrences relevant to the safety performance of the ADS on-road (like interaction with remote operator, etc.). |
1.3. |
‘Critical Occurrence’ means each occurrence in which the ADS is engaged at the time of a collision event and because of which:
2. Notifications and reporting by the manufacturer
2.1. |
The manufacturer shall notify without delay any safety critical occurrences to the type-approval authorities, market surveillance authorities and the Commission. |
2.2. |
The manufacturer shall report to the type-approval authorities, market surveillance authorities and the Commission, within one month, any short-term occurrences, as described in Appendix 1, which need to be remedied by the manufacturer. |
2.3. |
The manufacturer shall report every year to the type-approval authority that granted the approval on the occurrences listed in Appendix 1. The report shall provide evidence of the ADS performance on safety relevant occurrences in the field. In particular, it shall demonstrate that:
The granting type-approval authority shall share this information with type-approval authorities, market surveillance authorities and the Commission. |
2.4. |
Type-approval authorities, market surveillance authorities and the Commission may request from the manufacturer the supporting data used to elaborate the information provided in the in-service reporting and notifications. These data shall be exchanged by means of an agreed data exchange file. Type-approval authorities, market surveillance authorities and the Commission shall take all necessary steps to secure such data. |
2.5. |
Any pre-processing of data should be notified to the granting type-approval authority in the in-service Data Report.
Appendix 1
List of occurrences for in-service reporting
The occurrences have been subdivided into four categories, based on their relevance to the DDT, to the interaction with fully automated vehicle users, and to ADS technical conditions. For each occurrence, its relevance to the short-term and/or periodic reporting has been flagged in the table below. Periodic reporting of occurrences is expected to be submitted in the form of aggregated data (per hour of operation or driven km) for ADS-vehicle type and related to ADS operation (i.e. when ADS is activated).
(1) ECE/TRANS/WP.29/2022/59/Rev.1.
(2) See page 1 of this Official Journal.
ANNEX IV
EU Type-Approval Certificate (Vehicle System)
Communication concerning granting/extension/refusal/withdrawal (1) of type-approval of a type of fully automated vehicle with regard to its automated driving system (ADS) in accordance with the requirements laid down in Implementing Regulation (EU) 2022/1426, as last amended by Implementing Regulation (EU) …/…
Number of the EU type-approval certificate:
Reason for extension/refusal/withdrawal (1):
SECTION I
0.1. |
Make (trade name of manufacturer): |
0.2. |
Type: |
0.2.1. |
Commercial name(s) (if available): |
0.3. |
Means of identification of type, if marked on the vehicle: |
0.3.1. |
Location of that marking: |
0.4. |
Category of vehicle: |
0.5. |
Name and address of manufacturer: |
0.8. |
Name(s) and address(es) of assembly plant(s): |
0.9. |
Name and address of the manufacturer’s representative (if any): |
SECTION II
1. |
Additional information (where applicable): see Addendum. |
2. |
Technical service responsible for carrying out the tests: |
3. |
Date of test report: |
4. |
Number of test report: |
5. |
Remarks (if any): see Addendum. |
6. |
Place: |
7. |
Date: |
8. |
Signature: |
Addendum
to EU type-approval certificate number
1.
Description and/or drawing of the ADS including:
1.1.
ODD, system boundaries and specified maximum speed of the ADS declared by the manufacturer:
1.2.
Description of the main functions of the ADS
1.2.1.
Vehicle-internal functions
1.2.2.
Vehicle-external functions (e.g. backend, off-board infrastructure needed, operational measures needed)
1.3.
Sensing system (incl. components):
1.4.
Installation of the ADS sensing system:
1.5.
Software identification of the ADS:
2.
Written description and/or drawing of the ADS human supervision
2.1.
Remote operator and remote intervention on the ADS
2.2.
Means to activate and deactivate the ADS
2.3.
Monitoring inside the vehicle
2.4.
Any system limitations due to environmental or road conditions
3.
Written description and/or drawing of the information given to vehicle occupants and other road users
3.1.
System status:
3.2.
Request to the on-board operator/remote intervention operator:
3.3.
Minimal risk manoeuvre:
3.4.
Emergency manoeuvre:
4.
ADS data elements
4.1.
ADS data elements verified after the tests performed in accordance with Annex III Part 3:
4.2.
Documentation concerning data retrievability, data integrity self-check and protection against manipulation of stored data verified: yes/no
5.
Cyber security and software updates
5.1.
Cyber security type-approval number:
5.2.
Software update type-approval number:
6.
Assessment on functional and operational safety aspects of the automated driving system
6.1.
Manufacturer’s document reference for the assessment (including version number):
6.2.
Information document
7.
Technical service responsible for conducting approval tests
7.1.
Date of the test report issued by that service
7.2.
(Reference) Number of the report issued by that service
8.
Annexes
Addendum 1: |
Information document for automated driving systems (refer to Annex I to Implementing Regulation (EU) 2022/1426). |
Addendum 2: |
Member States and specific areas where the manufacturer has declared that the ADS had been assessed to comply with local traffic rules. List of documents in the approval file deposited at the administration services having delivered the approval and which can be obtained upon request. |
Addendum 3: |
ADS Assessment report/test results by the granting type-approval authority. |
Addendum 4: |
Certificate of Compliance for SMS |
(1) Delete where not applicable.