Document 32022R1426

Commission Implementing Regulation (EU) 2022/1426 of 5 August 2022 laying down rules for the application of Regulation (EU) 2019/2144 of the European Parliament and of the Council as regards uniform procedures and technical specifications for the type-approval of the automated driving system (ADS) of fully automated vehicles (Text with EEA relevance)

C/2022/5402

OJ L 221, 26.8.2022, p. 1–64 (BG, ES, CS, DA, DE, ET, EL, EN, FR, GA, HR, IT, LV, LT, HU, MT, NL, PL, PT, RO, SK, SL, FI, SV)

Legal status of the document In force

ELI: http://data.europa.eu/eli/reg_impl/2022/1426/oj

26.8.2022   EN   Official Journal of the European Union   L 221/1


COMMISSION IMPLEMENTING REGULATION (EU) 2022/1426

of 5 August 2022

laying down rules for the application of Regulation (EU) 2019/2144 of the European Parliament and of the Council as regards uniform procedures and technical specifications for the type-approval of the automated driving system (ADS) of fully automated vehicles

(Text with EEA relevance)

THE EUROPEAN COMMISSION,

Having regard to the Treaty on the Functioning of the European Union,

Having regard to Regulation (EU) 2019/2144 of the European Parliament and of the Council of 27 November 2019 on type-approval requirements for motor vehicles and their trailers, and systems, components and separate technical units intended for such vehicles, as regards their general safety and the protection of vehicle occupants and vulnerable road users, amending Regulation (EU) 2018/858 of the European Parliament and of the Council and repealing Regulations (EC) No 78/2009, (EC) No 79/2009 and (EC) No 661/2009 of the European Parliament and of the Council and Commission Regulations (EC) No 631/2009, (EU) No 406/2010, (EU) No 672/2010, (EU) No 1003/2010, (EU) No 1005/2010, (EU) No 1008/2010, (EU) No 1009/2010, (EU) No 19/2011, (EU) No 109/2011, (EU) No 458/2011, (EU) No 65/2012, (EU) No 130/2012, (EU) No 347/2012, (EU) No 351/2012, (EU) No 1230/2012 and (EU) 2015/166 (1), and in particular Article 11(2) thereof,

Whereas:

(1)   It is necessary to adopt the implementing legislation for the type-approval of the automated driving system of fully automated vehicles, in particular systems listed in points (a), (b), (d) and (f) of Article 11(1) of Regulation (EU) 2019/2144. Driver availability monitoring systems should not apply to fully automated vehicles in accordance with Article 11(1) of Regulation (EU) 2019/2144. In addition, the harmonised format for the exchange of data, for instance for multi-brand vehicle platooning, is still subject to standardisation activities and shall not be included in this regulation at this stage. Finally, the approval of the automated driving systems of automated vehicles should not be covered by this regulation as it is intended to cover them with a reference to UN Regulation 157 on automated lane keeping systems (2) in Annex I to Regulation (EU) 2019/2144 listing the UN regulations that shall apply on a compulsory basis in the EU.

(2)   For the whole-vehicle type-approval of fully automated vehicles, the type-approval of their automated driving system under this Regulation should be complemented with the requirements set out in Annex II, Part I, Appendix 1 of Regulation (EU) 2018/858 of the European Parliament and of the Council (3). As a next stage, the Commission will continue the work to further develop and adopt by July 2024 the necessary requirements for the EU whole vehicle type approval of fully automated vehicles produced in unlimited series.

(3)   The assessment of the automated driving system of fully automated vehicles, as proposed by this regulation, relies heavily on the traffic scenarios that are relevant for the different use cases of fully automated vehicles. It is therefore necessary to define those different use cases. The review of such use cases, and their amendment if required, to cover additional use cases should be conducted on a regular basis.

(4)   The information document, referred to in Article 24(1)(a) of Regulation (EU) 2018/858, to be provided by the manufacturer for the type-approval of the automated driving system of fully automated vehicles should be based on the template laid down for the whole vehicle type-approval in Annex II to Commission Implementing Regulation (EU) 2020/683 (4). However, to ensure a consistent approach, it is necessary to extract the entries of the information document that are relevant for type-approval of the automated driving system of the fully automated vehicle.

(5)   Given the complexity of automated driving systems, it is necessary to supplement the performance requirements and tests of this Regulation by manufacturer documentation demonstrating that the automated driving system is free of unreasonable safety risks to vehicle occupants and other road users in the relevant scenarios and during the ADS lifetime. In this respect, it is necessary to lay down the safety management system to be put in place by the manufacturers, to set for manufacturers and authorities the parameters to be used for the traffic scenarios relevant for the automated driving system, to lay down criteria to assess whether the safety concept of the manufacturer addresses the relevant traffic scenarios, hazards and risks, and to set out criteria to assess the validation results from the manufacturer, in particular validation results from virtual toolchains. Finally, it is necessary to specify the relevant in-use data that shall be reported by the manufacturer to the type-approval authorities.

(6)   The EU type-approval certificate and its addendum, referred to in Article 28(1) of Regulation (EU) 2018/858, to be issued for the automated driving system of fully automated vehicles, should be based on the respective templates laid down in Annex III to Implementing Regulation (EU) 2020/683. However, to ensure a consistent approach, it is necessary to extract the entries of the EU type-approval certificate and its addendum that are relevant for type-approval of the automated driving system of the fully automated vehicles.

(7)   Subject to the provisions of Regulation (EU) 2018/858 and any relevant EU legislation, this regulation is without prejudice to the right of Member States to regulate the circulation and the safety of operation of fully automated vehicles in traffic and the safety of operation of those vehicles in local transport services. Member States are not obliged to predefine areas, routes or parking facilities under this regulation. Motor vehicles covered by this Regulation can only operate within the scope of Article 1.

(8)   The measures provided for in this Regulation are in accordance with the opinion of the Technical Committee – Motor Vehicles,

HAS ADOPTED THIS REGULATION:

Article 1

Scope

This Regulation applies to the type-approval of fully automated vehicles of category M and N, with regard to their automated driving system, for the following use cases:

(a)   Fully automated vehicles, including dual mode vehicles, designed and constructed for the carriage of passengers or carriage of goods on a predefined area.

(b)   ‘Hub-to-hub’: fully automated vehicles, including dual mode vehicles, designed and constructed for the carriage of passengers or carriage of goods on a predefined route with fixed start and end points of a journey/trip.

(c)   ‘Automated valet parking’: dual mode vehicles with a fully automated driving mode for parking applications within predefined parking facilities. The system may or may not use external infrastructure (e.g. localization markers, perception sensors, etc.) of the parking facility to perform the dynamic driving task.

The manufacturer may apply for the individual or the type-approval under this Regulation of the automated driving system of vehicles defined in Article 2(3) of Regulation (EU) 2018/858, provided that those vehicles fulfil the requirements of this Regulation.

Article 2

Definitions

In addition to the definitions in Regulation (EU) 2018/858 and Regulation (EU) 2019/2144, for the purpose of this regulation, the following definitions shall apply:

1.   ‘Automated Driving System’ (ADS) means the hardware and software that are collectively capable of performing the entire DDT on a sustained basis in a specific operational design domain (ODD).

2.   ‘ADS feature’ means an application of ADS hardware and software designed for a specific use within an ODD.

3.   ‘ADS function’ means an application of ADS hardware and software designed to perform a specific portion of the DDT.

4.   ‘dynamic driving task (‘DDT’)’ means all real time operational functions and tactical functions required to operate the vehicle, excluding strategic functions such as trip scheduling and selection of destinations and waypoints and including without limitation the following subtasks:

(a)   Lateral vehicle motion control via steering (operational);

(b)   Longitudinal vehicle motion control via acceleration and deceleration (operational);

(c)   Monitoring the driving environment via object and event detection, recognition, classification, and response preparation (operational and tactical);

(d)   Object and event response execution (operational and tactical);

(e)   Manoeuvre planning (tactical);

(f)   Enhancing conspicuity via lighting, sounding the horn, signalling, gesturing, etc. (tactical).

5.   ‘operational functions’ of the DDT means functions delivered over a time constant of milliseconds and which include tasks such as steering inputs to keep within a lane or braking to avoid an emerging hazard.

6.   ‘tactical functions’ of the DDT means functions delivered over a time constant of seconds and including tasks such as lane choice, gap acceptance and overtaking.

7.   ‘fault’ means an abnormal condition that can cause a failure. This can concern hardware or software.

8.   ‘failure’ means the termination of an intended behaviour of a component or a system of the ADS due to a fault manifestation.

9.   ‘in-service monitoring’ means data collected by the manufacturer and data from other sources, to get evidence on the in-service safety performance of the ADS in the field.

10.   ‘in-service reporting’ means data reported by the manufacturer to demonstrate evidence on the in-service safety performance of the ADS in the field.

11.   ‘lifetime of the ADS’ means the period of time during which the ADS system is available on the vehicle.

12.   ‘lifecycle of the ADS’ means the period of time that consists of the design, development, production, field operation, service and decommissioning phases.

13.   ‘malfunctioning behaviour’ means a failure or unintended behaviour of a component or a system of the ADS with respect to its design intent.

14.   ‘minimal risk manoeuvre (‘MRM’)’ means a manoeuvre aimed at minimising risks in traffic by stopping the vehicle in a safe condition (i.e. minimal risk conditions).

15.   ‘minimal risk condition (‘MRC’)’ means a stable and stopped state of the vehicle that reduces the risk of a crash.

16.   ‘operational design domain (‘ODD’)’ means operating conditions under which a given ADS is specifically designed to function, including, but not limited to, environmental, geographical, and time-of-day restrictions, and/or the requisite presence or absence of certain traffic or roadway characteristics.

17.   ‘object and event detection and response’ (‘OEDR’) means subtasks of the dynamic driving task that include monitoring the driving environment and executing an appropriate response. It includes detecting, recognizing, and classifying objects and events and preparing and executing responses as needed.

18.   ‘scenario’ means a sequence or combination of situations used to assess the safety requirements for an ADS.

19.   ‘nominal traffic scenarios’ means reasonably foreseeable situations encountered by the ADS when operating within its ODD. These scenarios represent the non-critical interactions of the ADS with other traffic participants and generate normal operation of the ADS.

20.   ‘critical scenarios’ means scenarios related to edge-cases (e.g. unexpected conditions with an exceptionally low probability of occurrence) and operational insufficiencies, not limited to traffic conditions but also including environmental conditions (e.g. heavy rain or low sunlight glaring cameras), human factors, connectivity and miscommunication leading to emergency operation of the ADS.

21.   ‘failure scenarios’ means the scenarios related to ADS and/or vehicle components failure which may lead to normal or emergency operation of the ADS depending on whether or not the minimum safety level is preserved.

22.   ‘normal operation’ means the ADS operation within specified operational limits and conditions to perform the designed activity.

23.   ‘emergency operation’ means the ADS operation due to the occurrence of events requiring prompt action to mitigate adverse consequences on human health or property damage.

24.   ‘on-board operator’ means, where applicable to the ADS safety concept, a person located inside the fully automated vehicle who may:

(a)   activate, re-initialise, deactivate the ADS,

(b)   request the ADS to start an MRM,

(c)   confirm a manoeuvre proposed by the ADS while the vehicle is at standstill,

(d)   after an MRM, while the fully automated vehicle is at standstill, request the ADS to perform safely a low speed manoeuvre limited to 6 km/h with the remaining performance to evacuate the fully automated vehicle to a nearby preferable location,

(e)   select or modify the planning of an itinerary or stopping points for the users; or

(f)   provide assistance in duly identified situations to the passengers of the fully automated vehicle.

In the above situations, the on-board operator shall not drive the fully automated vehicle and the ADS shall continue to perform the DDT.

25.   ‘remote intervention operator’ means, where applicable to the ADS safety concept, person(s) located outside the fully automated vehicle who may remotely achieve the tasks of the on-board operator provided it is safe to do so.

The remote intervention operator shall not drive the fully automated vehicle and the ADS shall continue to perform the DDT.

26.   ‘remote capabilities’ means capabilities specifically designed to support remote intervention.

27.   ‘R2022/1426 Software Identification Number (R2022/1426SWIN)’ means a dedicated identifier, defined by the manufacturer, representing information about the type approval relevant software of the ADS contributing to the type approval relevant characteristics of the ADS.

28.   ‘unreasonable risk’ means the overall level of risk for the vehicle occupants and other road users which is increased compared to a manually driven vehicle in comparable transportation services and situations within the operational design domain.

29.   ‘functional safety’ means the absence of unreasonable risks under the occurrence of hazards caused by malfunctioning behaviour.

30.   ‘operational safety’ means the absence of unreasonable risk under the occurrence of hazards resulting from functional insufficiencies of the intended functionality (e.g. false/missed detection), operational disturbances (e.g. environmental conditions like fog, rain, shadows, sunlight, infrastructure) or by reasonably foreseeable misuse/errors by the vehicle occupants and other road users (i.e. safety hazards – without system faults).

31.   ‘control strategy’ means a strategy to ensure robust and safe operation of the ADS in response to a specific set of ambient and/or operating conditions (such as road surface condition, other road users, adverse weather conditions, imminent collision risk, failures, reaching ODD boundaries, etc.). This may include temporary performance restrictions (e.g. a reduction in the maximum operating speed, etc.), MRM manoeuvres, collision avoidance or mitigation, remote intervention, etc.

32.   ‘Time to Collision’ (TTC) means the time before a collision happens between involved vehicles/objects/subjects if their speeds would not change and taking into account their paths.

For pure longitudinal situations with constant speeds, unless differently specified in the text, the TTC is obtained by dividing the longitudinal distance (in the direction of travel of the subject vehicle) between the subject vehicle and the other vehicles/objects/subjects by the longitudinal relative speed of the subject vehicle and the other vehicles/objects/subjects.

For pure crossing situations with constant speeds, unless differently specified in the text, this is obtained by dividing the longitudinal distance between the subject vehicle and the lateral line of movement of the other vehicles/objects/subjects by the longitudinal velocity of the subject vehicle.

33.   ‘vehicle type with regard to the ADS’ means fully automated vehicles which do not differ in such essential aspects as:

(a)   vehicle features which significantly influence the performances of ADS;

(b)   the system characteristics and design of ADS.

34.   ‘dual mode vehicles’ means fully automated vehicles with a driver seat designed and constructed:

(a)   to be driven by the driver in the ‘manual driving mode’ and

(b)   to be driven by the ADS without any driver supervision in the ‘fully automated driving mode’.

For dual mode vehicles, the transition between the manual driving mode and the fully automated mode, as well as the transition between the fully automated mode and the manual mode, may only occur when the vehicle is at standstill, not when the vehicle is moving.

35.   ‘transport service operator’ means the entity providing a transport service using one or more fully automated vehicles.

Article 3

Administrative provisions and technical specifications for the type-approval of the automated driving system of fully automated vehicles

1.   The relevant entries of information document, submitted in accordance with Article 24(1), point (a) of Regulation (EU) 2018/858 with the application for type-approval of the automated driving system of a fully automated vehicle, shall consist of the information relevant for that system as contained in Annex I.

2.   The type-approval of the automated driving systems of fully automated vehicles shall be subject to the technical specifications set out in Annex II. Those specifications shall be assessed by the approval authorities or their technical services in accordance with Annex III.

3.   The EU type-approval certificate for a type of the automated driving system of a fully automated vehicle, as referred to in Article 28(1) of Regulation (EU) 2018/858, shall be drawn up in accordance with Annex IV.

Article 4

Entry into force

This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

This Regulation shall be binding in its entirety and directly applicable in all Member States.

Done at Brussels, 5 August 2022.

For the Commission

The President

Ursula VON DER LEYEN


(1)   OJ L 325, 16.12.2019, p. 1.

(2)   OJ L 82, 9.3.2021, p. 75.

(3)  Regulation (EU) 2018/858 of the European Parliament and of the Council of 30 May 2018 on the approval and market surveillance of motor vehicles and their trailers, and of systems, components and separate technical units intended for such vehicles, amending Regulations (EC) No 715/2007 and (EC) No 595/2009 and repealing Directive 2007/46/EC (OJ L 151, 14.6.2018, p. 1).

(4)  Commission Implementing Regulation (EU) 2020/683 of 15 April 2020 implementing Regulation (EU) 2018/858 of the European Parliament and of the Council with regards to the administrative requirements for the approval and market surveillance of motor vehicles and their trailers, and of systems, components and separate technical units intended for such vehicles (OJ L 163, 26.5.2020, p. 1).


ANNEX I

Information document for EU type-approval of fully automated vehicles with regard to their automated driving system

MODEL

Information document No … relating to the EU type-approval of a type of a fully automated vehicle with regard to the automated driving system (ADS).

The following information shall be supplied in triplicate and include a list of contents. Any drawings or pictures shall be supplied in appropriate scale and in sufficient detail on size A4 or on a folder of A4 format. Photographs, if any, shall show sufficient detail.

0.   GENERAL

0.1.   Make (trade name of manufacturer):

0.2.   Type:

0.2.1.   Commercial name(s) (if available):

0.2.2   For multi-stage approved vehicles, type-approval information of the base/previous stage vehicle, list the information for each stage. (This can be done with a matrix)

Type:

Variant(s):

Version(s):

Number of the type-approval certificate including extension number …

0.3.   Means of identification of type, if marked on the vehicle/component/separate technical unit:

0.3.1.   Location of that marking:

0.4.   Category of vehicle:

0.5.   Company name and address of manufacturer:

0.5.1   For multi-stage approved vehicles, company name and address of the manufacturer of the base/previous stage(s) vehicle: …

0.6   Location and method of attachment of statutory plates and location of vehicle identification number: …

0.6.1.   On the chassis: …

0.6.2.   On the bodywork: …

0.8.   Name(s) and address(es) of assembly plant(s):

0.9.   Name and address of the manufacturer’s representative (if any):

17.   AUTOMATED DRIVING SYSTEM (ADS)

17.1.   General ADS description

17.1.1.   Operational design domain/Boundary conditions

17.1.2.   Basic Performance (e.g. Object and Event Detection and Response, planning, etc.)

17.2.   Description of the functions of the ADS

17.2.1.   Main ADS Functions (functional architecture)

17.2.1.1.   Vehicle-internal functions

17.2.1.2.   Vehicle-external functions (e.g. backend, off-board infrastructure needed, operational measures needed)

17.3.   Overview of the major components of the ADS

17.3.1.   Control units

17.3.2.   Sensors and installation of the sensors on the vehicle

17.3.3.   Actuators

17.3.4.   Maps and positioning

17.3.5.   Other hardware

17.4.   ADS layout and schematics

17.4.1.   Schematic system layout (e.g. block diagram)

17.4.2.   List and schematic overview of interconnections

17.5.   Specifications

17.5.1.   Specifications in normal operation

17.5.2.   Specifications in emergency operation

17.5.3.   Acceptance criteria

17.5.4   Demonstration of compliance

17.6.   Safety concept

17.6.1.   Manufacturer Statement that the vehicle is free from unreasonable risks

17.6.2.   Outline of the software architecture (e.g. block diagram)

17.6.3.   Means by which the realization of ADS logic is determined

17.6.4.   General explanation of the main design provisions built into the ADS so as to generate safe operation under fault conditions, under operational disturbances and the occurrence of conditions that would exceed the ODD

17.6.5   General description of failure handling main principles, fall-back level strategy including risk mitigation strategy (minimal risk manoeuvre)

17.6.6.   Conditions for triggering a request to the on-board operator or the remote intervention operator

17.6.7.   Human machine interaction concept with vehicle occupants, on-board operator and remote intervention operator including protection against simple unauthorised activation/operation and interventions

17.7.   Verification and validation by the manufacturer of the performance requirements including the OEDR, the HMI, the respect of traffic rules and the conclusion that the system is designed in such a way that it is free from unreasonable risks for vehicle occupants and other road users

17.7.1.   Description of the adopted approach

17.7.2.   Selection of nominal, critical and failure scenarios

17.7.3.   Description of the used methods and tools (software, laboratory, others) and summary of the credibility assessment

17.7.4.   Description of the results

17.7.5.   Uncertainty of the results

17.7.6.   Interpretation of the results

17.7.7.   Manufacturer’s declaration:

The manufacturer(s) affirm(s) that the ADS is free of unreasonable safety risks to the vehicle occupants and other road users.

17.8.   ADS data elements

17.8.1.   Type of data stored

17.8.2.   Storage location

17.8.3.   Recorded occurrences and data elements

17.8.4.   Means to ensure data security and data protection

17.8.5.   Means to access the data

17.9.   Cyber security and software update

17.9.1.   Cyber Security type-approval number:

17.9.2.   Number of the certificate of compliance for cyber-security management system:

17.9.3.   Software update type-approval number:

17.9.4.   Number of the certificate of compliance for software-update management system

17.9.5.   Software Identification of the ADS

17.9.5.1.   Information on how to read the RxSWIN or software version(s) in case the RxSWIN is not held on the vehicle.

17.9.5.2.   If applicable, list the relevant parameters that will allow the identification of those vehicles that can be updated with the software represented by the RxSWIN under item 17.9.4.1.

17.10.   Operating manual (to be annexed to the information document)

17.10.1.   Functional description of the ADS and expected role of the owner, transport service operator, on board operator, remote intervention operator, etc.

17.10.2.   Technical measures for safe operation (e.g. description of the necessary off-board infrastructure, timing, frequency and template of maintenance operations);

17.10.3.   Operational and environment restrictions

17.10.4.   Operational measures (e.g. if on-board operator or remote intervention operator needed)

17.10.5.   Instructions in case of failures and ADS request (safety measures by vehicle occupants, transport service operator, on board operator and remote intervention operator and public authorities to be taken in the event of malfunctioning of the operation)

17.11.   Means to enable periodic road worthiness tests

List of Figures/Tables

Acronyms

Annex I – Simulation Handbook

Annex II – Operating Manual

Explanatory note

This information document comprises the information relevant for the automated driving system and shall be completed in accordance with the template laid down in Annex I to Commission Implementing Regulation (EU) 2020/683.


ANNEX II

Performance requirements

1.   DDT under nominal traffic scenarios.

1.1.   The ADS shall be capable of performing the entire DDT.

1.1.1.   The capability of the ADS to perform the entire DDT shall be determined in the context of the ODD of the ADS.

1.1.2.   As part of the DDT, the ADS shall be able to:

(a)   operate at safe speeds and respect speed limitations applicable to the vehicle;

(b)   maintain appropriate distances from other road users by controlling the longitudinal and lateral motion of the vehicle;

(c)   adapt its behaviour to the surrounding traffic conditions (e.g., by avoiding disruption to the flow of traffic) in an appropriate safety oriented way;

(d)   adapt its behaviour in line with safety risks and give the highest priority to the protection of human life;

1.1.3.   The system shall demonstrate anticipatory behaviour in interaction with other road user(s), in order to ensure stable, low-dynamic, longitudinal behaviour and risk minimising behaviour when critical situations could become imminent, e.g. with unobstructed and obstructed vulnerable road users (pedestrians, cyclist, etc.) or with other vehicles crossing or cutting-in in front of the fully automated vehicle.

1.1.4.   The requirements related to the DDT shall be fulfilled in the reverse direction if the reverse gear is required by or declared in the ODD.

1.2   The ADS shall detect and respond appropriately to objects and events relevant for the DDT within the ODD.

Objects and events might include, but are not limited to:

(a)   motor vehicles and other road users such as motorcycles, bicycles, scooters, wheelchair users, pedestrians, and obstacles (e.g. debris, lost cargo);

(b)   road accidents;

(c)   traffic congestions;

(d)   road works;

(e)   road safety officers and law enforcement agents;

(f)   emergency vehicles;

(g)   traffic signs, road markings;

(h)   environmental conditions (e.g. lower speed due to rain, snow).

1.3.   The ADS shall comply with traffic rules of the country of operation.

1.3.1.   The ADS shall interact safely with other road users in accordance with traffic rules, such as via:

(a)   signalling manoeuvre intentions (e.g. direction indicator).

(b)   using the audible warning device where appropriate.

(c)   interacting safely with road safety officers/law enforcement agents, road maintenance workers, emergency service personnel, road inspectors, etc.

(d)   for dual mode vehicles, the ADS status (manual driving mode or fully automated driving mode) shall be recognizable for road safety officers/law enforcement agents.

1.3.2.   In the absence of specific traffic rules, vehicles with ADS intended to carry standing or unrestrained vehicle occupants shall not exceed a combined horizontal acceleration of 2,4 m/s² (in absolute value and calculated as the combination of lateral and longitudinal acceleration), and an acceleration rate of change of 5 m/s³.

Depending on the factors influencing the risk to occupants and other road users, it might be appropriate to exceed these limits, such as emergency operations.

2.   DDT under critical traffic scenarios (emergency operation).

2.1   The ADS shall be able to perform the DDT for all reasonably foreseeable critical traffic scenarios in the ODD.

2.1.1.   The ADS shall be able to detect the risk of collision with other road users, or a suddenly appearing obstacle (debris, lost load) and shall be able to automatically perform appropriate emergency operation (braking, evasive steering) to avoid reasonably foreseeable collisions and minimise risks to safety of the vehicle occupants and other road users.

2.1.1.1.   In the event of an unavoidable alternative risk to human life, the ADS shall not provide for any weighting on the basis of personal characteristics of humans.

2.1.1.2.   The protection of other human life outside the fully automated vehicle shall not be subordinated to the protection of human life inside the fully automated vehicle.

2.1.2.   The vulnerability of road users involved should be taken into account by the avoidance/mitigation strategy.

2.1.3.   After the evasive manoeuvre the vehicle shall aim to resume a stable motion as soon as technically possible.

2.1.4.   The signal to activate the hazard warning lights shall be generated automatically in accordance with traffic rules. If the fully automated vehicle automatically drives off again, the signal to deactivate the hazard warning lights shall be generated automatically.

2.1.5.   In the event of a traffic accident involving the fully automated vehicle, the ADS shall aim to stop the fully automated vehicle and aim to perform a Minimal risk Manoeuvre to reach the Minimal risk Condition. ADS resuming normal operation shall not be possible until the safe operational state of the fully automated vehicles has been confirmed by self-checks of the ADS or/and the on-board operator (if applicable) or the remote intervention operator (if applicable).

3.   DDT at ODD boundaries

3.1.   The ADS shall recognise its ODD conditions and boundaries of the ODD.

3.1.1.   The ADS shall be able to determine if the conditions for ADS activation are met.

3.1.2.   The ADS shall detect and respond when one or more ODD conditions are not fulfilled or no longer fulfilled.

3.1.3.   The ADS shall be able to anticipate exits from the ODD.

3.1.4.   The ODD conditions and boundaries shall be established by the manufacturer.

3.1.4.1.   The ODD conditions to be recognised by the ADS include:

(a)   precipitation (rain, snow);

(b)   time of day;

(c)   light intensity, including when lighting devices are used;

(d)   Fog, mist;

(e)   Road and lane markings;

(f)   Road category (e.g. number of driving lanes, separated lanes);

(g)   Geographical area (if applicable).

3.1.5.   When the ADS reaches the ODD boundaries, it shall perform a MRM to reach a MRC and shall warn the on board operator (if applicable)/remote operator accordingly (if applicable).

4.   DDT under failure scenarios

4.1.

The ADS shall detect and respond to ADS or/and vehicle malfunctioning behaviour.

4.1.1.

The ADS shall self-diagnose faults and failures.

4.1.2.

The ADS shall evaluate its ability to fulfil the entire DDT.

4.1.2.1.

The ADS shall respond safely to a fault/failure in the ADS that does not significantly compromise ADS performance.

4.1.2.2.

The ADS shall execute a MRM to achieve a MRC in the event of a failure of the ADS and/or other vehicle system that prevents the ADS from performing the DDT.

4.1.2.3.

The ADS shall immediately upon detection, signal major failures and resulting operational status to vehicle occupants, the on-board operator (if available) or the remote intervention operator (if relevant), as well as to other road users in accordance with traffic rules (e.g. activation of the hazard warning lights).

4.1.2.4.

If failures affect the braking or steering performance of the vehicle, the MRM shall be carried out with consideration for the remaining performance.

5.   Minimal risk manoeuvre (MRM) and Minimal risk Condition (MRC)

5.1.

During the MRM, the fully automated vehicle with the ADS shall be slowed down, with an aim of achieving a deceleration demand not greater than 4,0 m/s², to a full standstill in the safest possible place taking into account surrounding traffic and road infrastructure. Higher deceleration demand values are permitted in the event of a severe ADS or severe fully automated vehicle failure.

5.2.

The ADS shall signal its intention to place the fully automated vehicle in an MRC to occupants of the fully automated vehicle as well as to other road users in accordance with traffic rules (e.g., by activating the hazard warning lights).

5.3.

The fully automated vehicle shall only leave the MRC after confirmation by self-checks of the ADS or/and by the on-board operator (if applicable) or remote intervention operator (if applicable) that the cause(s) of the MRM is no longer present.

6.   Human machine interaction

6.1.

Adequate information shall be given to the occupants of the fully automated vehicle wherever needed for safe operation and with regard to safety hazards.

6.2.

If a remote intervention operator is part of the ADS safety concept, the fully automated vehicle shall provide means for vehicle occupants to call a remote intervention operator through an audiovisual interface in the fully automated vehicle. Unambiguous signs shall be used for the audiovisual interface (e.g. ISO 7010 E004).

6.3.

The ADS shall provide vehicle occupants with means to request a minimal risk manoeuvre to stop the fully automated vehicle. In case of emergency:

(a)

for vehicles equipped with automatically operated doors, the unlocking of the doors shall be conducted automatically when it is safe to do so,

(b)

a means shall be given to passengers to exit a vehicle at standstill (opening the doors or via an emergency exit).

6.4.

If a remote intervention operator is part of the ADS safety concept, the fully automated vehicle shall provide vision systems (e.g. cameras in accordance with chapter 6 of ISO16505:2019) of the occupant space inside the vehicle and of the surrounding of the vehicle to allow the remote intervention operator to assess the situation inside and outside of the vehicle.

6.5.

If a remote intervention operator is part of the ADS safety concept, it shall be possible for the remote intervention operator to open the power operated service door remotely.

6.6.

The ADS shall activate the relevant vehicle systems when necessary and applicable (e.g. opening doors, activate wipers in case of rain, heating system, etc.).

7.   Functional and operational safety

7.1.

The manufacturer shall demonstrate that an acceptable degree of consideration has been given to the functional and operational safety for the ADS during its design and development processes. The measures put in place by the manufacturer shall ensure that the fully automated vehicle is free of unreasonable safety risks to vehicle occupants and other road users during the vehicle lifetime when compared with comparable transport services and situations within the operational domain.

7.1.1.

The manufacturer shall define the acceptance criteria from which the validation targets of the ADS are derived to evaluate the residual risk for the ODD taking into account, where available, existing accident data (1), data on performances from competently and carefully driven manual vehicles and technology state-of-the-art.

7.2.

The manufacturer shall have processes to manage the safety and continued compliance of the ADS over lifetime (wear and tear of components especially for sensors, new traffic scenarios, etc.).

8.   Cyber security and software updates

8.1.

The ADS shall be protected from unauthorised access in accordance with UN Regulation No 155 (2).

8.2.

The ADS shall support software updates. The effectiveness of the software update procedures and processes concerning the ADS shall be demonstrated by compliance with UN Regulation No 156 (3).

8.2.1

As specified in the Software Update and Software Update Management System Regulation, for the purpose of ensuring the software of the System can be identified, an R2022/1426SWIN shall be used. The R2022/1426SWIN may be held on the vehicle or, if R2022/1426SWIN is not held on the vehicle, the manufacturer shall declare the software version(s) of the vehicle or single ECUs with the connection to the relevant type-approvals to the type-approval authority.

8.2.2

The manufacturer shall provide the following information in the information document:

(a)

The R2022/1426SWIN;

(b)

How to read the R2022/1426SWIN or software version(s) in case the R2022/1426SWIN is not held on the vehicle.

8.2.3.

The manufacturer may provide in the information document a list of the relevant parameters that will allow the identification of those vehicles that can be updated with the software represented by the R2022/1426SWIN. The information provided shall be declared by the manufacturer and may not be verified by a type-approval authority.

8.2.4.

The manufacturer may obtain a new vehicle type-approval for the purpose of differentiating software versions intended to be used on vehicles already registered in the market from the software versions that are used on new vehicles. This may cover the situations where type-approval regulations are updated, or hardware changes are made to vehicles in series production. In agreement with the type-approval authority, duplication of tests shall be avoided where possible.

9.   ADS data requirements and specific data elements for event data recorder for fully automated vehicles

9.1.

The ADS shall record the following occurrences whenever the ADS is activated:

9.1.1.

Activation/re-initialisation of the ADS (if applicable)

9.1.2.

Deactivation of the ADS (if applicable)

9.1.3.

Request sent by the ADS to the remote intervention operator (if applicable)

9.1.4.

Request/Input sent by the remote intervention operator (if applicable)

9.1.5.

Start of emergency operation

9.1.6.

End of emergency operation

9.1.7.

Involved in a detected collision

9.1.8.

Event data recorder (EDR) trigger input

9.1.9.

Minimal risk manoeuvre engagement by the ADS

9.1.10.

Minimal risk condition reached by the fully automated vehicle

9.1.11.

ADS failure (Description)

9.1.12.

Vehicle failure

9.1.13.

Start of lane change procedure

9.1.14.

End of lane change procedure

9.1.15.

Abortion of lane change procedure

9.1.16.

Start of intentional lane crossing

9.1.17.

End of intentional lane crossing

9.2

Occurrence flags for points 9.1.13., 9.1.14., 9.1.16. and 9.1.17. are only required to be stored if they happen within 30 seconds before the occurrences in points 9.1.5., 9.1.7., 9.1.15. or 9.1.8.

9.3.

ADS Data elements

9.3.1.

For each occurrence listed in point 9.1., the following data elements shall be recorded in a clearly identifiable way:

9.3.2.

The recorded occurrence flag

9.3.3.

Reason for the occurrence, as appropriate,

9.3.4.

Date (resolution: yyyy/mm/dd);

9.3.5.

Position (GPS coordinates)

9.3.6.

Timestamp:

(a)

resolution: hh/mm/ss time zone e.g. 12:59:59 UTC

(b)

accuracy: +/– 1,0 second.

9.4.

For each recorded occurrence, the RXSWIN, or the software versions, indicating the software that was present when the event occurred, shall be clearly identifiable.

9.5.

A single timestamp may be allowed for multiple elements recorded simultaneously within the timing resolution of the specific data elements. If more than one element is recorded with the same timestamp, the information from the individual elements shall indicate the chronological order.

9.6.

Data availability

9.6.1.

The ADS data elements shall be available subject to requirements specified in the Union or national law (4).

9.6.2.

Once the storage capacity reaches its limit, existing data shall only be overwritten following a first in first out procedure with the principle of respecting the relevant data availability requirements.

Documented evidence on the storage capacity shall be provided by the manufacturer.
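The storage rules of points 9.2., 9.5. and 9.6.2. can be read together as one recording policy. The sketch below is an added example, not text or code from the Regulation: the class and field names are hypothetical, flags are labelled with their point numbers from 9.1., the default capacity is the 2 500 timestamps recommended in footnote (4), and it implements only the minimum storage that point 9.2. requires.

```python
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Flags are labelled with their point numbers in 9.1 (a naming choice of this example).
LANE_FLAGS = {"9.1.13", "9.1.14", "9.1.16", "9.1.17"}   # conditional under point 9.2
TRIGGER_FLAGS = {"9.1.5", "9.1.7", "9.1.15", "9.1.8"}   # make earlier lane flags mandatory
WINDOW = timedelta(seconds=30)


@dataclass(frozen=True)
class Occurrence:
    flag: str
    when: datetime      # UTC, truncated to 1 s resolution (point 9.3.6)
    seq: int            # recording order, disambiguates equal timestamps (point 9.5)
    reason: str = ""


class OccurrenceStore:
    """Hypothetical recorder: bounded FIFO storage plus a 30 s holding buffer."""

    def __init__(self, capacity=2500):
        # deque(maxlen=...) drops the oldest committed entry first (point 9.6.2).
        self._stored = deque(maxlen=capacity)
        # Lane flags wait here until a trigger occurrence makes them mandatory.
        self._pending = deque()
        self._seq = 0

    def record(self, flag, when, reason=""):
        """Record one occurrence; `when` must be timezone-aware and non-decreasing."""
        when = when.astimezone(timezone.utc).replace(microsecond=0)
        self._seq += 1
        occ = Occurrence(flag, when, self._seq, reason)

        # Lane flags older than 30 s can no longer precede a trigger in time.
        while self._pending and when - self._pending[0].when > WINDOW:
            self._pending.popleft()

        if flag in LANE_FLAGS:
            self._pending.append(occ)
        else:
            if flag in TRIGGER_FLAGS:
                # Everything still pending happened within 30 s before this trigger.
                self._stored.extend(self._pending)
                self._pending.clear()
            self._stored.append(occ)
        return occ

    def stored(self):
        """Committed occurrences in chronological order (timestamp, then seq)."""
        return sorted(self._stored, key=lambda o: (o.when, o.seq))
```
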

9.6.3.

For vehicles of category M1 and N1, the data elements shall be retrievable even after an impact of a severity level set by UN Regulations Nos 94 (5), 95 (6) or 137 (7).

9.6.4.

For vehicles of categories M2, M3, N2 and N3, the data elements listed in point 9.2. shall be retrievable even after an impact. To demonstrate that capability, the following applies:

Either:

(a)

A mechanical shock shall be applied to on-board data storage device(s), if any, at a severity level as specified in the component test of Annex 9C to the 03 series of amendment to UN Regulation No 100 (8), and

(b)

On-board data storage device(s) shall be mounted in the vehicle cab/passenger compartment or in a position of sufficient structural integrity to protect against physical damage that would prevent the retrieval of data. This shall be demonstrated to the technical service together with appropriate documentation (e.g. calculations or simulations);

Or,

(c)

The manufacturer demonstrates fulfilling the requirements of point 9.6.3. (e.g. for M2/N2 vehicles derived from M1/N1).

9.6.5.

If the main on-board vehicle power supply is not available, it shall still be possible to retrieve all data recorded.

9.6.6.

Data stored shall be easily readable in a standardised way via the use of an electronic communication interface, at least through the standard interface (OBD port).

9.7

Specific data elements for event data recorder for fully automated vehicles

9.7.1.

For vehicles fitted with an Event Data Recorder in accordance with Article 6 of Regulation (EU) 2019/2144, it shall be possible to retrieve through the standard interface (OBD port) the ADS data elements as referred to in points 9.3.1. and 9.3.2. recorded for at least the last 30 seconds before the last setting of the occurrence flag ‘Event Data Recorder (EDR) trigger input’, alongside the data elements specified in UN Regulation 160 (9), Annex 4 (EDR data).

9.7.2.

In the absence of any occurrence referred to in point 9.1. within the last 30 seconds before the last setting of the occurrence flag ‘Event Data Recorder (EDR) trigger input’, it shall be possible to retrieve, alongside the EDR data, the data element corresponding to the last occurrences within the same power cycle referred to in points 9.1.1. and 9.1.2., as a minimum.

9.7.3.

The data elements retrieved in accordance with point 9.7.1. or 9.7.2. shall not include the date and the timestamp or any other information allowing for identification of the vehicle, its user or owner. Instead the time stamp shall be replaced with information representing the time difference between the occurrence flag ‘Event Data Recorder (EDR) trigger input’ and the occurrence flag of the respective ADS data element.
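Points 9.7.1. to 9.7.3. together describe a data-minimised export: select by the 30-second window, fall back to the last activation and deactivation of the same power cycle, then replace absolute time with an offset to the EDR trigger. The following is an added example, not text or code from the Regulation; the record layout, the `power_cycle` counter and the function name are assumptions, and the sample log is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

EDR_TRIGGER = "9.1.8"                       # 'Event Data Recorder (EDR) trigger input'
ACTIVATION, DEACTIVATION = "9.1.1", "9.1.2"
WINDOW = timedelta(seconds=30)


@dataclass(frozen=True)
class Occurrence:
    """Internal record as stored on the vehicle (hypothetical layout)."""
    flag: str                                # labelled with its point number in 9.1
    when: datetime                           # date and timestamp (points 9.3.4, 9.3.6)
    seq: int                                 # recording order (point 9.5)
    power_cycle: int                         # assumed ignition-cycle counter
    position: Optional[Tuple[float, float]] = None   # GPS coordinates (point 9.3.5)


def edr_view(log):
    """Build the records retrievable alongside the EDR data.

    Output rows carry only the occurrence flag, the offset in whole seconds
    to the last EDR trigger, and an order index. Date, timestamp and position
    never leave this function (point 9.7.3).
    """
    triggers = [o for o in log if o.flag == EDR_TRIGGER]
    if not triggers:
        return []
    trig = max(triggers, key=lambda o: (o.when, o.seq))
    earlier = [o for o in log if (o.when, o.seq) < (trig.when, trig.seq)]

    # Point 9.7.1: occurrences in the last 30 s before the last trigger.
    selected = [o for o in earlier if trig.when - o.when <= WINDOW]

    # Point 9.7.2: nothing in the window, so fall back to the last activation
    # and the last deactivation recorded in the same power cycle.
    if not selected:
        same_cycle = [o for o in earlier if o.power_cycle == trig.power_cycle]
        for flag in (ACTIVATION, DEACTIVATION):
            matches = [o for o in same_cycle if o.flag == flag]
            if matches:
                selected.append(max(matches, key=lambda o: (o.when, o.seq)))

    selected.sort(key=lambda o: (o.when, o.seq))
    return [
        {
            "flag": o.flag,
            "seconds_before_trigger": int((trig.when - o.when).total_seconds()),
            "order": i,   # keeps the chronological order once timestamps are gone
        }
        for i, o in enumerate(selected)
    ]


# Constructed sample log: one power cycle ending in a detected collision.
_T0 = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = [
    Occurrence("9.1.1", _T0, 1, 7, position=(48.0, 11.0)),
    Occurrence("9.1.13", _T0 + timedelta(seconds=100), 2, 7),
    Occurrence("9.1.15", _T0 + timedelta(seconds=112), 3, 7),
    Occurrence("9.1.7", _T0 + timedelta(seconds=120), 4, 7),
    Occurrence(EDR_TRIGGER, _T0 + timedelta(seconds=120), 5, 7),
]
```
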

9.8.

The manufacturer shall provide instructions on how to access the data.

9.9.

Protection against manipulation

9.9.1.

An adequate protection against manipulation (e.g. data erasure) of stored data shall be ensured, for example by way of an anti-tampering design.

10.   Manual driving mode

10.1.

If the ADS allows manual driving for the purpose of maintenance or to take over after a minimal risk manoeuvre is provided in the fully automated vehicle, the vehicle shall be limited to 6 km/h and shall be provided with means to enable the person driving the vehicle to perform the driving task safely in accordance with the safety concept of the manufacturer. Except in case of failure, the ADS shall continue detecting an obstacle (e.g. vehicles, pedestrian) in the manoeuvring area and shall support the driver in bringing the vehicle immediately to a stop to avoid a collision.

10.2.

If manual driving is limited to 6 km/h, it is not necessary for the driver to stay within the fully automated vehicle. The control can be performed via a remote control located in the vicinity of the vehicle provided that the vehicle stays in the direct line of sight of the driver. The maximum distance over which control is possible by a remote control shall not exceed 10 metres.

10.3.

If, in manual driving, the vehicle is intended to be driven at speeds higher than 6 km/h, the vehicle shall be considered as dual mode vehicle.

11.   Operating manual

11.1.

The manufacturer shall draw up an operating manual. The purpose of the operating manual is to ensure the safe operation of the fully automated vehicle by means of detailed instructions to the owner, vehicle occupants, transport service operator, on-board operator, remote intervention operator and any relevant national authorities.

When the fully automated vehicle includes the possibility of manual driving for the purpose of maintenance or to take over after a minimal risk manoeuvre, it shall also be covered by the operating manual.

11.2.

The operating manual shall include the functional description of the ADS.

11.3.

The operating manual shall include the technical measures (e.g. checks and maintenance works of vehicle and off-board infrastructure, transport and physical infrastructure requirements such as localization marker and perception sensors), operational restrictions (e.g. speed limit, dedicated lane, physical separation with oncoming traffic), environmental conditions (e.g. no snow) and operational measures (e.g. on-board operator or remote intervention operator needed) necessary to ensure safety during the fully automated vehicle operation.

11.4.

The operating manual shall describe the instructions for vehicle occupants, transport service operator, on board operator (where applicable) and remote intervention operator (where applicable) and public authorities in case of failures and ADS request.

11.5.

The operating manual shall set out rules to ensure proper performance of maintenance, overall tests and further examinations.

11.6.

The Operating Manual shall be submitted to the type-approval authority together with the application for a type-approval and shall be annexed to the type-approval certificate.

11.7.

The Operating Manual shall be made available to the owner and, where applicable, to the transport service operator, on-board operator (where applicable), remote intervention operator (where applicable) and any relevant national authorities.

12.   Provisions for periodic roadworthiness tests

12.1.

For the purpose of periodic roadworthiness tests, it shall be possible to verify the following features of the ADS:

(a)

Its correct operational status, by visible observation of the failure warning signal status following the activation of the vehicle master control switch and any bulb check. Where the failure warning signal is displayed in a common space (the area on which two or more information functions/symbols may be displayed, but not simultaneously), it must first be observed that the common space is functional, prior to the failure warning signal status check;

(b)

Its correct functionality and the software integrity, by the use of an electronic vehicle interface, such as the one laid down in point I. (14) of Annex III to Directive 2014/45/EU of the European Parliament and of the Council (10), where the technical characteristics of the vehicle allow for it and the necessary data is made available. Manufacturers shall ensure to make available the technical information for the use of the electronic vehicle interface in accordance with Article 6 of Commission Implementing Regulation (EU) 2019/621 (11).


(1)  For instance based on current accident data on buses, coaches, trucks and cars in the EU, an indicative aggregated acceptance criteria of 10⁻⁷ fatalities per hour of operation could be considered for market introduction of ADSs for comparable transport services and situations. The manufacturer may use other metrics and method provided it can demonstrate that it leads to an absence of unreasonable safety risk when compared with comparable transport services and situations within the operational domain.

(2)   OJ L 82, 9.3.2021, p. 30.

(3)   OJ L 82, 9.3.2021, p. 60.

(4)  A storage capacity of 2 500 timestamps to correspond with a period of 6 months of use is recommended.

(5)   OJ L 392, 5.11.2021, p. 1.

(6)   OJ L 392, 5.11.2021, p. 62.

(7)   OJ L 392, 5.11.2021, p. 130.

(8)   OJ L 449, 15.12.2021, p. 1.

(9)   OJ L 265, 26.7.2021, p. 3.

(10)  Directive 2014/45/EU of the European Parliament and of the Council of 3 April 2014 on periodic roadworthiness tests for motor vehicles and their trailers and repealing Directive 2009/40/EC (OJ L 127, 29.4.2014, p. 51).

(11)  Commission Implementing Regulation (EU) 2019/621 of 17 April 2019 on the technical information necessary for roadworthiness testing of the items to be tested, on the use of the recommended test methods, and establishing detailed rules concerning the data format and the procedures for accessing the relevant technical information (OJ L 108, 23.4.2019, p. 5).


ANNEX III

Compliance assessment

The overall compliance assessment of the ADS is based on:

Part 1: The traffic scenarios to consider

Part 2: The assessment of the ADS safety concept and the audit of the manufacturer safety management system.

Part 3: The tests for the most relevant traffic scenarios.

Part 4: The principles to be used for the credibility assessment for using virtual toolchain to ADS validation

Part 5: The system established by the manufacturer to ensure in-service reporting.

Any requirement in Annex II may be checked by means of tests performed by the type-approval authority (or its technical service).

PART 1

TRAFFIC SCENARIOS TO CONSIDER

1.

Minimum set of traffic scenarios

1.1.

Scenarios and parameters listed in point 1 shall be used, when these scenarios are relevant for the ODD of the ADS.

If the manufacturer deviates from the parameters proposed in point 1, the safety performance metrics and inherent assumptions used by the manufacturer shall be documented in the documentation package. The safety performance metrics and inherent assumptions chosen shall demonstrate that the fully automated vehicle is free of unreasonable safety risks. The validity of such safety performance metrics and inherent assumptions shall be supported by in-service monitoring data.

1.2.

Parameters to be used for the lane change scenarios by the fully automated vehicle

1.2.1.

The scenarios and parameters, with regard to lane change, shall be applied as specified in UN Regulation No 157 (1).

1.3.

Parameters to be used for the turning and crossing scenario by the fully automated vehicle.

1.3.1.

In the absence of more specific traffic rules, the following requirements shall be taken into account with regard to interaction with other road users involved in the movement when turning and crossing (see Figure 1) in dry and proper road pavement conditions.

1.3.2.

In the case of merging with privileged traffic during turning with and without crossing the opposite traffic direction, privileged traffic in the target lane should not have to decelerate. However, it must be ensured that the TTC of the approaching privileged traffic in the target road (case (a) in Figure 1) never falls below the threshold TTC_dyn defined as:

Formula

With:

v_e equal to the speed of the fully automated vehicle

v_a equal to the speed of the privileged approaching traffic

β equal to 3 m/s² being the maximum admissible deceleration for the privileged approaching traffic.

ρ equal to 1,5 s being the reaction time of the privileged approaching

1.3.3.

In the case of a turning manoeuvre crossing the opposite traffic direction, when considering oncoming traffic, privileged traffic in the target lane should not have to decelerate. However, if justified by the traffic density, it must be ensured – in addition to the distance from the approaching privileged traffic in the target road – that the TTC of the privileged crossing traffic to the fictitious collision point (point of intersection of the trajectories, case (b) in Figure 1) never falls below the threshold TTC_int defined as:

Formula

With:

v_c equal to the speed of the privileged conflicting traffic

β equal to 3 m/s² being the maximum admissible deceleration for the privileged crossing traffic.

ρ equal to 1,5 s being the reaction time of the privileged crossing traffic

The same applies to crossing with privileged traffic (case (c) in Figure 1): The TTC of privileged traffic to the imaginary collision point (point of intersection of the trajectories) shall never fall below the threshold TTC_int defined in the present point.

Figure 1: Visualisation of the distances during turning and crossings.

Case (a): Distance to the approaching privileged traffic in the target lane to be observed during turning-in and merging with privileged traffic.

Case (b): Distance to the oncoming privileged traffic to be observed when turning by crossing the opposite traffic direction.

Case (c): distance to the privileged crossing traffic to be respected when crossing.

1.4.

Parameters to be used for the emergency manoeuvre scenarios by the fully automated vehicle (DDT under critical scenarios)

1.4.1.

The ADS shall avoid a collision with a leading vehicle which decelerates up to its full braking performance provided that there was no cut-in by another vehicle.

1.4.2.

Collisions with cutting in vehicles, pedestrians and cyclists travelling in the same direction, as well as with pedestrians who can start to cross the street, shall be avoided at least within the conditions determined by the following equation.

Formula

With:

Formula
being the time-to-collision at the moment of the cut-in of the vehicle or cyclist by more than 30 cm in the lane of the fully automated vehicle.

v_rel being the relative speed in metres per second [m/s] between the fully automated vehicle and the cutting-in vehicle (positive if the ADS is faster than the cutting-in vehicle).

β being the maximum deceleration of the fully automated vehicle and assumed to be equal to:

- 2,4 m/s² if it is transporting standing or not fastened vehicle occupants and there is a cutting in vehicle scenario;

- 6 m/s² if it is transporting standing or not fastened vehicle occupants for other scenarios with pedestrians or cyclists.

- 6 m/s² for other fully automated vehicles.

ρ being the time required by the fully automated vehicle to initiate an emergency braking and assumed to be equal to 0,1 s

τ being the time to reach the maximum deceleration β and assumed to be equal to

- 0,12 s for fully automated vehicles transporting standing or not fastened vehicle occupants;

- 0,3 s for other fully automated vehicles

The compliance with this equation is required only for road users cutting in, and only if the inserting road users were visible at least 0,72 seconds before cut-in.

This results in a required collision avoidance when another road user enters ego lane above the following TTC values (for example shown for speeds in 10 km/h steps). These requirements shall be met independently of environmental conditions.

| v_rel [km/h] | TTC [s] for vehicles with standing or unfastened vehicle occupants | TTC [s] for other vehicles |
|---|---|---|
| 10 | 0,74 | 0,48 |
| 20 | 1,32 | 0,71 |
| 30 | 1,9 | 0,94 |
| 40 | 2,47 | 1,18 |
| 50 | 3,05 | 1,41 |
| 60 | 3,63 | 1,64 |

If a lane change with a lower TTC is carried out to the lane of the fully automated vehicle, it can no longer be assumed that there will be no collision avoidance. The control strategy of the ADS may change between collision avoidance and mitigation only if the manufacturer can demonstrate that this increases the safety of the vehicle occupants and the other road users (e.g. by prioritising braking over an alternative manoeuvre).

1.4.3.

The ADS shall avoid a collision with a crossing pedestrian or a cyclist in front of the vehicle.

1.4.3.1.

Urban and rural driving conditions

1.4.3.1.1.

The ADS shall avoid a collision, up to a speed of 60 km/h, with an unobstructed pedestrian crossing with a lateral speed component of not more than 5 km/h or an unobstructed cyclist crossing with a lateral speed component of not more than 15 km/h in front of the vehicle. This shall be ensured independently from the specific manoeuvre the ADS is undertaking.

1.4.3.1.2.

In the case the pedestrian or the cyclist proceed with higher speed than the aforementioned values and the ADS can no longer avoid collision, the control strategy of the ADS may change between collision avoidance and mitigation only if the manufacturer can demonstrate that this increases the safety of the vehicle occupants and the other road users (e.g. by prioritizing braking over an alternative manoeuvre).

1.4.3.1.3.

The ADS shall mitigate a collision with an obstructed pedestrian or cyclist crossing in front of the vehicle by reducing its speed at impact by at least 20 km/h. This shall be ensured independently from the specific manoeuvre the ADS is undertaking.

1.4.3.1.4.

For the purpose of demonstrating fulfilment of the previous requirements related to crossing of pedestrians and cyclists in front of the vehicle, test and assessment scenarios developed under the European New Car Assessment Programme (Euro NCAP) may be taken as guidance.

1.4.3.2.

Motorway driving conditions

1.4.3.2.1.

The relevant scenarios, with regard to pedestrian crossing, shall be applied as specified in UN Regulation No 157.

1.4.3.2.2.

In the case the pedestrian crosses with parameter values outside the boundaries specified in UN Regulation 157 and the ADS can no longer avoid collision, the control strategy of the ADS may change between collision avoidance and mitigation only if the manufacturer can demonstrate that this increases the safety of the vehicle occupants and the other road users (e.g. by prioritizing braking over an alternative manoeuvre).

1.5.

Motorway entry

The fully automated vehicle shall be able to safely enter the motorway by adapting the speed to the traffic flow, and activate the relevant direction indicator according to the traffic rules.

The direction indicator shall be deactivated once the vehicle has performed the lane change manoeuvre (LCM). The parameters used in the lane change scenario shall be applied.

1.6.

Motorway exit

The fully automated vehicle shall be able to anticipate the targeted motorway exit by driving on the adjacent lane to the exit lane and shall not unnecessarily decelerate before the LCM into the exit lane starts.

The fully automated vehicle shall apply the direction indicator in accordance with the traffic rules, and perform the LCM into the exit lane without undue delay.

The direction indicator shall be deactivated once the LCM has been completed in compliance with the traffic rules in the country of operation.

1.7.

Passing a toll station

Depending on the ODD, the fully automated vehicle shall be able to select the proper passing gate, and adapt its speed to the permitted limits within the toll area while considering the traffic flow.

1.8.

Operation on other road types than motorways

Depending on the ODD, the relevant scenario defined in points 1.2. to 1.4. above shall be applied.

1.9.

Parameters to be used for Automated valet parking

1.9.1.

Depending on the ODD, the relevant scenarios defined in points 1.3. to 1.5 above shall be applied. The parameters to be used for these scenarios may need to be adapted to take account of the limited driving speed and the general lack of visibility that may occur in a parking facility. Special attention shall be given to avoiding collisions with pedestrians and in particular with children and prams.

2.

Scenarios not covered by point 1.

2.1.

Scenarios that are not listed in point 1 shall be generated to cover reasonably foreseeable critical situations, including failures and traffic hazards within the operational design domain.

2.2.

When ADS capabilities depend on remote capabilities, scenarios shall include failures and traffic hazards stemming from the corresponding remote capabilities.

2.3.

The method to generate scenarios that are not listed in Section 1 shall follow the principles set in Appendix 1 to Part 1 of this Annex.

2.4.

The method used by the manufacturer to generate scenarios that are not listed in point 1 shall be documented in the documentation package to be provided for the ADS assessment.

Appendix 1

Principles to be followed to derive scenarios relevant for the ODD of the ADS

1.   Generation and classification of scenarios

From a qualitative perspective, scenarios can be classified into Nominal/Critical/Failure and correspond to normal or emergency operation. For each of these categories, a data-based approach and a knowledge-based approach can be used to generate corresponding traffic scenarios. A knowledge-based approach utilizes expert knowledge to identify hazardous events systematically and create scenarios. A data-based approach utilizes the available data to identify and classify occurring scenarios. Scenarios shall be derived from the ODD of the fully automated vehicle.

2.   Nominal scenarios

A series of analytical frameworks can help the manufacturer to derive additional nominal scenarios to ensure coverage for the specific application. These frameworks are divided into:

2.1.   ODD analysis

An ODD consists of scenery elements (e.g., physical infrastructure), environmental conditions, dynamic elements (e.g., traffic, vulnerable road users) and operational constraints to the specific ADS application. The aim of this analysis is to identify the characteristics of the ODD, allocate properties and define interactions between the objects. Here the effect of ODD on the behaviour competencies of the ADS is explored. An example of the analysis is provided in Table 1.

Table 1

Dynamic elements and their properties

| Objects | Events/Interactions |
|---|---|
| Vehicles (e.g. cars, light trucks, heavy trucks, buses, motorcycles) | Lead vehicle decelerating (frontal); Lead vehicle stopped (frontal); Lead vehicle accelerating (frontal); Changing lanes (frontal/side); Cutting in (adjacent); Turning (frontal); Encroaching opposing vehicle (frontal/side); Encroaching adjacent vehicle (frontal/side); Entering roadway (frontal/side); Cutting out (frontal) |
| Pedestrians | Crossing road – inside crosswalk (frontal); Crossing road – outside crosswalk (frontal); Walking on side walk/shoulder |
| Cyclists | Riding in lane (frontal); Riding in adjacent lane (frontal/side); Riding in dedicated lane (frontal/side); Riding on sidewalk/shoulder; Crossing road – inside crosswalk (frontal/side); Crossing road – outside crosswalk (frontal/side) |
| Animals | Static in lane (frontal); Moving into/out of lane (frontal/side); Static/moving in adjacent lane (frontal); Static/moving on shoulder |
| Debris | Static in lane (frontal) |
| Other dynamic objects (e.g. shopping carts) | Static in lane (frontal/side); Moving into/out of lane (frontal/side) |
| Traffic signs | Stop, yield, speed limit, crosswalk, railroad, crossing, school zone |
| Traffic signals | Intersection, railroad crossing, school zone |
| Vehicle signals | Turn signals (direction indicator) |

2.2.   OEDR Analysis: Behaviour competency identification

Once the objects and relevant properties have been identified, it is possible to map the appropriate ADS response. The ADS response is modelled on applicable functional requirements and by applying the performance requirements of this regulation and the traffic rules of the country of operation.

The outcome of the OEDR analysis is also a set of competences that can be mapped to the behavioural competences applicable to the ODD, to ensure compliance with the relevant regulatory and legal requirements. Table 2 provides a qualitative example of a matching event – response.

The combination of objects, events, and their potential interaction, as a function within the ODD, constitute the set of nominal scenarios pertinent to the ADS under analysis. The identification of nominal scenarios can benefit from an enhanced combination of scenario descriptors covering, within the ODD, e.g. infrastructure attributes, objects and events characteristics, hazards affecting responses (e.g. weather, visibility). The identification of nominal scenarios is not limited to traffic conditions but also covers environmental conditions, human factors, connectivity and miscommunication. As parameters (assumptions) for the events are yet to be defined, the nominal scenarios derived from the application of the analysis are to be considered in their functional and logical abstraction layer.

Table 2

Behaviour competences for given events

| Event | Response |
| --- | --- |
| Lead vehicle decelerating | Follow vehicle, decelerate, stop |
| Lead vehicle stopped | Decelerate, stop |
| Lead vehicle accelerating | Accelerate, follow vehicle |
| Lead vehicle turning | Decelerate, stop |
| Other vehicle changing lanes | Yield, decelerate, follow vehicle |
| Other vehicle cutting-in | Yield, decelerate, stop, follow vehicle |
| Vehicle entering roadway | Follow vehicle, decelerate, stop |
| Opposing vehicle encroaching | Decelerate, stop, shift within lane, shift outside lane |
| Adjacent vehicle encroaching | Yield, decelerate, stop |
| Lead vehicle cutting out | Accelerate, decelerate, stop |
| Pedestrian crossing road – inside crosswalk | Yield, decelerate, stop |
| Pedestrian crossing road – outside crosswalk | Yield, decelerate, stop |
| Cyclists riding in lane | Yield, follow |
| Cyclists riding in dedicated lane | Shift within lane |
| Cyclists crossing road – inside crosswalk | Yield, decelerate, stop |
| Cyclists crossing road – outside crosswalk | Yield, decelerate, stop |

3.   Critical scenarios

Critical scenarios can be derived by either considering edge-case assumptions on nominal traffic scenarios (data-based) or applying standardised methods (knowledge-based) for the evaluation of operational insufficiencies (see example of methods in point 3.5.5. of Part 2). The identification of critical scenarios can benefit from an enhanced combination of scenario descriptors and edge values covering, within the ODD, e.g. infrastructure attributes, objects and events characteristics, hazards affecting responses (e.g. weather, visibility masks, interactions with other road users than the triggered object or event). The identification of critical scenarios is not limited to traffic conditions but also covers environmental conditions, human factors, connectivity and miscommunication. Critical scenarios correspond to emergency operation of the ADS.

4.   Failure scenarios

These scenarios aim to assess how the ADS responds to a failure. Different methods are available in literature (see example of methods in point 3.5.5. of Part 2).

For each of the behaviour failures and consequential effects identified, the manufacturer shall put in place relevant strategies when developing the ADS (i.e., fail-safe).

When applying the failure scenarios, the objective is to assess the ability of the ADS to comply with requirements for safety-critical situations, including for example ‘The ADS shall manage safety-critical driving situations’ and ‘The ADS shall safely manage failure modes’ and their respective sub-requirements.

5.   Assumptions: Logical to concrete scenarios

To ensure that the scenarios identified in the previous points are ready to be assessed through simulation or physical testing, the manufacturer may need to coherently parametrise them by applying assumptions.

The manufacturer shall provide evidence supporting the assumptions made such as data collection campaigns performed during the development phase, real-world accidentology and realistic driving behaviour evaluations.

Parameters used to characterise critical scenarios should cover reasonably foreseeable values in scenario descriptors, but shouldn’t be limited to values already observed in documented data bases.

PART 2

ASSESSMENT OF THE ADS SAFETY CONCEPT AND AUDIT OF THE MANUFACTURER SAFETY MANAGEMENT SYSTEM

1.   General

1.1.

The type-approval authority granting the type-approval or the technical service acting on its behalf shall verify through targeted spot checks and tests, in particular as specified in point 4 of this annex, that the safety argumentation provided by the documentation complies with the requirements of Annex II and that the design and processes described in documentation are actually implemented by the manufacturer.

1.2.

While based on the provided documentation, evidences provided for the audit of the safety management system and the assessment of the ADS safety concept carried out to the satisfaction of the type-approval authority in accordance with this regulation, the residual level of safety risk of the type-approved ADS is deemed to be acceptable for the entry into service of the vehicle type, the overall ADS safety during the ADS lifetime in accordance with the requirements of this regulation remains the responsibility of the manufacturer requesting the type-approval.

2.   Definitions

For the purposes of this annex,

2.1.

‘safety concept’ means a description of the measures designed into the ADS, so that the fully automated vehicle operates for the scenarios and events relevant to the ODD in such a way that it is free of unreasonable safety risks to the vehicle occupants and other road users under fault (functional safety) and non-fault conditions (operational safety). The possibility of a fall-back to partial operation or even to a back-up system for vital ADS functions shall be a part of the safety concept.

2.2.

‘units’ means the smallest divisions of system components which will be considered in this annex, since these combinations of components will be treated as single entities for purposes of identification, analysis or replacement.

2.3.

‘transmission links’ means the means used for inter-connecting distributed units for the purpose of conveying signals, operating data or an energy supply. This equipment is generally electrical but may, in some part, be mechanical, pneumatic or hydraulic.

2.4.

‘range of control’ means an output variable and defines the range over which the system is likely to exercise control.

2.5.

‘boundary of functional operation’ means the boundaries of the external physical limits within which the ADS is able to perform the dynamic driving tasks.

3.   Documentation on the ADS

3.1.   Requirements

The manufacturer shall provide a documentation package which gives access to the basic design of the ADS and the means by which it is linked to other vehicle systems or by which it directly controls output variables as well as off-board hardware/software and remote capabilities.

The function(s) of the ADS, including the control strategies, and the safety concept, as laid down by the manufacturer, shall be explained.

Documentation shall be brief, yet provide evidence that the design and development has had the benefit of expertise from all the ADS fields which are involved.

For periodic road worthiness tests, the documentation shall describe how the current operational status of the ADS and the functionality and software integrity can be checked.

The type-approval authority shall assess the documentation package which shall show that the ADS:

(a)

is designed and was developed to operate in such a way that it is free from unreasonable risks for vehicle occupants and other road users within the declared ODD and boundaries;

(b)

fulfils the performance requirements of Annex II to this Regulation;

(c)

was developed according to the development process/method declared by the manufacturer.

3.1.1.

Documentation shall be made available in three parts:

(a)

Application for type-approval: the information document submitted to the type-approval authority at the time of the type-approval application shall contain brief information on the items listed in Annex I. It will become part of the type-approval.

(b)

The formal documentation package for the type-approval, containing the material listed in this Section 3. (with the exception of that of point 3.5.5.) which shall be supplied to the type-approval authority for the purpose of conducting the ADS type-approval. This documentation package shall be used by the type-approval authority as the basic reference for the verification process set out in point 4. of this annex. The type-approval authority shall ensure that this documentation package remains available for a period of at least 10 years counted from the time when production of the vehicle type is definitely discontinued.

(c)

Additional confidential material and analysis data (intellectual property) of point 3.5.5. which shall be retained by the manufacturer, but made open for inspection (e.g. on-site in the engineering facilities of the manufacturer) at the time of the ADS type-approval. The manufacturer shall ensure that this material and analysis data remains available for a period of 10 years counted from the time when production of the vehicle type is definitely discontinued.

3.2.   General description of the ADS

3.2.1.

A description shall be provided giving a simple explanation of the operational characteristics of the ADS and ADS features.

3.2.2.

The description shall include:

3.2.2.1

the operational design domain such as maximum speed of operation, road type (e.g. dedicated lane), country(ies)/areas of operation, road conditions and environmental conditions required (e.g. no snow), etc.)/Boundary conditions

3.2.2.2

basic performance (e.g. object and event detection and response, off-board infrastructure needed during operation)

3.2.2.3.

Interaction with other road users

3.2.2.4.

main conditions for minimal risk manoeuvres.

3.2.2.5.

interaction concept with vehicle occupants, the on board operator (if applicable) and the remote intervention operator (if applicable).

3.2.2.6.

the means to activate or deactivate the ADS by the on-board operator (if relevant) or the remote intervention operator (if relevant), vehicle occupants (if relevant) or other road users (if relevant).

3.2.2.7.

operational measures (e.g. on-board operator or remote intervention operator needed) to be met to ensure safety during the fully automated vehicle operation.

3.2.2.8.

backend, off-board infrastructure needed to ensure safety during the fully automated vehicle operation.

3.3.   Description of the functions of the ADS

A description shall be provided giving an explanation of all the functions including control strategies to ensure the robust and safe operation of the ADS and the methods used to perform the dynamic driving tasks within the ODD, and the boundaries under which the automated driving system is designed to operate, including a description on how this is ensured.

Any enabled or disabled automated driving functions for which the hardware and software are present in the vehicle at the time of production, shall be declared and are subject to the requirements of this annex as well as Annex II to this Regulation, prior to their use in the vehicle. The manufacturer shall also document the data processing if continuous learning algorithms are implemented.

3.3.1.

A list of all input and sensed variables shall be provided and the working range of these defined, along with a description of how each variable affects the ADS behaviour.

3.3.2.

A list of all output variables that are controlled by the ADS shall be provided and an explanation given, in each case, of whether the control is direct or via another vehicle system. The range over which the ADS is likely to exercise control on each such variable shall be defined.

3.3.3.

Limits defining the boundaries of functional operation including ODD-limits shall be stated where appropriate to ADS performance.

3.3.4.

The human machine interaction (HMI) concept with the vehicle occupants/on-board operator/remote intervention operator (if any) when ODD limits are approached and then reached shall be explained. The explanation shall include the list of types of situations in which the ADS will generate a support request to the on board operator/remote intervention operator (if applicable), the way the request is performed, the procedure that handles a failed request and the minimal risk manoeuvre. Signals and information given to the on-board operator/remote intervention operator, vehicle occupants and other road users in each of the above aspects shall also be described.

3.4.   ADS layout and schematics

3.4.1.

Inventory of components.

A list shall be provided, collating all the units of the ADS and mentioning the other vehicle systems as well as off-board hardware/software and remote capabilities that are needed to achieve specified performance of the ADS to be approved according to its ODD.

An outline schematic showing these units in combination, shall be provided with both the equipment distribution and the interconnections made clear.

This outline shall include:

(a)

perception and objects/events detection including mapping and positioning

(b)

Characterisation of Decision-making

(c)

The ADS data elements.

(d)

links and interface with other vehicle systems, off-board hardware/software and remote capabilities

3.4.2.

Functions of the units

The function of each unit of the ADS shall be outlined and the signals linking it with other units or with other vehicle systems shall be shown. It shall include off-board systems supporting the ADS and other vehicle systems. This may be provided by a labelled block diagram or other schematic, or by a description aided by such a diagram.

3.4.3.

Interconnections within the ADS shall be shown by a circuit diagram for the electric transmission links, by a piping diagram for pneumatic or hydraulic transmission equipment and by a simplified diagrammatic layout for mechanical linkages. The transmission links both to and from other systems shall also be shown.

3.4.4.

There shall be a clear correspondence between transmission links and the signals carried between units. Priorities of signals on multiplexed data paths shall be stated wherever priority may be an issue affecting performance or safety.

3.4.5.

Identification of units

3.4.5.1.

Each unit shall be clearly and unambiguously identifiable (e.g. by marking for hardware, and by marking or software output for software content) to provide corresponding hardware and documentation association. Where a software version can be changed without requiring the replacement of the marking or component, the software identification must be by software output only.

3.4.5.2.

Where functions are combined within a single unit or indeed within a single computer, but shown in multiple blocks in the block diagram for clarity and ease of explanation, only a single hardware identification marking shall be used. The manufacturer shall, by the use of this identification, affirm that the equipment supplied conforms to the corresponding document.

3.4.5.3.

The identification defines the hardware and software version and, where the latter changes such as to alter the function of the unit as far as this Regulation is concerned, this identification shall also be changed.

3.4.6.

Installation of sensing system components

The manufacturer shall provide information on the installation options for the individual components that comprise the sensing system. These options shall include, but are not limited to, the location of the component in/on the vehicle, the material(s) surrounding the component, the dimensioning and geometry of the material surrounding the component, and the surface finish of the materials surrounding the component, once installed in the vehicle. The information shall also include installation specifications that are critical to the ADS’s performance, e.g. tolerances on installation angle.

Changes to the individual components of the sensing system, or the installation options, shall be notified to the type-approval authority and be subject to further assessment.

3.5.   Safety concept of the manufacturer and validation of the safety concept by the manufacturer

3.5.1.

The manufacturer shall provide a statement which affirms that the ADS is free from unreasonable risks for the vehicle occupants and other road users.

3.5.2.

In respect of software employed in the ADS, the outline architecture shall be explained and the design methods and tools used shall be identified (see 3.5.1). The manufacturer shall show evidence of the means by which they determined the realisation of the ADS logic, during the design and development process.

3.5.3.

The manufacturer shall provide the type-approval authority with an explanation of the design provisions built into the ADS so as to ensure functional and operational safety. Possible design provisions in the ADS are for example:

(a)

fall-back to operation using a partial system.

(b)

redundancy with a separate system.

(c)

diversity of systems performing the same function.

(d)

removal or limitation of the automated driving function(s).

3.5.3.1.

If the chosen provision selects a partial performance mode of operation under certain fault conditions (e.g. in case of severe failures), then these conditions shall be stated (e.g. type of failure) and the resulting limits of effectiveness defined (e.g. immediate initiation of a minimal risk manoeuvre) as well as the warning strategy to the operator/remote operator, occupants and other road users (when applicable).

3.5.3.2.

If the chosen design provision selects a second (back-up) or diverse means to realise the performance affected by the fault, the principles of the change-over mechanism, the logic and level of redundancy and any built-in checking features shall be explained and the resulting limits of effectiveness defined.

3.5.3.3.

If the chosen design provision selects the removal of the automated driving function(s), this shall be done in compliance with the relevant provisions of this regulation. All the corresponding output control signals associated with this function shall be inhibited.

3.5.4.

The manufacturer shall also provide the type-approval authority with an explanation of the operational safety measures to be put in place for the safe operation of the ADS such as an on-board operator or a remote intervention operator, supporting off-board infrastructure, transport and physical infrastructure requirements, maintenance measures, etc.

3.5.5.

The documentation shall be supported, by an analysis that shows, how the ADS will behave to mitigate or avoid hazards that can have a bearing on the safety of vehicle occupants and other road users.

3.5.5.1.

The chosen analytical approach(es) shall be established and maintained by the manufacturer and shall be made open for inspection by the type-approval authority at the time of the type-approval and afterwards.

3.5.5.2.

The type-approval authority shall assess the application of the analytical approach(es):

(a)

Inspection of the safety approach at the concept level.

This approach shall be based on a Hazard analysis/Risk assessment appropriate to system safety.

(b)

Inspection of the safety approach at the ADS level including a top down (from possible hazard to design) and bottom-up approach (from design to possible hazards). The safety approach may be based on a failure mode and effect analysis (FMEA), a fault tree analysis (FTA) and a System-theoretic process analysis (STPA) or any similar process appropriate to system functional and operational safety.

(c)

Inspection of the validation/verification plans and results including appropriate acceptance criteria. This shall include testing appropriate for validation, for example, hardware in the Loop (HIL) testing, vehicle on-road operational testing, testing with real end users, or any other testing appropriate for validation/verification. Results of validation and verification may be assessed by analysing coverage of the different tests and setting minimum coverage thresholds for various metrics.

3.5.5.3.

The analytical approach under 3.5.5.2. shall confirm that at least each of the following items is covered:

(i)

Issues linked to interactions with other vehicle systems (e.g. braking, steering);

(ii)

Failures of the automated driving system and system risk mitigation reactions;

(iii)

Situations within the ODD where the ADS may create unreasonable safety risks for the vehicle occupants and other road users due to operational disturbances (e.g. lack of or wrong comprehension of the vehicle environment, lack of understanding of the reaction from the operator/remote operator, vehicle occupants or other road users, inadequate control, challenging scenarios)

(iv)

Identification of the relevant scenarios within the boundary conditions and management method used to select scenarios and validation tool chosen.

(v)

Decision making process resulting in the performance of the dynamic driving tasks (e.g. emergency manoeuvres), for the interaction with other road users and in compliance with national traffic rules

(vi)

Reasonably foreseeable misuse by the vehicle occupants/other road users, mistakes or misunderstanding by the operator/remote operator/occupants/other road users (e.g. unintentional override) and intentional tampering of the ADS.

(vii)

Cybersecurity threats on the safety of the ADS (to be covered by the analysis done in accordance with UN Regulation No 155 on Cyber Security and Cyber Security Management System).

(viii)

Operational safety issues: problems with the supporting off-board infrastructure, problem with the remote intervention operator, loss of connectivity, lack of maintenance, etc.

3.5.5.4.

The assessment by the type-approval authority shall consist of spot checks to establish that argumentation supporting the safety concept is understandable and logical and implemented in the different functions of the ADS. The assessment shall also check that validation plans are robust enough to demonstrate safety (e.g. reasonable coverage of chosen scenarios testing by the validation tool chosen) and have been properly completed.

3.5.5.4.1.

It shall demonstrate that the operation of the fully automated vehicle is free from unreasonable risks for the vehicle occupants and other road users in the operational design domain, i.e. through:

(a)

an overall validation target (i.e. overall validation acceptance criteria) supported by validation results, demonstrating that the entry into service of the ADS will overall not increase the level of risk for the vehicle occupants and other road users compared to manually driven vehicles; and

(b)

a scenario specific approach (i.e. scenario based validation acceptance criteria) showing that the ADS will overall not increase the level of risk for the vehicle occupants and other road users compared to manually driven vehicles for each of the safety relevant scenarios;

3.5.5.5.

The type-approval authority shall perform or shall require to perform tests as specified in point 4. of this Annex to verify the safety concept.

3.5.5.6.

This documentation shall itemize the parameters being monitored and shall set out, for each failure condition of the type defined in point 3.5.4. of this annex, the warning signal to be given to the operator/remote operator/vehicle occupants/other road users and/or to service/technical inspection personnel.

3.5.5.7.

This documentation shall also describe the measures in place to ensure the ADS is free from unreasonable risks to vehicle occupants, and other road users when the performance of the ADS is affected by environmental conditions e.g. climatic, temperature, dust ingress, water ingress, ice packing, inclement weather.

4.   Verification and tests

Taking into account the results of the analysis of the manufacturer’s documentation package, the type-approval authority shall request the tests to be performed or witnessed by the Technical Service to check specific points arising from the assessment.

4.1.

The functional operation of the ADS, as laid out in the documents required in point 3., shall be tested as follows:

4.1.1.

Verification of the function of the ADS

The type-approval authority shall verify the ADS under non-failure conditions by testing on a track a number of selected functions, as deemed necessary by the type-approval authority, from those described by the manufacturer, and by checking the overall behaviour of the ADS in real driving conditions including compliance with traffic rules.

These tests shall include scenarios whereby the ADS is overridden by the remote intervention operator (if applicable).

These tests can be based on test scenarios listed in Part 3 of this Annex and/or on additional scenarios not covered by Part 3.

4.1.1.1.

The test results shall correspond with the description, including the control strategies, provided by the manufacturer in point 3.2. and shall comply with the performance requirements of this regulation.

4.1.2.

Verification of the ADS safety concept

The reaction of the ADS shall be checked under the influence of a fault in any individual unit by applying corresponding output signals to electrical units or mechanical elements in order to simulate the effects of internal failure within the unit.

The type-approval authority shall verify that these tests include aspects that may have an impact on vehicle controllability and user information (HMI aspects e.g. interaction with the operator/remote operator).

4.1.2.1.

The type-approval authorities shall also check a number of scenarios that are critical for the Object and Event Detection and Response (OEDR) and Characterisation of the decision-making and HMI functions of the ADS (e.g. object difficult to detect, when the ADS reaches the ODD boundaries, traffic disturbance scenarios, connectivity issue, problem with off-board systems, remote capabilities issues e.g. the absence of the remote intervention operator) as defined in this regulation.

4.1.2.2.

The verification results shall correspond with the documented summary of the hazard analysis, to a level of overall effect such that the safety concept and execution are confirmed as being adequate and in compliance with the requirements of this regulation.

4.2.

Simulation tool and mathematical models to verify the safety concept may be used in accordance with Annex VIII to Regulation (EU) 2018/858, in particular for scenarios that are difficult on a test track or in real driving conditions. Manufacturers shall demonstrate the scope of the simulation tool, its validity for the scenario concerned as well as the validation performed for the simulation tool chain (correlation of the outcome with physical tests). To demonstrate the validity of the simulation toolchain, the principles of Part 4 of this Annex shall apply. Simulation shall not be a substitute for physical tests in Part 3 of this Annex.

4.3

The manufacturer shall have a valid certificate of compliance for the safety management system (SMS) relevant to the vehicle type being approved.

5.   Safety management system (SMS)

5.1.

In respect of the ADS, the manufacturer shall demonstrate to the type-approval authority in terms of a safety management system (SMS) that effective processes, methodologies, training and tools are in place, up to date and being followed within the organization to manage the safety and continued compliance throughout the ADS lifecycle.

5.2.

The design and development process shall be established and documented including safety management system, requirements management, requirements’ implementation, testing, failure tracking, remedy and release.

5.3.

The manufacturer shall ensure effective communication channels between manufacturer departments responsible for functional/operational safety, cybersecurity and any other relevant disciplines related to the achievement of vehicle safety.

5.4.

The manufacturer shall have processes aimed at collecting vehicle data, and data from other sources to monitor and analyse safety-relevant incidents/accidents caused by the engaged automated driving system. The manufacturer shall report to type-approval authorities, market surveillance authorities and the Commission the relevant occurrences in accordance with Part 5 of this Annex.

5.4.1.

The manufacturer must enable the transport service operator to provide the type-approval authorities, market surveillance authorities or other authorities designated by the Member States with the vehicle data in accordance with paragraph 5.4 above, as well as with the ADS data and the specific data elements for event data recorder collected in accordance with Section 9 of Annex II.

5.5.

The manufacturer shall have processes to manage potential safety-relevant gaps post-registration and to update the vehicles if necessary.

5.6.

The manufacturer shall demonstrate that periodic independent internal process audits (e.g. every 2 years) are carried out to ensure that the processes established in accordance with points 5.1 to 5.5. are implemented consistently.

5.7.

Manufacturers shall put in place suitable arrangements (e.g. contractual arrangements, clear interfaces, quality management system) with suppliers to ensure that the supplier safety management system complies with the requirements of points 5.1. (except for vehicle related aspects like ‘operation’ and ‘decommissioning’), 5.2, 5.3 and 5.6.

5.8.

Certificate of compliance for safety management system

5.8.1.

An application for a Certificate of Compliance for Safety Management System shall be submitted by the manufacturer or by their duly accredited representative to the type-approval authority.

5.8.2.

It shall be accompanied by the undermentioned documents in triplicate, and by the following particular:

(a)

Documents describing the Safety Management System.

(b)

A signed Declaration of Compliance of the SMS with all the requirements for safety management according to this Regulation, using the model as defined in Appendix 3 to this Annex.

5.8.3.

When this audit of the SMS has been satisfactorily completed and in receipt of a signed declaration from the manufacturer according to the model as defined in Appendix 3, a certificate named Certificate of Compliance for SMS as described in Appendix 4 (hereinafter the Certificate of Compliance for SMS) shall be granted to the manufacturer.

5.8.4.

The Certificate of Compliance for SMS shall remain valid for a maximum of three years from the date of deliverance of the certificate unless it is withdrawn.

5.8.5.

The type-approval authority may at any time verify that the requirements for the Certificate of Compliance for SMS continue to be met. The type-approval authority shall withdraw the Certificate of Compliance for SMS if major non-conformities in the compliance with the requirements laid down in this Regulation are discovered and not immediately addressed.

5.8.6.

The manufacturer shall inform the type-approval authority or its technical service of any change that will affect the relevance of the certificate of compliance for SMS. After consultation with the manufacturer, the type-approval authority or its Technical Service shall decide whether new checks are necessary.

5.8.7.

In due time, the manufacturer shall apply for a new or for the extension of the existing Certificate of Compliance for SMS. The type-approval authority shall, subject to a positive audit, issue a new Certificate of Compliance for SMS or extend its validity for a further period of three years. The type-approval authority shall verify that the SMS continues to comply with the requirements of this Regulation. The type-approval authority shall issue a new certificate in cases where changes have been brought to the attention of the type-approval authority or its Technical Service and the changes have been positively re-assessed.

5.8.8.

The expiry or withdrawal of the manufacturer’s Certificate of Compliance for SMS shall be considered, with regard to the vehicle types to which the SMS concerned was relevant, as modification of approval, which may include the withdrawal of the approval if the conditions for granting the approval are not met anymore.

6.   Reporting provision

6.1.

The reporting of the safety assessment of the ADS safety concept as well as the audit of the safety management system of the manufacturer shall be performed in such a manner that allows traceability, e.g. versions of documents inspected are coded and listed in the records of the Technical Service.

6.2.

An example of layout for the report on the assessment of the ADS safety concept from the Technical Service to the type-approval authority is provided in Appendix 1 to this part. The listed items in this Appendix are outlined as minimum set of items that need to be covered.

6.3.

The granting type-approval authority shall issue the safety assessment results to be annexed to the type-approval certificate based on the documentation provided by the manufacturer, the report of the assessment of the ADS safety concept by the technical service and on the outcomes of the verification and test campaigns performed in accordance with Part 3 of this Annex. An example of a possible layout for the safety assessment results is given in Appendix 4.

7.   Competence of the auditors/assessors

7.1.

The assessment of the ADS safety concept and the audit of the safety management system under this part shall only be conducted by assessors/auditors with the technical and administrative knowledge necessary for such purposes. They shall in particular be competent as auditor/assessor for ISO 26262-2018 (Functional Safety – Road Vehicles), and ISO/PAS 21448 (Safety of the Intended Functionality of road vehicles); and shall be able to make the necessary link with cybersecurity aspects in accordance with UN Regulation No 155 and ISO/SAE 21434. This competence shall be demonstrated by appropriate qualifications or other equivalent training records.

Appendix 1

Model for the assessment report of the ADS safety concept

Safety assessment report No:

1.   

Identification

1.1.   

Vehicle make

1.2.   

Vehicle type

1.3.   

Means of identification of vehicle type if marked on the vehicle

1.4.   

Location of that marking

1.5.   

Manufacturer’s name and address

1.6.   

If applicable, name and address of manufacturer’s representative

1.7.   

Manufacturer’s formal documentation package

Documentation reference No:

Date of original issue:

Date of latest update:

2.   

Assessment method

2.1.   

Description of the assessment processes and methodologies

2.2.   

Acceptability criteria

3.   

Results of the review of the documentation package

3.1.   

Review of the ADS description

3.2.   

Review of Manufacturer’s safety concept and the manufacturer safety analysis

3.3.   

Review of the Verification and Validation performed by the manufacturer in particular coverage of the different tests and setting minimum coverage thresholds for various metrics

3.4.   

Review of the methods and tools (software, laboratory, others) and the credibility assessment

3.5.   

Review of ADS data requirements and specific data elements for event data recorder for fully automated vehicles

3.6.   

Checks of the Cyber Security and Software Updates certificates are covering the ADS

3.7.   

Review of the information provided in the Operating Manual

3.8.   

Review of the provisions for the periodic roadworthiness tests of the ADS

3.9.   

Review of additional information not included in the Information Document

4.   

Verification of ADS functions under non-failure conditions (referred to in point 4.1.1. of Annex III Part 2 to Commission Implementing Regulation (EU) 2022/1426 of 5 August 2022 laying down rules for the application of Regulation (EU) 2019/2144 of the European Parliament and of the Council as regards uniform procedures and technical specifications for the type-approval of the automated driving system (ADS) of fully automated vehicles (2))

4.1.   

Rationale for the selection of test scenarios

4.2.   

Selected test scenarios

4.3.   

Test reports

4.3.1.   

Test No (add as many as the tests performed)

4.3.1.1.   

Objectives of the test

4.3.1.2.   

Test conditions

4.3.1.3.   

Measured quantities and measuring devices

4.3.1.4.   

Acceptability criteria

4.3.1.5.   

Test results

4.3.1.6.   

Comparison with the manufacturer’s supplied documentation

5.   

Verification of ADS safety concept under failure (referred to in point 4.1.2. of Annex III Part 2 to Implementing Regulation (EU) 2022/1426)

5.1.   

Rationale for the selection of test scenarios

5.2.   

Selected test scenarios

5.3.   

Test reports

5.3.1.   

Test No (add as many as the tests performed)

5.3.1.1.   

Objectives of the test

5.3.1.2.   

Test conditions

5.3.1.3.   

Measured quantities and measuring devices

5.3.1.4.   

Acceptability criteria

5.3.1.5.   

Test results

5.3.1.6.   

Comparison with the manufacturer’s supplied documentation

6.   

Safety management system certificate (shall be appended to this test report)

7.   

Date of the assessment

8.   

Final judgement on the safety assessment outcome

9.   

This assessment has been carried out and the results reported in accordance with Implementing Regulation (EU) 2022/1426

Technical Service carrying out the assessment

Signed: ...

Date: ...

10.   

Comments:

Appendix 2

Model of the ADS assessment results to be annexed to the type-approval certificate

1.   

Identification

1.1.   

Vehicle make

1.2.   

Vehicle Type

1.3.   

Means of identification of vehicle type if marked on the vehicle

1.4.   

Location of that marking

1.5.   

Manufacturer’s name and address

1.6.   

If applicable, name and address of manufacturer’s representative

1.7.   

Manufacturer’s formal documentation package

Documentation reference No:

Date of original issue:

Date of latest update:

2.   

Assessment method

2.1.   

Description of the assessment processes and methodologies

2.2.   

Acceptability criteria

3.   

Verification of ADS functions under non-failure conditions (referred to in point 4.1.1. of Annex III Part 2 to Implementing Regulation (EU) 2022/1426)

3.1.   

Rationale for the selection of test scenarios

3.2.   

Selected test scenarios

4.   

Verification of ADS safety concept under single failure (referred to in point 4.1.2. of Annex III Part 2 to Implementing Regulation (EU) 2022/1426)

4.1.   

Rationale for the selection of test scenarios

4.2.   

Selected test scenarios

5.   

Assessment results

5.1.   

Results of the review of the Information Document

5.2.   

Results of the verification of ADS functions under non-failure conditions

5.3.   

Results of the verification of ADS safety concept under single failure

5.4.   

Results of the assessment of the Safety Management System

5.5.   

Results of the verification of provisions for the periodic roadworthiness tests

6.   

Final judgement on the safety assessment outcome

Appendix 3

Model of Manufacturer’s Declaration of Compliance for SMS

Manufacturer’s declaration of compliance with the requirements for the Safety Management System

Manufacturer’s Name:

Manufacturer’s Address:

…(Manufacturer’s Name) attests that the necessary processes to comply with the requirements for the Safety Management System laid down in Implementing Regulation (EU) 2022/1426 are installed and will be maintained.

Done at: … (place)

Date:

Name of the signatory:

Function of the signatory:

(Stamp and signature of the manufacturer’s representative)

Appendix 4

Model of Certificate of Compliance for SMS

Certificate of Compliance for Safety Management System

With Implementing Regulation (EU) 2022/1426

Certificate number [Reference number]

[… Type-approval authority]

Certifies that

Manufacturer: ...

Address of the manufacturer:

complies with the provisions of Implementing Regulation (EU) 2022/1426

Checks have been performed on:

by (name and address of the type-approval authority or Technical Service):

Number of report:...

The certificate is valid until [...Date]

Done at [...Place]

On [...Date]

[...Signature]

Attachments: description of the Safety Management System by the manufacturer.

PART 3

TESTS

1.   General provisions

Pass- and fail-criteria to assess ADS safety shall be based on the requirements set out in Annex II and the scenario described in Part 1 of this annex. The requirements are defined in such a way that the pass/fail criteria can be derived not only for a specific set of test parameters, but also for all safety-relevant combinations of parameters that may occur in the operating conditions covered by the type approval and the specified operating range (e.g., speed range, longitudinal and transverse acceleration range, radii of curvature, brightness, number of lanes). For conditions not tested but that may occur within the defined ODD of the system, the manufacturer shall demonstrate as part of the assessment described in Part 2 to the satisfaction of the type-approval authority, that the vehicle is safely controlled.

These tests shall confirm the minimum performance requirements described in Annex II and the functionality of the ADS and the safety concept of the manufacturer as described in Part 2 of this Annex. Test results shall be documented and reported in accordance with point 6 of Part 2 of this annex.

These tests shall also confirm that the ADS complies with the traffic rules, adapts its operations to environmental conditions, avoids disruption to the flow of traffic (e.g. blocking the lane because of too many MRMs), does not show unpredictable behaviour and shows reasonable cooperative and anticipatory behaviour in relevant situations (i.e. merging in dense traffic or in vicinity of vulnerable road users).

2.   Test site

The test site shall comprise characteristics (example: friction value) that correspond to the specified ODD of the ADS. As necessary to apply the specific conditions of the ODD of the ADS, physical tests will be performed within the actual ODD (on-road) or at any test facility that replicates the ODD conditions and shall be determined by the manufacturer and the type approval authority. The ADS shall be tested on-road in accordance with the applicable law of the Member States and provided that tests can be carried out safely and without any risk to other road users.

3.   Environmental conditions

Tests shall be carried out under different environmental conditions, within the limits of the defined ODD for the ADS. For environmental conditions not tested that may occur within the defined ODD, the manufacturer shall demonstrate as part of the assessment to the satisfaction of the type-approval authority that the vehicle is safely controlled.

To test the requirements for failure of functions, self-testing of the ADS and initiation and implementation of a minimal risk manoeuvre, errors may be artificially induced and the vehicle may be artificially brought into situations where it reaches the limits of the defined operating range (e.g., environmental conditions).

4.   System modifications for testing purposes

If ADS modifications are required in order to allow testing, e.g. road type assessment criteria or road type information (map data), it shall be ensured that these modifications do not affect the test results. These modifications shall in principle be documented and annexed to the test report. The description and the evidence of influence (if any) of these modifications shall be documented and annexed to the test report.

5.   Vehicle conditions

5.1.

Test mass

The subject vehicle shall be tested with any permissible vehicle load. No load alteration shall be made once the test procedure has begun. The manufacturer shall demonstrate, through the use of documentation, that the ADS works at all load conditions.

5.2.

The subject vehicle shall be tested at the tyre pressure recommended by the manufacturer.

5.3.

It shall be verified that the condition of the system is according to the intended testing purpose (e.g. in a fault-free condition or with the specific faults to be tested).

6.   Test tools

In addition to real vehicles, state-of-the-art test tools may be used to carry out the tests, replacing real vehicles and other road users (e.g., soft targets, mobile platforms, etc.). The replacement test tools shall comply with the characteristics relevant for sensory performance assessment, real vehicles and other traffic participants. Tests shall not be carried out in a way that would endanger the personnel involved, and significant damage of the vehicle being tested must be avoided where other means of validation are available.

7.   Test parameter variation

The manufacturer shall declare the system boundaries to the type-approval authority. The type-approval authority shall define different combinations of test parameters (e.g. present speed of the vehicle, type and offset of target, curvature of lane, etc.) in order to test the ADS. The selected test cases shall provide sufficient test coverage for all scenarios, test parameters and environmental influences. Adequate robustness of the perception systems for the ADS against input/sensor data malfunction and adverse environmental conditions shall be demonstrated.

Test parameters selected by the type-approval authority shall be recorded in a test report in a manner that allows traceability and repeatability of the test setup.

8.   Test scenarios to assess the performance of the ADS on a test track (points 8.1., 8.2., 8.5, 8.6, 8.7, 8.8, 8.9.) and on-road (8.3., 8.4., 8.10.)

The scenarios included in the following points have to be considered a minimum set of tests. At the request of the type-approval authority, additional scenarios that are part of the ODD can be executed. If a scenario described in point 8 of this annex does not belong to the ODD of the vehicle, it shall not be taken into consideration.

Depending on the ODD, test scenarios shall be selected as part of the type-approval test. The test scenarios shall be selected in accordance with Part 1 of this annex. Type-approval testing may be carried out on the basis of simulations, manoeuvres on the test track and driving tests on real road traffic. However, it may not be based solely on computer simulations and at the time of type-approval, the type-approval authority shall conduct or shall witness at least the following tests to assess the behaviour of the ADS.

8.1.   Lane keeping

The test shall demonstrate that the fully automated vehicle does not leave its lane and maintains a stable motion inside its lane across the speed range and different curvatures within its system boundaries.

8.1.1.

The test shall be based on the ODD of the ADS and shall be executed at least:

a)

with a minimum test duration of 5 minutes;

b)

with a passenger car target as well as a power-two-wheeler (PTW) target as the other vehicle;

c)

with a lead vehicle swerving in the lane; and

d)

with another vehicle driving close beside in the adjacent lane.

8.2.   Lane changing manoeuvre (LCM)

The tests shall demonstrate that the fully automated vehicle does not cause an unreasonable risk to safety of the vehicle occupants and other road users during a lane change procedure, and that the ADS is able to assess the criticality of the situation before starting the lane change manoeuvre (LCM) throughout the entire operational speed range. These tests are only required if the fully automated vehicle is capable of performing lane changes either during a Minimal risk manoeuvre or during regular operation.

8.2.1.

The following tests shall be executed:

a)

with the fully automated vehicle performing lane change to the adjacent (target) lane;

b)

merging at lane end;

c)

merging into an occupied lane.

8.2.2.

The tests shall be executed at least:

a)

with different vehicles, including a power two-wheeler (PTW) approaching from the rear;

b)

in a scenario where it is possible to execute a lane changing manoeuvre in regular operation;

c)

in a scenario where a lane changing manoeuvre in regular operation is not possible due to a vehicle approaching from the rear;

d)

with an equally fast vehicle following behind in the adjacent lane, preventing a lane change;

e)

with a vehicle driving beside in the adjacent lane preventing a lane change;

f)

in a scenario where a LCM during a minimal risk manoeuvre is possible and executed;

g)

in a scenario where the fully automated vehicle reacts to another vehicle that starts changing into the same space within the target lane, to avoid a potential risk of collision.

8.3.   Response to different road geometries

These tests shall ensure that the fully automated vehicle detects and adapts to a variation of different road geometries which can occur within the intended ODD across its whole speed range.

8.3.1.

The test shall be executed with at least the list of scenarios below based on the ODD of the ADS:

a)

T-junctions (3-way intersections) with and without traffic lights, with different rights of way;

b)

crossroads (4 or more way intersections) with and without traffic lights, with different rights of way;

c)

roundabouts.

8.3.2.

Each test shall be executed at least:

a)

without a lead vehicle;

b)

with a passenger car target as well as a PTW target as the lead vehicle/other vehicle;

c)

with and without approaching or passing vehicles.

8.4.   Response to national traffic rules and road infrastructure

These tests shall ensure that the fully automated vehicle complies with national traffic rules and that it adapts to various permanent and temporary changes of the road infrastructure (e.g. road construction sites) in the entire speed range.

8.4.1.

The tests shall be executed with at least the list of scenarios below that are relevant for the ODD of the ADS:

a)

different speed limit signs, so that the ADS has to change its speed according to the indicated values;

b)

signal lights and/or stop instructed by a road safety officer/enforcement agents with situations of going straight, turning left and right;

c)

pedestrian and cyclist crossings with and without pedestrians/cyclist approaching/on the road.

d)

temporary modifications: e.g., road maintenance operations indicated by traffic signs, cones and other signalisation, access restrictions.

e)

motorway entry, exit and toll stations.

8.4.2.

Each test shall be executed at least:

a)

without a lead vehicle;

b)

with a passenger car target as well as a PTW target as the lead vehicle/other vehicle.

8.5.   Collision avoidance: Avoid a collision with road users or objects blocking the lane

The test shall demonstrate that the fully automated vehicle avoids a collision with a stationary vehicle, road user or fully or partially blocked lane up to the maximum specified speed of the ADS.

8.5.1.

This test shall be executed at least with the following scenarios, where relevant in the ODD:

a)

with a stationary passenger car target;

b)

with a stationary PTW target;

c)

with a stationary pedestrian target;

d)

with a pedestrian target crossing the lane with a speed of 5 km/h, also in the presence of other objects relevant in the ODD (e.g. a ball, a shopping bag, etc.);

e)

with a pedestrian target moving at a speed of up to 5 km/h within and partially occupying the lane of the ADS and following the same or the opposite direction of the fully automated vehicle;

f)

with a pedestrian target swerving in the same lane of the fully automated vehicle;

g)

with a cyclist target crossing the lane with a speed of 15 km/h;

h)

with a cyclist target which is travelling in the same direction with a speed of 15 km/h;

i)

with the fully automated vehicle turning right and crossing the path of the cyclist travelling in the same direction with a speed of 15 km/h;

j)

with a target representing a blocked lane;

k)

with a target partially within the lane;

l)

with one or more different types of unpassable objects relevant in the ODD (e.g., a dustbin, a fallen bicycle or scooter, a fallen traffic sign, a stationary or moving ball, etc.);

m)

with multiple consecutive obstacles blocking the lane relevant in the ODD (e.g., in the following order: ego-vehicle – motorcycle – car);

n)

on a curved section of road.

8.6.   Avoid emergency braking before a passable object in the lane. A ‘passable object’ is such an object, that may be rolled over without causing an unreasonable risk to the vehicle occupants or other road users.

The test shall demonstrate that the fully automated vehicle is not initiating an Emergency Braking with a deceleration demand greater than 5 m/s² due to a passable object in the lane relevant for the ODD (e.g., a manhole lid or a small branch) up to the maximum specified speed of the ADS.

8.6.1.

This test shall be executed at least with the following scenarios, where relevant in the ODD:

a)

without a lead vehicle;

b)

with a passenger car target as well as a PTW target as the lead vehicle/other vehicle.

8.7.   Following a lead vehicle

The test shall demonstrate that the fully automated vehicle is able to maintain and restore a stable motion and a safety distance to a vehicle in front and is able to avoid a collision with a lead vehicle which decelerates up to its maximum deceleration.

8.7.1.

This test shall be executed at least with the following scenarios, where relevant in the ODD:

a)

across the entire speed range of the fully automated vehicle;

b)

using a passenger car target, a PTW target as well as a bicycle target as lead vehicle, provided standardised PTW targets suitable to safely perform the test are available;

c)

for constant and varying lead vehicle velocities (realistic speed profile);

d)

for straight and curved sections of road;

e)

for different lateral positions of lead vehicle in the lane;

f)

with a deceleration of the lead vehicle of at least 6 m/s² mean fully developed deceleration until standstill.

8.8.   Lane change of another vehicle into lane (cut-in)

The test shall demonstrate that the fully automated vehicle is capable of avoiding a collision with a vehicle or other road user cutting into the lane of the fully automated vehicle up to a certain criticality of the cut-in manoeuvre.

8.8.1.

The criticality of the cut-in manoeuvre shall be determined according to the provisions introduced in Part 1 of this annex and depending on the distance between the rear-most point of the cutting-in vehicle and front-most point of the fully automated vehicle.

8.8.2.

The test shall be executed at least with the following scenarios, where relevant for the ODD:

a)

with different TTC, distance and relative velocity values of the cut-in manoeuvre, covering types of cut-in scenarios in which a collision can be avoided and those in which a collision cannot be avoided;

b)

with cutting-in vehicles travelling at constant longitudinal speed, accelerating and decelerating;

c)

with different lateral velocities, lateral accelerations of the cut-in vehicle;

d)

with a passenger car, PTW as well as bicycle targets as the cutting-in vehicle, provided standardised PTW targets suitable to safely perform the test are available.

8.9.   Stationary obstacle after lane change of the lead vehicle (cut-out)

The test shall demonstrate that the fully automated vehicle is capable of avoiding a collision with a stationary vehicle, road user or blocked lane that becomes visible after a preceding vehicle avoided a collision by an evasive manoeuvre. The test shall be based on the requirements set out in Annex II and scenario parameters in Part 1 of this annex. For conditions not tested that may occur within the defined operating range of the vehicle, the manufacturer shall demonstrate as part of the assessment described in Annex III, Part 2 to the satisfaction of the relevant authorities that the vehicle is safely controlled.

8.9.1.

The test shall be executed at least with the following scenarios, where relevant for the ODD:

a)

with a stationary passenger car target centred in lane;

b)

with a PTW target centred in lane;

c)

with a stationary pedestrian target centred in lane;

d)

with a target representing a blocked lane centred in lane;

e)

with multiple consecutive obstacles blocking the lane (e.g. in the following order: ego-vehicle – lane change vehicle – motorcycle – car).

8.10.   Parking

The test shall demonstrate that the ADS is able to park in different parking spaces and parking layouts under different conditions; and that during the parking manoeuvre it is not causing damage to the surrounding objects, road users and itself.

8.10.1.

The test shall be executed at least with the following scenarios, where relevant for the ODD:

(a)

with parking spaces parallel and perpendicular to the road;

(b)

on even and slant surfaces;

(c)

with other vehicles in the surrounding parking spaces, including PTWs and bicycles;

(d)

parking to parking spaces with different geometrical dimensions;

(e)

on different road slope angles;

(f)

with another vehicle cutting in to the parking space during the parking manoeuvre.

8.11.   Navigating in a parking facility

The test shall demonstrate that the ADS is able to handle the low driving speed and the general lack of visibility that may occur in a parking.

8.11.1.

The test shall be executed at least with the following scenarios, where relevant for the ODD:

a)

with an initially obstructed pedestrian target crossing the path of the fully automated vehicle with a speed of 5 km/h.

b)

with a vehicle driving out of a parking place in front of the fully automated vehicle.

c)

with a stationary obstacle in the path of the fully automated vehicle.

d)

with different paths, where the infrastructure is obstructing the field of view.

e)

with a small obstacle on the floor after a ramp obstructed by other objects in the path of the fully automated vehicle.

8.12.   Specific scenarios for motorway

8.12.1.

Motorway entry

The test shall demonstrate that the ADS is able to safely enter the motorway.

8.12.1.1.

The test shall be executed at least with the following scenarios, where relevant for the ODD:

a)

with different vehicles, including a PTW approaching from the rear;

b)

with vehicles approaching with different speed from the rear;

c)

with a platoon of vehicles driving beside in the adjacent lane.

8.12.2.

Motorway exit

The test shall demonstrate that the ADS is able to safely exit the motorway.

8.12.2.1.

The test shall be executed at least with the following scenarios, where relevant for the ODD:

a)

without a lead vehicle;

b)

with a passenger car target as well as a PTW target as the lead vehicle/other vehicle.

c)

with other vehicle(s) or obstacle(s) blocking the motorway exit.

8.12.3.

Toll station

The test shall demonstrate that the ADS is able to select the proper passing gate, and adapt its speed to that permitted within the toll area.

8.12.3.1.

The test shall be executed at least with the following scenarios, where relevant for the ODD:

a)

with and without a lead vehicle;

b)

with other vehicles blocking the passing gate(s);

c)

with closed and opened passing gates.

d)

with different permitted speeds in the toll area.

8.13.   For dual mode vehicles, transition between the manual driving mode and the fully automated mode.

The test shall demonstrate that the ADS takes over the DDT in a safe manner and only when the vehicle is at standstill.

8.13.1.

The test shall be executed at least with the following scenarios, where relevant for the ODD:

a)

with and without human driver present in the vehicle;

b)

with open and closed vehicle doors;

c)

with and without obstacles around the vehicle,

d)

inside and outside of the dedicated parking area, if applicable

8.13.2.

The test shall be executed at least with the following scenarios, where relevant for the ODD:

a)

in a situation where transition is possible and executed;

b)

in a situation where transition is not possible to be executed.

PART 4

PRINCIPLES FOR CREDIBILITY ASSESSMENT FOR USING VIRTUAL TOOLCHAIN IN ADS VALIDATION

1.   General

1.1.

The credibility can be achieved by investigating and assessing five properties of Modelling and Simulation (M&S):

(a)

capability – what can the M&S do, and what the risks are associated with it;

(b)

accuracy – how well does M&S reproduce the target data;

(c)

correctness – how sound & robust are M&S data and algorithms;

(d)

usability – what training and experience is needed.

(e)

fit for purpose – how suitable is the M&S for the ODD and ADS assessment.

1.2.

At the same time, the credibility assessment framework shall be general enough to be used for different M&S types and applications. However, the goal is complicated by the broad differences between ADS features and the variety of M&S types and applications. These considerations require a (risk-based/informed) credibility assessment framework relevant and appropriate to all M&S applications.

1.3.

The credibility assessment framework provides a general description of the main aspects considered for assessing the credibility of an M&S solution together with principles on the role of third-party assessors in the validation process with respect to credibility. Concerning the latter point, the type-approval authority shall investigate the produced documentation supporting credibility at the assessment phase, whereas the actual validation tests occur once the manufacturer has developed the integrated simulation systems.

1.4.

Ultimately, the outcome of the current credibility assessment shall define the envelope in which the virtual tool can be used to support the ADS assessment.

1.5.

The requirements of this part are therefore intended to demonstrate the credibility of any simulation model or virtual toolchain for its use in ADS validation.

2.   Definitions

For the purpose of this annex

2.1.

‘abstraction’ means the process of selecting the essential aspects of a source system or referent system to be represented in a model or simulation, while ignoring non-relevant aspects. Any modelling abstraction carries with it the assumption that it shall not significantly affect the intended uses of the simulation tool.

2.2.

‘closed loop testing’ means a virtual environment that takes the actions of the element-in-the loop into account. Simulated objects respond to the actions of the system (e.g. system interacting with a traffic model).

2.3.

‘deterministic’ means a term describing a system whose evolution over time can be predicted exactly and a given set of input stimuli will always produce the same output.

2.4.

‘driver-in-the-loop (DIL)’ is typically conducted in a driving simulator used for testing the human–automation interaction design. DIL has components for the driver to operate and communicate with the virtual environment.

2.5.

‘Hardware-In-the-Loop (HIL)’ involves the final hardware of a specific vehicle sub-system running the final software with input and output connected to a simulation environment to perform virtual testing. HIL testing provides a way of replicating sensors, actuators and mechanical components in a way that connects all the I/O of the electronic control units (ECU) being tested, long before the final system is integrated.

2.6.

‘model’ is a description or representation of a system, entity, phenomenon, or process.

2.7.

‘model calibration’ is the process of adjusting numerical or modelling parameters in the model to improve agreement with a referent.

2.8.

‘model Parameter’ are numerical values used to support characterizing a system functionality. A model parameter has a value that cannot be observed directly in the real world but that must be inferred from data collected in the real world (in the model calibration phase).

2.9.

‘model-in-the-loop (MIL)’ is an approach which allows quick algorithmic development without involving dedicated hardware. This level of development usually involves high-level abstraction software frameworks running on general-purpose computing systems.

2.10.

‘open loop testing’ means a virtual environment that does not take the actions of the element-in-the loop into account (e.g. system interacting with a recorded traffic situation).

2.11.

‘probabilistic’ is a term pertaining to non-deterministic events, the outcomes of which are described by a measure of likelihood.

2.12.

‘proving ground or test-track’ is a physical testing facility closed to the traffic where the performance of an ADS can be investigated on the real vehicle. Traffic agents can be introduced via sensor stimulation or via dummy devices positioned on the track.

2.13.

‘sensor stimulation’ is a technique whereby artificially generated signals are provided to the element under testing in order to trigger it to produce the result required for verification of the real world, training, maintenance, or for research and development.

2.14.

‘simulation’ is the imitation of the operation of a real-world process or system over time.

2.15.

‘simulation model’ is a model whose input variables vary over time.

2.16.

‘simulation toolchain’ is a combination of simulation tools that are used to support the validation of an ADS.

2.17.

‘software-in-the-loop (SIL)’ is where the implementation of the developed model will be evaluated on general-purpose computing systems. This step can use a complete software implementation very close to the final one. SIL testing is used to describe a test methodology, where executable code such as algorithms (or even an entire controller strategy), is tested within a modelling environment that can help prove or test the software.

2.18.

‘stochastic’ means a process involving or containing a random variable or variables. Pertaining to chance or probability.

2.19.

‘validation of the simulation model’ is the process of determining the degree to which a simulation model is an accurate representation of the real world from the perspective of the intended uses of the tool.

2.20.

‘vehicle-in-the-loop (VIL)’ is a fusion environment of a real testing vehicle in the real-world and a virtual environment. It can reflect vehicle dynamics at the same level as the real-world and it can be operated on a vehicle test bed or on a test track.

2.21.

‘verification of the simulation model’ is the process of determining the extent to which a simulation model or a virtual testing tool is compliant with its requirements and specifications as detailed in its conceptual models, mathematical models, or other constructs.

2.22.

‘virtual testing’ is the process of testing a system using one or more simulation models.

3.   Components of the credibility assessment framework and related documentation requirements

3.1.

The credibility assessment framework introduces a way to assess and report the credibility of M&S based on quality assurance criteria where the levels of confidence in the results can be indicated. In other words, the credibility is established by evaluating the following M&S influencing factors that are considered as main contributors for M&S properties and therefore for the overall M&S credibility: (a) M&S management; (b) team’s experience and expertise; (c) M&S analysis and description; (d) data/input pedigree and (e) verification, validation, uncertainty characterisation. Each of these factors indicates the level of quality achieved by M&S, and the comparison between the obtained levels and the required levels shall determine whether the M&S is credible and fit to use for virtual testing. A graphical representation of the relationship between the components of the credibility assessment framework is shown below.

Image 3

3.2.

Models and simulation management.

3.2.1.

The M&S lifecycle is a dynamic process with frequent releases that shall be monitored and documented. Management activities shall be established to support the M&S in a work product management fashion. Relevant information on the following aspects shall be provided.

3.2.2.

The M&S management process shall:

(a)

Describe the modifications within the releases;

(b)

Designate the corresponding software (e.g., specific software product and version) and hardware arrangement (e.g., XiL configuration);

(c)

Record the internal review processes that accepted the new releases;

(d)

Be supported throughout the full duration of the virtual model utilization.

3.2.3.

Release management.

3.2.3.1.

Any M&S toolchain’s version used to release data for certification purposes shall be stored. The virtual models constituting the testing toolchain shall be documented in terms of the corresponding validation methods and acceptance thresholds to support the overall credibility of the toolchain. The developer shall enforce a method to trace generated data to the corresponding M&S version.

3.2.3.2.

Quality check of virtual data. Data completeness, accuracy, and consistency shall be ensured throughout the releases and lifetime of an M&S toolchain to support the verification and validation procedures.

3.2.4.

Team’s experience and expertise.

3.2.4.1.

Even though experience and expertise (E&E) are already covered in a general sense within the organization, it is important to establish the basis for confidence in the specific E&E for M&S activities.

3.2.4.2.

The credibility of M&S depends not only on the quality of the simulation models but also on the E&E of the personnel involved in the validation and usage of the M&S. For instance, a proper understanding of the limitations and validation domain will prevent the possible misuse of M&S or misinterpretation of its results.

3.2.4.3.

Therefore, it is important to establish the basis for the manufacturer’s confidence in the E&E of:

(a)

The Teams that will validate the simulation toolchain and,

(b)

The Teams that will use the validated simulation for the execution of virtual testing with the purpose of validating the ADS.

3.2.4.4.

A proper management of the team’s E&E increases the level of confidence in the credibility of M&S and its outcomes by ensuring that the human factors behind the M&S are taken into consideration and any possible human component risk is controlled, as is expected in any suitable Management System.

3.2.4.5.

If the manufacturer’s tool chain incorporates or relies upon inputs from organisations or products outside of the manufacturer’s own team, the manufacturer will provide an explanation of measures it has taken to support its confidence in the quality and integrity of those inputs.

3.2.4.6.

Team’s E&E consists of two levels.

3.2.4.6.1.

Organizational level

The credibility is established by setting up processes and procedures to identify and maintain skills, knowledge, and experience to perform M&S activities. The following processes shall be established, maintained and documented:

(i)

Process to identify and evaluate the individual’s competence and skills;

(ii)

Process for training competent personnel to perform M&S-related duties.

3.2.4.6.2.

Team level

Once an M&S has been finalised, its credibility is mainly dictated by the skills and knowledge of the individual/team that will validate the M&S toolchain and use the M&S for the validation of the ADS. Credibility is established by documenting that these teams have received adequate training to fulfil their duties.

The manufacturer shall then:

(i)

provide the basis for the manufacturer’s confidence in the E&E of the individual/team that validates the M&S Toolchain.

(ii)

provide the basis for the manufacturer’s confidence in the E&E of the individual/team that uses the simulation to carry out virtual testing in order to validate the ADS.

The manufacturer’s demonstration of how it applies the principles of ISO 9001 or a similar best practice or standard to ensure the competence of its M&S organization and the individuals in that organisation will be the basis for this determination. The type-approval authority may not substitute its judgment on the E&E of the organisation or its members with that of the manufacturer.

3.2.5.

Data/input pedigree

3.2.5.1.

The data/input pedigree contains a record of traceability from the manufacturer’s data used in the validation of the M&S.

3.2.5.2.

Description of the data used for the M&S