Operational Design Domain (ODD) framework for driver-automation integrated systems
Massachusetts Institute of Technology. Department of Aeronautics and Astronautics.
R. John Hansman, Jr. and Julie A. Shah.
Current driving automation systems have technical limitations that restrict their capability. Because of these limitations, the Society of Automotive Engineers (SAE) proposed the concept of the Operational Design Domain (ODD), which defines the conditions under which a given driving automation system is designed to function. However, there is not yet a clear standard or a systematic process for evaluating an automation system to determine its ODD. In addition, inappropriate use of the automation outside the ODD may result in accidents. This thesis had the following research objectives: 1) to develop a framework and methodology to define the ODD with a principled basis to determine the ODD of driving automation systems, and 2) to understand how human operators make use decisions in order to support adequate management of the ODD.
A risk-based framework was developed, leveraging traditional risk theory, to formally provide a threshold that defines the ODD in terms of the risk related to an automation system's failure to perform its intended function. Based on this framework, the thesis developed a methodology to determine the ODD by identifying the key dimensions of the conditional hyperspace and the boundary that demarcates the sets of conditions with an acceptable level of risk. The method identifies the relevant conditions that become the dimensions of the conditional hyperspace in which the ODD boundary is determined. The methodology was applied to a simple forward collision avoidance system in order to demonstrate the use of the proposed framework. Once an ODD is determined for a driving automation system, it must be adequately managed so that use of the automation outside the ODD is avoided.
The key role of ODD management is to observe available information and assess whether the observed conditions are inside or outside the ODD. This role may be performed automatically by the system (for SAE Level 3 or 4 systems) or by the human operator (for SAE Level 1 or 2 systems). An analysis of recent accidents involving failures of driving automation systems and the literature on the human cognition process were used to investigate how human operators perform ODD management. A model was developed and used to identify potential failure modes of human ODD management. These include: 1) inability to observe relevant states indicating an ODD violation, 2) failure to observe relevant states indicating an ODD violation, and 3) ignorance of the ODD states resulting in an ODD violation. These failure categories were explored to identify potential causes, including: lack of observability of the ODD conditions, drivers' over-trust in automation, lack of understanding of the automation or ODD, and inaccurate projection of future conditions. Based on this, a set of recommendations for improving driver-automation integrated systems in ways that support better ODD management is suggested.
Thesis: E.A.A., Massachusetts Institute of Technology, Department of Aeronautics and Astronautics, September, 2020. Cataloged from student-submitted PDF of thesis. Includes bibliographical references (pages 77-80).
Department: Massachusetts Institute of Technology. Department of Aeronautics and Astronautics
Massachusetts Institute of Technology
Aeronautics and Astronautics.