The Operational Design Domain (ODD) is an important concept for the safety of systems that utilize machine-learning (ML) components. It defines the operating conditions under which the ML component is expected to function correctly. This allows the system to monitor the component’s ODD satisfaction and activate or deactivate the ML component accordingly. Similar concepts exist for other system components such as sensors and controllers, which also have defined conditions or operational envelopes within which they can safely operate. A new challenge arises when multiple data producers, such as sensors or ML components, provide the same type of input but have different ODDs that may only partially overlap. During operation, the system and its environment may satisfy none, one, or several of these ODDs. However, it may not be allowed or safe to operate all data producers simultaneously. For instance, consider a set of ML components, each trained to detect persons in camera images on training data from a different flight altitude. During operation, the system must pick the ML component that best fits the current conditions. In this paper, we formalize ODDs and present a method to infer an automatic selection mechanism that guarantees, for all possible system executions, that the system chooses a data producer that satisfies its ODD in the next step. Therefore, the system will always receive valid inputs if they exist while minimizing the number of active data producers. We then discuss the automatic selection for an automatic landing, where the selection is used to switch between different sensors and also between different specialized ML components. The main benefit of the selection mechanism is that it enables safe switching between data producers based on their ODDs, keeping the system within resource limits when not all data producers can be active at the same time, and improving overall resource consumption by activating only the necessary data producers.
Torens et al. (Thu,) studied this question.
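
The selection problem described above can be illustrated with the altitude example. The sketch below is an added illustration, not the paper's formalization or algorithm. It assumes each ODD is a closed altitude interval, that altitude changes by at most `max_delta` per step, and that the detector names and interval values are constructed for the example.

```python
from itertools import combinations

# Constructed sample ODDs: altitude ranges in metres for three
# hypothetical person detectors (names and values are assumptions).
ODDS = {
    "det_low": (0.0, 30.0),
    "det_mid": (20.0, 80.0),
    "det_high": (70.0, 150.0),
}

def reachable(alt, max_delta):
    """Altitudes the system may have in the next step (assumed bounded rate)."""
    return (max(0.0, alt - max_delta), alt + max_delta)

def covers(active, lo, hi, odds):
    """True if the union of the active ODD intervals covers [lo, hi]."""
    point = lo
    for start, end in sorted(odds[name] for name in active):
        if start > point:
            return False  # gap: some reachable altitude has no valid producer
        point = max(point, end)
        if point >= hi:
            return True
    return point >= hi

def select(alt, max_delta, odds=ODDS):
    """Smallest producer set whose ODDs cover every possible next altitude.

    Returns None when no combination can guarantee a valid input, which the
    surrounding system must treat as leaving the combined ODD.
    """
    lo, hi = reachable(alt, max_delta)
    names = sorted(odds)
    for size in range(1, len(names) + 1):
        for combo in combinations(names, size):
            if covers(combo, lo, hi, odds):
                return set(combo)
    return None

if __name__ == "__main__":
    for altitude in (10.0, 25.0, 50.0, 145.0):
        print(altitude, select(altitude, max_delta=10.0))
```

Near an ODD boundary the selection activates two detectors so that a valid one exists whichever way the altitude moves, and it drops back to one once the reachable range lies inside a single ODD.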