Lloyd’s Register (LR) has published its follow-up research report on Maritime Autonomous Surface Ships (MASS) highlighting the critical role of the Operational Design Domain (ODD) in defining the specific environmental, geographical and operational conditions under which MASS can safely operate.
The report “Maritime Autonomous Surface Ships (MASS) – Volume 2” emphasises the need for rigorous assurance processes to manage the heightened software complexity and autonomous decision-making challenges inherent in MASS. Additionally, the research also underscores the importance of a well-defined Operational Envelope (OE), which extends the ODD by incorporating system-level configurations, state transitions and human-automation task allocation.
By addressing the ambiguities and proposing a refined OE framework, the report aims to enhance safety, regulatory compliance and stakeholder confidence in the commercial viability of MASS.
Understanding the ODD
ODD is a process that defines the specific conditions under which a vessel – or MASS – is intended to operate safely and has gained significant uptake in the globally heavily invested automotive Connected Autonomous Vehicles (CAV) sector. The result is a sophisticated approach to operational design that emphasises flexibility, adaptability and comprehensive planning. In maritime autonomy adoption, ODD arguably offers the most structured pathway for safe MASS operation, clearly delineating the boundaries – making them traceable – within which it can perform.
Developing the ODD is a precursor to the OE but is placed here in the report to mirror the structure of the MASS Code. It is also important to note that the draft Code does not explicitly require the ODD to be included as part of the information for the MASS Certificate – although it does indirectly state that the OE includes the ODD.
As indicated within the report, the ambiguity of evidencing OE but the certainty of ODD makes the latter the primary model for delivering traceable and bounded evidence for V&V and ultimately regulation. At best, the Code’s identifying ODD as a secondary support element is a shortfall in the recognition of importance.
Understanding the OE
While the ODD specifies the environmental, geographical and situational conditions for which a MASS is designed to function, in contrast, the Code infers the OE as a broader framework, being shaped as a dynamic state space encompassing all permissible conditions of operation.
This approach not only accounts for environmental and operational parameters but also integrates the roles and transitions of human operators with autonomous systems within these conditions. Though this superficially this sounds superior, it introduces ambiguities that are very complex to trace – adding to but complicating assurance.
Comparison based on the MASS Code’s OE interpretation
In the current draft MASS Code framework, the OE is defined at a macro level. This interpretation emphasises external operational factors such as connectivity, traffic conditions and environmental limitations. This conceptualisation is as a broad safety layer that extends the pre-established boundaries of the ODD.
In this view, the ODD provides the fixed parameters – such as geographical limits, weather conditions and predefined scenarios – while the OE is tasked with dynamically managing variations and unanticipated events.
However, this approach tends to conflate external operational conditions with the intrinsic technical performance of MASS systems. Consequently, ambiguities arise during transitions between normal, degraded and fallback states, which, in turn, complicate traceability, risk mitigation and the demonstration of a complete regulatory assurance case.
Comparison based on the new proposed OE interpretation
The proposed new interpretation of the OE adopts a more granular, system-specific framework. It concentrates on the following core aspects:
- Configuration of critical systems: A detailed account of the physical layout, interconnection protocols and integration methods for key components such as navigation, propulsion, power generation, steering and communications.
- Definition of operating states: Clear delineation of normal operating states, accompanied by explicit input/output mappings. This involves setting measurable performance benchmarks for each state.
- Explicit state transitions: Comprehensive descriptions of transitions – both between normal operating states and from normal to degraded states. The approach specifies thresholds and criteria that signal degradation and triggers for fallback modes.
According to Lloyd’s Register, this revised interpretation segregates technical criteria from broader environmental factors, ensuring that the ODD remains the definitive baseline for operational boundaries. The new OE framework, therefore, reinforces the traceability and repeatability of the verification and validation (V&V) process by establishing direct linkages between system performance metrics and defined operational states.
While the draft Code’s underlying logic has served as a valuable starting point, it has become evident that a refined approach is necessary to meet the evolving demands of autonomy. The proposed interpretation of ODD and the newly defined OE addresses key limitations inherent in the Code’s current methodology.
Furthermore, by introducing technical specificity through the precise definition of every system state and transition, ambiguities that have previously complicated assurance and regulatory evidence are effectively eliminated.
By clearly delineating technical performance aspects from broader environmental conditions, the new OE provides a solid, traceable foundation that enhances safety and facilitates a more robust verification process.
