In automated driving and advanced driver assistance, hazard analysis is no longer a paperwork milestone—it is the engineering mechanism that defines what safe enough means when software makes real-time decisions in open traffic. The operational design domain is the other half of that equation: it is the bounded world your system claims it can handle, and every safety argument ultimately reduces to whether the claimed world matches the true capabilities of the vehicle, its sensors, and its decision logic.
An operational design domain is often misunderstood as a simple geofence or a marketing-friendly phrase like highway capable. In practice, the operational design domain ODD is a structured specification of operating conditions: roadway class and geometry, speed ranges, weather and visibility limits, lighting, traffic mix, rules of the road, map dependencies, and even assumptions about work zones, emergency scenes, and roadside behavior.
ISO has formalized shared vocabulary around automated-driving test scenarios and terms, notably ISO 34501:2022, which matters because a safety case collapses quickly when engineering, legal, and regulatory teams mean different things by scenario, fallback, or operational context. Once the ODD is explicit, hazard analysis risk assessment stops being abstract and becomes testable.
Hazards are not only component failures in the traditional functional-safety sense; they also include performance limitations, ambiguous perception, edge-case interactions, and human factors when control transitions occur. That is why modern safety work typically combines ISO 26262:2018 functional safety of E/E systems with ISO 21448:2022 SOTIF—Safety of the Intended Functionality, which focuses on hazards that arise even when everything is not broken, but the intended functionality is still insufficient for the environment.
If the ODD is vague, those standards can be followed faithfully and still yield a false sense of coverage. The regulatory landscape reinforces this coupling between ODD and hazard analysis. UNECE vehicle regulations have pushed manufacturers toward lifecycle management systems that look a lot like operational discipline.
UN Regulation No. 155 on cybersecurity management and UN Regulation No. 156 on software update management both entered into force on January 22, 2021, establishing expectations that extend beyond type-approval snapshots and into continuous monitoring, incident handling, and controlled change. UN Regulation No. 157 ALKS has also evolved through amendments, and the broader signal is clear: as automation advances, authorities increasingly expect defined operating limits, documented safety reasoning, and a controlled process for expanding capability.
Europe's AI governance timeline adds a second pressure line: transparency and lifecycle controls are being formalized not only for vehicles, but for AI as a regulated technology. The EU AI Act Regulation EU 2024/1689 entered into force on August 1, 2024 and, for many obligations, became applicable on August 2, 2026, with staged timelines for specific categories.
In particular, obligations for certain high-risk AI systems embedded in regulated products have their own delayed application timelines including a key milestone on August 2, 2027. For automotive organizations, the pragmatic takeaway is not to debate labels, but to treat ODD definition, dataset governance, change control, and post-market monitoring as core engineering artifacts rather than compliance add-ons.