We took some time out recently to catch up with Michael Pont, Executive Director at SafeTTy Systems. Michael chats to us about the changes in demand for TT systems, complexity management challenges, and insights from his book “The Engineering of Reliable Embedded Systems.”
You have been working in the field of time-triggered (TT) embedded systems for more than 25 years. How much of this work has been directly related to automotive?
I’ve supported the development of safety-related embedded systems in a range of sectors over the years, including industrial control, civilian aircraft, space and medical. I began my first major TT project in the automotive sector around 15 years ago. Since this time, I have seen two step-changes in demand for TT systems in this sector.
The first step-change came in the lead up to the publication of the first edition of the international standard ISO 26262 in 2011. At this time, many organisations realised that they needed to be able to provide evidence that the vehicles or automotive components that they were producing had been ‘designed for safety’. TT architectures provide a highly-effective way of achieving this.
The second step-change came in the last few years as people became interested in ADAS / AV designs. At this point, the complexity of automotive designs increased very significantly, and I saw further demand for cost-effective TT designs as a means of improving confidence in the safety of such systems.
The end result is that – at the present time – around 60% of my work is in the automotive sector.
What have you learnt in working in other areas of Embedded Systems that can be applied to automotive?
My main goal is to help organisations to produce systems where we can be confident about safety. The key thing that I have learned from different sectors – particularly the aerospace sector – is the importance of having what is sometimes called a ‘safety culture’ in any organisation that wishes to achieve this goal. For me, a safety culture relies on having good people throughout an organisation who are not afraid to question design decisions that – in their view – may have a negative impact on safety.
I think it’s important to add that this is no longer simply a question about the lessons that automotive organisations can learn from other sectors. The ADAS / AV designs that automotive organisations are currently involved with present safety challenges that are – in my view – greater than those faced in many aerospace designs. Over the next few years, I would expect to see experienced automotive designers providing advice in many other sectors.
What is the main challenge that faces many ADAS / AV projects?
If I had to sum up the main challenge that I have encountered in recent ADAS / AV projects, I’d use the phrase ‘complexity management’. In current ADAS / AV designs, high complexity may arise (for example) from the sensors, from the integration of sensor outputs, and from the use of highly-adaptive machine-learning technologies to control at least some of the vehicle operations.
The end result – as some recent incidents during the operation or trials of ADAS / AV designs on public roads have revealed – is that we cannot always be sure that we know exactly how the vehicle will behave when it encounters a situation that it has not seen before. This is a challenge that must be fully addressed if we are to be confident about the safety of ADAS / AV designs over the next decade.
How would you recommend that project managers overcome this challenge?
A little earlier you asked me what the automotive sector could learn from designers in other sectors. If we go back to thinking about the traditional approach to ensuring safety in the aerospace sector, we can see two main approaches. The first was to ensure fully-deterministic behaviour from the design. The second was to include a human in the cockpit to provide a ‘backup’ if (for example) the autopilot failed or some other problem was detected with the aircraft. In the automotive sector, in my view, the complexity of the hardware and software needed to implement ADAS / AV designs means that fully deterministic behaviour is simply not possible. In addition, when driving on a motorway, we have only around 50 ms to respond to the failure of a vehicle system – relying on a person to take control within the required timescale is only very rarely going to be a sensible option.
From this starting point, we are left with the conclusions that we need to have an independent means of monitoring our complex ADAS / AV designs at run-time, and that this monitoring system needs to be able to take over control if a failure of the vehicle is detected. Note that the failures that occur in the vehicle may not simply relate to the ADAS / AV design (it could be something as simple as a puncture or a problem with a wheel bearing).
You have authored a number of books. The Engineering of Reliable Embedded Systems is one of your titles – what would the automotive community get from this book?
The second edition of ‘The Engineering of Reliable Embedded Systems’ (ERES2) was published in 2016. This book documents an industry-proven approach to the development of software for reliable, real-time embedded systems, based on the use of second-generation ‘Time Triggered’ (TT) architectures. What distinguishes TT approaches is that it is possible to model the expected system behaviour precisely. This means that: [i] during the development process, we can demonstrate that all of the requirements have been met; and [ii] at run time, we can detect problems very quickly. The end result is that we can have a high level of confidence that a TT system will either: [i] operate precisely as required; or [ii] move into an appropriate state if a problem occurs.
You asked about the benefits that the automotive community would get from this book. As I noted in my answer to a previous question, obtaining fully deterministic behaviour from complex ADAS / AV systems is not always possible, and some form of monitoring (and backup) system will be required in the majority of designs. One way in which the techniques presented in ERES2 can be used in the automotive sector is in the development of a ‘TT Wrapper’: this is a monitoring unit that is used to improve confidence in the safe operation of another complex component or system, such as a highly-adaptive ADAS / AV controller or a related sensor. I have been seeing a great deal of interest in the use of TT Wrappers in this way in the automotive community in the past 12-18 months.
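The two ideas above, a run-time monitor that is independent of the complex component and takes over control when a failure is detected, and a TT architecture whose expected behaviour can be modelled precisely, can be illustrated with a small simulation. The code below is an added example written for this page; it is not from the interview, from ERES2 or from SafeTTy Systems. A static schedule table is the model of expected behaviour, a monitor compares each task's actual execution time against its budget (and the tick's total load against the tick length), and any deviation moves the system into a safe mode where only a simple fallback task runs. The 10 ms tick, the task names, periods, budgets and the fault-injection point are all assumed values constructed for the example, and the "measured" execution times are returned by the simulated tasks rather than read from a timer.

```c
/* Simulation of a time-triggered co-operative (TTC) schedule with an
 * independent monitor acting as a "TT wrapper". Added example: all task
 * names, periods, budgets and timings below are assumed, constructed values. */
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define TICK_US   10000u   /* 10 ms scheduler tick (assumed) */
#define NUM_TASKS 2u

typedef enum { MODE_NORMAL = 0, MODE_SAFE = 1 } sys_mode_t;

/* One entry of the static schedule table: the model of expected behaviour. */
typedef struct {
    const char *name;
    uint32_t (*run)(uint32_t tick);  /* returns simulated execution time (us) */
    uint32_t period_ticks;
    uint32_t offset_ticks;
    uint32_t wcet_us;                /* execution-time budget the monitor enforces */
} task_t;

/* Fault-injection point (constructed): from this tick on, the "adaptive"
 * controller overruns its budget, standing in for unexpected behaviour. */
static uint32_t g_fault_tick = UINT32_MAX;

/* Constructed tasks: sensor sampling and a complex controller. */
static uint32_t task_sensor(uint32_t tick)  { (void)tick; return 300u; }
static uint32_t task_control(uint32_t tick) { return (tick >= g_fault_tick) ? 1500u : 800u; }
/* Simple fallback the wrapper runs after taking over (e.g. a controlled stop). */
static uint32_t task_fallback(uint32_t tick) { (void)tick; return 200u; }

static const task_t g_schedule[NUM_TASKS] = {
    { "sensor",  task_sensor,  1u, 0u, 500u  },   /* every tick */
    { "control", task_control, 2u, 1u, 1000u },   /* every 2nd tick, odd ticks */
};

static bool task_due(const task_t *t, uint32_t tick) {
    return tick >= t->offset_ticks &&
           ((tick - t->offset_ticks) % t->period_ticks) == 0u;
}

/* Monitor: accumulates the tick's load and returns false on any deviation
 * from the model (task over budget, or tick overloaded). */
static bool monitor_check(const task_t *t, uint32_t exec_us, uint32_t *tick_load_us) {
    *tick_load_us += exec_us;
    return exec_us <= t->wcet_us && *tick_load_us <= TICK_US;
}

/* Runs `ticks` ticks of the schedule with a fault injected at `fault_tick`.
 * Returns the tick at which the monitor switched to MODE_SAFE, or UINT32_MAX
 * if the schedule ran to completion without any deviation. */
uint32_t run_schedule(uint32_t ticks, uint32_t fault_tick) {
    sys_mode_t mode = MODE_NORMAL;
    uint32_t safe_entry_tick = UINT32_MAX;
    g_fault_tick = fault_tick;

    for (uint32_t tick = 0; tick < ticks; tick++) {
        uint32_t load_us = 0;
        if (mode == MODE_SAFE) {
            /* The wrapper has taken over: the complex controller no longer runs. */
            (void)task_fallback(tick);
            continue;
        }
        for (uint32_t i = 0; i < NUM_TASKS; i++) {
            const task_t *t = &g_schedule[i];
            if (!task_due(t, tick)) continue;
            uint32_t exec_us = t->run(tick);
            if (!monitor_check(t, exec_us, &load_us)) {
                mode = MODE_SAFE;        /* take over control in the same tick */
                safe_entry_tick = tick;
                break;
            }
        }
    }
    return safe_entry_tick;
}

int main(void) {
    printf("no fault:         safe-mode entry tick = %" PRIu32 "\n", run_schedule(100u, UINT32_MAX));
    printf("fault at tick 40: safe-mode entry tick = %" PRIu32 "\n", run_schedule(100u, 40u));
    return 0;
}
```

With the fault injected at tick 40, the controller next runs at tick 41 (its schedule is odd ticks only) and the monitor detects the overrun in that same tick, i.e. within one 10 ms tick in this model, which is inside the 50 ms window mentioned earlier. Two points matter in a real design and are deliberately simplified here: the monitor should measure execution time from its own independent timer rather than trust a value reported by the task it is checking, and it should sit on hardware that the monitored component cannot interfere with, so that a failure of the complex component cannot also disable the wrapper.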
What are you most looking forward to about presenting at AutoSens?
As I have tried to make clear in some of my previous answers, I think that the development of safe ADAS / AV designs presents a huge challenge for engineers and organisations around the world. I believe that the AutoSens event in Brussels will provide an excellent opportunity for discussions about this matter. Such discussions should help to improve the safety culture across this industry. Some of my automotive customers have also been invited to present at the AutoSens event, and I look forward to hearing what they have to say. In addition, I hope to have the opportunity to meet some new organisations that I may be able to support in the future with state-of-the-art ‘Time Triggered’ technology.
If you want to hear more from Michael Pont, you can watch him presenting at AutoSens Brussels on “Improving confidence in the safety of ADAS and AV designs that incorporate ‘unqualified’ software or hardware components.”