UST034
2getthere third-generation shuttle | Dossier

prediction, behaviour selection and enactment form a control cycle, each step of which is carried out within a set time to create a deterministic system.

“We have to make sure all the equipment follows that timing – that is a design requirement,” he says. “We have to select computers, sensors and communication networks that comply with that requirement.”

Van der Zwaan says 2getthere writes all its control system software in-house, including the camera image recognition algorithms and the AI that govern the vehicle’s performance.

“We have also studied and benchmarked all types of algorithms, from classical approaches in which you control every step in the processing pipeline to machine learning and neural networks. It became apparent in the past decade that these outperform the classical methods, but the problem is that they work in a ‘black box’.

“You train a neural net and it has very good recognition performance – performance you cannot achieve through conventional approaches – but you don’t know the underlying steps so you can’t control it,” he cautions. “There have been examples where, given a well-known training sample with a little noise added, a neural network made a completely wrong classification.”

He emphasises that the performance of such systems can only be validated empirically, continuously adding to the training set. They therefore cannot be relied on in safety-critical applications or anything that relies on deterministic behaviour.

Deterministic safety path

For that reason, 2getthere’s vehicle architecture features an independent, much simpler and deterministic safety path that keeps an eye on what the performance path described above is doing, stepping in whenever necessary. The path consists of high-integrity hardware and software components certified to automotive standards, particularly ISO 26262, targeting ASIL B up to ASIL D levels.
The current system is based on a pre-certified safety ECU, and the entire application is built from pre-certified blocks. Its operating principle is to protect a predetermined safety volume around the vehicle. If any other object or road user comes within a certain predicted time to collision it will kick in as a last resort to prevent a collision and bring the shuttle safely to a halt. The other kind of circumstance that will bring it into action is if the performance path suffers a functional fault or, even in the absence of a fault, does something potentially dangerous. This is the domain of Safety Of The Intended Functionality (SOTIF) standards, otherwise known as ISO 21448, that apply to AI and machine learning in autonomous vehicles.
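The three intervention conditions described above (an object inside the predicted time to collision, a fault in the performance path, or a dangerous command from it) can be sketched as one monitor step. This is an added example, not 2getthere's code: the thresholds, type names and `safety_step` are assumptions, and a stale command is used here as the stand-in for a functional fault.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

/* All limits are assumed values for illustration, not taken from the article. */
#define TTC_LIMIT_MS       2000   /* intervene below this predicted time to collision */
#define HEARTBEAT_LIMIT_MS  100   /* maximum age of a performance-path command */
#define SPEED_LIMIT_MMPS  11000   /* commanded-speed envelope, mm/s */

typedef enum { SAFE_PASS, SAFE_STOP_TTC, SAFE_STOP_FAULT, SAFE_STOP_ENVELOPE } safety_action;

typedef struct {
    int32_t range_mm;       /* distance to an object in the monitored volume */
    int32_t closing_mmps;   /* closing speed; > 0 means the gap is shrinking */
} track;

typedef struct {
    uint32_t now_ms;          /* monitor clock */
    uint32_t last_cmd_ms;     /* timestamp of the last performance-path command */
    int32_t  cmd_speed_mmps;  /* speed requested by the performance path */
    const track *tracks;      /* caller supplies a fixed-capacity array */
    size_t   n_tracks;
} monitor_input;

/* range/closing < limit, rewritten without division or floating point:
 * range_mm * 1000 < closing_mmps * TTC_LIMIT_MS (64-bit to avoid overflow). */
static bool ttc_violated(const track *t)
{
    if (t->range_mm <= 0) return true;        /* already at the vehicle */
    if (t->closing_mmps <= 0) return false;   /* not approaching */
    return (int64_t)t->range_mm * 1000 < (int64_t)t->closing_mmps * TTC_LIMIT_MS;
}

safety_action safety_step(const monitor_input *in)
{
    /* Unsigned subtraction stays correct when the millisecond clock wraps. */
    if ((uint32_t)(in->now_ms - in->last_cmd_ms) > HEARTBEAT_LIMIT_MS)
        return SAFE_STOP_FAULT;               /* performance path silent or stalled */
    if (in->cmd_speed_mmps < 0 || in->cmd_speed_mmps > SPEED_LIMIT_MMPS)
        return SAFE_STOP_ENVELOPE;            /* no fault, but command is unsafe */
    for (size_t i = 0; i < in->n_tracks; i++)
        if (ttc_violated(&in->tracks[i]))
            return SAFE_STOP_TTC;             /* last-resort stop */
    return SAFE_PASS;                         /* performance path keeps control */
}
```

The monitor never consults the neural network's classification, only range, closing speed and the command itself, so its behaviour does not depend on the black-box component it supervises.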