Paving the way for safe Autonomous Driving with Software-Defined Vehicles
The future of Cooperative, Connected, and Automated Mobility (CCAM) hinges on the development of Software-Defined Vehicles (SDVs) that are both safe and reliable. TNO is leading the charge by providing a unique blend of expertise to both the industry and road authorities, addressing key facets of the safety of automated driving SDVs. In an interview, ‘Pathfinder’ Michael Borth emphasises: ‘Safe Autonomous Driving is a long, but important journey – by taking responsibility, we will get there.’
In just a few decades, cars have transformed from primarily electromechanical devices to intelligent, software-driven machines that can be continuously upgraded—much like the evolution from traditional phones to smartphones. Software-Defined Vehicles (SDVs) represent this new generation, capable of managing their operations, adding functionality, and enabling new features primarily through software.
The origins of SDVs can be traced back to the 1990s when car manufacturers recognised the immense potential of software to enhance the safety, comfort, and efficiency of cars. This shift marked the beginning of an era where vehicles became computing platforms for continuous innovation, paving the way for the advanced, cooperative, and connected mobility solutions we envision today.
Bringing computer science into vehicles
A firsthand witness and leading expert on SDVs is Michael Borth, Senior Research Fellow at TNO, who prefers the informal title of ‘pathfinder’. His journey into the field began at Daimler, long before machine learning and AI became mainstream. ‘I always focused on integrating advanced computer science into vehicles. Working on novel architectures and applications like onboard diagnostics and preventive maintenance in the past and on Autonomous Driving with AI today, that allows me to understand the landscape and the problem field of SDVs.’
Borth's unique blend of system thinking, system architecting, and AI expertise positions him to address the current challenges of SDVs. ‘As a pathfinder, I envision paths toward solutions, drawing from my extensive experience to navigate the complexities and opportunities of this evolving field.’
Too complex to comprehend
One of the early challenges with vehicle software was the complexity of software-defined functionality and data exchange between components, even baffling experts. Michael Borth recalls, ‘When data collection started at Daimler, a Mercedes would generate more internal data than NASA collected from the systems that helped put Neil Armstrong on the moon! Initially, this data was used primarily for preventive maintenance, improving vehicle quality, and learning about driver behaviour.’ However, this wealth of data was not yet harnessed for Automated Driving (AD), one of the most relevant applications of SDVs.
Significant safety challenges
Today, we are witnessing a steady pace of development in Automated Driving and Advanced Driver-Assistance Systems (ADAS). Although legislation now permits the use of Automated Lane Keeping Systems (ALKS) and Driver Controlled Assistance Systems (DCAS) within limited Operational Design Domains (ODDs), substantial safety challenges remain in their development, assessment and release processes.
Michael Borth elaborates, ‘These challenges arise largely because software-defined systems and especially AI-based systems operate fundamentally differently from those relying solely on physical components. Think of a light switch: its immediate response makes troubleshooting straightforward.’
‘If the light doesn’t turn on, it’s either no power, a broken lamp, or a problem with the wiring. However, software-defined systems, especially those connected to network services in cyber-physical systems, work 99.9% of the time – but they can fail under very specific circumstances.’
‘For instance, if a piece of information gets corrupted or two parallel computing processes disrupt their timing, causing conflicting information. These issues are incredibly hard to identify during development, testing, or assessment processes. And if we do find them, we need to correct them and update the software; it's the same as with your phone or computer. This is one of the main benefits of SDVs: the possibility to continuously improve the vehicle, even after delivery to the customer.’
Problematic software updates
Software updates in SDVs, however, also introduce additional challenges. ‘How can we ensure for every update that it's still safe in all situations? Can we still allow it on the road?’ Michael Borth highlights a recent case illustrating this issue: a software update, including AI, was scrutinised by German authorities.
‘AI complicates these update issues further because it produces soft results that can sometimes be outright incorrect, similar to the well-known language models used for search queries. Even with low fault rates, the consequences of errors can be very serious. Furthermore, if an AI error causes an accident, identifying the root cause may be virtually impossible, as current AI operates on correlations, not causality. To warrant a safe operation, validation is needed. Because this is a cumbersome process, we have to make sure that it doesn't need to be done all over again with every new release.’
So although periodic updates of software-defined automated driving systems are the fundamental response to the safety assessment challenge, they translate into two new challenges: how to find the imperfections that give rise to a software update, and how to keep the safety evaluation of the software manageable. For that we need to understand the failure mechanisms of these systems much better than we do today.
Updates without risk
Current safety assessment frameworks are not equipped to handle AI's complexities. Traditional system engineering relies on stable, repeatable processes suitable for validation and performance guarantees – but AI does not provide that. Therefore, both industry and road authorities need new methodologies to ensure SDVs remain safe under all circumstances.
Michael Borth envisions methods to update software without introducing new risks. ‘Analysing AI in vehicles and updating such systems with attention to possible impacts remains a research topic. Additionally, we need to understand the various reasons for updates.’
‘Software bugs can destabilise the system, degradation occurs over time, and external changes, like new transportation modes and infrastructure, continuously evolve. We must detect these developments early, differentiate their origins, and respond effectively without introducing undue risk.’
Functionality and safety go hand in hand
At TNO's Integrated Vehicle & Safety department, the AI team is dedicated to enhancing both functionality and safety in Software-Defined Vehicles (SDVs). Michael Borth explains: ‘Our Safety4AI initiative tackles challenges like System Validation and Verification when AI is involved. We also research Competence Assessment at runtime, which means that a vehicle can assess whether it's equipped to handle an upcoming situation. Additionally, Lifecycle Management ensures that ADS or ADAS can adapt to a changing world, focusing on new system analytics and assessment methods.’
Borth and his team are modelling vehicles and their AI, factoring in interactions with humans, the environment, and various driving scenarios. ‘We use advanced system-level reasoning AI to identify risks and provide safety argumentation, considering the system state, environment, and scenarios.’
‘This reasoning AI employs probabilistic and causal reasoning, making it understandable and explainable. This approach is crucial for ensuring that the AI in ADS and ADAS is trustworthy,’ says Borth.
‘It will happen’
When asked about the future of Automated Driving, Michael Borth maintains a realistic perspective. ‘Automated driving will happen, but I expect it to unfold differently than some current trends suggest. Success requires closer collaboration among experts in AI, automotive, and safety domains, and a deeper understanding of each other's disciplines.’
‘To address safety and trust concerns, we need systems with a different type of AI, engineered with novel methodologies. Additionally, we must collaboratively determine the 'how,' 'where,' and 'why' of Automated Driving—especially to tackle the significant challenge of transitioning from the current state to a potentially better future.’
A unique combination of expertise
TNO has all the knowledge and experience to guide the industry and authorities towards that future. Michael Borth: ‘It’s fair to say that we offer a unique combination of expertise, ranging from software and system engineering methodologies to AI expertise, and from human-machine interactions to moral evaluations.’
‘As an independent, societally driven research organisation committed to safer mobility, we are a valuable partner for road authorities as well as for car manufacturers and their suppliers. It’s a long, but important journey – by taking responsibility together we will get there.’