[SystemSafety] AVs vs. driver aids ... some more WTF questions
Olwen Morgan
olwen at phaedsys.com
Mon Sep 2 11:54:08 CEST 2019
On 06/08/2019 13:00, Andrew Banks wrote:
>>> One way to avoid this is to design the HMI and functional
>>> logic as distinct communicating action systems
> Good heavens, woman - next you'll be suggesting that an unprotected
> head-unit should not be allowed to communicate directly onto the vehicle
> control bus?
>
There are sound technical reasons for decoupling HMI code from
functional code. Among them are that (1) The control structures of both
are simpler and easier to write if you do it that way, and (2)
Finite-state machine and/or action systems theory give you a passably
tractable way to analyse system behaviour if you do. (Although it's
actually better to use formal methods specifically designed for HMI
development).
Sadly, the benefits of splitting the HMI and core functions in this way
are, in my experience, rarely considered in general - though this is
probably more prevalent in hosted systems than embedded ones, AFAI can see.
Olwen
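One way to make the decoupling concrete, as an added example that is not from the original thread or its author: a toy HMI state machine and a controller state machine that interact only through messages, followed by an exhaustive walk of their joint state space (the kind of tractable analysis the post refers to). All state, event and message names here are constructed for illustration.

```python
# Constructed toy model (not the author's design): an HMI machine and a controller
# machine that talk only via messages, small enough to enumerate the product state space.
def hmi_step(state, event):
    """HMI reacts to button presses and controller replies; it only emits requests."""
    table = {
        ("idle", "press_engage"): ("requesting", "req_engage"),
        ("requesting", "ack"): ("engaged_shown", None),
        ("requesting", "nack"): ("idle", None),
        ("engaged_shown", "press_disengage"): ("idle", "req_disengage"),
        ("engaged_shown", "fault_notice"): ("idle", None),
    }
    return table.get((state, event), (state, None))  # unknown input: ignored

def ctrl_step(state, msg):
    """Controller owns the decision: HMI requests are validated against plant state."""
    table = {
        ("standby", "sensors_ok"): ("ready", None),
        ("standby", "req_engage"): ("standby", "nack"),      # refuse until sensors are ok
        ("ready", "req_engage"): ("engaged", "ack"),
        ("ready", "fault"): ("standby", None),
        ("engaged", "req_disengage"): ("ready", "ack"),
        ("engaged", "fault"): ("standby", "fault_notice"),  # tell the HMI we dropped out
    }
    return table.get((state, msg), (state, None))

USER_EVENTS = ("press_engage", "press_disengage")
PLANT_EVENTS = ("sensors_ok", "fault")

def step(hmi, ctrl, event):
    # Route the event to its owner; a message one side emits is delivered to the other
    # at once (a None message is a no-op because neither table contains it).
    if event in USER_EVENTS:
        hmi, msg = hmi_step(hmi, event)
        ctrl, msg = ctrl_step(ctrl, msg)
        hmi, _ = hmi_step(hmi, msg)
    else:
        ctrl, msg = ctrl_step(ctrl, event)
        hmi, _ = hmi_step(hmi, msg)
    return hmi, ctrl

def reachable(start=("idle", "standby")):
    """Exhaustively explore the joint (HMI, controller) state space from start."""
    seen, frontier = {start}, [start]
    while frontier:
        hmi, ctrl = frontier.pop()
        for ev in USER_EVENTS + PLANT_EVENTS:
            nxt = step(hmi, ctrl, ev)
            if nxt not in seen:
                seen.add(nxt); frontier.append(nxt)
    return seen

def display_mismatches(states):  # display says engaged but controller is not, or vice versa
    return {s for s in states if (s[0] == "engaged_shown") != (s[1] == "engaged")}
```

Drop the `fault_notice` reply from the controller table and rerun `display_mismatches(reachable())` to see the analysis flag the stale display state that a silent fault would leave behind.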