Stephen A. Lawrence wrote:

Defective fly-by-wire is very scary.  Can you even turn the engine off
if the computer isn't listening?

It is very scary, but as far as I know, they haven't made a computer yet that does not respond to a hardware interrupt. You can always reset a computer. On the Prius they say to hold down the Start button for 3 seconds to generate a master reset. It takes only one push lasting a fraction of a second to turn the car off when it is stopped, but it would not be a good idea to allow a reset after one second while moving. The driver might push the button by accident, or an object might rest against it.

The question is: What monitors that button, and counts 3 seconds before issuing an emergency reset? Could it be the master computer itself? If so, that's a terrible design. I doubt that's how it works. For this purpose you want a separate, independent device, maybe just old-fashioned circuitry with no computer. The final generation of Data General super-minicomputers came with a micro-nova mini-mini attached which was mainly there (I was told) to kick the big computer if it went out to lunch in a loop. Many other process control computers and flight control computers have independent circuitry that does nothing but generate software interrupts. If the big computer does not respond to the interrupt, the little device then gives it a hardware interrupt kick in the butt.

People have been making fly-by-wire computer controlled machines for a long time, and they do know how to ensure safety. It may be that the Toyota engineers failed to use tried and true methods. That seems unlikely, but who knows. Anyway, even though the idea is scary, we should remember that hardware-based designs also fail and they are also scary.

I once pressed the Start button and put the Prius in motion before the hardware check finished. It complained with dire flashing lights on the dashboard until I got a chance to pull over and figure out what I had done wrong. It did work, though. You can control the car a few seconds after a master reset.

If this is a software bug, it is exceptionally rare, which may make it nearly impossible to find. I pity the programmers.

- Jed
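The independent monitor Jed describes (a separate device that first raises a soft interrupt, escalates to a hardware reset if the main computer does not answer, and times the 3-second Start button hold), as an added illustration in C that is not part of this thread. The tick period, the deadlines and all names are assumptions, not Prius or Data General specifics.

```c
#include <stdbool.h>
#include <stdint.h>
/* Constructed model of the independent monitor the thread describes: a separate
 * device that raises a soft IRQ, escalates to a hardware reset if unanswered,
 * and times the Start button. All timings and names here are assumptions. */
#define TICK_MS            100   /* the monitor samples its inputs every 100 ms */
#define SOFT_IRQ_PERIOD_MS 1000  /* how often it interrupts the main computer */
#define ACK_DEADLINE_MS    500   /* main computer must acknowledge within this */
#define HOLD_RESET_MS      3000  /* Start button held this long while moving -> reset */
typedef struct {
    uint32_t since_irq_ms;  /* time since the last soft interrupt was raised */
    bool     waiting_ack;   /* a soft interrupt is outstanding */
    uint32_t unacked_ms;    /* how long it has gone unanswered */
    uint32_t held_ms;       /* how long the Start button has been held */
    bool     hard_reset;    /* latched: the monitor pulled the reset line */
} monitor_t;
/* Inputs sampled each tick; main_alive: main computer services the soft IRQ. */
typedef struct { bool button_down; bool moving; bool main_alive; } sample_t;
/* One monitor tick. Returns true once a hardware reset has been issued. */
bool monitor_tick(monitor_t *m, sample_t s) {
    if (m->hard_reset) return true;                /* latched until power cycle */
    /* 1. Heartbeat: raise a soft interrupt periodically ... */
    m->since_irq_ms += TICK_MS;
    if (!m->waiting_ack && m->since_irq_ms >= SOFT_IRQ_PERIOD_MS) {
        m->waiting_ack = true; m->unacked_ms = 0; m->since_irq_ms = 0;
    }
    /* ... and escalate to a hardware reset if it goes unanswered too long. */
    if (m->waiting_ack) {
        if (s.main_alive) m->waiting_ack = false;
        else if ((m->unacked_ms += TICK_MS) >= ACK_DEADLINE_MS) m->hard_reset = true;
    }
    /* 2. Start button: reset at once while stopped, only after a 3 s hold while moving. */
    m->held_ms = s.button_down ? m->held_ms + TICK_MS : 0;
    if (s.button_down && (!s.moving || m->held_ms >= HOLD_RESET_MS)) m->hard_reset = true;
    return m->hard_reset;
}
/* Feed one constant input to a fresh monitor for up to n ticks; return the
 * 1-based tick at which it reset the main computer, or 0 if it never did. */
uint32_t first_reset_tick(sample_t s, uint32_t n) {
    monitor_t m = {0};
    for (uint32_t i = 1; i <= n; i++) if (monitor_tick(&m, s)) return i;
    return 0;
}
/* A 2 s press while moving, then release, must not reset: the hold timer clears. */
bool brief_press_ignored(void) {
    monitor_t m = {0};
    sample_t pressed = {true, true, true}, released = {false, true, true};
    for (int i = 0; i < 20; i++) if (monitor_tick(&m, pressed)) return false;
    return !monitor_tick(&m, released) && m.held_ms == 0;
}
```

With these constants a hung main computer is reset 400 ms after the first unanswered soft interrupt (tick 14), while a healthy one is never reset by the heartbeat.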
