On 02/03/2010 03:26 PM, Jed Rothwell wrote:
> Stephen A. Lawrence wrote:
>
>> Defective fly-by-wire is very scary. Can you even turn the engine off
>> if the computer isn't listening?
>
> It is very scary, but as far as I know, they haven't made a computer yet
> that does not respond to a hardware interrupt. You can /always/ reset a
> computer. On the Prius they say to hold down the Start button for 3
> seconds to generate a master reset.

Seriously, your life is flashing before your eyes, all you want to do is STOP the car, and you're supposed to remember that you need to press the START button?? Holy Interface Design School, Batman! Who dreamed THAT one up?

So let's suppose you do manage to recall this counterintuitive act despite the buzzing in your ears as your blood pressure hits 300 in preparation for outrunning a mammoth, and you start stabbing at the START button. Now, you're supposed to hold it down for THREE SECONDS. Not likely! Most people can't count up to 3 seconds in an emergency to save their lives -- quite literally. Time sense goes out the window when you're under adrenaline overload.

I recall reading stories of people who couldn't dial out for help in an emergency because there was a junk call on the line, and they couldn't get the stinkin' phone to hang up. The problem is the same: You need to hold down the switch hook for several seconds to break the connection. In an emergency, several seconds seems like several minutes, and the person trying to dial out repeatedly picks up again too soon, thus restarting the timeout.

> It takes only one push lasting a
> fraction of a second to turn the car off when it is stopped, but it
> would not be a good idea to allow a reset after one second while moving.
> The driver might push the button by accident, or an object might rest
> against it.
>
> The question is: What monitors that button, and counts 3 seconds before
> issuing an emergency reset? Could it be the master computer itself? If
> so, that's a terrible design. I doubt that's how it works. For this
> purpose you want a separate, independent device, maybe just
> old-fashioned circuitry with no computer. The final generation of Data
> General super-minicomputers came with a micro-nova mini-mini attached
> which was mainly there (I was told) to kick the big computer if it went
> out to lunch in a loop.
> Many other process control computers and flight
> control computers have independent circuitry that does nothing but
> generate software interrupts. If the big computer does not respond to
> the interrupt, the little device then gives it a hardware interrupt kick
> in the butt.
>
> People have been making fly-by-wire computer controlled machines for a
> long time,

Not car companies! If Boeing or Airbus designed the car, the situation would be different.

> and they do know how to ensure safety.

"They" = Boeing, Airbus, Lockheed ... yup.

"They" = Toyota, GM, Ford ... well, maybe. Or maybe not.

> It may be that the
> Toyota engineers failed to use tried and true methods. That seems
> unlikely, but who knows. Anyway, even though the idea is scary, we
> should remember that hardware-based designs also fail and they are also
> scary.
>
> I once pressed the Start button and put the Prius in motion before the
> hardware check finished. It complained with dire flashing lights on the
> dashboard until I got a chance to pull over and figure out what I had
> done wrong. It did work, though. You can control the car a few seconds
> after a master reset.
>
> If this is a software bug, it is exceptionally rare which may make it
> nearly impossible to find. I pity the programmer

Me, too. I spent all of today chasing a race condition. Haven't found it yet. :-(

Luckily nobody's life ever depends on proper operation of a *debugger* (or if it does, they're misusing the product rather badly).

>
> - Jed
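The design the thread argues for (a separate, independent device that counts the 3-second hold, and that first prods the main computer with a software interrupt and only then kicks it with a hardware reset) worked through as an added example. This is not code from the thread, from Toyota or from any real vehicle; the 10 ms tick, the 500 ms heartbeat timeout, the two-step escalation and the simulations are constructed assumptions for illustration. The hold counter restarts from zero on any release, which is exactly the "picked up too soon" failure the phone hang-up story describes.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical supervisor: it sees only a heartbeat line from the main
 * controller and the start button. Times are in supervisor ticks so the
 * logic never depends on the main controller's clock. Values constructed. */
#define TICK_MS               10
#define HOLD_TO_RESET_MS    3000   /* the 3-second hold from the thread */
#define HEARTBEAT_TIMEOUT_MS 500   /* assumed: main loop must kick this often */

enum supervisor_action { ACT_NONE, ACT_SOFT_INTERRUPT, ACT_HARD_RESET };

struct supervisor {
    uint32_t ticks_since_heartbeat;  /* zeroed whenever the main controller kicks */
    uint32_t button_held_ticks;      /* consecutive ticks the button has been down */
    bool soft_interrupt_sent;        /* first escalation step already taken */
};

void supervisor_init(struct supervisor *s)
{
    s->ticks_since_heartbeat = 0;
    s->button_held_ticks = 0;
    s->soft_interrupt_sent = false;
}

/* The main controller calls this at the end of every healthy loop pass. */
void supervisor_heartbeat(struct supervisor *s)
{
    s->ticks_since_heartbeat = 0;
    s->soft_interrupt_sent = false;
}

/* Driven by the supervisor's own timer once per TICK_MS, regardless of what
 * the main controller is doing. Returns the action decided on this tick. */
enum supervisor_action supervisor_tick(struct supervisor *s, bool button_down,
                                       bool vehicle_moving)
{
    /* Hold-to-reset: the counter advances only while the button stays down;
     * any release restarts it from zero. Stopped: one tick is enough. */
    s->button_held_ticks = button_down ? s->button_held_ticks + 1 : 0;
    uint32_t required = vehicle_moving ? HOLD_TO_RESET_MS / TICK_MS : 1;
    if (s->button_held_ticks >= required) {
        s->button_held_ticks = 0;
        return ACT_HARD_RESET;
    }

    /* Heartbeat watchdog with two-step escalation: software interrupt first,
     * hardware reset if the controller still has not answered. */
    s->ticks_since_heartbeat++;
    uint32_t limit = HEARTBEAT_TIMEOUT_MS / TICK_MS;
    if (s->ticks_since_heartbeat >= limit && !s->soft_interrupt_sent) {
        s->soft_interrupt_sent = true;
        return ACT_SOFT_INTERRUPT;
    }
    if (s->ticks_since_heartbeat >= 2 * limit) {
        s->ticks_since_heartbeat = 0;
        s->soft_interrupt_sent = false;
        return ACT_HARD_RESET;
    }
    return ACT_NONE;
}

/* Simulation: button down for first_hold_ms, up for gap_ms, down again for
 * second_hold_ms, with a healthy main controller kicking every tick.
 * Returns true if the supervisor issued a hard reset. */
bool simulate_press(uint32_t first_hold_ms, uint32_t gap_ms,
                    uint32_t second_hold_ms, bool vehicle_moving)
{
    struct supervisor s;
    supervisor_init(&s);
    uint32_t total = first_hold_ms + gap_ms + second_hold_ms;
    for (uint32_t t = 0; t < total; t += TICK_MS) {
        bool down = t < first_hold_ms || t >= first_hold_ms + gap_ms;
        supervisor_heartbeat(&s);
        if (supervisor_tick(&s, down, vehicle_moving) == ACT_HARD_RESET)
            return true;
    }
    return false;
}

/* Simulation: the main controller kicks for nine ticks, then goes out to
 * lunch in a loop. If it recovers on the software interrupt it resumes
 * kicking. Returns the tick on which a hard reset was issued, 0 if never. */
uint32_t simulate_hung_controller(bool recovers_on_soft_interrupt)
{
    struct supervisor s;
    supervisor_init(&s);
    bool alive = true;
    for (uint32_t tick = 1; tick <= 1000; tick++) {
        if (tick == 10) alive = false;
        if (alive) supervisor_heartbeat(&s);
        enum supervisor_action a = supervisor_tick(&s, false, true);
        if (a == ACT_SOFT_INTERRUPT && recovers_on_soft_interrupt) alive = true;
        if (a == ACT_HARD_RESET) return tick;
    }
    return 0;
}

int main(void)
{
    printf("3 s hold while moving resets: %d\n", simulate_press(3000, 0, 0, true));
    printf("2 s, release, 2 s resets:     %d\n", simulate_press(2000, 500, 2000, true));
    printf("hung controller reset tick:   %u\n", simulate_hung_controller(false));
    return 0;
}
```

The point the simulations make: two 2-second presses separated by a release never reach the 3-second threshold, while a hung controller that ignores the software interrupt still gets a hardware reset, because the supervisor's timer keeps running no matter what the main loop is doing.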

