Blogs
Electronic News & Comment

Can An Engineer Prevent the Unknown?

naperlou
User Rank
Blogger
a new approach needed
naperlou   1/9/2014 10:00:52 AM
Chuck, you bring up a valid and important topic here.  There is no way to "prove" everything about a vehicle.  Since there are so many vehicles and they are driven so much (in hours and miles) you are likely to run into any error that exists.  So, we cannot prevent problems.  In safety critical systems one typically designs in multiple failsafes.  This is a complex topic.  There are also overrides and safe modes.  This is a well understood area and is applied in the aerospace industry.  Even then, it is not perfect. 

The flip side is that we have lived for about a century with automobiles. They cause more deaths than just about anything else.  We accept that, even though many of the fatalities involve someone just getting from one place to another, often for trivial reasons.  Go figure.

There is probably no real solution.  The next step is to outline the liability rules and install those black boxes.

GTOlover
User Rank
Platinum
Re: a new approach needed
GTOlover   1/9/2014 11:49:22 AM
I agree with what you are saying naperlou. But in reality, we do NOT accept the risk of death in automobile failures. If we did, Toyota would not be forking over 3 million dollars to two families. Do not get me wrong, if the car is crap and is purposefully sold disregarding safety requirements, then they pay. But as pointed out in this article, throttle by wire is a proven and robust technology and Toyota still has to pay.

Self driving cars? I agree, rules of liability have to be established. But then you would put 99% OF ALL LAWYERS OUT OF A JOB!

Charles Murray
User Rank
Blogger
Re: a new approach needed
Charles Murray   1/9/2014 6:21:05 PM
You're right, naperlou. You can't prove everything. This is a really complex situation because, as you mention, Toyota cars have driven billions of miles with these electronic throttles. So either you believe that the one-in-a-million error occurred, or you believe that the driver stepped on the wrong pedal. Either way, there's no hard evidence. I just wonder now how the pending cases will be resolved.

TJ McDermott
User Rank
Blogger
Re: a new approach needed
TJ McDermott   1/10/2014 12:18:12 AM
Maybe we can't prevent the unknown, but documenting an incident sufficiently would turn it into a known, and the list of unknowns gets whittled down.

One approach would be vehicles that are MUCH more instrumented - more comprehensive recorders, adding some video on looped storage.

It's assuredly a reactive method, but there does not seem to be a proactive method.

GTOlover
User Rank
Platinum
Re: a new approach needed
GTOlover   1/10/2014 8:09:30 AM
TJ, from a purely engineering standpoint I completely agree with instrumented vehicles with comprehensive data recorders. However, given the revelations of government snooping and the prospect of insurance companies wanting to monitor driving habits, no thanks!

TJ McDermott
User Rank
Blogger
Re: a new approach needed
TJ McDermott   1/10/2014 9:55:40 AM
GTOlover, you're right about government snooping.  However, recorders are impartial.  They get the bad rap from those who use them for less than noble intent.

GTOlover
User Rank
Platinum
Re: a new approach needed
GTOlover   1/10/2014 10:05:08 AM
TJ, the more I think about it, I think you are correct. I would certainly want to know if a pilot is flying incorrectly or, heaven forbid, incompetently. So why not the same for drivers and driverless cars? I think if 'accidents' were overwhelmingly shown to be driver error and people had to be held liable for their incompetent driving, then the cost of cars could go down. Automakers could focus on MPG instead of adding controls to correct bad drivers.

Then again, humans have a propensity for 'hiding' their faults and drivers will do the same to the blackbox recorder.

TJ McDermott
User Rank
Blogger
Re: a new approach needed
TJ McDermott   1/10/2014 11:53:07 AM
Cameras on board rocket boosters were not commonplace until after the Columbia accident.  Now, most launchers have them.  Aside from the fact that they provide way-cool images, they can be used forensically.

I haven't decided if it's a good idea or not.  Today "free" people are under surveillance much more than anyone behind the iron curtain was in the bad old cold war days.

Zippy
User Rank
Platinum
Re: a new approach needed
Zippy   1/10/2014 8:39:02 AM
TJ's comment about turning unknowns into knowns is the way to go.  That's why they have black boxes on aircraft.  If Toyota had a recording sensor on the accelerator and brake of their cars, they would have an answer to the "driver error" question.  As commented earlier, automakers are extremely cost sensitive, so the occasional $3MM lawsuit may be an "acceptable risk" to the accountants vs. the sensor cost.  Widespread use of driverless technology may shift that equation to the point where the automaker's liability is high enough to justify the added product cost.  Another possibility is legislation which limits liability per case, as is the case currently for air travel (see the fine print on your airline ticket).

GlennA
User Rank
Gold
old news or urban legend ?
GlennA   1/9/2014 6:31:15 PM
I don't remember where I read this, but supposedly the reason that Ford got hit so hard in the Pinto lawsuits (would you be surprised if a high-speed rear-end collision caused a fire - it happens in the movies) was that the cost to repair the design flaw would be more expensive than potential lawsuits.  Cost benefit analysis is part of the design process.  And actuaries (life insurance) are in the business of putting a value on human lives.  I have seen a car commercial where an automatic braking system stops the car while the driver is not paying attention to driving.  So there is the potential of a self-driving car to save lives.

Charles Murray
User Rank
Blogger
Re: old news or urban legend ?
Charles Murray   1/9/2014 7:18:33 PM
Today, more than 30,000 lives a year are lost on our roads, GlennA. The belief is that some day, autonomous cars could bring that down to the hundreds. So, yes, I definitely agree with you that self-driving cars will one day save lives. The question is, will our legal system allow it?

tekochip
User Rank
Platinum
Re: old news or urban legend ?
tekochip   1/10/2014 11:54:39 AM
The paperwork that surfaced during the Pinto fire lawsuits showed that Ford made a conscious decision to balance the cost of production against the cost of liabilities.  Nothing specific to the Pinto model ever came to light, but documentation exposed a culture that balanced the monetary cost of liabilities against the cost of producing the vehicle. 
 
I guess safety didn't sell back in the Seventies, but hey, now there's a mandate for every contingency.


Critic
User Rank
Platinum
Driving Skills
Critic   1/10/2014 9:00:51 AM
The thing that irritates me about the "sudden acceleration" cases is that the drivers should have been able to control the cars even if the throttles were stuck wide open.  Get on the brakes and STOP immediately (yes, the brakes are more forceful than the engine, but only count on one stop), turn off the ignition while you are stopping (yes you can still drive without power steering, and you will still have power brakes unless you take your foot off the brakes, which you should not do, and no, the steering will not lock), and shift to neutral while you are stopping.  Please practice this.

No matter how well a self-driving car is designed and manufactured, there will be failures and accidents.  Having a black box and fail-safe systems will help, but will also add to the cost of the car.  Manufacturer liability for accidents will also add to the cost to consumers.

I think I will drive the old-fashioned way, and avoid being surprised by a self-driving car failure.  Yes, there will be failures.

GTOlover
User Rank
Platinum
Re: Driving Skills
GTOlover   1/10/2014 10:13:28 AM
Amen to that Critic! Learn to safely shut down your vehicle if it goes out of control. When a car is speeding down the freeway because the throttle is stuck wide open, even if the car is the fault, it became a driver problem if after several hundred feet they could not shut down the vehicle!

Another example is manual stick shift cars and trucks. My teenage son has a 1981 F150 with a manual transmission. I have shown him and trained him on how to respond if he pushes in the clutch and it does not disengage. Brake hard and throw the shifter into neutral ASAP! Then safely coast to a safe stop (or push the truck to a safe spot). He has even demonstrated this to me so I can be sure he is aware of what to do.

William K.
User Rank
Platinum
Re: Driving Skills: and hardware thrills
William K.   1/10/2014 12:56:03 PM
GTO, the understanding of how to shut down a runaway engine is indeed a potentially lifesaving thing. And having a runaway engine overspeed destruct upon shifting to neutral may be the lesser of the evils, but it is a very expensive one, since overspeed induced failures are seldom minor.

I have had stuck throttles a few times and switching off the ignition has always been the first step to recovery. The HUGE problem, which I have pointed out before in other discussions, is the cars that no longer have a way to switch off the engine. Instead, they have a big button that sends a shut-off request to the controls computer, and does not include a way to force the shutdown. 

There is no rational reason for allowing such cars on public roadways.

A simple on/off switch that would disable the ignition system entirely independent of the control computers would solve the problem. It would also be able to provide an additional child-proofing safety function, which is how it could be marketed.

For all of my career in designing industrial control systems, there has been a requirement for an "Emergency Stop" function that must be independent of all control software and logic. That requirement is right next to the specification of the machine's functions, and for very good reasons. Just like any other computer type of system, if a failure has caused an unwanted type of operation it cannot be expected that the failed control system will respond to any command as required. So that is why the big red button provides the non-maskable hardware shutdown. Because if part of a system has failed other parts may also have 

bob from maine
User Rank
Platinum
Re: Driving Skills: and hardware thrills
bob from maine   1/10/2014 4:32:31 PM
Most modern fuel-injected engines have an overspeed shut-down that either interrupts the spark, fuel or both to prevent an engine from overspeed destruction; it may sound scary, but it does work. Selecting neutral and standing on the brakes should always work. Like Asimov's 3 laws of robotics, a hierarchy of operation needs to be established that only allows safe operation, and different failures would invoke different levels of over-ride up to stopping immediately. There will never be a fail-safe autonomous vehicle until the definition of "fail-safe" has been established and agreed upon by all developers. Once those utterly defensible parameters have been incorporated, autonomy may be added. The rub is there will never, ever exist a definition of "Fail Safe" that can't be successfully challenged by lawyers. The technology may be perfect, but the written word will always be open to interpretation. "Thou shalt not kill." Seems to exemplify a simple, clear sentence, yet somehow we manage to re-interpret the meaning on occasion.

William K.
User Rank
Platinum
Re: Driving Skills: and hardware thrills
William K.   1/10/2014 5:31:28 PM
Bob, I wonder if some of these cars would allow shifting into neutral. If the shifting is controlled by the same computer that has failed and locked the throttle open, then possibly not. And I know that at least a few transmissions are entirely controlled by electronics, although I think that they may have a mechanical link for the "park" locking function. And using the brakes can get interesting when the engine won't slow down. Quite a few years ago I drove a lab car about 50 miles after the idle speed cam control system froze, and the "idle" would run about 78MPH. The day was bitter cold and it was before cell phones, and so the choice was sit and freeze or drive and heat up the brakes. They were quite hot by the time I got back. And even with good power brakes, slowing a vehicle with the engine running hard is not easy.

Charles Murray
User Rank
Blogger
Re: Driving Skills
Charles Murray   1/10/2014 5:33:01 PM
You're right, critic, there will be failures. Watching my car struggle through the recent deep freeze, with mechanical parts locked up by sub-zero temperatures and snow, I wondered how good those autonomous vehicles will be when they face bad weather and aging parts. Will they know the headlights are blocked by ice and snow? Will the camera-based sensors be able to see under those conditions? And, if not, will they know they can't see? Vehicle intelligence will be built up by years of experience and, yes, failures.

JimT@Future-Product-Innovations
User Rank
Blogger
Re: Driving Skills
JimT@Future-Product-Innovations   1/16/2014 1:02:45 PM
Even as a competent Design Engineer, I strongly advise there is no better safeguard against accidents than an experienced, skilled operator.  It's just sad that people (in general) expect everyone else to protect them, and take no personal responsibility in the fact that they perhaps don't belong behind the wheel of a car.

This mentality has forced all automakers to include countless so-called 'safety' features, in effort to appease the unqualified demands of the public.

If you think about it, if we lived in a world where this was not so important, there would exist a natural-selection process which would help keep roads safer, merely by thinning the herd.

(I'm just sayin',,,please don't bombard me with insensitivity comments !!)

bobjengr
User Rank
Platinum
UNKNOWN
bobjengr   1/11/2014 5:37:08 PM
Excellent post Charles.  One factor that contributes to the unknown is the condition of the car AFTER maintenance has been performed.  I think we all have had problems resulting from maintenance that might have fixed one problem but created another.  Then it becomes "he said--she said". Is the fault basic engineering, or issues AFTER customary work accomplished during the life of the vehicle?  I really don't know how engineers can prepare for outcomes such as this.  I have been part of FMEA (failure mode effect analysis) exercises and sometimes the possible number of failure modes is truly astounding.  Add to that customer interaction and maintenance and you have to be a prophet to understand all of the possibilities.

Charles Murray
User Rank
Blogger
Re: UNKNOWN
Charles Murray   1/13/2014 2:05:20 PM
Yes, an engineer would have to be a prophet to consider all possibilities, bobjengr, and therein lies the problem. A class action suit resulting from one of those unforeseen problems can practically crush a company. It almost did in Audi's case, and we still don't know for sure what the cause was there.

patb2009
User Rank
Gold
Re: UNKNOWN
patb2009   7/5/2014 4:13:21 PM
You can't prevent the unknown, but you can clearly reduce the odds down to the billions or trillions.

Consider a fault that kills: 1 in a million per year.  Seems like a tolerable number?

Well, considering a good selling car can sell 8 million, that's 8 people per year. If it's a systemic fault, we have a fleet of 100 million cars, you are killing 100 people per year.  Given the litigation hazard for death is about 2 million per person, that's potentially $200 Million in cost every year.

If you can get the problem down to 1 in a billion, then it's $200K per year.

If you consider aircraft engines, a single faulty disk can kill a plane; that disk will turn at 5,000 RPM for thousands of hours.  That's 10EE8 rotations per engine, 2 engines per bird, a thousand aircraft of type easily made.

How do you get to 1 in a trillion failures?  Well, that's what risk analysis is all about. Every failure is analyzed, predicted, and chased down. Then they are designed against, or inspected against, or monitored against.

It's why airplanes rarely crash.

 

 

Reliabilityguru
User Rank
Platinum
Welcome to my world
Reliabilityguru   1/13/2014 9:37:45 AM
Building the safety case for a software-controlled weapon system, we are required to prove that the probability of a hazardous incident is less than 1 in a million. The only way to do this is by analysis, supplemented with tests. The system has to be partitioned and designed from the beginning to support the safety case. In the end it does not matter what fault, or rather what faults in combination, lead to a catastrophic event, so all possibilities must be accounted for over the life of the system.

imagineer1000
User Rank
Iron
Simplify...
imagineer1000   1/13/2014 1:52:06 PM
What is alarming is how complex software is getting - and I think unnecessarily.  It hasn't helped reliability.  As an example, I rent dozens of vehicles a year, and in spite of the fact that none had more than a few thousand miles on them I've had two rentals where the throttle and transmission simply stopped working when I was backing up - one in the desert, the other in the snow.  Both times required shutting off the ignition to get them working again.  In a combined 700,000 miles/65 years on my old personal vehicles under worse environmental conditions than I've subjected any rental to I've never once had an issue with the transmission (OK - except for leaking seals, and frozen solid due to -45F).  I've also had two rentals suddenly go to full throttle for no reason (when cruise control was engaged) - fortunately both were on interstates with no traffic around me.  Not hazardous, but definitely irritating.

And mind you, what will happen when these complex systems are subjected not to unusual environments - including EMI - but to deliberate malicious attack - say a bunch of teens who get their jollies out of watching drivers' reactions when they cause a vehicle to accelerate just before a red light?

patb2009
User Rank
Gold
preventing the unknown
patb2009   7/5/2014 4:07:54 PM
Everything needs to be designed to be 2 fault tolerant and self diagnosing.

You don't make a single channel throttle pedal, and you don't make a 2 channel throttle pedal where the A channel and B channel send the same voltage to show the same position, because a sneak circuit reduces you to 1 channel with no visible detection.

No, you design it so the A channel sends 0-6 volts and the B channel sends 13-18 volts.  That way, if you get 14 volts on the A channel you know there is a sneak circuit, and if you get 5 volts on the B channel you also know, and during startup the system checks itself out by running on single channel.

Now it takes 2 failed channels to kill the throttle.

You put in things like a hard stop button that kills the driveline.

And as Charles points out, you have telemetry, and record everything.  Wheel inputs, brake inputs, brake outputs, ABS frames, get it all. Voltages, running lights, 
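The offset-band plausibility check patb2009 describes, written out as an added example (not code from the post or from any automaker): channel A is assumed to span 0-6 V and channel B 13-18 V over the same 0-100 % pedal travel, so a reading that lands in the other channel's band exposes a sneak circuit. The mismatch tolerance, the capped "limp" demand on a single surviving channel, and the zero demand on two failed or disagreeing channels are assumptions chosen here to show how one fault degrades and two faults stop the throttle.

```c
#include <stdbool.h>
#include <stdio.h>

/* Assumed sensor bands (from the post): channel A 0-6 V, channel B 13-18 V,
 * each mapping to 0-100 % pedal travel. A healthy channel can never report a
 * voltage in the other band, so such a reading reveals a sneak circuit. */
#define A_MIN_V 0.0f
#define A_MAX_V 6.0f
#define B_MIN_V 13.0f
#define B_MAX_V 18.0f
#define MAX_MISMATCH_PCT 5.0f   /* assumed plausibility tolerance between channels */
#define LIMP_MAX_PCT 30.0f      /* assumed demand cap when only one channel is trusted */

typedef enum {
    PEDAL_OK,             /* both channels in band and in agreement */
    PEDAL_FAULT_A,        /* A out of band; running on B, throttle limited */
    PEDAL_FAULT_B,        /* B out of band; running on A, throttle limited */
    PEDAL_FAULT_MISMATCH, /* both in band but disagree; demand forced to zero */
    PEDAL_FAULT_BOTH      /* both channels failed; demand forced to zero */
} pedal_status_t;

typedef struct {
    pedal_status_t status;
    float demand_pct;     /* throttle demand the controller may actually apply */
} pedal_result_t;

static bool in_band(float v, float lo, float hi) { return v >= lo && v <= hi; }

static float band_to_pct(float v, float lo, float hi) {
    return (v - lo) * 100.0f / (hi - lo);
}

/* Evaluate one sample from each channel and decide what the throttle may do. */
pedal_result_t evaluate_pedal(float a_volts, float b_volts) {
    pedal_result_t r = { PEDAL_FAULT_BOTH, 0.0f };   /* safe default: no demand */
    bool a_ok = in_band(a_volts, A_MIN_V, A_MAX_V);
    bool b_ok = in_band(b_volts, B_MIN_V, B_MAX_V);

    if (a_ok && b_ok) {
        float a_pct = band_to_pct(a_volts, A_MIN_V, A_MAX_V);
        float b_pct = band_to_pct(b_volts, B_MIN_V, B_MAX_V);
        float diff = a_pct > b_pct ? a_pct - b_pct : b_pct - a_pct;
        if (diff <= MAX_MISMATCH_PCT) {
            r.status = PEDAL_OK;
            r.demand_pct = a_pct < b_pct ? a_pct : b_pct; /* trust the lower demand */
        } else {
            r.status = PEDAL_FAULT_MISMATCH;  /* cannot tell which channel is lying */
        }
    } else if (a_ok || b_ok) {
        /* One channel failed: keep driving on the survivor, capped, and flag it. */
        float pct = a_ok ? band_to_pct(a_volts, A_MIN_V, A_MAX_V)
                         : band_to_pct(b_volts, B_MIN_V, B_MAX_V);
        r.status = a_ok ? PEDAL_FAULT_B : PEDAL_FAULT_A;
        r.demand_pct = pct < LIMP_MAX_PCT ? pct : LIMP_MAX_PCT;
    }
    /* Both out of band: r still holds PEDAL_FAULT_BOTH with zero demand. */
    return r;
}

int main(void) {
    pedal_result_t r = evaluate_pedal(14.0f, 15.5f);  /* 14 V on A: sneak circuit */
    printf("status=%d demand=%.1f%%\n", r.status, r.demand_pct);
    return 0;
}
```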

 

 

tekochip
User Rank
Platinum
Re: preventing the unknown
tekochip   7/7/2014 12:31:41 PM
For something critical we frequently use two different ADCs, just in case something goes wrong with the multiplexer in the ADC.
