.I drive a vehicle with an all drive-by wire setup. Drive-by wire brake, throttle, and PRNDL (the shifting mechanism for those of you not in the Auto Industry (Park, Reverse…) While as a controls engineer, and an environmentalist, I like both the performance increase and the weight savings to fuel savings that this brings it raises the question, what do you do when the system fails?
Primary mode: Fail safe
The first rule of safety critical software (and a break in a vehicle is safety critical) is to fail in a safe fashion. There are several modes in which a brake can fail, from worst to best
- Complete sensor failure: on highway
- Partial sensor failure: on highway
- Complete sensor failure: parked
- Partial sensor failure: parked
First, what is a partial failure? A partial failure is when part of, but not all of, a redundant system sends back data that is not in alignment with the other parts. Standard protocols for drive by wire brakes is to have 3 redundant sensors to determine
Of the four scenarios, the first is the most dangerous and poses an interesting question “what is the fail safe behavior?” Hard braking could result in a rear end collision. Failure to brake could result in running into someone. Of course, this problem is no different from the one found in traditional fully mechanical/hydraulic systems. For an overview of what to do if this happens, take a look at this article.
Secondary mode: Fail friendly
So what does it mean to “fail friendly?” In a fail friendly scenario, the objective is for the system to maintain the maximum functionality without putting the user or the device in danger. In the example of the brake failure, with an all electronic version, the vehicle could allow driving at speeds up to 5 mph. This mode allows the driver to safely move the vehicle off of roads into a safe parking location.
Final thoughts
The way in which systems fail directly impact the end users experience of the product. Providing the secondary fail friendly mode results in a more positive user experience.