|
Tyrgle isn't wrong. It'd be possible to build in separate, airgapped computer systems, but it'd be more expensive. But also fuckin' at certifying software. Certified software is incredibly expensive to write; as I understand it you pretty much have to prove that it has well-defined and acceptable behavior under every possible execution path, and proving poo poo about software is a nightmare.
|
# ? May 31, 2018 01:22 |
|
TooMuchAbstraction posted: that it has well-defined and acceptable behavior under every possible execution path
Uhh yeah? It's driving a few thousand pounds of metal at up to highway speeds. Well-defined and acceptable behavior is what should be required when people's lives, both in and out of the vehicle, are on the line. "It's hard" or "it's expensive" are not acceptable responses for a commercial product that could, by definition, drive an SUV/Greyhound bus/Honda through your front door.
|
# ? May 31, 2018 01:44 |
|
I don’t think even NASA uses actual proofs. It’s an unreasonable standard. Software should be under scrutiny equivalent to that imposed on the hardware. What do they do to validate power steering?
|
# ? May 31, 2018 01:45 |
|
ilkhan posted: So dangerous that nobody noticed in almost a year and only appears after multiple panic stops?
It's entirely possible that OTA updates or some other process reset the brake failure, and that nobody's both had a bad enough couple drives where they had to panic stop twice, had it gently caress up the second time, and made the connection that it's defective software being shipped on their new $40k electric car made by daddy Elon himself.
TooMuchAbstraction posted: Tyrgle isn't wrong. It'd be possible to build in separate, airgapped computer systems, but it'd be more expensive.
On the other hand, ABS systems mostly need tuning per chassis, and not ground-up reëngineering, so sane automakers buy the computer from Bosch, Continental, Denso, etc. instead of building their own that both can and needs over-the-air updates to fix massive failures that endanger occupants and bystanders.
|
# ? May 31, 2018 01:48 |
|
Subjunctive posted: I don’t think even NASA uses actual proofs. It’s an unreasonable standard.
The hardware that drives my car had to get a license, has to maintain that license, and get things like vision checked. That license can also be revoked. Software should, at a bare minimum, be held to the same standard.
|
# ? May 31, 2018 01:53 |
|
blugu64 posted: The hardware that drives my car had to get a license, has to maintain that license, and get things like vision checked. That license can also be revoked. Software should, at a bare minimum, be held to the same standard.
By hardware I mean the physical elements of the car, in case that wasn't obvious.
|
# ? May 31, 2018 01:54 |
|
Subjunctive posted: By hardware I mean the physical elements of the car, in case that weren't obvious.
Your autopilot isn't replacing power steering, it's replacing drivers.
|
# ? May 31, 2018 01:56 |
|
blugu64 posted: Your autopilot isn't replacing power steering, it's replacing drivers.
Sure, but why have different robustness requirements for software than for hardware?
|
# ? May 31, 2018 01:57 |
|
blugu64 posted: It's hard/it's expensive, are not acceptable responses for a commercial product that could, by definition, drive a SUV/greyhound bus/Honda through your front door.
I feel reasonably confident in saying that the certification process would add at least a couple thousand dollars to the cost of each vehicle. It's hugely expensive for even modestly complex systems, and onboard software is getting more complex all the time because it's one of the major remaining sources of differentiation. No company would get their poo poo certified voluntarily -- the costs of certification vastly outweigh the estimated (cost of failure * probability of failure). And the government sure as hell doesn't have the will to mandate that everyone use certified software.
Now, where I do think we're likely to see some kind of certification process is in self-driving vehicles. But traditional certification is completely inappropriate for that domain; the inputs are impossible to quantify and the ML-based software doesn't really have what we'd normally think of as execution paths. I would expect something like crash testing where the car is instead expected to navigate a set of controlled environments, but that seems awfully easy to defeat with "recognize I'm in a test and perform these custom behaviors instead of what I'd do in the real world" cheats.
|
# ? May 31, 2018 02:01 |
|
Subjunctive posted: Sure, but why have different robustness requirements for software than for hardware?
Because if your accelerator breaks and you hurtle into a granny crossing the road, you have a tragedy. If you're speeding and do the same, you have vehicular manslaughter. It's okay if we disagree, I just think that the bit making decisions needs to be scrutinized, and not by the same folks who have a profit motive to get it out the door.
|
# ? May 31, 2018 02:09 |
|
Tyrgle posted: Car computer systems all run on one bus and largely on the same processors. That includes the infotainment system.
This may have been true a few years ago, but in the past couple years there's definitely been a trend towards split buses.
|
# ? May 31, 2018 02:11 |
|
Tyrgle posted: Car computer systems all run on one bus and largely on the same processors. That includes the infotainment system.
That’s not really true, there are now separate buses like FlexRay, automotive Ethernet, etc.
|
# ? May 31, 2018 02:11 |
|
TooMuchAbstraction posted: Tyrgle isn't wrong. It'd be possible to build in separate, airgapped computer systems, but it'd be more expensive.
LOL Sonny, I remember back when we called those "analog discretes". I am reminded of a certain airplane which, when you want to turn on a light, the switch sends a signal over the databus to a data concentrator, which then tells a power distribution module to supply a voltage for the lightbulb... which is 2 inches from the switch.
I just find it really amusing that "I suppose it would be possible to separate lighting control from braking using air gapped computers, but it would be cost prohibitive" is the normal way of thinking now. Like, why not use a switch?
*black bag is thrown over my head and arms ziptied behind my back* "This one's defective, send him back for reprogramming."
Finger Prince fucked around with this message at 04:16 on May 31, 2018 |
# ? May 31, 2018 04:12 |
|
Exercise for the reader:
1. Capture CAN traffic from a vehicle bus.
2. Replay that traffic on the bus.
3. See how many vehicles actually behave in a safe manner in that scenario instead of going absolutely batshit.
Spoiler: it’s not a very comfortably high number.
|
# ? May 31, 2018 04:14 |
|
https://www.youtube.com/watch?v=MK0SrxBC1xs
|
# ? May 31, 2018 04:16 |
|
drgitlin posted: That’s not really true, there are now separate buses like flex ray, automotive Ethernet, etc.
The idiot architecture is having a single gateway where the disparate buses meet and aren’t well separated. FCA hosed this up and got owned and fueled the media with the Jeep Cherokee attack. I’d wager you’d find CAN, LIN and MOST in most vehicles today. Automotive Ethernet is making more inroads now (buy Broadcom stock), delivering speed over a low number of wires and good EMC performance by bandwidth-limited signaling.
|
# ? May 31, 2018 04:18 |
|
Cocoa Crispies posted:It's entirely possible that OTA updates or some other process reset the brake failure, and that nobody's both had a bad enough couple drives where they had to panic stop twice, had it gently caress up the second time, and made the connection that it's defective software being shipped on their new $40k electric car made by daddy Elon himself.
|
# ? May 31, 2018 06:08 |
|
https://www.youtube.com/watch?v=kyeg5p4aHvc Tesla 3 on the dyno
|
# ? May 31, 2018 06:31 |
|
Finger Prince posted:
It seems simple on the face of it, but you quickly go down the rabbit hole.
Oh, wait, lighting needs to be keyed off the headlight switch so the displays dim and go into night mode properly.
Oh, the car has automatic headlights, so the headlight switch doesn't actually control much normally; it's instead keyed off the car's light sensor feeding into a control unit for the exterior lighting.
Oh, the headlights have adaptive high beams, so the exterior lighting control unit needs access to speed data and steering input.
Oh, the car can also put on the hazards automatically in emergency braking situations, so now the exterior lighting control module needs access to brake controller data that detects the panic stop.
Oh, the car has automatic emergency stopping, so the panic stop may be initiated automatically, both cutting engine power and applying the brakes.
There, I just drew a straight line from the map light in the car to being able to actuate the brake system and manipulate the throttle. Add in lane keeping tech and automatic parking tech and you now have a vector to completely remote control the car due to an entry point elsewhere.
Yeah, these systems can and should be defined with logical security partitioning and authenticated limited API access, but every system on a car is intertwined and can't be fully airgapped without limiting functionality or duplicating control inputs (like having a dedicated sensor that detects exterior light levels to adjust interior lighting rather than keying off headlight state).
bull3964 fucked around with this message at 06:38 on May 31, 2018 |
# ? May 31, 2018 06:36 |
|
bull3964 posted: It seems simple on the face of it, but you quickly go down the rabbit hole.
From a safety point of view, with cars the counter-argument (besides cost) to implementing some kind of Byzantine fault tolerant Space Shuttle computer system is that these systems all generally have some kind of mechanical backup. That is, if the car's computer goes skynet and tries to kill you, at least in principle you can throw it into neutral and still depend on your brakes mostly working even if the ABS functions are shot. In the more likely scenario where the computer just bricks itself, you're probably just going to end up on the side of the road just fine.
This whole argument really falls apart, though, when you're talking about level 4/5 autonomy stuff where the car is expected to drive itself. If the car's computer goes skynet, which backup computer is going to heroically seize the wheel, slam it into neutral, and bring it to a stop within its lane? I've heard that GM at least is designing redundant hardware for this reason, but they seem to be an outlier.
|
# ? May 31, 2018 07:28 |
|
Tyrgle posted: This whole argument really falls apart, though, when you're talking about level 4/5 autonomy stuff where the car is expected to drive itself. If the car's computer goes skynet, which backup computer is going to heroically seize the wheel, slam it into neutral, and bring it to a stop within its lane? I've heard that GM at least is designing redundant hardware for this reason, but they seem to be an outlier.
This is a very good point. If you take an airliner’s flight computer (defined as the thing running the control laws / translating pilot inputs into commands to actuators) as an example, it is capable of incredible autonomy in certain cases. It can perform automatic landings under incredibly austere conditions and that capability grew out of the late 1960s if I recall correctly. Human supervision is 100% required but modern systems can have direct control of the flight surfaces and other systems (thrust reversers, etc.).
What I’m getting at here is that this system is redundant, usually in triplicate fashion with associated voting logic, to help achieve a desired reliability and safety level. I don’t know what regulations will look like for a passenger car that has L4/L5 autonomy, but redundancy requirements on sensors (airplanes have multiple pitot tubes) and compute would drive cost and complexity through the roof for a mass-market item. We don’t have redundant speedometers in our cars (ABS equipped we’d have 3 or 4 wheel speed sensors; I don’t know what most clusters do with that data), but that isn’t really required right now because we expect the human behind the wheel to exercise good judgment, and we take advantage of our human perception system to act as a backup (estimate / go with the flow of traffic, which is arguably the way to do it anyways). If I get a control loop that uses speed as a critical variable, I’d want some level of redundancy to ensure that I can start to react to a faulted sensor, loss of data or implausible value.
One argument is that computer vision will get so good (lol) that it simply does what a human does in a fallback scenario, and that is visually estimate speed. That’s a capability that needs to be verified and validated, which costs time and money. Or we drop in enough sensors that we feel good we can, in a single-fault scenario, reliably determine the speed of the vehicle to an acceptable degree of accuracy, in all conditions (even with wheels slipping and spinning).
|
# ? May 31, 2018 07:59 |
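An added example of the "triplicate with voting logic" idea from the post above, written for this thread and not taken from any post or any automaker's code: a 2-out-of-3 voter over a triplicated speed signal that first discards stale, self-reported-invalid or physically implausible channels, then tells the control loop whether the value can be trusted. The tolerance, staleness timeout and plausibility limit are assumptions chosen for illustration.

```c
/* Added example, not from any post in this thread or from any vehicle's
 * real firmware. Constants below are illustrative assumptions. */
#include <stdbool.h>
#include <stdint.h>

#define N_SENSORS      3
#define AGREE_TOL_KPH  2.0    /* channels within this spread count as agreeing */
#define STALE_MS       100u   /* no sample for this long -> channel is faulted  */
#define MAX_PLAUS_KPH  300.0  /* beyond this the value is physically implausible */

typedef struct {
    double   kph;       /* last reported speed                 */
    uint32_t stamp_ms;  /* timestamp of that report            */
    bool     valid;     /* sensor's own self-test / CRC flag   */
} speed_sample_t;

typedef enum {
    VOTE_OK,        /* two or more usable channels agree           */
    VOTE_DEGRADED,  /* one usable channel, or usable ones disagree */
    VOTE_FAIL       /* no usable channel at all                    */
} vote_status_t;

/* A channel is usable only if it is fresh, self-reported valid and plausible.
 * This is where a faulted sensor, loss of data or implausible value is caught. */
static bool channel_usable(const speed_sample_t *s, uint32_t now_ms)
{
    if (!s->valid)                              return false;
    if (now_ms - s->stamp_ms > STALE_MS)        return false;  /* stale / lost */
    if (s->kph < 0.0 || s->kph > MAX_PLAUS_KPH) return false;  /* implausible */
    return true;
}

/* Vote over the three channels. On anything but VOTE_FAIL, *out receives the
 * median of the usable channels; the status tells the control loop whether it
 * may trust that value or must start its fallback (limp mode, driver warning). */
vote_status_t vote_speed(const speed_sample_t s[N_SENSORS], uint32_t now_ms, double *out)
{
    double usable[N_SENSORS];
    int n = 0;
    for (int i = 0; i < N_SENSORS; i++)
        if (channel_usable(&s[i], now_ms))
            usable[n++] = s[i].kph;
    if (n == 0)
        return VOTE_FAIL;

    /* insertion sort: n is at most 3 */
    for (int i = 1; i < n; i++) {
        double v = usable[i];
        int j = i - 1;
        while (j >= 0 && usable[j] > v) { usable[j + 1] = usable[j]; j--; }
        usable[j + 1] = v;
    }
    *out = usable[n / 2];   /* median: a single runaway channel never wins */
    if (n == 1)
        return VOTE_DEGRADED;

    /* count channels (the median itself included) within tolerance of it */
    int agree = 0;
    for (int i = 0; i < n; i++) {
        double d = usable[i] - *out;
        if (d < 0.0) d = -d;
        if (d <= AGREE_TOL_KPH) agree++;
    }
    return agree >= 2 ? VOTE_OK : VOTE_DEGRADED;
}
```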
|
blugu64 posted: The hardware that drives my car had to get a license, has to maintain that license, and get things like vision checked. That license can also be revoked. Software should, at a bare minimum, be held to the same standard.
You've been on the road right? We're all loving doomed if mechanics and software are held to the garbage standard that people are to get licenses. A pulse and enough arms and hands to touch all the controls and away you go.
|
# ? May 31, 2018 08:27 |
|
Analog EVs are the future!
|
# ? May 31, 2018 10:27 |
|
movax posted: If you take an airliner’s flight computer (defined as the thing running the control laws / translating pilot inputs into commands to actuators) as an example, it is capable of incredible autonomy in certain cases.
It isn't really that amazing. It relies on few inputs, it does fairly basic calculations, has very simple outputs and it makes no decisions. When it correctly detects errors, it just sounds a warning and gives up. When it fails to detect errors, it can kill everyone on board, as has happened multiple times. It completely ignores the traffic around it and it will happily fly into a mountain if you tell it to. All of this is ok because it is operated in a very controlled environment with rigorous external controls.
An autonomous car is the opposite. Complex calculations, constantly adapting to traffic around it and operated by a total moron who would not notice if a wheel was about to fall off. The risk scenarios are opposite as well. If the plane fails completely, hundreds of people are guaranteed to die. If the car fails, it can just flash its hazards and apply some brakes, the single idiot inside will probably be fine. So it doesn't need complex redundancies in order to soldier through a level 5 cross country with failing subsystems. If bird poop gets on the important camera, you will just have to wait for some autonomous breakdown bot to come wipe it off.
|
# ? May 31, 2018 10:43 |
|
Elephanthead posted: Analog EVs are the future!
You are probably joking, but I for one can't wait for EVs to become mainstream enough to be able to get cheap motors and batteries and do a classic car to EV conversion.
|
# ? May 31, 2018 11:35 |
|
Tyrgle posted: From a safety point of view, with cars the counter-argument (besides cost) to implementing some kind of byzantine fault tolerant Space Shuttle computer system is that these systems all generally have some kind of mechanical backup. That is, if the car's computer goes skynet and tries to kill you, at least in principle you can throw it into neutral and still depend on your brakes mostly working even if the ABS functions are shot. In the more likely scenario where the computer just bricks itself, you're probably just going to end up on the side of the road just fine.
Everyone is designing redundant hardware, and that’s been a recommendation in every version of the DoT AV guidance so far. WRT hacking, the long answer is wait for me to eventually write this goddamn automotive cybersecurity feature I’ve been interviewing people for over the last year or so. The short answer is that OEMs are taking this issue a lot more seriously than they used to, and there are a lot of different solutions which will work together, from firewalls and anomaly detection to trusted keys and so on.
|
# ? May 31, 2018 11:38 |
|
bull3964 posted: It seems simple on the face of it, but you quickly go down the rabbit hole.
Thank you for so eloquently making my point! Or, if you wanted to dim the lights, you could just roll a potentiometer (or digital friendly equivalent if you're using LEDs), and let the important computers do the important computer stuff.
Oh wait I've been reprogrammed. You could have that dial to send a signal over its own WiFi network to the assorted interior lighting control boards to adjust the lighting intensity! While you're at it, the dome light switch could be used to turn on the dome light using the same network! And since you've got an in car WiFi network, why not use some of that so you can watch hilarious YouTube compilations of autonomous vehicles crashing into things!
|
# ? May 31, 2018 11:49 |
|
drgitlin posted: That’s not really true, there are now separate buses like flex ray, automotive Ethernet, etc.
movax posted: The idiot architecture is having a single gateway where the disparate busses meet and aren’t well separated. FCA hosed this up and got owned and fueled the media with the Jeep Cherokee attack.
Fortunately my car is old enough that it has no built-in connectivity; all it's capable of doing is making a dialup modem call via a connected Bluetooth phone to send vehicle diagnostic reports to Ford (who recently discontinued that service so it doesn't even work anymore).
wolrah fucked around with this message at 16:21 on May 31, 2018 |
# ? May 31, 2018 16:19 |
|
Given all their faults, Tesla's OTA architecture for the S/X is pretty good and secure. I wonder if they went with the same for the 3.
There are 3 main modules: Dash computer, MCU (big tablet), and the Gateway. There are multiple CAN buses in the car, along with an Ethernet network between the MCU, Dash, and Gateway. Neither the MCU nor the Dash has direct access to the CAN buses. Instead they access them using a limited set of commands via the Gateway module. (And I guess there is now an Autopilot computer that is also on the Ethernet network in newer cars.)
Updates and data to/from the Tesla mothership are carried via an OpenVPN tunnel secured and verified with the car's own key. This connection runs on the MCU. OTA updates are received and verified by the MCU and then actually performed by the Gateway.
More details in this talk: https://www.youtube.com/watch?v=KX_0c9R4Fng
|
# ? May 31, 2018 17:01 |
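An added example of the gateway principle the post above (and movax's "single gateway where the buses meet" post earlier) describe, written for this thread and not taken from any post or from Tesla's own gateway code: a default-deny domain gateway where the cabin side never touches a CAN bus directly, only an enumerated set of frames crosses in each direction, and the gateway validates the payload of the few commands it does accept. The domain names, CAN IDs and policy table are invented for illustration.

```c
/* Added example, not from any post in this thread or from any OEM's code.
 * Domains, CAN IDs and the policy table are constructed for illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

typedef enum { DOM_INFOTAINMENT, DOM_CHASSIS, DOM_POWERTRAIN } domain_t;

typedef struct { uint32_t can_id; uint8_t dlc; uint8_t data[8]; } can_frame_t;

typedef struct {
    domain_t from;
    domain_t to;
    uint32_t can_id;
    uint8_t  dlc;      /* exact payload length the policy expects */
} gw_rule_t;

/* Constructed policy: status flows outward to the cabin read-only, and the
 * cabin may send exactly two commands. Anything else is dropped. */
static const gw_rule_t POLICY[] = {
    { DOM_CHASSIS,      DOM_INFOTAINMENT, 0x1A0, 8 },  /* vehicle speed broadcast */
    { DOM_POWERTRAIN,   DOM_INFOTAINMENT, 0x2B0, 8 },  /* battery state broadcast */
    { DOM_INFOTAINMENT, DOM_CHASSIS,      0x3C1, 1 },  /* cabin light dim level   */
    { DOM_INFOTAINMENT, DOM_CHASSIS,      0x3C2, 1 },  /* parking brake request   */
};

typedef struct { uint32_t forwarded; uint32_t dropped; } gw_stats_t;

/* Semantic check on cabin-originated commands: the gateway validates the
 * payload so a confused or compromised cabin computer cannot push
 * out-of-range values into the chassis domain. */
static bool command_payload_ok(const can_frame_t *f)
{
    switch (f->can_id) {
    case 0x3C1: return f->data[0] <= 100;   /* percent                */
    case 0x3C2: return f->data[0] <= 1;     /* 0 = release, 1 = apply */
    default:    return true;                /* broadcasts carry no command body */
    }
}

/* Returns true if the frame may cross from `from` to `to`. Default deny:
 * no rule, wrong direction, wrong length or bad payload -> dropped and counted. */
bool gateway_forward(const can_frame_t *f, domain_t from, domain_t to, gw_stats_t *st)
{
    for (size_t i = 0; i < sizeof POLICY / sizeof POLICY[0]; i++) {
        const gw_rule_t *r = &POLICY[i];
        if (r->from != from || r->to != to || r->can_id != f->can_id)
            continue;
        if (f->dlc == r->dlc && command_payload_ok(f)) {
            st->forwarded++;
            return true;
        }
        break;  /* rule matched but the frame is malformed: drop it */
    }
    st->dropped++;
    return false;
}
```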
|
MrOnBicycle posted: You are probably joking, but I for one can't wait for EVs to become mainstream enough to be able to get cheap motors and batteries and do a classic car to EV conversion.
I haven't looked into it since you can buy a used Volt or Leaf for $10k, but I have to imagine the conversion parts are better than they were 8 years ago. The controllers were the bad part you just could not find.
|
# ? May 31, 2018 17:45 |
|
movax posted: This is a very good point. If you take an airliner’s flight computer (defined as the thing running the control laws / translating pilot inputs into commands to actuators) as an example, it is capable of incredible autonomy in certain cases. It can perform automatic landings under incredibly austere conditions and that capability grew out of the late 1960s if I recall correctly. Human supervision is 100% required but modern systems can have direct control of the flight surfaces and other systems (thrust reversers, etc.).
To your point about fault-tolerant redundant systems: despite most modern airliners having fly-by-wire controls with every input normally mediated through the flight computer, they all have three separate hydraulic systems that operate the flight surfaces. Two main ones that are driven by pumps, either of which can fly the plane normally on its own and which can be seamlessly swapped back and forth in flight, and a third emergency one that is directly connected from the flight controls to the surfaces with no intermediaries. The third circuit's lines are run through a different part of the plane from the first two to reduce the risk of disabling all three systems at once. It takes a heroic effort to steer the plane with muscle power alone (sometimes there is a ram-air turbine booster), but it's there to ensure that even if everything else totally shits the bed you can still point the aircraft generally in the right direction.
Of course as Ola points out a car is not quite in the same ballpark as an airliner, and even if you suddenly lost all control at freeway speeds you would probably just run off the road and skid/roll to a stop and there's a good chance you'd survive. But given the, uh, level of polish we've seen on Tesla software to this point, what sort of backup systems have they got?
|
# ? May 31, 2018 17:53 |
|
Your backup system is the brakes. I can't wait until fly by wire brakes.
|
# ? May 31, 2018 18:09 |
|
Elephanthead posted: Your backup system is the brakes. I can't wait until fly by wire brakes.
You should watch the first like 15 seconds of
|
# ? May 31, 2018 18:21 |
|
Elephanthead posted: Your backup system is the brakes. I can't wait until fly by wire brakes.
In this thread we have just established that the Model 3's brakes are at least in part software-controlled and that they can be updated over the air. What happens if a borked update or some OTA malware causes the ABS valve to lock in the open position?
|
# ? May 31, 2018 18:29 |
|
Sagebrush posted: What happens if a borked update or some OTA malware causes the ABS valve to lock in the open position?
A smaller recall than VW’s. http://www.thedrive.com/news/12186/volkswagen-recalls-766000-cars-globally-for-brake-issue Which was also resolved by a software update.
|
# ? May 31, 2018 18:31 |
|
Is the e-brake in a model 3 in a menu on the touchscreen? lol
|
# ? May 31, 2018 18:34 |
|
MrOnBicycle posted:You are probably joking, but I for one can't wait for EVs to become mainstream enough to be able to get cheap motors and batteries and do a classic car to EV conversion.
|
# ? May 31, 2018 18:44 |
|
Powershift posted: Is the e-brake in a model 3 in a menu on the touchscreen? lol
Yep, lots of cars have electric parking brakes now (love 2 have another actuator whirring away somewhere in the back) but I think the Model 3 is the first one where it's controlled through the screen instead of a button.
|
# ? May 31, 2018 18:51 |
|
The Model S has it there as well. It comes on when you put it in P, but you can park on a hill in N with the touch screen e-brake, which people used for camper mode before "keep climate on" was introduced. (Doesn't feel like I'm talking about a car)
|
# ? May 31, 2018 18:54 |
|
Sagebrush posted: Yep
If it’s like the S, the parking brake is automatically engaged when you put the car in Park.
|
# ? May 31, 2018 19:12 |