Any American owners of Toyota Prius out there?

[chrismb]

He told me that it was technically possible to make a diagnostic system so complex and thorough that it would be more circuits than the operating machine itself.

I can confirm this. We have had clients with diagnostic and prognostic system so complex that it is the cause of the systems poor reliability, whilst without it it would have all worked perfectly!

"2001: Space Odyssey" anyone??

[Does a system "fail" when a prognositc indicator within it predicts a system failure will occur but it doesn't? It is the paradox of 2001: any system with a prognositc indicator has failed at the moment it predicts a failure, so how does such a system avoid spontaneously predicting a failure?]

Even with Apollo 13, they had triple redundant systems report failure states that didn't exist or could never happen.

I have been having a dialogue with the CAA recently on a similar matter - the prospect of a dual engine failure is considered so unlikely that in many type conversions it is not even trained for. So why, I ask, is it that most of the critical accidents we hear about in the media related to double engine failures!!

My analogy is that it is not worth bothering to buy a lottery ticket, so unlikely is the chance of winning the jackpot - yet week-after-week people do win the jackpot!

[Tom Ligon]

Anybody remember Eastern Airlines Flight 855, a Lockheed L-1011 on a flight from Miami to the Bahamas?

They suffered oil pressure losses on all three engines on this very short hop, and struggled back to Miami on one engine at a time. There is a writeup on it here:

http://everything2.com/user/archiewood/ ... one+flight

The statistics say this should not happen in a thousand years, but in theory, theory and practice are the same. In practice they aren't. In practice, if you screw up the same maintenance procedure on all three engines, all three engines will inevitably and predictably suffer the same problem. In this case oil loss where a seal was not properly installed.

[Maui]

An article from today on the subject

[Maui]

(the driver of the recent runaway Prius claims he was afraid it would flip if it did that-- I think there's a 50% chance this guy is full of it and is trying to take advantage of the situation)

Looks like I may have been right: suspicious guy

[MSimon]

An article from today on the subject

I especially liked the break by wire feature.

Wait. Did I spell that right?

[DeltaV]

If I'm not mistaken, it's certain fighter jets that can pull 10 g, not helicopters. Blade bending at 10 g in a climb would break the blades. In the other direction the airframe would get hit. Some jets do currently have automatic "blacked-out pilot" mode, but I don't think that's migrated into helos yet.

[Edit] You are right about the "request to the computer" part... the pilot is sending requests to the flight software, not directly commanding the control surfaces.

[chrismb]

Helicopters are designed to pull a (up to) 22g manoeuvre.....


......it's called 'crash-landing' and the 22g is the degree of deceleration of the airframe below which it is to be survivable by the crew.

It is a manoeuvre a helicopter can only do once, for obvious reasons.

I am not sure what the maximum [maximum rate manoeuvre] is for a helicopter, but I imagine it must be limited to around the 2.5g to 3g range for aerodynamic reasons, rather than mechanical ones. The tips of the rotors will be taking a very odd angle of attack if they are accelerating (vertically) too fast.

It is possible to roll a helicopter, fully inverted, by maintaining constant >1g [relative vertical] acceleration during the manoeuvre. If you drop <0g then, obviously, the rotor disk risks collapse.

[MSimon]

I especially liked the break by wire feature.

Wait. Did I spell that right?

Certain US military helicopters are fly by wire , it's a good thing since the engines and airframe can pull 10+ G forces in certain maneuvers. Obviously that would black out the pilot and crash the thing if it was on full manual control. Hence the stick sends a request to the computer to perform actions within a certain performance envelope.

Join the crew!
http://www.avweb.com/avwebflash/news/Si ... 692-1.html

I'm going to go out on a limb and say that the auto guys do not do as much design and testing of their fly by wire as the military and aircraft industries do.

Now if the auto guys came in under FAA regulations....

[Tom Ligon]

The question is, does testing address all the modes of failure that can be encountered in real life?

Here is an example of an Engine Control Unit (ECU) intended for pretty much all markets. The page lists the tests and standards it meets. http://www.rockwellcollins.com/athena/p ... andard.pdf

From having done some EMI tests on mil-spec and aircraft equipment, I can say they blast these things with moderately intense RF over a range from audio frequencies to around 18 GHz, but it is unmodulated. Signals are applied both free-radiated and conducted along the power leads. Cable length and shielding are spelled out and carefully controlled.

What of a real-world installation where wear and tear or repairs have compromised cable shielding or an enclosure shield? Now expose this to an environment of modulated signals carrying digital information. How could you design a test program that anticipated every mode of failure?

A non-electronic example of how tests can miss a problem comes from my own product test background. We received a food processor that had injured a user when it came on with the lid removed, something the interlock should have prevented. I spent several days playing with the thing. I was frankly impressed with how well-built it was and how good the interlock design proved to be. It could be deliberately overridden, but it seemed to work repeatably. In fact, I was so impressed by the quality I bought one, and still have it.

Finally I realized it had a little drag, and the drag came in to play if a newbie user did not understand how the interlock worked would fight with it. If you lifted the lid, then turned to remove it, the drag left the interlock half-cocked. If you subsequently pushed down and turned putting it back on, you set the interlock to enable the machine without capturing the lid. The lid could be removed with the machine still enabled.

Experienced testers could test this thing a million times and never get a failure because they knew how the thing was supposed to work, and did not fight it. They turn and then lift. Only a neophyte will lift, then turn.

Test programs are done by people who know how the machine works. Only when you put it in the hands of the general public will you find the sneaky modes of failure. 8 million drivers will come up with something, no matter how good the product is. Like repeatedly and rapidly hitting the resume button to adjust the speed up, the mode identified by Wolzniac in a link above.

[chrismb]

From having done some EMI tests on mil-spec and aircraft equipment, I can say they blast these things with moderately intense RF over a range from audio frequencies to around 18 GHz, but it is unmodulated.

This is work I get up to. Just for info: There are all sorts of modulations possible, the usual aerospace tests are either carrier wave with a square wave AM modulation, or a pulse modulation. I can't even recall the last aerospace test we did that was just CW.

Our kit is calibrated up to 18GHz but some tests call for up to 40GHz and that tends to get subcontracted, and is mostly spot frequencies (radar, &c.). We do 'HIRF', over 3500kV/m (that is very high(!)) and also lightning strike tests, which are like conducted susceptibility but are defined and damped high frequency sinusoids of various characteristics. I am lead to believe we are only one of two test houses in the UK that can do both the HIRF and lighning tests, partly because you can't buy test gear for this off the shelf and we've gone to the effort of making our own.

[chrismb]

I'm going to go out on a limb and say that the auto guys do not do as much design and testing of their fly by wire as the military and aircraft industries do.

I'm not sure that automatically follows, and it is *certainly* the case that aerospace test a lot fewer samples and, thus, it can be argued that their testing doesn't have the statistically significant coverage of automotive.

I would say that the reality is that automotive systems are much more reliable than aerospace, but it doesn't look like that for, maybe, four particular reasons; i) automotive systems don't have redundancy, excepting for dangerous single point failure modes (of which this potentially appears to be a candidate) the SIL levels are probably much the same for actual modules of both, but you are multiplying event rates together with aerospace redundancy, ii) an aeroplane gets inspected after every trip and maintenance is very high, whereas the majority of a car will never even be looked at for its whole life unless it goes wrong, iii) a pilot is trained to recognise and report irregularities whereas the majority of car drivers appear to have no mechanical sympathy at all, iv) when you've got millions of units operating, then you will expect to see examples where failure rates are in the millions-to-one chance.

[Tom Ligon]

The question is also if they do EMI/EMC testing while simultaneously doing temperature and humidity and vibration with fungus growth and carry it out for 100 k miles or more.

Will they know by any testing other than real-world that after 20 k miles the insulation and shielding break down on the firewall cable to the ECU, and that a ground breaks on a flex-ribbon connector (which I profoundly distrust but manufacturers love), and that afterwards if the consumer places a 5-G MyPhone on the dash just below the satellite radio antenna embedded in the windshield (a new option), and the phone rings to a user-installed ringtone of "Ernie" singing "Rubber Ducky", that the ECU receives a signal it interprets as a command to drag race, essentially calling up an old lab test mode of the engine?

Eight million drivers will find something over the 20 year life of the car.