Risks
You should be questioning if this device is safe to use.
Last updated
Here is what you need to know.
This device controls the steering of the vehicle. This is intrinsically more dangerous than manual control. The force is limited to prevent the vehicle from deviating from a standard lane (3.7 meters) in less than 1.7 seconds when driving straight. This force is small enough to be easily overcome by grabbing the steering wheel. However, if the driver is distracted, a command from the controlling device can lead to serious injury or death if not corrected quickly. This is true for all LKAS systems. If you are a person who becomes complacent and can be distracted easily, then you should not use this device!
Question: Can I lose power steering when using this device?
Answer: Yes! The power steering can be disabled at any time! You must pay attention at all times! You must also have your hands on the wheel when making turns in traffic! This is true for all lane-centering systems.
Question: Can the steering wheel over-power me if something goes wrong?
Answer: Simply put, no. First, the software reads the driver input torque and then applies only a limited offset to that input. Second, if the sensor input or output peripheral malfunctions, the output is instantly invalidated. This is accomplished through:
Redundant torque sensors.
Master arbitration of all signals by the OEM EPS.
Redundant MCUs and ancillary hardware rated for the application.
Digital sensor protocol designed for the application.
Torque limits.
With these 5 items, you can drive assured that you can always take control.
However, in this crazy world, anything can happen. I will discuss some hypothetical situations that would need to happen in order for the driver to lose control of the steering. Keep in mind that these situations would apply to the OEM EPS even without using the TI2.
All input and/or output peripherals fail on all 4 MCUs at the same time but continue to output valid signals. There is no way to detect this and this could hypothetically happen to any OEM EPS system at any time.
A bug in the software occurs on all 4 MCUs at the same time but continues to output valid signals. Again, this could hypothetically happen to any EPS system at any time. This is prevented by executing every line of code in different scenarios during development.
There are other Torque Interceptors that have massively overlooked safety. Take a look at this video:
You can see the driver reaching over to engage the assistance software, and it immediately ignores driver input and causes an accident. The torque interceptor used in that video is likely similar to this: the implementation uses the ADCs to read the driver torque, calculates a torque offset, and then applies the torque using the DAC. Such an implementation is extremely likely to fail with dangerous results if the failure modes are not accounted for. That implementation is entirely different from the TI2. I will discuss the possible causes of this situation.
The most likely reason the driver torque was ignored is that the software simply did not check the driver torque and another bug in the software decided to apply a left turn. But, to make things interesting, let's assume the software was checking the driver input. Another cause could have been an input-output peripheral failure. If the ADC peripheral that reads the driver-torque fails, all the channels of the ADC can fail simultaneously. When a DAC fails it can get stuck at any voltage. This would wreak havoc on hastily written software with inadequate hardware. This can easily be detected by doing sanity checks on the input and output which would switch a relay and ground the outputs during a failure. In summary, here is a list of the possible causes discussed as well as other causes:
Input/output peripheral failure and lack of redundancy.
No input-output sanity checks.
No output torque limits.
No fail-safe strategy.
The design is not rated for the application.
Unexpected/Improper code execution.
MCU freezes and the watchdog timer was not enabled.
Random bit flips. (No ECC).
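To make the checks described above concrete, here is an added example (not TI2 firmware or any comma.ai code) of a single control-loop step that combines redundant-sensor agreement, input range checks, a DAC readback check for a stuck output, a hard offset limit, and a relay fail-safe. All thresholds, units and names are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdlib.h>

/* Illustrative thresholds (assumed, not TI2 values). Raw units are ADC/DAC counts. */
#define SENSOR_MIN       -3000   /* plausible range of a torque sensor reading */
#define SENSOR_MAX        3000
#define SENSOR_MISMATCH    150   /* max allowed disagreement between redundant sensors */
#define OFFSET_LIMIT       400   /* hard cap on the assist offset added to driver torque */
#define DAC_TOLERANCE       40   /* readback vs. commanded tolerance (stuck-DAC detection) */

typedef struct {
    int32_t driver_torque_a;   /* redundant torque sensor A (raw ADC) */
    int32_t driver_torque_b;   /* redundant torque sensor B (raw ADC) */
    int32_t requested_offset;  /* assist offset requested by the lane-keeping logic */
    int32_t dac_readback;      /* measured DAC output from the previous cycle */
    int32_t last_command;      /* value commanded to the DAC in the previous cycle */
} torque_inputs_t;

typedef struct {
    bool    relay_safe;  /* true: relay switched and interceptor outputs grounded */
    int32_t output;      /* value sent to the DAC when relay_safe is false */
} torque_cmd_t;

static int32_t clamp(int32_t v, int32_t lo, int32_t hi) { return v < lo ? lo : (v > hi ? hi : v); }
static bool in_range(int32_t v) { return v >= SENSOR_MIN && v <= SENSOR_MAX; }

/* One control-loop step. Any failed sanity check returns the fail-safe command. */
torque_cmd_t torque_step(const torque_inputs_t *in)
{
    torque_cmd_t cmd = { .relay_safe = true, .output = 0 };

    /* 1. Both redundant sensors must read a plausible value (catches a failed/stuck ADC). */
    if (!in_range(in->driver_torque_a) || !in_range(in->driver_torque_b)) return cmd;
    /* 2. Redundant sensors must agree; a disagreement means one channel is wrong. */
    if (abs(in->driver_torque_a - in->driver_torque_b) > SENSOR_MISMATCH) return cmd;
    /* 3. Output readback must track the last command; a DAC stuck at a voltage fails this. */
    if (abs(in->dac_readback - in->last_command) > DAC_TOLERANCE) return cmd;

    /* 4. Driver torque is the base signal; the assist is only a bounded offset on top of it. */
    int32_t driver = (in->driver_torque_a + in->driver_torque_b) / 2;
    int32_t offset = clamp(in->requested_offset, -OFFSET_LIMIT, OFFSET_LIMIT);

    cmd.relay_safe = false;
    cmd.output = clamp(driver + offset, SENSOR_MIN, SENSOR_MAX);
    return cmd;
}
```

The watchdog and ECC items in the list above are hardware features outside this loop; the loop only shows the software-side checks.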
The above video shows there are cases in the wild where design oversights and laziness have led to the steering wheel overpowering the driver. This is why comma.ai's stance is to err on the side of caution. See the comma.ai post here on the subject. The TI2 and the original TI have been designed to account for edge failure cases to ensure they will fail safely.