2010 throttle override safety measures

What's wrong with a key, power switch, or shifter? I think all cars have at least one of these already installed.

Seriously, the root of these problems is that drivers are no longer required to be competent. I'm all for making things idiot proof, but in the world of user interface design we say: "You can't idiot proof things, because idiots are too clever." Or, in another famous line:"You can't fix stupid."

Tom

 

I confess, what I said was based on what I had read in a magazine years ago and a TV documentary I watched more recently. In my own defense I will say that I am surprised at how much bad information there is about this accident.

I believe your are right, in this article "The Captain's version" states he was flying the aircraft manually which I believe you refered to as "Direct Law", which as you pointed out he would have had to do. He apparently thought he had a malfunction of the "fly by wire throttles" but it was probably the very slow throttle response of the engines and the fact he was quite a bit lower than he thought he was.

AirDisaster.Com: Investigations: Air France 296

So now I'm wondering why, if the cause was pilot error, they switched or tampered with the flight data recorders? or did they? and who did it? what a interesting mystery.

 

That is the mystery. When you examine the video from the airshow, clearly the Airbus was very low and VERY slow. In Normal Law, there is no way in hell the FAC's would have let the pilot perform such a maneuver

Any modern high bypass turbofan with FADEC (Full Authority Digital Engine Control), which means any modern high bypass turbofan made since the mid 1980's, is equipped so in a panic, when the pilot rams the throttles forward, the system automatically engages TOGA

However, at the altitude and speed that Airbus was lazily flying along at, there was no way for those high bypass turbofans to spin up in time.

For those who died, it was a tragic crash. One direct result of that crash is that no civilian airliner has ever been put into a High Alpha climb at an airshow

Its easy to blame the computer, even when the computer is hinting that something is seriously amiss. Like that Air Transat Airbus A330 that ran out of fuel over the Atlantic and fortunately was able to glide to the Azores for an emergency landing

The Air Transat Flame-out (with Photos)

Not the first time a flight crew became preoccupied with a relatively minor problem, and let themselves run out of fuel. This incident was a combination of improper engine change procedures, which allowed the fuel delivery pipe to rub and develop a hole.

Amazing the aircraft didn't catch fire in flight. All that jet fuel pouring on the hot engine. The reason why the engine oil temp went down and the oil pressure went sky high was because the oil was cooled so much, and that was what preoccupied the flight crew, not the fuel loss until it was far too late

Even then, rather than shut down the engine and isolate the fuel, they opened the crossfeed and dumped the rest of the fuel out the broken pipe. They refused to believe the fuel was disappearing that quickly, calling it a "computer glitch."

 

It's called a watchdog system and I'm sure the Prius employs such a system to make sure the critical systems are working properly. (Fly-by-wire brakes, for instance.) The watchdog also probably handles the 3-second power button shutdown.

Also, remember the Prius cannot operate at all without its computers. So if they crash or freeze, the car will have no power. Steering will be non assisted and brakes will go to failsafe mode where the pedal operates the wheel cylinders directly. (Without assist)

 

Why can you not just put it in neutral ?

 

I have no info on how the Explorer systems work so I cannot answer your question.
As for runaway problems on a Prius (if they exist), an emergency stop system that is independent of the onboard computers is needed.
If problems occur within the computer system where false sensor readings command the car to do abnormal things then that computer system has to be overridden if control is to be regained. What if one of the problems tells the computer to ignore changes to sellecting neutral or a power off command? Now a disaster situation is presented to the driver.
We know that the Prius computer systems are faulty because of the severe braking episodes at low speed mainly while backing the car that have been noted by many drivers.
On my 2006 Prius I experienced the power turning itself off while I was backing the car. Finger trouble or computer trouble - who knows.
If manufacturers do not take action, I suspect at some future date governments will legislate for kill switches to be fitted to all computer controlled cars

 

I have not read the history of the crash but the fiddle with the flight recorders back up my analysis on seeing the crash on the local televion.
From visual assessment only, it appeared that the pilot flew the aircraft at a speed that put him on the back end of the drag curve. Once in this position, full engine power may not be enough to overcome the aircraft's drag. The only solution then is to lower the nose to reduce drag but if the aircraft is so low that there is not room do so means a crash will occur.
My credentials for making the above statement are my experience with aircraft performance during my career as a test pilot.

 

There is a risk associated with kill switches, or any other safety system. Before something like that is added, an assessment must be made as to whether it helps or hurts. Kill switches will be accidentally activated, which carries a risk. If the total damage from accidental kill switch activation is worse than the total damage from complete computer failures, we end up making a bigger problem. Things are not always as simple as they seem.

Tom

 

funny .

There are safety measures in cars that prevent systems not functioning. If you had "kill" switch in prius, you would probably end up crashing when you "kill" the computers.

On the other hand, Neutral is already here. Embrace it, love it. It is what you want your kill switch to be. After putting car in Neutral, you can safely slow down.

After killing your Prius, i very much doubt you could safely slow down.

I am not sure where are you reading things, but average car has major ECU's isolated from each other. There is no signle operating system like in your computer. And there are failsafes everywhere.

 

Whenever something is made "idiot proof" there will be someone out there building a better idiot.

When Skynet becomes self aware there will be no defense when it takes control of your car through Toyota's Safety Connect System.

If you can't put the car into neutral by holding the shifter in N for two seconds then you'll have to punch out using the ejector seat.

 

My interpretation of a kill switch for a motor vehicle is:
1. It should be easily accessable.
2. It should be difficult to activate accidently.
3. It should decelerate the engine by limiting fuel supply to that engine (reducing not cutting off entirely) - be it liquid, gas or electricity.
4. It should enable steering to be maintained by overriding the normal system.
5. It should enable the brakes to be applied by overriding the normal system.
6. It should be capable of being easily reset so that normal operations can continue.
If properly implemented, the vehicle would be driveable but limited in what it can do. Such a system would not be easy to engineer and would increase the cost of the vehicle.

 

Bob Wilson

 

The handgun is used to put the car out of its misery if the Triangle of Doom lights up

 

My FJ Cruiser also has electric assist brakes, and an electric throttle. Semi trucks with Heavy Duty electronically controlled motors, such as the Detroit Diesel 60 series, have used electric throttles for over a decade

A huge number of passenger cars, SUV's, pickup trucks, and semi trucks would have to be retrofitted with a Kill Switch if such an issue existed beyond statistical abnormalities

I used the Airbus fly-by-wire as one example. What happens in a much older "conventional" airliner in the event of a catastrophic failure? For example, airliners use 3 hydraulic systems to control the flight control surfaces, so if one fails, 2 others will still work

But what happens if a catastrophic event simultaneously destroys all 3 systems at once? Like if a turbofan has a hidden defect, a casting issue with a hard alpha inclusion, in the stage 1 fan rotor?

So the rotor hub fractures at cruise power setting, and the hub pieces and fan rotor violently tear out of the engine, tearing out all 3 hydraulic lines. Can't happen?

It already has

DCA89MA063

In the world of engineers, we like to think everything is perfect. Of course, it isn't. We have to make very clear, difficult choices, as to how "failsafe" we make things.

And, how much are you willing to pay to bring a system from three 9's to five 9's?

Again, there are many mysteries surrounding that crash. But under Normal Law, the pilot could not have put the aircraft into that position.

In a more conventional airliner, the GPWS wailer would have been going off "pull up! Pull up! Pull up!." Trying to put the airliner into such a maneuver the stick shaker and stick pusher would have been activated

In a T-tail aircraft, like a DC-9, if the stick pusher doesn't work, or is purposely dumped, such an airliner would them have had a Deep Stall, tail first

The crash of that Air Inter Airbus crash was different, the flight crew selected "f/s" instead of "fpa" on the autopilot, but they thought they had selected -3.5 flight path angle

Instead, they had selected 3,500 feet per second decent into the Mont Sainte-Odile region.

Air Inter Airbus crash at Mont Sainte-Odile near Strasbourg

That Airbus wasn't equipped with EGPWS, so most likely by the time the radar altimeter, configured for cruise, registered the steep decline in altitude Above Ground Level, it was far too late

The problem with crashes is that usually there isn't a single clear cause - well perhaps there was with that DC-10 crash at Sioux City. Crashes are usually a series of events that by themselves, are relatively harmless.

But put those chain of events together, and deadly things happen

 

à have heard of a Hercules transport aircraft having the elevator cable break thus losing elevator control.
Thankfully, the crew landed the aircraft using the elevator trim as well as engine control. Well done.
I had a episode in 1961 flying an Avon Sabre fighter aircraft - the quill shaft broke. The quill shaft drives the hydraulic pump and the electric generator. The ailerons and elevator on the Sabre were hydraulic, the rudder used cables and was mechanical.
There is an emergency hydraulic pump that is electrically driven getting its electrical supply from the battery. I notified my number two of my predicament and then turned off all electrical items that I could, including the radio. My number two got landing instructions and used hand signals to alert me to runway etc.
I flew the aircraft using engine power and the rudder thus minimising the need to use the hydraulic controls.
I landed the aircraft at an airfield that was not cleared for Sabre operations and managed to stop the aircraft before the end of the runway, even without hydraulic boost for the brakes. Fortunately the battery held up and had enough power to supply the hydraulic power needed to round out the aircraft for the landing.
All's well that ends well.

 

Is it true that to protect the engine and transmission from damage caused by this "abuse," the gear selector will not go into neutral above a certain speed or throttle position?

 

The 3 second button press to turn off the engine while moving is not intuitive. I'm glad I saw that online (although I may have thought of it from my personal experience turning off stuck PCs). I can imagine others would not think to hold the button down and that's why the San Diego family died in that crash in their loaner Lexus.
I can understand making it not too easy to turn off the engine accidentally, so then they should make it a 3 second hold to start and stop all the time so you are used to doing it and don't have to learn this new technique in an emergency

 

No. You can shift to N at any speed. Remember that the transmission is always connected in the Prius. Shifting to N does not change any gearing, it only cuts the field current to the MGs.

Tom

 

Since the steering is electric, does that mean you lose all steering control if you turn off the engine? Will the wheel lock as soon as the car is turned off since it doesn't have a specific steering wheel "Lock" position you can avoid like a mechanical key ignition?
Will the car go into Park automatically (like it normally does when stopped) if you hold the start button down for 3 seconds to kill the engine while moving?

 

My Prius has no steering wheel lock. I can still turn the wheel and front tires while the car is 'Off' and parked, and the key fob is at the far end of the house, beyond its remote range. This model uses different methods to impede theft when the key is absent.

The 'electric' part of the electric steering is a power assist, just like the hydraulic assist of other cars. Killing power just makes the steering much stiffer, without disabling it.