Are consumer-grade handset designs safe enough to control mission-critical systems? Have we thought through all the potential boobytraps from using a consumer smartphone to, say, summon a car?
Smartphones already rule our lives and the world we live in. But should they also take over safety-critical systems?
You may not be as glued to your phone as a certain Twitter-addicted President we could name, but face it: we all know you don’t leave home without it.
For apps developers and hardware system engineers, the ubiquity of smartphones naturally makes the device a compelling platform to run their apps and control their systems.
Smartphones can already lock up houses and cars remotely, as well as turn the lights on and off, and manage the window shades. We use them to answer the door and monitor heart rates.
So, why not ask for more?
At issue here, though, is whether consumer-grade handset designs are safe enough to control mission-critical systems. Put more bluntly, have we thought through all the potential boobytraps or unintended consequences from using a consumer smartphone to, say, summon a car?
Smartphone as a ‘mission interface’
The case in point is a tweet posted last month by one of Tesla’s users. He claimed that when an iPhone low-battery warning popped up on his screen, and he removed his finger to stop the “summon” command, his iPhone ignored the removal of his finger. His Tesla kept going. He wrote: “‘modal dialog’ issue. Scary. Make Summon stop on low batt warning pop up. Happened to me.”
Low battery is hardly a rare phenomenon. So, what’s the safety plan for stopping a car when your phone is low on juice, leaving the vehicle operator unable to convey a “STOP” signal?
Nobody is suggesting a ban on the use of smartphones. But safety-critical system designers should have devised a backup plan for the consumer-grade device that commands and controls their systems.
Incidentally, the draft of UL 4600 standard, in a chapter about “interactions with humans and animals,” identifies the potential hazards and risks as a result of a low-battery device (page 97).
1) Effect of failure of communication device during mission
EXAMPLE: Battery depletion of passenger cell phone used as mission interface
UL 4600, the first comprehensive safety standard for autonomous products, is currently under preliminary review by the UL 4600 stakeholder committee.
At any rate, if this user experience is true, the use of a smartphone to control a vehicle is a classic example of #DidYouThinkofThat?
EE Times reached out to Consumer Reports to see if they have heard about or tested the impact of smartphones whose battery is close to depletion on Smart Summon.
Jake Fisher, director of Auto Testing at Consumer Reports, told us that he hasn’t done testing of Smart Summon when a low-battery warning pops up on his cell phone. However, he did try it when an incoming call, text, or FaceTime request takes over the screen. In these cases, the Tesla stopped.
Fisher hasn’t been able to recreate the scenario (“What happens to Smart Summon when a Tesla owner uses a smartphone whose low-battery warning pops up?”). He said, “It’s hard to time when that message [low-battery warning] comes on.”
When Tesla first released Summon, in its version 7.1 software update, the feature was designed to operate with a key fob or the Tesla smartphone app. Consumer Reports noted at the time that “the risk [presented by Summon] is unnecessary,” and wrote:
…we became concerned that, in an emergency, a user might not be able to stop the car right away if they were to press the wrong part of the key fob (the buttons are not marked) or if they dropped the key fob. The operation of Tesla’s app when we tried it on an iPhone 6S had issues too. When we closed the app with the car in motion (something that might happen accidentally), the car continued to move.
Consumer Reports’ suggestion to Tesla then was to design “Tesla’s controls to operate as a ‘dead-man’s’ switch, thus requiring constant tactile engagement from the user to operate.” It’s a similar practice already implemented by BMW, whose remote-control parking feature on the 7-Series in Europe required the user to continue holding the key fob to keep the vehicle moving.
Fisher told us that his team talked to Elon Musk and Tesla’s engineering team for more than 40 minutes to explain the issue. Eventually, Tesla listened, and developed “a new software upgrade that limits the Summon operation to the smartphone app and requires the user to keep his or her finger on the phone screen — essentially operating it as a dead man’s switch.”
Today’s Smart Summon, which requires you to keep pressing on the phone, is built on the lessons learned from that dead man’s switch experience.
However, thus far, Consumer Reports has not gone back to Tesla about what might be the unintended consequence of using an almost battery-depleted smartphone for Smart Summon.
Tesla is an IoT device
In a connected “smart home” scenario, the IoT market has been rife with alarms sounded by consumers who have experienced security breaches or connectivity nightmares with the complexities that derive from making a smartphone (Android? iPhone? Which model, which OS version?) talk to everything from porchlights to venetian blinds.
Tesla’s Smart Summon, in fact, is technically IoT. As Phil Magney, founder and principal of VSI Labs, noted, “Smart Summon requires Internet connectivity at all times in order for it to work, so yes, it is dependent on the cellular network.”
The question is how much stress testing Tesla has done on Smart Summon with safety and security in mind.
To recap, the technology building blocks required for Smart Summon include: line of sight (this is for safety purposes; its limit is at about 200 feet from the operator’s location), cellular data connectivity, and GPS in the phone (to pinpoint the operator’s position). But as Magney noted, Smart Summon works entirely via the cloud and “there is no direct communication between the mobile phone and the car.”
Magney also added, “The high-level path plan is drawn up in the cloud (it renders this on your phone) but the tactical maneuvers (around cars, objects, etc.) are done dynamically by the car.”
Magney found the remark on Twitter about the car that kept running after the cell phone battery was going low “interesting.” But he added, “once connection is dropped, the car stops based on my experience.”
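The dead man’s switch discussed above and the stop-on-disconnect behaviour Magney describes are two faces of the same design rule: the car should move only while fresh “hold” messages keep arriving, and a touch that the OS cancels (a low-battery dialog, an incoming call) must look to the app exactly like a lifted finger. The following simulation is an added illustration, not Tesla’s code; the class names, message format, and timings are assumptions, and it contrasts a naive touch handler that reproduces the reported failure with a fail-safe one.

```python
"""Dead man's switch model for phone-to-car summon (added illustration, not
Tesla's code): the car moves only while fresh HOLD heartbeats keep arriving."""
HEARTBEAT_PERIOD = 0.1   # seconds between phone heartbeats while held
CAR_TIMEOUT = 0.5        # car stops if no HOLD arrives within this window

class NaivePhone:
    """Reproduces the reported failure: only an explicit 'touchup' ends the
    hold, so a touch cancelled by a modal dialog keeps heartbeats flowing."""
    def __init__(self):
        self.holding = False

    def on_touch(self, event):
        if event in ("touchdown", "touchup"):
            self.holding = event == "touchdown"

    def heartbeat(self):
        return "HOLD" if self.holding else None

class FailSafePhone(NaivePhone):
    """Anything other than 'touchdown' (touchup, touchcancel, app backgrounded)
    ends the hold, so an OS takeover of the screen reads as a release."""
    def on_touch(self, event):
        self.holding = (event == "touchdown")

class CarSummon:
    """Car side: moves only while HOLD heartbeats are fresh (watchdog)."""
    def __init__(self):
        self.moving, self.last_hold = False, None

    def receive(self, msg, now):
        if msg == "HOLD":
            self.last_hold, self.moving = now, True

    def tick(self, now):
        if self.moving and now - self.last_hold > CAR_TIMEOUT:
            self.moving = False      # watchdog expired: stop the car
        return self.moving

def simulate(phone_cls, events, link_down_at=None, duration=3.0):
    """events maps time -> touch event (constructed). Returns {time: moving}."""
    phone, car, log = phone_cls(), CarSummon(), {}
    for i in range(round(duration / HEARTBEAT_PERIOD) + 1):
        now = round(i * HEARTBEAT_PERIOD, 3)
        if now in events:
            phone.on_touch(events[now])
        hb = phone.heartbeat()
        if hb and (link_down_at is None or now < link_down_at):
            car.receive(hb, now)     # heartbeats arrive only while link is up
        log[now] = car.tick(now)
    return log
```

With the naive handler a `touchcancel` at 1.0 s leaves the car moving for the whole run; with the fail-safe handler, or with the link dropping at 2.0 s, the watchdog stops it within `CAR_TIMEOUT`.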
But then, another question. What if the cellphone suddenly loses connection when the car is nowhere near its intended destination?
Cars are ‘not toys’
Mike Demler, senior analyst at The Linley Group, said, “I think the low battery is just one of many issues with this latest Elon Musk party trick.” Demler said, “NHTSA (National Highway Traffic Safety Administration) should shut it down. It’s dangerous.”
Citing incidents in which Tesla’s side-facing ultrasonic sensors can’t detect a garage door opening, Demler said, “They could easily cause the car to run into a small child, a wheelchair, a stroller, or any number of other things.”
Indeed, there is no shortage of Tesla owners reporting the car’s inability to drive in a straight line, its tendency to wander or drive off the pavement, or even head the wrong way on a one-way street.
In short, Demler noted, “Tesla needs to stop treating their cars like toys. An out of control two-ton drone is a killing machine.”