In our DARPA Grand Challenge vehicle in 2005, we had a non-computerized system for an emergency stop. A hardware timer had to be reset every 120ms by the computers. If it timed out, a relay dropped out, and an electric motor with two sources of DC power (the main power system, and a battery) drove the brake pedal down until a hydraulic pressure switch detected full brake pressure and turned it off.
In addition, the throttle control went through a pull cable device with an electromagnet. With the electromagnet on, a servomotor could operate the throttle. The emergency stop system would drop power on the electromagnet if the stall timer timed out, or on some other fault conditions. That forced the throttle to idle.
Then we had an Eaton VORAD radar. That data went into the main mapping system, along with LIDAR data, but it also was processed by a simple separate process that computed time to collision from range and range rate, and if it didn't compute a safe distance, or didn't reset the watchdogs, it tripped the emergency stop system. If this happened, the LED sign on the back of our vehicle displayed "COLLISION IMMINENT".
This happened once during the Grand Challenge preliminaries. Several vehicles were in the starting gates side by side. We were ready to go, all systems running and armed, waiting for DARPA to release the hold signal they were sending by radio. The organizers decided to release the CMU vehicle first, and it came out of the starting gate and cut in front of our vehicle. The safety systems tripped and "COLLISION IMMINENT" appeared in the sign. After a few seconds, with the threat gone, the system reset and the sign went dark.
This was all fully automatic. There was also a remote engine kill system, required by DARPA.
We didn't win. But we didn't crash or hit anything. There were Grand Challenge entries that ran away, including, in 2004, one from CMU. Another one ran away because they filled their disk with logging info and this stalled the software. Steering and throttle froze, and the vehicle ran away until it hit something.
If you work on automatic driving, you have to prepare for trouble like this.
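The independent safety monitor the comment describes (a 120 ms watchdog that must be kicked by the main computers, plus a time-to-collision check on radar range and range rate, either of which trips the e-stop and the rear sign) is small enough to sketch. The following is an added example written for this page, not the team's vehicle code: the 120 ms period and the "COLLISION IMMINENT" message come from the comment, while the 2 s time-to-collision threshold, the 3 s reset hold, the sign text for a watchdog trip and the scenario values are constructed assumptions.

```c
/* Added example of an independent e-stop monitor; not the vehicle's own code.
 * Only WATCHDOG_PERIOD_MS and the "COLLISION IMMINENT" message come from the
 * comment; every other constant is an assumption chosen for illustration. */
#include <math.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WATCHDOG_PERIOD_MS 120u   /* from the comment: must be reset every 120 ms */
#define TTC_THRESHOLD_S    2.0    /* assumed: trip if collision is predicted within 2 s */
#define RESET_HOLD_MS      3000u  /* assumed: stay tripped 3 s after the threat clears */

typedef enum { ESTOP_ARMED = 0, ESTOP_TRIPPED = 1 } estop_state_t;

typedef struct {
    estop_state_t state;
    uint32_t last_kick_ms;    /* last time the main computers reset the watchdog */
    uint32_t last_threat_ms;  /* last time any trip condition was observed */
    char sign[32];            /* text shown on the rear LED sign ("" = dark) */
} safety_monitor_t;

/* Time to collision from range (m) and range rate (m/s, negative = closing).
 * A target that is stationary or opening never collides: return INFINITY. */
double ttc_seconds(double range_m, double range_rate_mps)
{
    if (range_rate_mps >= 0.0)
        return INFINITY;
    return range_m / -range_rate_mps;
}

void monitor_init(safety_monitor_t *m, uint32_t now_ms)
{
    m->state = ESTOP_ARMED;
    m->last_kick_ms = now_ms;
    m->last_threat_ms = 0;
    m->sign[0] = '\0';
}

/* Called by the main computers. If they hang (a full disk stalling the
 * software, for example), these calls simply stop arriving. */
void monitor_kick(safety_monitor_t *m, uint32_t now_ms)
{
    m->last_kick_ms = now_ms;
}

/* One tick of the independent monitor. Trips on a missed watchdog deadline or
 * an unsafe time to collision, holds the trip for RESET_HOLD_MS after the last
 * observed threat, then re-arms. Returns true while the e-stop is tripped. */
bool monitor_step(safety_monitor_t *m, uint32_t now_ms,
                  double range_m, double range_rate_mps)
{
    bool watchdog_expired   = (now_ms - m->last_kick_ms) > WATCHDOG_PERIOD_MS;
    bool collision_imminent = ttc_seconds(range_m, range_rate_mps) < TTC_THRESHOLD_S;

    if (watchdog_expired || collision_imminent) {
        m->state = ESTOP_TRIPPED;
        m->last_threat_ms = now_ms;
        /* "WATCHDOG" is a constructed message; the comment only names the collision one. */
        snprintf(m->sign, sizeof m->sign, "%s",
                 collision_imminent ? "COLLISION IMMINENT" : "WATCHDOG");
    } else if (m->state == ESTOP_TRIPPED &&
               (now_ms - m->last_threat_ms) >= RESET_HOLD_MS) {
        m->state = ESTOP_ARMED;
        m->sign[0] = '\0';
    }
    return m->state == ESTOP_TRIPPED;
}

int main(void)
{
    safety_monitor_t m;
    monitor_init(&m, 0);

    /* Constructed starting-gate scenario: healthy kicks and a distant target,
     * then another vehicle cuts in 15 m ahead closing at 10 m/s (TTC 1.5 s). */
    monitor_kick(&m, 100);
    monitor_step(&m, 100, 200.0, -10.0);
    monitor_kick(&m, 200);
    monitor_step(&m, 200, 15.0, -10.0);
    printf("t=200ms  state=%s sign=\"%s\"\n",
           m.state == ESTOP_TRIPPED ? "TRIPPED" : "ARMED", m.sign);

    /* Threat gone and hold time elapsed: the monitor re-arms and the sign goes dark. */
    monitor_kick(&m, 3300);
    monitor_step(&m, 3300, 40.0, 3.0);
    printf("t=3300ms state=%s sign=\"%s\"\n",
           m.state == ESTOP_TRIPPED ? "TRIPPED" : "ARMED", m.sign);
    return 0;
}
```

The point of the structure is that `monitor_step` depends on nothing the main computers produce except the kicks themselves: if the mapping software stalls, the watchdog branch fires regardless of what the radar reports, which is exactly the failure the runaway entries did not catch.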