RJ Lipton, professor of Computer Science at Georgia Tech, has a kindred blog... He writes about computer science and particularly the theory of computation. I love theory of computation. Secretly I play with Lambda Calculus as a language for describing the manipulations used in physical modeling via classical mechanics, along the lines of some of the work that Sussman and Wisdom have done. Perhaps some time I will have a chance to meet him. He and I even have a very similar style and voice.

In a recent article he wrote about a Civil / Mechanical Engineering topic, so I will happily respond here about that. The idea is that systems should fail into a safe state. In particular his examples are about braking systems. In elevators, trucks, and trains, the brakes are clamped on by default. It takes some action to release them, and that action is supplied in the form of compressed air or the tension in the elevator cable. If the cable breaks or the compressed air fails, the brakes apply themselves and everything comes to a relatively safe halt.

To turn this on its head, let's consider some of the recent problems causing Toyota and others to recall their cars. Toyota's latest recall is a voluntary one for the third generation Prius brakes. Apparently, the brakes don't respond in an entirely reliable way.

Now the brakes in a Prius are fairly complicated. They're not just a pad that presses on a rotor, but rather a combination of regenerative braking (where the electric motor sucks power out of the wheels and back into the battery) and a standard car braking system. Writing the software to control the braking system is undoubtedly a complicated task involving measuring how hard the brake pedal is being pressed, measuring the acceleration of the vehicle possibly through a combination of wheel rotation measurements and accelerometers, and measuring the electric power being generated. All this is done many times per second, and the computer should continuously decide how to allocate braking among the various components.

If I were to design such a system, I would want a "fail safe" along the lines of the ones previously mentioned. I imagine a system where, as you press on the brake, the computer decides how to allocate the braking and sends an electrical signal to the brake pad actuator if necessary. However, if you pressed hard enough that the pedal traveled far enough, a separate sensor should detect this "extreme travel" and send a separate signal to the brake pad actuator, independent of any computer decision. Even if the complicated computer algorithm crashed, a simple relay could send "all stop" to the brake actuator. In order to be compatible with ABS systems, obviously this system cannot mechanically lock the brake in the full-on position, but it can send a redundant "we want full stop, give it to us now" signal which is independent of any computer algorithm decision. Such a signal could in theory be supplied by a simple mechanical switch.
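To make the architecture of the last two paragraphs concrete, here is a small Python simulation I have added for this post. It is not code from the original article and certainly not anyone's real braking software: the allocation rule between regenerative and friction braking, the 90% pedal-travel threshold for the extreme-travel switch, and the deliberately crashing controller are all assumed values chosen for illustration. The point it shows is that the hardwired path is combined with the controller's output at the actuator, not inside the controller, so a dead controller still yields a full-stop command at extreme pedal travel, while a merely wrong allocation at moderate travel is not caught at all.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed threshold: pedal travel (0.0 = released, 1.0 = floor) at which the
# independent extreme-travel switch closes. Purely illustrative.
EXTREME_TRAVEL_FRACTION = 0.9
FULL_STOP = 1.0  # friction braking command meaning "everything you have"


@dataclass
class BrakeSensors:
    pedal_travel: float   # 0.0 .. 1.0, fraction of total pedal travel
    speed_mps: float      # vehicle speed, metres per second
    battery_soc: float    # battery state of charge, 0.0 .. 1.0


def controller_allocate(s: BrakeSensors) -> Tuple[float, float]:
    """Hypothetical software controller.

    Splits the braking demand (taken here as pedal travel) between the
    electric motor (regen) and the friction brakes. The capacity rule is a
    made-up stand-in: regen is unavailable below walking speed or when the
    battery is nearly full, and otherwise absorbs at most 60% of demand.
    Returns (regen_command, friction_command), each in 0.0 .. 1.0.
    """
    demand = s.pedal_travel
    if s.speed_mps < 2.0 or s.battery_soc > 0.95:
        regen_capacity = 0.0
    else:
        regen_capacity = 0.6
    regen = min(demand, regen_capacity)
    friction = demand - regen
    return regen, friction


def crashed_controller(s: BrakeSensors) -> Tuple[float, float]:
    """Stand-in for the complicated algorithm falling over mid-cycle."""
    raise RuntimeError("controller fault")


def extreme_travel_switch(pedal_travel: float) -> bool:
    """The 'simple mechanical switch': closes once the pedal is nearly on the floor.

    Deliberately takes only the raw pedal position, so it shares no state
    and no code path with the controller.
    """
    return pedal_travel >= EXTREME_TRAVEL_FRACTION


def actuator_command(s: BrakeSensors, controller=controller_allocate) -> Tuple[float, float]:
    """One control cycle as seen at the brake actuator.

    The controller's output is consumed if it produced one; if it did not,
    the actuator sees no command from it (modelled as 0.0, as a dead
    computer outputs nothing). The extreme-travel switch is then OR-ed in
    as a hardwired friction demand. Only the friction path has the fail-safe:
    the regen path depends entirely on the controller, as in the text.
    """
    computed: Optional[Tuple[float, float]] = None
    try:
        computed = controller(s)
    except Exception:
        computed = None  # the computer is gone; the actuator sees silence

    regen, friction = computed if computed is not None else (0.0, 0.0)

    if extreme_travel_switch(s.pedal_travel):
        friction = max(friction, FULL_STOP)  # relay wins, whatever the software said
    return regen, friction


if __name__ == "__main__":
    # Constructed sample inputs: a moderate stop and a panic stop,
    # each with a healthy controller and with a crashed one.
    moderate = BrakeSensors(pedal_travel=0.4, speed_mps=20.0, battery_soc=0.5)
    panic = BrakeSensors(pedal_travel=0.95, speed_mps=20.0, battery_soc=0.5)
    for label, sensors in (("moderate", moderate), ("panic", panic)):
        for name, ctl in (("healthy", controller_allocate), ("crashed", crashed_controller)):
            regen, friction = actuator_command(sensors, ctl)
            print(f"{label:8s} {name:8s} regen={regen:.2f} friction={friction:.2f}")
```

Running it prints four lines. With a healthy controller the moderate stop is served entirely by regen and the panic stop is 60% regen plus full friction (the switch raises the software's 0.35 friction share to 1.0). With the crashed controller the panic stop still produces a full friction command, but the moderate stop produces nothing at all, which is exactly the limit of this kind of fail-safe: it backstops the extreme case, it does not make the ordinary allocation correct.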

I'm sure Toyota has a lot of smart engineers, and I'm sure that some of them know about the concepts of fail-safe and redundancy. I hope that their voices are heard in the design discussions, and that as we get more and more complicated software in cars, we will also see more and more low-tech standby fail-safe mechanisms which complement the high tech systems. Unfortunately, the Turing completeness of the general purpose computer tends to fool us into thinking that just because it can make all the decisions efficiently, then necessarily it should. The fact that a thing can be done in theory does not in any way ensure that any particular implementation will in fact do what we want. For safety critical systems, a simple, redundant, and independent system is a good idea.

Here's to theory of computation as an excellent complement to Engineering analysis. After all, even as mundane a concept as toilet paper allocation can provide a fruitful example of theory of computation in the eyes of a famous design personality.