I have a Jeep where the dome light logic has a problem like that. If you open a door, the dome light comes on. When all doors are closed, but the engine is not running, the dome light dims out after a delay. If the engine is running or is started in the all-doors-closed, dome-light-on situation, the dome light goes out. If you open the tailgate, the dome light comes on as well. That's all normal.
But if I open a side door, then close it, and the light times out and dims, then, for some period of time thereafter, opening the tailgate will not turn on the light. I can just see some horrid mess of IF statements written in C behind this.
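The dome-light behaviour described in that comment, modelled as one explicit state machine that derives the light from the whole vehicle state instead of a chain of IFs; this is an added example, not code from the thread or from any vehicle, and the door names, the dim delay and the "an open door always wins" priority are assumptions.

```python
"""Dome-light controller as an explicit state machine (added example).

Rules modelled from the comment: any door or the tailgate opening turns the
light on; with everything closed and the engine off it dims out after a delay;
a running engine turns it off. Assumption: an open door wins over the engine.
"""
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import Optional, Set


class Light(Enum):
    OFF = auto()
    ON = auto()
    DIMMING = auto()  # timed fade after the last closure


@dataclass
class DomeLight:
    dim_delay: int = 30                               # assumed fade delay, seconds
    open_doors: Set[str] = field(default_factory=set)  # ids of doors currently open
    engine_running: bool = False
    state: Light = Light.OFF
    timer: Optional[int] = None                       # seconds left in the fade

    def _recompute(self) -> None:
        """Derive the light from the full state on every event.

        Nothing depends on the order of past events, so the 'side door, then
        tailgate later' sequence from the comment cannot leave the tailgate ignored.
        """
        if self.open_doors:
            self.state, self.timer = Light.ON, None
        elif self.engine_running:
            self.state, self.timer = Light.OFF, None
        elif self.state is Light.ON:
            # everything just closed with the engine off: start the fade timer
            self.state, self.timer = Light.DIMMING, self.dim_delay

    def door(self, name: str, opened: bool) -> Light:
        """Report a door (or the tailgate, as door id 'tailgate') opening or closing."""
        (self.open_doors.add if opened else self.open_doors.discard)(name)
        self._recompute()
        return self.state

    def engine(self, running: bool) -> Light:
        self.engine_running = running
        self._recompute()
        return self.state

    def tick(self, seconds: int) -> Light:
        """Advance the fade timer; only DIMMING is time-dependent."""
        if self.state is Light.DIMMING:
            self.timer -= seconds
            if self.timer <= 0:
                self.state, self.timer = Light.OFF, None
        return self.state
```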
Distributed systems are hard, more so in a real-time environment. If you can reduce the number of components or the need for them to communicate, they will almost always become more robust and also easier to code.
Rivian added some network redundancy and central monitoring to make this design safe, but otherwise the core design principle was basically KISS.
> The system includes an array of 11 internally developed cameras and five radars performing over 250 trillion operations per second, which Rivian says is an industry-leading statistic
I generally like what they are doing with their overall architectural simplifications, but gee-zus; the feeling of complexity I get from that one statement leaves me with the feeling of "it's just a car man... it takes us from point A to point B... is all that really necessary?"
https://en.wikipedia.org/wiki/Automated_emergency_braking_sy...
https://en.wikipedia.org/wiki/Lane_departure_warning_system#...
From my reading, I thought the important parts were on their own dedicated ECUs (7 ECUs, 3 zones). Battery management, driving-related stuff, infotainment, door mechanisms, etc. have their own ECUs. The three zones are for smaller things that are probably important but not urgently important.
The dealer can’t figure out the issue four years in.
(1) "dumb" meaning no decision-making logic. It could still mean a lot of decision-less logic, from button debouncing to input signal filtering/processing and outputting compressed audio streams.
Given some of the chip shortages of recent years, I'm curious how the teams responsible for those trade-offs made the balance.
With domain-based ECUs, a failure means your locks OR windows OR windshield wipers stop working.
With zone-based, it could be the entire "west" zone that stops, which means you can't unlock the driver's door, open the windows, adjust the seat, and maybe even the ventilation fans don't work.
I actually thought a lot of that was already on the CAN bus anyway, but my knowledge of cars stops there so maybe someone can fill in the gaps. Seeing only three "zones" is actually surprising to me. As I was reading I started forming the idea of a single bus cable that went around the car, with I/O modules anywhere there were physical buttons/lights/etc. There would just have to be a cost+weight balance of where it makes sense to stick a small I/O module vs run individual wires back to a bigger module. My assumption is as technology advances it becomes cheaper to have more small I/O modules with very short wire runs to buttons, but it doesn't seem like this is what they're doing.
I am also making the assumption this is "dumb I/O", and somewhere there is a "door lock" program that handles all locks/buttons. In the main computer you'd run all the domain programs individually/isolated, but there would still be a single program responsible for each domain, eg: all the locks (eg: considering button presses, fob buttons, door state, moving or not, etc, and act on the locks accordingly).
From a pure software point of view, if the east/west/south ECUs are actually doing the logic for their respective parts of the car, that seems like a nightmare to build: the code would end up being all partial and distributed. In the worst case you end up with bizarre bugs like "if you open the passenger door, then open the tailgate, then close the passenger door and press the lock button, the driver's door will lock but the passenger won't until you first unlock then shut everything" (which gets reported as "the locks are unreliable, some will randomly just not work every few days").