Safer Control of Steering
I’ve seen several very sketchy experiments around lately where people are controlling the steering of cars in unsafe ways. Let me break down a few of these ways, and discuss concerns. This is not safety advice, this is educational background info. If you do not understand what you are doing, don’t do it. Certainly don’t do it on public roads.
Electronic power steering requires an ASIL-D rating, which is the highest safety rating in cars. And it’s easy to see why, the motor is around 1 HP, and can put more torque on the steering wheel than you can. Bad software or poorly done mods can result in a car that you are not capable of steering, despite putting as much force as you can on the wheel. Imagine being on a split road and the car steers hard left into oncoming traffic. You fight the wheel as hard as you can, but you are powerless. It is stronger than you.
Fortunately, there are ways to avoid this. All cars with EPS have the capability to overpower you, but almost none ever do. That’s because a lot of engineering has been put into making these systems safe. Be careful not to bypass it.
Using ADAS Messages (the intended way)
All the code in upstream openpilot controls steering like this. The manufacturer of the steering rack has commands designed for ADAS features. These commands are torque limited, usually with the speed taken into consideration. Even Tesla FSD is using ADAS messages provided by the steering rack manufacturer.
The beauty of using these messages, particularly after confirming you aren’t using them outside the stock system limits, is that you get the benefit of the manufacturer safety and testing. Upstream openpilot only steers cars in this way.
Even minor EPS firmware mods mostly retain the safety. If you insist on more torque, a small data only change to a table in the EPS firmware is likely much safer than the other two options.
Torque Interceptor (safety critical HW required)
Power steering is a fairly simple system. At the core, it uses a sensor to detect if the user is applying torque to the wheel, multiplies that torque appropriately in software, and applies that torque with a motor to the steering column.
You can build a hardware device to intercept the torque sensor and change its output value. This will put torque on the wheel by pretending the user is putting that torque on the wheel.
This is how Waymo controlled their early cars, and it is possible to do this safely, but it is not easy at all. Unless you have experience with ASIL-D hardware and software engineering, you shouldn’t be messing with this. Even at comma we don’t feel comfortable doing it.
If you make any mistakes with the safety here, you can end up with a car that the driver cannot physically steer. Imagine straining your muscles to fight the wheel and the wheel not turning while your car flies off a bridge! The EPS motor can put more torque on the wheel than you! If the microcontroller you are using would not be acceptable for use in an EPS module, it is not acceptable for use in a torque interceptor.
Parking Modes (very dangerous at high speeds!)
Many cars have a parking mode which allows high torques to be put on the wheel at low speeds for self parking features. Using this for low speed control is fine.
So you get an idea, why not always tell the car it is parking? NO. If you are driving on the highway while telling the EPS your car is going 5 mph, this is extremely dangerous. Think of how hard it is to steer a car at low speeds without power steering, now realize that’s how much torque the car would steer with on the highway. The EPS is using that 5 mph speed to compute the output torque, and the amount of torque used to steer at 5 mph is orders of magnitude off from what you need to apply ever on the highway. This should never be used outside a private test environment. The EPS was not designed for this, and there’s no way to make it safe. The user torque detection disengage will not save you, as the EPS is being used so far outside what it is was engineered for.
No safety outside the EPS can really make this safe, even if you have an external ASIL-D microcontroller (which the panda is not, and the EON certainly is not). The torque applied in this mode is effectively unlimited at highway speeds. And even if you write the correct real time redundant code to use the angle sensor on CAN to limit the rate, that steering wheel angle sensor is not designed to be used as part of a safety critical system. The sensor can glitch, fail, or misbehave in countless ways, and this happens quite often, think 737 MAX, just it usually happens without consequence. The proper rate limit that would be written inside the EPS module does not use the external angle sensor, it would compute the rate by how it drives the motor. It would also apply a sane speed based torque limit, which it usually does, but can’t if you are lying to it about the speed.
TL;DR: Using a spoofed parking mode at highway speed can move the steering wheel so fast that you go off the road or flip your car before you can react, even if you are paying close attention. In the best case, external safety code that would enforce angle based rate limiting can not be tested well in worst case scenarios, as we do not know how reliable the angle sensor is or what else might fail. Without modifying the EPS firmware, there is no way to do this safely.
We tested this in our Prius on a closed airstrip. When we did injection testing, I thought we were going to flip the car. Good thing the Prius does well on the moose test. You’d have to be insane to use this on a public highway.
A possible area for investigation here is a firmware mod, allowing it to remain in parking mode without lying to the EPS about the speed. You have to make sure the normal torque speed curve still applies, and you have to make sure the angle rate limit scales with speed. You also have to consider what happens if the angle sensor or speed sensor fails. Do not use on road until you’ve done proper injection and safety testing.
Safety in general
Safety isn’t when you tested it once and it was okay. Safety isn’t when you tested it three times and it was okay. Safety is when you have thought through every possible scenario, tested the worst possible thing that can happen, and it was still safe. By driving something for 10 miles, you have no idea if it fails catastrophically every 10³ miles, 10⁶ miles, or 10¹⁰⁰. There’s a huge difference between those three that you have no insight into by just testing in normal conditions. Imagine the worst possible scenarios, and test them all. Nature may still come up with something worse, but at least then you are on the path to safety.