Fail Safe Design – An Anti-Example

One design concept drilled into my head, back when I worked in the military aerospace industry, was the concept of fail-safe design. This concept requires the system to react in a safe manner, even if it fails. Safety is built-in, by design, into the system.

One example: aircraft hydraulic systems typically have multiple hydraulic pumps to supply pressure. The hydraulic control computer senses flight conditions, turns on the number of pumps required to maintain proper system pressure, and turns pumps off when they are not needed in order to save fuel. The fail-safe design has two elements. First, the main pump is not controllable by software at all, so no software failure can possibly result in the main pump being turned off. It’s impossible. Second, the secondary pumps are turned off by the control system applying power to a solenoid, rather than being turned on by applying power. This means that full hydraulic pressure remains available even if electrical power is lost.

Likewise, the landing gear can be deployed by hydraulic pressure, or in case of emergency, by gravity. The systems are designed to fail in a safe manner.

I once worked on a project to see if we could improve the UI indication to fighter pilots when firing a missile. The conversations drifted towards the possibility of automating the entire process. The pilots said that we can do whatever we want in software, but to always leave the trigger decision to them. Having a human in the loop was the fail-safe design principle.

Coming back to this example, TrackingPoint Precision Guided Firearms has brought this fighter-pilot technology to the home user, in the form of a high-powered rifle. “You don’t have to be an experienced shooter.” The rifle includes a button to designate a target, a Linux-driven computer that calculates the firing solution, and a mechanism that automatically fires when the rifle is aligned properly with the target.

The networked scope includes a wifi server and a 15-point Heads-Up Display, and is USB extendable. There is even an app for that.

This is a scary picture from their web-site, showing the computer controlled trigger:

Guided Trigger Assembly

The video implies the firing mechanism is completely computer controlled, firing when the target, barrel, and firing solution all line up. The web-site implies the computer controls the weight, or resistance, of the trigger, making it easier to pull the trigger only when the firing solution is aligned. This is a key distinction for the safety of this system. (And does this imply that the trigger is actually computer controlled? Were they able to change the system behavior after the video was released?)

I hope their software developers really know their stuff. I hope the test team wasn’t rushed to meet a delivery date. I hope the software controller doesn’t suffer a memory leak. I hope the USB port cannot load software or be bootable. I hope, I hope, I hope…

I’d really like to see their FMEA and trigger lock design, and to review the test results. They should consider being transparent and posting this information on the web. I have confidence in the military solutions: having been in that industry, I know how much design, testing, review, accountability, and oversight exists for aircraft. I think the investment in quality for military gear minimizes the chances of these errors. For a startup? I’m not as confident.