New Info on 2009 control system, maybe

[Kevin Sevcik]

Quote:

Originally Posted by AdamHeard

I agree wholeheartedly. I fear people will assume that because the safety and disable features of the IFI system were so robust and worked so well, that this new system must work the same way (I mean, all control systems must be the same, right? ).

I for one won't be trusting the robot nearly as much as before.

Ahem. I wouldn't be so quick to condemn the safety features of the current control system, really. In particular, the new control system uses a much better philosophy for the disable switch. On the IFI hardware, the disable system was normally open, so you could run the robot without a dongle. This means that you couldn't be certain your disable switch would work when you hit it. You could be fairly sure, since it'd worked the last several times, but if a wire had silently broken, the contacts corroded, a bad solder joint worked loose, or the thing just plain wasn't plugged in... Well you were in for a surprise. The only actual secure option for disabling last year's robot was to pull the tether or radio cables.

The new DS's disable system works on a normally closed principle. Which means that your robot won't run at all unless you have a valid disable switch in place. Or unless you're foolhardy enough to just short the contacts together with a paper clip or something. Broken wires and bad soldering will annoy you with a non-running robot instead of betray you with a robot running amok. And while it's possible for contacts to freeze shorted or be bridged somehow, it's must less likely. If you're really safety minded, you'll get an E-Stop style switch with two physically separated NC contact blocks and wire them in series. So, I think the new system's safety and disable function are as or more robust than IFI's. That's definitely something I'm not going to be worried about.

For the joystick related issues in Joe's post... I think that has to do with the decision to based the DS on a micro Linux platform. What we try to do with joysticks and such presents a unique challenge to the control system, compared to what OS's usually do with USB devices. On a Windows machine, the OS uniquely identifies each USB device and tags settings and functionality to follow it around based on its ID, as opposed to what port it's plugged into. You wouldn't want to have to reconfigure your mouse if you plugged into the top port instead of the bottom port, after all. For the DS we expect it to identify the joystick based on what port it's plugged into. If arm control functionality always followed our steering wheel around after we accidentally plugged it into port #2 the first day, I think we'd all be a bit miffed. Even my limited knowledge of USB driver programming informs me that pinning things to an exact physical port is pretty darn difficult. And it doesn't strike me as at all likely to be amenable to hot-swapping. If it takes the controller 15 seconds for each port to identify the joysticks on boot-up, I don't think you want the process constantly occurring while you're trying to drive.

The problems with old and uninitialized values being sent are slightly more worrisome, but aren't likely to be life-threatening if you're following commonsense operating rules. Also, if the 127 default startup and unplugged joystick values from the IFI OI made you feel safe enough to put yourself in harm's way, then you weren't operating under particularly safe rules in the first place. I mean, 127 isn't a guaranteed safe value for every system on a robot. Pots controlling shooter wheels or telescoping slides are likely safest at 0, not 127. Pots controlling arm positions are likely to be safest at heaven knows what value. To be blunt, if you were trusting your previous robots not to try to kill you just because you were only starting them up or didn't have anything plugged into the joystick ports... You were putting entirely too much faith in Murphy looking the other way. If the new DS makes you more cautious around operating robots, it's probably a good thing.

Finally, I'm confident that a large amount of thought went into making the new system safer than the IFI system. In fact, much of what I heard at the recent training at NI was pointing out the focus on safety as well as features in the new control system. Insinuating it was an afterthought is uncalled for. In addition to the NC disable system, the designers are looking at running practice fields on the 2.4GHz band (the field will run at 5GHz) to eliminate students racing about with tether cables, attempting to both not tangle the cords AND not be run over. The new Jaguar speed controllers have NC limit switches to make devices safer for teams that use them, as well as actual barriers between the positive and negative terminals to reducing shorting. E-Stops will now latch inside the robot instead of the field, so an E-Stopped robot will need to be power cycled before it can become dangerous again. Instead of waiting for someone to plug in a tether cable to do so. I'm certain there's some other features that I haven't recalled at the moment, but this post is probably long enough at is it.

[Dave Flowerday]

Quote:

Originally Posted by Kevin Sevcik

The new DS's disable system works on a normally closed principle. Which means that your robot won't run at all unless you have a valid disable switch in place.

Kevin, I agree that the normally-open setup of the IFI system was a deficiency (though here was a feedback LED on the OI as I'm sure there will be on the new DS so you could verify it was disabled). However, the switch position is not the only problem. If the new DS can take up to 2 seconds to get the disable command to the robot, that is a problem. A lot of damage (to people or robots) can be done in 2 seconds. I realize this is a problem that they will have to solve before competition (no one will tolerate 2 seconds of lag), but the fact that the bug exists while teams are actively working with it on their robots means that the dangerous situation is already a reality.

Quote:

On a Windows machine, the OS uniquely identifies each USB device and tags settings and functionality to follow it around based on its ID, as opposed to what port it's plugged into.

This is not always true - it is up to the device's driver how to treat it. There are many Windows devices that end up being identified by which port they are plugged into. In some cases, the USB devices have no unique serial number and therefore cannot be identified at all other than by which port they are plugged into.

Quote:

For the DS we expect it to identify the joystick based on what port it's plugged into.

This is built-in functionality of the USB spec. A USB host will only talk to one device at a time. When a computer boots up, it goes through a process called enumeration, which it individually identifies each device one at a time on each port. It inherently knows which device is plugged into which port because of the way the system operates. If you plug in two identical USB devices to a hub at the exact same time, it doesn't matter. The hub indicates to the host that a new device was detected, the host instructs the hub to establish a connection to the new device (in this case the lower port number), and the host sets up the new device. This process is then repeated for the other new device on a different port on the hub.

Quote:

Even my limited knowledge of USB driver programming informs me that pinning things to an exact physical port is pretty darn difficult.

For a USB driver, not hard at all. As previously indicated, it's required. If Linux is used on the DS, then it would be fairly straightforward to implement the necessary means to identify USB devices based on the port they're plugged into.

Quote:

If it takes the controller 15 seconds for each port to identify the joysticks on boot-up, I don't think you want the process constantly occurring while you're trying to drive.

The USB bus generates the equivalent of an interrupt when a new device is connected. The host does not have poll. I have no idea why the DS would take 15 seconds to initialize a device, but I've used plenty of Linux boxes (including small, embedded ones with tiny, slow processors) and none of them took 15 seconds to identify a device.

Quote:

The problems with old and uninitialized values being sent are slightly more worrisome, but aren't likely to be life-threatening if you're following commonsense operating rules. Also, if the 127 default startup and unplugged joystick values from the IFI OI made you feel safe enough to put yourself in harm's way, then you weren't operating under particularly safe rules in the first place.

I would not feel safe intentionally sticking my hand in an enabled robot based on the IFI 127 default value, but I can tell you that I've seen plenty of demos and such where a joystick was accidentally unplugged, and I'm really glad that the robot didn't take off full-reverse when that happened (by reading a 0 instead of 127). It's not hard to imagine a situation where a controller falls off a shelf, gets bumped full-forward or full-reverse, and then gets unplugged (leaving the robot moving that speed under the new DS). Then, in a quick instinct, you hit the disable button only to find out that it is experiencing a 2-second lag... well you get the picture.

Quote:

Insinuating it was an afterthought is uncalled for.

There are demonstrated safety deficiencies in the system that FIRST shipped to beta teams. It is not uncalled for. Someone had to prioritize the things that got developed on the DS, and obviously whatever functionality it has right now was either prioritized over the safety features that it currently lacks such as safe values when a stick is unplugged or was overlooked. Either way I don't think questioning the safety decisions is uncalled for.

FIRST robots are just as dangerous as many machines found in a shop, which typically have mechanical lockout switches and all sorts of other safety implements. Yet, with our robots our safety will depend almost entirely on the firmware in the DS and robot controller. Sure, we have a breaker that we can turn off, but how do you do that if the robot has gone nuts and is spinning dangerously fast in a circle? Being critical of the safety of the new system is in everybody's best interest. This is no time to simply drink the kool-aid. You probably think I'm overreacting, and I honestly hope you're right. If, however, I saw potential flaws in the system and didn't do something to call attention to them and someone got hurt, I would feel awful.