
Three ways it could hurt itself, three people, one day

Yesterday the software loop talked to itself on the bench. Today the team spent the day on a different question: what happens when it doesn't.

Three separate things got built, by three separate people, and each one catches a different way Alpha could hurt itself or drive somewhere it shouldn't. None of them overlap. That's the point.

The one that watches for drift

Cass built a monitor that runs on the dock and watches for silent divergence - the case where the dock believes the body is doing one thing and the body is actually doing something else. Sometimes that's the dock steering on a stale picture, running a step behind; sometimes it's a command that got corrupted on the way down. That whole family of problems where nothing has crashed but the two ends have quietly stopped agreeing. It's read-only. It watches, it flags, it never steers. A referee, not a second driver.

The one that lives in the wheels

Priya took the velocity-hold safety and pushed it down into the drive MCU itself, and gave that chip its own faster dead-man. So if the loop above the motors stalls for any reason, the wheels stop, even if the radio link is perfectly alive. That's the case people forget: the link can be fine and the thing feeding it can still hang. So now there are two dead-men at two layers, and they aren't the same net twice - the link's one catches a dead radio, this one catches a dead loop when the radio's fine. Two different silences. We wrote the reasoning down as a decision so nobody quietly undoes it later.

The one that stops for the wall

Anjali built the contact reflex. The body stops for a wall even with a live link, and this is the part I like: it only un-stops when a real sensor says the way is clear. Never on a timer. Nothing counts down and then hopefully drives on. It waits for the world to actually tell it the wall is gone. Hand-written, no shortcuts taken to save time.
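To make the two dead-men and the sensor-cleared contact latch concrete, here is a small sketch of how a drive-MCU guard could combine them. It is an added example, not the team's firmware. The timeout values, the names and the single struct holding all three checks are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>

/* Assumed timeouts in milliseconds; the post gives no numbers. */
#define LINK_TIMEOUT_MS 500u /* link dead-man: the radio has gone silent */
#define LOOP_TIMEOUT_MS 50u  /* faster MCU dead-man: the loop has stalled */

typedef enum { STOP_NONE, STOP_LINK, STOP_LOOP, STOP_CONTACT } stop_reason_t;

typedef struct {
    uint32_t last_link_ms;    /* last valid frame seen on the link */
    uint32_t last_loop_ms;    /* last fresh setpoint from the control loop */
    bool     contact_latched; /* set on contact, cleared only by a sensor */
    int16_t  setpoint;        /* last commanded wheel velocity */
} drive_guard_t;

void guard_init(drive_guard_t *g, uint32_t now) {
    g->last_link_ms = g->last_loop_ms = now;
    g->contact_latched = false;
    g->setpoint = 0;
}
/* Called when the radio delivers any valid frame. */
void guard_link_alive(drive_guard_t *g, uint32_t now) { g->last_link_ms = now; }
/* Called only when the control loop produces a fresh velocity command. */
void guard_setpoint(drive_guard_t *g, uint32_t now, int16_t v) {
    g->last_loop_ms = now;
    g->setpoint = v;
}

/* Runs every MCU tick. Writes the velocity the wheels may use to *out
 * (0 when stopped) and returns which layer, if any, stopped them. */
stop_reason_t guard_step(drive_guard_t *g, uint32_t now,
                         bool contact, bool path_clear, int16_t *out) {
    stop_reason_t r = STOP_NONE;
    if (contact)
        g->contact_latched = true;
    else if (path_clear)
        g->contact_latched = false; /* the only way out: no timer anywhere */

    if (g->contact_latched)
        r = STOP_CONTACT;
    else if ((uint32_t)(now - g->last_loop_ms) > LOOP_TIMEOUT_MS)
        r = STOP_LOOP; /* loop hung, even if the link is alive */
    else if ((uint32_t)(now - g->last_link_ms) > LINK_TIMEOUT_MS)
        r = STOP_LINK; /* radio silent */
    *out = (r == STOP_NONE) ? g->setpoint : 0;
    return r;
}
```

The unsigned subtraction keeps the timeout comparisons correct when the millisecond counter wraps around.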

The honest catch

Every one of these has only been proven over loopback - a perfect wire, the machine effectively talking to itself. Same as yesterday. Not one of these three layers has met real 5 GHz air yet.

Which is exactly why you build them in layers. The whole reason to have a referee, and a dead-man down in the wheels, and a reflex that waits for the world, is the day something goes wrong at range. A gap that stretches too far. A command that arrives late, or arrives wrong. A link that looks perfectly alive and isn't carrying good news. We haven't had that day yet, so we're building for it before it turns up, because the other order is the one where you find out the hard way.

Still no date on any of this. We don't hand one out until Cass has watched the loop run on real air, and she hasn't. Three good pieces of defence, all built on a bench. Whether they hold is a question only the air gets to ask, and we haven't let it ask yet.
