Wow. MCU almost killed me.

[tls]

Correct. Just like you, I am a customer of Tesla. So unless you are also an engineer at Tesla....

Ok, if we're going to snip each others' text to nothingness and then soapbox about it, so be it. I see you confirm that you have no relevant engineering experience. I have some. In my experience engineers working on life-safety systems do not take the cavalier and reductive "well, we could all die anyway, so no point trying to mitigate new risk" view you seem to. I would assume this extends to Tesla's engineering staff of whom I do still hold a very high opinion.

So I was quite surprised to see them get this one so very wrong. Like many others I'd assumed the MCU couldn't cause this kind of failure (because well understood practices would reduce that possibility to a negligible level). I would expect someone at Tesla thought so too and screwed up. I hope they take it seriously enough to prioritize a fix but this is a problem that, to me, is different in kind than the other MCU bugs so many of us have seen. An issue that, given the experience I do have working on other embedded systems including user interfaces to dangerous machinery, I find very surprising and worrisome.

That's how it looks to me from the imperfect, non-comprehensive, but relevant experience I do have implementing life-safety systems. You admit you have none at all. What can I say?

 

[CSFTN]

And that other computer can experience a similar fault. Cut the computer out of the equation? Then you'll still end up with some part of single point of failure (a fuse, a wire, a battery) that can cause all your lights to turn off.

Here, this was obviously an edge case where the MCU experienced a case in which it turned off the lights, but in memory the state of the lights was that they were still on. It's a software bug, probably a logics bug.

I have been a reader here for years .. back in the beginning of the Model S and then the Model X, there WAS another computer called the integration unit, IIRC. Its job was to ... integrate the functions of the other computers, especially the low level computers and the MCU. It was (reportedly) designed with very basic, simple code so that it was a redundant safety system which would never crash. So, even when the MCU or IC (or Autopilot etc) crashed, the car was still drivable.

That being said, I had my own similar episode about 2 weeks ago. I had to abandon my 2 year old Model S with MCU2 and HW3 on a busy street in the rain at dusk, so I wouldn't be in it when it was rear-ended. About 10 minutes later, everything rebooted and was fine. Has been fine since. I suspect they recently introduced updated code to the IU, and that is leading to these issues. Or my problem could be of a totally different genesis of yours

 

[sonofagunn]

...Like many others I'd assumed the MCU couldn't cause this kind of failure (because well understood practices would reduce that possibility to a negligible level). I would expect someone at Tesla thought so too and screwed up...

As a software engineer who works alongside hardware engineers, I agree with you 100%. But I also would point out that I think you are the only person this particular fault has happened to. Maybe I'm wrong about this, but if this is a singular isolated case, then they have done a pretty good job of reducing the possibility to a negligible level.

 

[tls]

As a software engineer who works alongside hardware engineers, I agree with you 100%. But I also would point out that I think you are the only person this particular fault has happened to. Maybe I'm wrong about this, but if this is a singular isolated case, then they have done a pretty good job of reducing the possibility to a negligible level.

The poster directly above yours reports that it happened to them, too, about two weeks ago.
One of the first posters to respond reported that their turn signals failed in a pretty directly analogous way.

Much of my concern before seeing that stems from what was effective at resolving the problem, and that it wasn't resolved by a MCU and IC reboot. The MCU should not be able to start up and be desynchronized from the controller actually switching the head/tail lights about its state. That -- once you know -- it's so simple (though definitely not "easy" if suddenly driving in the dark with the MCU on another part of the UI...) to manually resynchronize it ("exterior lights" to OFF; "exterior lights" back to AUTO) strongly suggests to me that basic failsafe procedures like having both sides poll each other with a watchdog, or state sanity checking on startup, are in fact not in place.

 

[recluce]

I could be wrong, but all those functions (lights, HVAC, radio, etc...) are all controlled by the MCU, so the two options above are the solution.

I think what you want is for them to re-architect it to not be part of the MCU but another computer...

I think the OP, just as myself, expects vital systems to be configured to fail safe - i.e. low beam lights default to on with the MCU failed and the car driving. How they do it: I really don't care. It could be a micro-controller that performs as a watchdog for the MCU, whatever.

 

[Catbiscuits]

Did I miss something or did you try your hazards?

 

[tls]

Hazards worked. Only exterior lights that did. Didn't really provide enough illumination to see the road, though...

 

[CSFTN]

Hazards worked. Only exterior lights that did. Didn't really provide enough illumination to see the road, though...

same for me. And when I came to a full stop at a red light, the car turned off, wouldn't move once throttle depressed. IC even had a message something to the tune of "car turned off."

 

[tls]

I just filed NHSTA complaint number 11365827. In a nutshell: all my exterior lights just turned off while driving on a twisty, limited-access road with no shoulder (Garth Woods section of the Bronx River Parkway, for those of you in the NYC area) in the dark. Head and tail. Neither high nor low beams would come on (high beams wouldn't even "blink" when I pulled the stalk). If a driver behind me hadn't noticed and used his high beams to guide me about a mile onto the next safe shoulder, I could easily have died.

We just got the car back from a week long investigation / service. Tesla's diagnosis is that one HID headlamp is failing, which by design causes both headlamps to shut down (!). They say they were able to reproduce this in the shop and noted that one headlamp is dimmer than the other (this is in fact visible to the naked eye).

Evidently powering the car up/down, rebooting the computers etc. will not cause the car to attempt to relight the lamps in this condition (perhaps none of these actions cut power to the ballasts if the lights are set to "auto"?) but cycling the "exterior lights" setting off/on will.

They say there is no MCU involvement in the problem. In fairness, they did call while they had the car to ask if I was 100% sure the tail lights were also off when the car went dark; at this point I am only 90% sure, so: maybe. Though there were no warning lights displayed, etc. -- does this component really fail without any feedback?They recommended replacing both headlights at a cost of $3000.

Instead, we are trading the car in on a Y. Which we had been thinking of anyway. Not the worst outcome in the world, though I am still not entirely sure what to think about the cause here.

 

[Doanster1]

Hmmm, I don’t buy that in its entirety because I know for a fact that one headlight going out will not cause the other to shutdown. That’s just counterintuitive. Cause instant blindness vs allowing the driver to make it safely home/to the auto parts store. Either way, you lived, so congrats on the Y.

 

[brkaus]

I think the car should have a physical switch for headlights.

It is possible for physical switches to fail also. An open circuit in a mechanical headlight switch would leave you in the same situation, however I believe the failure rate of a well-designed (most likely borrowed from M-B as many parts have been) would be far less than MCU failures which (in various forms) have been rather common.

My bmw headlight switch failed. It’s even coded with the VIN so it has to be replaced with a new part by BMW or it gets a tanker symbol on the dash.

 

[evalst2018]

2 weeks ago I was driving down the freeway at night. My infotainment unit turned black, I lost:

1.. Auto pilot
2. hvac
3. exterior lights
4. radio
5. maps, blinkers

When I contacted Tesla, they said nothing was wrong with my car. We could have easily got into an accident losing these vital things. How do you get Tesla to fix this and what is the right fix?

 

[wooter]

When I contacted Tesla, they said nothing was wrong with my car. We could have easily got into an accident losing these vital things. How do you get Tesla to fix this and what is the right fix?

Just like any other car: you go in, the dealer doesn't find an obvious problem and that's it.

It's very unlikely though that your infotainment would kill the AP, exterior lights and blinkers. In my experience, if AP was engaged before the MCU reboots, AP keeps working (but you can't reactivate it). Exterior lights and blinkers keep working, but you won't get an audible signal they do. Radio, map and HVAC are obviously not working because the MCU is not in a running state.

 

[1windy]

We just got the car back from a week long investigation / service. Tesla's diagnosis is that one HID headlamp is failing, which by design causes both headlamps to shut down (!). They say they were able to reproduce this in the shop and noted that one headlamp is dimmer than the other (this is in fact visible to the naked eye).

Evidently powering the car up/down, rebooting the computers etc. will not cause the car to attempt to relight the lamps in this condition (perhaps none of these actions cut power to the ballasts if the lights are set to "auto"?) but cycling the "exterior lights" setting off/on will.

They say there is no MCU involvement in the problem. In fairness, they did call while they had the car to ask if I was 100% sure the tail lights were also off when the car went dark; at this point I am only 90% sure, so: maybe. Though there were no warning lights displayed, etc. -- does this component really fail without any feedback?They recommended replacing both headlights at a cost of $3000.

Instead, we are trading the car in on a Y. Which we had been thinking of anyway. Not the worst outcome in the world, though I am still not entirely sure what to think about the cause here.

Just curious are they lowering the trade in value due to not repairing the lights?

 

[bob_p]

We've lost the console processor (black screen) recently on both our 2017 S (MCU1/HW3) and 2018 X (MCU2/HW3).

With MCU1, the dashboard display is still operational, since that is controlled by a separate processor. With MCU2, the dashboard display can also be lost (since it's controlled by the same processor as the console display).

It appears a recent software change has caused some instability, resulting in the console processor hang/freezes/restarting.

Forcing a restart (using the steering wheel thumb wheels) also seems to take much, much longer than it used to. This could be caused by a recent software change - or because we've had both vehicles upgraded recently to the new FSD processor.

Vehicle operations (steering, braking) is not controlled by the console processor, so the vehicle is still fully operational even though you may not see anything on the console and/or dashboard displays. With AP2 and later, the AP functions should also be operational, running on separate processor(s).

Years ago, when the MCU was restarted (either due to a crash or steering wheel controls), the restart process was pretty quick. The console display would go black for a few seconds. The Tesla T would be displayed. The air conditioner would stop for a few seconds. The display would start coming on with a blank map. And once the internet connection was completed, the map would be displayed. The entire sequence didn't take that long - and could be done without too much difficulty while the vehicle was in motion.

Today, the process takes much, much longer.....

 

[brkaus]

With MCU1, the dashboard display is still operational, since that is controlled by a separate processor. With MCU2, the dashboard display can also be lost (since it's controlled by the same processor as the console display).

My last MCU hang resulted in the IC crashing and going black. Without me specifically rebooting the IC.

it may all be software bugs...

 

[tls]

Just curious are they lowering the trade in value due to not repairing the lights?

It appears not, though they're at the low end of the valuation range for this car.

I still have to drive the car while I wait for the Y, so I will replace the bulbs and ballasts. Shocking that Tesla won't do this instead of insisting on replacing each entire headlight assembly at $1500 per.

 

[Quamera]

Correct. Just like you, I am a customer of Tesla. So unless you are also an engineer at Tesla, you're limited to alerting Tesla, alerting the NHSTA, posting your one-time encounter with this bug on the internet and what more.

This was a bug that affected the headlights, just like a single fuse is responsible for the lights in my old analogue car, which by the way only had one 12V battery and one alternator, so if one of those things would fail, I would have been left in the dark aswel. Oh, not to mention the single switch to turn on or off the lights, which could also fail.

I am looking forward for the recall of... pretty much nothing? It's a software bug? Or can probably be solved with software? Because, as with my analog cars, Tesla won't install a redundant MCU, switching, 12V battery and HV battery. So it'll probably be resolved with a OTA software update and you'll never be the wiser without insight in the individual commit logs of the code or insight in Tesla's bug tracking system.

Not sure about other countries design rules but for headlights and brakes Australian Holden (GM) Commodores have dual circuits so in case of a failure you still have partial lights or brakes. Dual brake circuits have been around since the '60s, dual headlight circuits since the '80s (separate fuses and relays for left and right but powered by the same switch).