
> All REWheel was trying to do was let users repair their BMSs and re-level their boards for aftermarket rails, as well as provide safety features so that boards didn't drop users.

I think there's a useful discussion to be had about the reasoning behind things like this. This is definitely going to be a bit of a devil's advocate thing but it brings up a much needed discussion.

One of the often-cited reasons for limiting third-party access to firmware and repair is that unauthorized repair could potentially compromise the safety, security or reliability of the device (or at least void the certification), and the manufacturer would still have its brand on the product; the user would not blame the third party if something broke, but rather the manufacturer. This was supposedly one of the reasons why Tesla doesn't like repair, because they really didn't want news about battery fires.

Obviously, in this particular case the safety characteristics of the original product, as you note, are terrible to begin with, so any competent third party is more likely to increase the safety than not.

But say, for example, that the OneWheel was designed with a proper engineering process. Say, for example, the ESC and powertrain were held to ASIL-D standards and the battery pack was UL 2271 [the standard for light electric vehicle batteries] certified - both are entirely reasonable standards to expect this equipment to be certified to (ASIL-D is a common standard for things like power steering modules in cars, which have to be robust because any failure could result in full lock-to-lock torque overpowering the driver at highway speed - also a system involving servo control and brushless motors).

Such a system would involve a very significant design and verification effort to catch edge cases. Things like your wire-breaking scenario would need to be analyzed as part of the design - can the design fail in a safe way when certain failures are encountered, up to and including redundancy? Things like waterproofing, as you mention, need to be tested to IP rating standards - probably at the very least IP66 for the whole device, given where people use these devices.

> swapped out IMU because of chip shortage and didn't validate high pass filters properly

This wouldn't have been allowed in a certified product. When you change materials or components in a certified product, you have to redo the validation and certification process. Otherwise the certification is worthless.

*Now, given these conditions, would allowing third parties to easily replace components with random ones potentially compromise safety?*

> removing the discharge path on the BMS (so it couldn't power off the board unexpectedly)

This one, for example, IMO, is questionable. I would argue that it does reduce safety, and given the original DRM, this is what they are trying to prevent. Clearly, some level of certification was achieved for the original battery pack (UN38.3, mandatory to transport), and they don't want this modification to happen.

Given the rising dangers of battery fires and explosions, I believe that BMS system integrity has never been more important, as these devices have a MUCH greater risk exposure (24/7 potentially) and to a much greater population (anyone living in a building with at least one of these devices in it). Even big players like the Tesla Megapack have fire problems, and that's with a proper safety management design. Let's say, for example, an MLCC on your ESC fails, cascading into an arc fault involving the PCB, carbonizing and fusing the copper layers together (there are examples of this happening on even lower power designs). Without a discharge path, the battery and the device will now need to convert 1 kWh of power into heat over about 5 minutes. This is going to set the carpet on fire.

Under UL 2271, and actually under all of the UL standards for batteries if I remember correctly, you need to pass all of the safety tests for the battery with one set of safety devices not otherwise certified (i.e. mosfets as opposed to UL rated battery fuses) "faulted", which means that commercial batteries like the Segway Ninebot scooter batteries are usually fitted with multiple layers of MOSFETs and cell protection ICs. Of course in this particular situation, you don't want the battery to cut off too quickly. And thus, this would call for specific and deliberate engineering to design a solution that will protect against both sudden failure and fire.

Looking to the broader system, the VESC system proposed as a replacement for the original controller is likely more robust in actual usage, but I don't personally think it's a direct alternative to a properly designed first-party solution. VESC is largely DIY-grade prototype hardware and software, which, while functional, I don't consider (and they explicitly state is not) safety critical. I kind of did wish for a while that they would actually attempt to build such a system, because it would have been nice to have an open source solution with a safety-grade lockstep microcontroller, redundant power paths and whatnot, but after spending some time in that community it seems that the thrill of danger is part of their idea of fun, so I'm not holding my breath waiting.

This brings me to I suppose what my actual point is.

I think that in some cases, software locks that attempt to prevent the unsafe modification of certified and safety critical systems are acceptable. I think that instead of disabling functionality, the app should just pop up a warning that the system has been modified. This is what Google does with bootloader unlocking and what Apple does with their "important display/battery/camera message" notifications, or what Samsung does with Knox. I'm not opposed to these types of schemes because the lifespan of a $2000+ device is likely to be very long, and it's important for downstream users to be aware of the modifications that have been done, and for the manufacturer to be able to say "hey, this is modified, the certification is void, it's your problem now" when it inevitably turns into an accident.

I do, on the other hand, believe that it is valuable to allow users to prototype and develop on hardware they own. This is why I propose that the software locks do not disable functionality entirely. I also think that by replacing all, or a significant amount of the internal components of your device, it is no longer a OneWheel, it is your own creation, and as such, the manufacturer should not, and (tbh already cannot) restrict what you do with it. I'm okay with the manufacturer requiring that its trademarks and the certification marks be removed as well.

I think that a robust framework where manufacturers can prove that they are doing what is necessary to make these devices safe is extremely important, especially as this is an emerging market. We are already seeing anti-PEV regulation in various markets, with these devices being technically illegal where I'm from, and NYC banning some PEV batteries (?). If these transportation devices are to become popular and accepted and eventually legalized, something has to be done, both from the DIY side (to promote actual and demonstrable safety) and from the manufacturer side (to certify their products and deliver products with a track record of safety). Otherwise, I think the burden on these devices will eventually push them out of the market.
Thank you for your detailed response. I completely agree that certain standards for a safety critical system should be met for when these devices go out of the factory!

Regarding BMS safety, the reason for removing control of the discharge path is that the device should always prioritize the safety of the user while riding. Instead of dropping the user to the pavement, pushback and audio alerts should be done to alert the user that one of the cells is having a voltage issue, or the pack is getting too hot. Bypassing the BMS's discharge does not affect charge protection, which is the main scenario of what would cause the battery to catch on fire and burn your house down.

In fact, Future Motion DISABLED BEING ABLE TO READ INDIVIDUAL CELL VOLTAGES TO MONITOR THE SAFETY OF THE PACK in an effort to restrict 3rd parties from building batteries. Another anti-consumer decision was the GT having 6.5" non-standard rims in an effort to corner the tire aftermarket. Larger rim size is actually bad for riding characteristics, and the right move from an engineering perspective would actually have been to go smaller (the Float Life is working on 5" hubs).

Yes, I get that having a OneWheel catch on fire impacts their brand, but there are multiple other issues with these devices and quite a number of anti-R2R measures which are not acting in good faith for users' safety, and again, the actual dangerous scenarios are when a cell gets over-charged, which the BMS is still there to enforce. :)

Regarding R2R, there are people all around the world who ride these devices, and sending the board into their only location in Cali just isn't an appropriate solution. Unfortunately FM has been very strict on enforcing patents (even though they didn't technically invent the self-balancing skateboard, as there is prior art) and they have created an anti-competitive, anti-consumer market.

I would absolutely love a safer device that meets the safety standards and certifications you mention, and I hope there can be a path forward where I don't have to build these myself. I'm lazy. I don't exactly enjoy this type of work on my board (I'd rather be riding). I do it out of necessity.


Thank you for the detailed reply as well.

I'm somewhat familiar with all of the problems and bugs with these particular OneWheel products and I agree that most of the actions taken by this particular company appear to be profit oriented as opposed to safety oriented.

My original comment was not really aimed directly at defending them but rather just trying to start a discussion about something that I think comes up a lot and to provide what I regard as a slightly unpopular opinion.

> Regarding BMS safety, the reason for removing control of the discharge path is that the device should always prioritize the safety of the user while riding. Instead of dropping the user to the pavement, pushback and audio alerts should be done to alert the user that one of the cells is having a voltage issue, or the pack is getting too hot. Bypassing the BMS's discharge does not affect charge protection, which is the main scenario of what would cause the battery to catch on fire and burn your house down.

Yes, I agree with your assessment that this would be a reasonable order of priorities for a device like this. If you asked me to design a device like this, on the other hand, I would probably have built it with discharge protection, but have a "controller is driving the motor" pin for feedback where the BMS will give an X-second cutoff grace period. IMO, the discharge current should be set such that it doesn't trip at motor stall current, but does trip with a low impedance short at least (in such a failure scenario, the motor would have stopped anyway). Additionally, power to the ESC should definitely be removed when the device is safely powered off. I would personally be okay with it if they did what laptop manufacturers did and set a "permanent fail" flag in the BMS after being operated outside of its design parameters to prevent the battery from being charged again.

The primary safety condition I'd like addressed is the case where a failure in the electronics while the device isn't being used may cause the pack or the electronics to start a fire (e.g. water ingress into device causing shorts, which has caused documented problems before; Apple actually applies potting compound to the BMS PCB in their batteries to supposedly address this case), though I am aware that charging appears to be where a lot of the hazards come from.

> Unfortunately FM has been very strict on enforcing patents (even though they didn't technically invent the self-balancing skateboard, as there is prior art) and they have created an anti-competitive, anti-consumer market.

To be honest, I think that this is the core of the problem. In a market where competitive products exist, defects are fixed rather quickly because customers can and will choose products without this unfortunate imbalance of power. If you look at the EUC market, there is plenty of innovation that leads to better products year over year - defects happen, but they appear to actually get fixed.

> Regarding R2R there's people all around the world who ride these devices, and sending the board into their only location in Cali just isn't an appropriate solution.

I think overall with this company, there's a good amount of kool-aid going around in the typical Silicon Valley fashion, where people think they know everything about how the world and customers work. If I remember correctly it's a business that started out of what was once someone's passion project, and I'd imagine it is emotionally difficult for people to let go of their "children" and accept that the community and the customer base are ultimately going to take the product places they might not have imagined, and that the aftermarket and consumers are ultimately the deciders of where their vision will go. I feel like a lot of what they're doing could potentially just be a last-ditch effort to maintain some semblance of ownership and control, but historically, the pioneer of a technology is not often the one that sees it through to maturity.


Oh of course, you even led with stating that you would like to make some points as devil's advocate, and I agree with that approach. It's like when you're doing prompt engineering for an LLM, i.e. we need to make sure we load all context into our shared memory so our neural networks can properly evaluate the scenario and make informed statements. It's a collaborative effort. :)

Regarding discharge protection and BMS safety, I completely agree with a hybrid approach of discharge protection with a grace period to alert the user if the device is armed. The main issue with battery safety is when the device is left unattended charging, but I do agree that ideally it should be shut off completely while unattended. However, when riding, I would rather my board start smoking and catch on fire than ditch me going 25 mph. Obviously there needs to be a hybrid approach as you describe, as the current situation is not optimal.

Yes, the EUC market is a prime example. There aren't actually that many VESC EUC builds because there is so much competition it is not needed.

Regarding "drinking the kool-aid" and "the pioneer of a technology not is not often the one that sees it through to maturity", I feel like a prime example was the Boosted boards.


> I feel like a prime example was the Boosted boards.

I always thought this was more of a business side problem (they tried to expand pretty quick, including making a scooter) than a technical or product execution problem. If I remember correctly, Boosted's products were actually fairly highly regarded - while I've never had one, I had a friend that had the V2 and he seemed to enjoy it quite a lot. They also made a very nice and functional backpack which I wish was still available, honestly.

I think the Boosted products were a little bit ahead of their time. It was only during the pandemic, at least where I'm from, when PEVs really started becoming popular. One thing I really did appreciate about their products was that they appeared to be designed/engineered here and not overseas. Since they left the market, most other alternatives are just OEM products white labelled from overseas, and you tend to see less design elegance and purposeful vision unfortunately.

I honestly think the Onewheel company could have been the spiritual successor to Boosted, but it's sad to see that they haven't continued that tradition of being dedicated to building a good product and providing good support.

