Should I Take Toyota's Software Update?

kiehlster writes "I'm a software developer, and I know that most software has bugs, but how much trust can we put in the many lines of code found in our automobiles? I have a 2009 Camry that is involved in both of the recent Toyota recalls. As part of the floor-mat issue, they're offering to install a software update that would cause 'the brake pedal to take precedence over the gas pedal if both were pressed,' or, as their latest notice states, 'would cut power to the engine if both pedals were pressed.' In the computer world, we're all taught to install firmware updates only if there is a real problem because a large percentage of firmware updates actually brick the hardware or cause other unforeseen consequences. On a base of 100 million lines of code, can I really trust a software update to work safely when it is delivered in a three-month development cycle? My driving habits don't cause the floor mat to slide much, so I see the update as overkill. What do you think? If it doesn't void the warranty, should I tell them to skip the update?"

Are you kidding?

[Spazmania]

Take the upgrade. Shipping firmware always has bugs. Always. As a system administrator, the first thing I do out of the box is download and install the current firmware while it's still under warranty. And if they brick your computer they'll replace it.

Re:You're looking at it wrong.

[Rakshasa+Taisab]

Good luck getting any money from Toyota or your insurance company if you _don't_ take that update.

Besides, there's not 100 million lines of code in _that_ particular part, they won't be updating your blinkenlights firmware and such at the same time.

Re:You're looking at it wrong.

[je+ne+sais+quoi]

Not to mention that there is a real chance this isn't being caused by floor-mats or sticky pedals at all and that it's the software that's causing this in the first place. My gut is to say that their patch is necessary for the same reason why the phone company uses a program whose job it is to go and find memory that is allocated but not being used and free that memory. It's because the system is so complicated that they don't know what's causing the problem and can't find the answer, so this patch acts as a stop-gap to at least cure the symptom if not the disease.

I think you'd have to be nuts not to install it.

Re:Jane, you ignorant slut...

[HotNeedleOfInquiry]

Then let me give you a more extreme example. Firmware in avionics and flight control electronics. The manufacturer releases an update and the customer has to install it to remain airworthy. Why? because the manufacturer knows more than the customer. That is almost always the case.

Re:You're looking at it wrong.

[0100010001010011]

Then you're using it wrong.

I work for a rather large corporation that uses Simulink for all of our stuff. Nothing gets re-written. The stuff that goes into production is stuff that IS assembled by the electronics group.

Other groups that design the control algorithms do use XPC boxes to create strategies quickly. Once this is done a software specification is written and given to the group that actually makes the model 'their way' (fixed point, design standards, naming conventions, etc). This gets compiled and put into production ECMs that customers use.

It's really amazing how settings and maps get pulled from different databases and merged together

Re:You're looking at it wrong.

[Zurk]

IT is not THE fix. it is a failsafe for THE fix.
The REAL problem is the reading from the toyota ECM when the two redundant APP (accln pedal position) signal circuits are shorted together (main and sub), From the toyota camry VSRM :
DESCRIPTION
This ETCS (Electronic Throttle Control System) does not use a throttle cable. The Accelerator Pedal Position (APP) sensor is mounted on the accelerator pedal bracket and has 2 sensor circuits: VPA (main) and VPA2 (sub). This sensor is a non-contact type, and uses Hall-effect elements, in order to yield accurate signals, even in extreme driving conditions, such as at high speeds as well as very low speeds. The voltage, which is applied to terminals VPA and VPA2 of the ECM, varies between 0 V and 5 V in proportion to the operating angle of the accelerator pedal (throttle valve). A signal from VPA indicates the actual accelerator pedal opening angle (throttle valve opening angle) and is used for engine control. A signal from VPA2 conveys the status of the VPA circuit and is used to check the APP sensor itself. The ECM monitors the actual accelerator pedal opening angle (throttle valve opening angle) through the signals from VPA and VPA2, and controls the throttle actuator according to these signals.

FAIL-SAFE
The accelerator pedal position sensor has two (main and sub) sensor circuits. If a malfunction occurs in either of the sensor circuits, the ECM detects the abnormal signal voltage difference between the two sensor circuits and switches to limp mode. In limp mode, the functioning circuit is used to calculate the accelerator pedal opening angle to allow the vehicle to continue driving. If both circuits malfunction, the ECM regards the opening angle of the accelerator pedal as being fully closed. In this case, the throttle valve remains closed as if the engine is idling.
If a pass condition is detected and then the ignition switch is turned off, the fail-safe operation stops and the system returns to a normal condition.

VPA and VPA2 are coming from the PCM with .5-1.1v at one of the sensors and 1.2-2.0v at the other when the pedal is at its relaxed position. When there's force at the pedal, one sensor will operate between 2.6-4.5v and the other at 3.4-5.0v.

Toyota specs normal voltage for both the VPA sensors between between .4-4.8v for VPA, and .5-4.8v for VPA2 with a .2v deviation between the 2 sensors. Anything out of those ranges will trigger a DTC

An internal short could occur within one or more of the paths from the circuits leading to the ecm. That could lead to a situation where the computer cannot detect its own failure.Therefore, when the system gets conflicting information, it arbitrarily ignores half the conflicting information. It does not know which of the circuits are lying or if they both are lying and shorted together. different resistance values will lead to arbitrary acceleration. Having the brake override it is a stopgap, but ixing the real problem (perhaps with a third circuit in voting mode which will require replacing the entire circuit path) is the REAL FIX. I suspect 2012 and onwards toyotas would have a third path and faraday cage/denso replacement for the magnet assembly in the plastic accelerator pedal (which is another problem with EMI which might lead to acceleration) which i am not going to go into here.

So, YES OP you should definitely install the update. Its the only thing standing between you and death if both the APP circuits short.

Re:You're looking at it wrong.

[jellomizer]

Number 3 is a good point...

You get in an accident. You go Well it is a Toyota bug. But Toyota goes well we gave you the fix you said "I don't know if I should install it, I mean it is a patch it just may not fix the problem"

Basically if you install it, there is a problem it is Toyota fault not you... If you don't then it is your fault.

I also fail to see where this Millions of Lines of code comes from. I haven't ever see anything that has a million of lines of code. I have seen groups of software when packaged together will be millions of lines of code. Even the Linux Kernel it is broken into a bunch of smaller programs, so a fix doesn't effect millions lines of code.

When some one says it is millions of lines of code it is them bragging how much effort they put into making the application deployable... However if there is a bug that needs to be fixed it is normally part of a module where you need to test to make sure that it doesn't effect around 5000 lines of code.

Rhonda Smith's story smells fishy

[sjbe]

Rhonda Smith's story of six miles of interstate terror, as her Lexus suddenly zoomed to 100 miles per hour, will set the mood Tuesday for the first congressional hearing on Toyota's acceleration problems.

Yes and if you read more about it you'll find several interesting bits of info. One is that upon inspection there was no evidence that the brakes had been applied, including the MECHANICAL emergency brake. She also claimed under oath that she had complained about the problem to Toyota but the only record Toyota has is for an oil change. She also sold the car to a family member (not something you'd think she'd do if it really were unsafe) and according the the Wall Street Journal the car is still on the road.

Frankly I think there are a lot of people making up stories hoping to get money in a lawsuit, much the same way people made up stories about Audi a few decades ago. Yes, there appear to be some actual problems but there are a lot of liars out there too.

Re:You're looking at it wrong.

[toastar]

Just push the power button for 5 seconds.

Yah Know.... I never really liked when computers switched to this method with the ATX revolution, Sometimes you still have to reach around and pull the plug. Sometimes it can take a minute or two.

I'd hate for this to happen in a life or death scenario. As mentioned above a hard off ala old AT cases just seams safer.