Should I Take Toyota's Software Update?
kiehlster writes "I'm a software developer, and I know that most software has bugs, but how much trust can we put in the many lines of code found in our automobiles? I have a 2009 Camry that is involved in both of the recent Toyota recalls. As part of the floor-mat issue, they're offering to install a software update that would cause 'the brake pedal to take precedence over the gas pedal if both were pressed,' or, as their latest notice states, 'would cut power to the engine if both pedals were pressed.' In the computer world, we're all taught to install firmware updates only if there is a real problem because a large percentage of firmware updates actually brick the hardware or cause other unforeseen consequences. On a base of 100 million lines of code, can I really trust a software update to work safely when it is delivered in a three-month development cycle? My driving habits don't cause the floor mat to slide much, so I see the update as overkill. What do you think? If it doesn't void the warranty, should I tell them to skip the update?"
You already took the 100 million lines of code when you bought the car.
Now do you want the bug fixes, or would you rather find out what a "fatal exception" means in more physical terms?
Are you for real?
yes
First, this is about your safety.
Second, if the update bricks your car, that would be Toyota's fault, not yours, and I'm pretty sure they would resolve the issue for you free of charge.
Or, you can keep driving a potentially unsafe vehicle on "firmware update" principles.
Unpatched PCs are bad enough. If I can't go outside because of morons with unpatched cars, I will be very unhappy.
If it bricks, the Dealer's going to be the one who has to replace it. As far as I look at it, it's zero risk, financially.
Safety wise, it fixes a known bug.
Take the update.
"If we let things terrify us, life will not be worth living."
- Seneca
The car in front is a Toyota because the accelerator pedal is stuck down
Take the upgrade. Shipping firmware always has bugs. Always. As a system administrator, the first thing I do out of the box is download and install the current firmware while it's still under warranty. And if they brick your computer they'll replace it.
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
Yes, but make sure you drive the Toyota round a large sandbox for a few days first...maybe you live near a sandy beach or golf course with large bunkers. At a pinch, do your kids have a playpit in the garden? Cat litter tray?
There's the chance that the update may turn off any jailbreaks you've already got working. Worst case scenario is that it detects a jailbreak and bricks your car, like you said.
I'd stick with the white hat hackers who are providing jailbreaking instructions and forgo any manufacturer updates.
The worst that can happen is that your car becomes susceptible to the sudden acceleration "problem" and you lose control and wipe out a family or farmer's market. But you're inside the car so you'll be fine.
Plus, you'd have to go down to the dealership and they're going to ask you if you've had any problems and a huge rigmarole just to end up with essentially the same performance you've had all along.
Too many risks and too few benefits. I'd say no.
There's a lot of cars that have the 'brake takes precedence' feature. The only real reason to not have such a feature is because of trail-braking or heel-toe shifting. Both are racing/performance driving techniques you won't be doing in your Camry. Plus, it is a pure software feature in that if it detects you braking, it will cut throttle. So there's no big issue there.
Also, cars have their computers updated all the time, and it has never been a big deal in the past. The Nissan GTR was the last example that made the news (to cut down on the RPM the launch control used). But really, cars are reflashed all the time. It's not a big deal.
Many other manufacturers have already added a similar piece of code. It really doesn't take too long to debug an interlock. Your primary failure mode will be: if the brake pressed switch fails (i.e. the tail lights are stuck on), then the car won't run.
Every interlock has a strong tendency to fail into the safe state. Conversely, omitting interlocks tends to result in fail-dangerous failures, which is what Toyota is experiencing.
Take the update.
My driving habits don't cause the floor mat to slide much, so I see the update as overkill.
Perhaps, but didn’t I read about some people who died in a Toyota, presumably from this exact bug, whose floor mat was found secure in their trunk, exactly where Toyota recommended them to put it when they thought the floor mats were causing the accelerator bug?
Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
Think of this a few different ways. First from a liability standpoint, you are considering actively refusing a fix for a known bug that has killed people. If you ever sell your car and it can be proved you actively refused this you could be on the hook both civilly and criminally. Second from a liability standpoint, Toyota is now assuming liability for this, if they brick your car, they are liable for fixing it. Third, this is a known bug that has killed people, are you bloody nuts? This is not a software bug that results in a software crash, this is a software bug that results in a real world crash!
In the computer world, we're all taught to install firmware updates only if there is a real problem because a large percentage of firmware updates actually brick the hardware or cause other unforeseen consequences.
Nobody taught you that. You pulled it out of your ass so you'd sound officious and get a post on /.
The vast majority of firmware updates work, fix problems and don't brick devices. Much more of this shit that gets by as posts and I'll be begging for Jon Katz to come back.
"Eve of Destruction", it's not just for old hippies anymore...
So based on vague general principles without any specific knowledge of the engineering issues involved you are refusing to install a manufacturer recommended safety fix. In an accident situation this is arguably evidence of a reckless disregard for human life. Good luck with your insurance company.
Yes. Toyota's mechanical fix may not be the actual fix, and the root issue may be a software-based one.
The software update is a failsafe, think of it as an error catching routine. All programs can benefit from error catching routines, problem is that programmers don't have enough time to program for every error possibility. Toyota has taken the time to add one to their cars.
If you don't take the patch and later have the problem you will likely have lost the ability to sue if necessary. Also, if you live in a state with the concept of "contributory negligence" in its laws you could be found partially or fully at fault for any accidents that would have been prevented by the patch. Eventually insurance companies are going to realize that they could deny claims in accidents if the driver's car is not fully patched. So yes, take the patch.
Take a look at the statistics for death causes for people under 60, and you will find almost everyone who doesn't die old dies in a car. Study why cities are large but there's lots of empty space with no people, and what causes urban sprawl, and you will find roads and parking lots fill all the space. Look at what wasted labor there is in society, and you will find that producing and maintaining one high-price high-waste transportation system per citizen is quite a bit of work when horses managed to do better than that quite some time ago, not to mention electricity and electric computer system transport. And PRT more recently. Then read about pollution, and oil wars. Then get back in your car anyway, without even writing a letter to someone.
Build your own energy sources from scratch. http://otherpower.com/
Even in the most modern car, I find this hard to believe, unless you include the entertainment/nav system in the count.
In my opinion, it doesn't count since this is typically decoupled heavily from the safety-critical components of the car.
It is usually easier to write bug-free microcontroller code (ECUs and such) than general purpose PC code. Also, the distributed nature of most automotive microcontroller code keeps code separated into nice little easily-testable modules.
There are always exceptions, but it's very rare for a firmware update in a vehicle to cause regressions. Nearly all of the time, "bugs" in vehicular firmware are really unanticipated results of intentional design choices. For example, the Partial EMCC (PEMCC) code in early-1990s Chrysler A604 transmission firmware that slowly trashed torque converters was intended to improve fuel economy by partially engaging the torque converter lockup clutch - it turned out this wore out the clutch FAR faster than any of the mechanical engineers anticipated. In 1993 or so, this feature was removed once its contribution to premature transmission wear was discovered. (So yeah, this was a case where a bug really WAS originally a feature!)
retrorocket.o not found, launch anyway?
closed source software model so much more fascinating when there is a body count, no?
100 million lines of code? Where are they getting this number? The entire Microsoft ecosystem is about that many lines of code.
Maybe they mean assembly code? I'd imagine that the microcontrollers that a car uses are probably programmed with lots of bare metal assembly coding.
I have an '09 Prius. And I'll be getting that firmware update. It's a feature they should have included in the first place. It's not the best implementation of the brake override I'd like. What I'd really like to have is an electrical circuit connection between the brake pedal and the throttle fly-by-wire assembly. When the circuit is tripped, the throttle position output of the assembly drops to 0 regardless of actual pedal position or sensor position. But that would require new hardware.
I'm getting the update because if the engine does start runaway acceleration, the brakes aren't enough to overcome the hybrid system's output. I know the right thing to do would be to put the car into neutral and get it safely off the road. But I don't react well to stressful situations.
Well, Toyota is giving hearings on Capitol Hill, they have taken a non-trivial financial hit, and I think their president is one piece of bad news away from seppuku. Yeah, you can probably trust that they did everything in their power not to screw it up. I probably would take a potentially unknown problem on a firmware update that is being watched by dozens of agencies and internal company auditors over a firmware that is known bad with a questionable dedication to quality. Even if there is a problem, it is a safe bet that it will be detected very early due to the number of eyes on it.
Having been inside of a company that has had to do a recall, I can say that nothing sharpens a company's overzealous safety instincts and risk avoidance mania like a major recall. Recalls, especially the type that Toyota is experiencing, are a complete disaster for the company. They are extremely expensive both in terms of cost and reputation. I am pretty sure that the internal state of Toyota right now is a safety mania that trumps all else that would make a Puppeteer proud. In fact, you can probably rest assured that Toyota is currently wildly overshooting the 'proper' levels of safety. It will probably be a few quarters before they unwind to more reasonable levels.
You need to consider it from the perspective of a manager. If you, as a manager, are in charge of a critical safety component, what is in your best interest? Yeah, you could try and cut a corner and skim an extra 2% profit that your boss might or might not notice, but if it backfires and YOU result in a safety issue, especially in the current environment, you should get a friend with a sword and a basket for your head and save the company the trouble. Right now, kudos in Toyota are earned by being a safety nut and being the one to discover and 'fix' some absurdly low probability safety concern, not for squeezing the budget a little further. Speaking as someone who has been in a company in full recall mode, if there is ever a time to trust that a company really is putting safety first, now is the time.
> ''the brake pedal to take precedence over the gas pedal if both were pressed' or, as their latest notice states, 'would cut power to the engine if both pedals were pressed.'
Hint: this is a feature, not a bug. And even if you're reviewing very closely, it's not something that it takes three months to avoid messing up. if(X&&Y) Z=Y;
When the two pedals work at the same time, it can result in pretty horrible accidents. Unless your driving style uses both pedals at the same time in a way that increases your safety (in which case you're James Bond and you don't ask slashdot questions), just take the update.
-- IANAL, this isn't legal advice, and definitely isn't legal advice for you. Also, Squee!
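The interlock the two comments above describe (brake wins over gas, with a failed brake switch falling toward "car won't run", and the one-liner if(X&&Y) Z=Y) as an added example in C. This is not part of the original thread and not Toyota's code. The pair of accelerator pedal sensors, the normally-open/normally-closed brake contact pair, the latch-until-lift-off behaviour and the low-speed threshold that leaves room for a hill start are all assumptions made here for illustration.

```c
/*
 * Added example, not from the thread and not Toyota's code: a brake-override
 * ("brake pedal takes precedence") throttle arbiter whose plausibility checks
 * fail toward the safe state.  Thresholds, sensor layout and the latch
 * behaviour are assumptions for illustration.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define APPS_MISMATCH_PCT       10  /* the two pedal sensors may differ by at most this */
#define APPS_IDLE_PCT            5  /* at or below this the accelerator counts as released */
#define OVERRIDE_MIN_SPEED_KPH   5  /* below this, brake+gas overlap (hill start) is allowed */
#define LIMP_MAX_PCT            20  /* throttle cap when the brake switch is implausible */

typedef struct {
    uint8_t  apps1_pct;   /* accelerator pedal sensor 1, 0..100 % */
    uint8_t  apps2_pct;   /* accelerator pedal sensor 2, 0..100 % */
    bool     brake_no;    /* normally-open brake switch contact: true = pedal pressed */
    bool     brake_nc;    /* normally-closed contact: true = pedal NOT pressed */
    uint16_t speed_kph;
} pedal_inputs_t;

typedef enum {
    MODE_NORMAL,          /* throttle follows the accelerator */
    MODE_BRAKE_OVERRIDE,  /* brake pressed while on the gas: throttle forced to zero */
    MODE_LIMP             /* a sensor is implausible: throttle limited or cut */
} throttle_mode_t;

typedef struct {
    bool override_latched;  /* set by brake+gas, cleared only when the gas is released */
} arbiter_state_t;

static uint8_t min_u8(uint8_t a, uint8_t b) { return a < b ? a : b; }

/* Returns the throttle command in percent and reports which rule produced it. */
uint8_t arbitrate_throttle(const pedal_inputs_t *in, arbiter_state_t *st,
                           throttle_mode_t *mode)
{
    /* 1. Accelerator plausibility: both sensors in range and in agreement,
     *    otherwise no throttle at all (fail safe on a pedal fault). */
    uint8_t hi = in->apps1_pct > in->apps2_pct ? in->apps1_pct : in->apps2_pct;
    uint8_t lo = min_u8(in->apps1_pct, in->apps2_pct);
    if (hi > 100 || (hi - lo) > APPS_MISMATCH_PCT) {
        *mode = MODE_LIMP;
        return 0;
    }
    uint8_t request = lo;   /* take the smaller of the two readings */

    /* 2. Brake plausibility: the NO and NC contacts must disagree.  If they
     *    agree, the switch or its wiring has failed; assume the brake is
     *    pressed and cap the throttle.  This is the "tail lights stuck on,
     *    car won't run" failure mode, i.e. the safe direction. */
    bool brake_pressed;
    if (in->brake_no == in->brake_nc) {
        brake_pressed = true;
        *mode = MODE_LIMP;
        request = min_u8(request, LIMP_MAX_PCT);
    } else {
        brake_pressed = in->brake_no;
        *mode = MODE_NORMAL;
    }

    /* 3. The interlock itself: brake pressed while the accelerator is above
     *    idle at road speed cuts the throttle and latches.  The driver must
     *    lift off the accelerator to re-arm, so pumping the brake cannot
     *    restore power while the gas pedal is still held down. */
    if (brake_pressed && request > APPS_IDLE_PCT &&
        in->speed_kph >= OVERRIDE_MIN_SPEED_KPH) {
        st->override_latched = true;
    }
    if (request <= APPS_IDLE_PCT) {
        st->override_latched = false;
    }
    if (st->override_latched) {
        if (*mode == MODE_NORMAL) *mode = MODE_BRAKE_OVERRIDE;
        return 0;
    }
    return request;
}

int main(void)
{
    arbiter_state_t st = { false };
    throttle_mode_t mode;
    pedal_inputs_t both = { 60, 60, true, false, 50 };      /* gas + brake at 50 km/h */
    pedal_inputs_t released = { 60, 60, false, true, 50 };  /* brake let go, gas still down */
    printf("gas+brake:      %d%% (mode %d)\n", arbitrate_throttle(&both, &st, &mode), mode);
    printf("brake released: %d%% (mode %d, still latched)\n",
           arbitrate_throttle(&released, &st, &mode), mode);
    return 0;
}
```

Step 2 is the point made above about interlocks: when the brake switch reads an impossible combination the arbiter assumes the brake is on and caps the throttle, so a wiring fault stalls the car rather than letting it run away. The speed threshold is the one knob that decides the hill-start case raised elsewhere in the thread; set it to zero and brake-plus-gas at rest also cuts power.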
I think the anti-Toyota mania is getting a little out of hand. The problem caused 34 deaths in 10 years. Given the tens (hundreds?) of millions of Toyotas on the road, it's actually not a big deal. It's an unimaginable tragedy to the people and families that died, and it should be fixed. But as a public safety issue, more people died of lightning strikes and bee stings during that period. Heart disease kills over 1,000 Americans per day. Let's keep it in perspective.
Now we don't trust their firmware updates? I think their safety record is pretty good. You're driving their car at death-defying speeds, aren't you?
The concept of a firmware update for your car is pretty interesting, though.
To illustrate my point, take a made up piece of code that takes the position of 1 sensor, and uses that to control a servo. Let's say that for whatever reason a piece of the code looks like: ServoPosition = (sensor1 + offset) * ServoOffset
Offset is used to correct for initial installation differences for the sensor, so the sensor can detect where it normally sits at idle (when not pressed) so that it can calculate its real position and not its perceived one. NOW! Let's go one step further and say the offset is supposed to be a static variable the entire time the loop is running.. but what if, WHAT IF, the code doesn't lock the offset variable, and for whatever reason the chip is restarting its program over and over again, increasing the size of the offset variable. Eventually, this could cause the sensors to detect the pedal being floored, when it's not. So how do you fix that? Remove the offset variable from the part that could be run over and over again. Be sure to always set it to 0 when you restart the loop.
And then you wonder if it's safe? Really, they changed less than 1% of their code, you fake developer.
So basically, -1 troll/offtopic is really slashdots way of saying "I hate that you thought of something before me."
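The offset-accumulation bug sketched in the comment above, as an added example in C that is not code from the thread and not Toyota's: a calibration step that folds each idle reading into a persisted offset on every restart, beside one that assigns and validates it. The ADC span, the plausibility window for the idle reading, and the idea that the control block survives a soft restart are assumptions made here.

```c
/*
 * Added example, not code from the thread and not Toyota's: the "offset that
 * grows on every restart" bug described above, beside a calibration step that
 * assigns and validates instead.  The ADC span, the plausibility window and
 * the persisted control block are assumptions.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PEDAL_SPAN 800   /* assumed raw ADC travel from idle to floored */
#define IDLE_MIN   100   /* assumed plausible window for the idle reading */
#define IDLE_MAX   400

/* Assumed to live in memory that survives a soft restart of the control
 * loop (a .noinit region or EEPROM); that persistence is what lets the
 * buggy version accumulate. */
typedef struct {
    int32_t offset;      /* added to the raw reading so that idle maps to 0 */
    bool    calibrated;
    bool    fault;
} pedal_ctrl_t;

/* Buggy: each restart folds the idle reading INTO the existing offset
 * instead of replacing it. */
void buggy_calibrate(pedal_ctrl_t *c, int32_t raw_idle)
{
    c->offset += -raw_idle;                     /* BUG: accumulates across restarts */
    c->calibrated = true;
}

/* Buggy: the scaled result is truncated to the servo's 8-bit command with
 * no range check, so a negative value wraps to a large throttle demand. */
uint8_t buggy_position(const pedal_ctrl_t *c, int32_t raw_now)
{
    int32_t pos = (raw_now + c->offset) * 255 / PEDAL_SPAN;
    return (uint8_t)pos;                        /* BUG: wraps when pos < 0 */
}

/* Fixed: start from zero on every restart, reject an implausible idle
 * reading, and assign (never accumulate) the new offset. */
bool fixed_calibrate(pedal_ctrl_t *c, int32_t raw_idle)
{
    c->offset = 0;
    c->calibrated = false;
    if (raw_idle < IDLE_MIN || raw_idle > IDLE_MAX) {
        c->fault = true;                        /* refuse to run on bad calibration */
        return false;
    }
    c->offset = -raw_idle;
    c->calibrated = true;
    c->fault = false;
    return true;
}

/* Fixed: no throttle without a valid calibration, and the command is
 * clamped to the servo's range instead of wrapped. */
uint8_t fixed_position(const pedal_ctrl_t *c, int32_t raw_now)
{
    if (!c->calibrated || c->fault)
        return 0;
    int32_t pos = (raw_now + c->offset) * 255 / PEDAL_SPAN;
    if (pos < 0)   pos = 0;
    if (pos > 255) pos = 255;
    return (uint8_t)pos;
}

int main(void)
{
    pedal_ctrl_t buggy = { 0, false, false }, fixed = { 0, false, false };
    /* Three soft restarts with the pedal at rest (raw 200 each time). */
    for (int restart = 1; restart <= 3; restart++) {
        buggy_calibrate(&buggy, 200);
        fixed_calibrate(&fixed, 200);
        printf("restart %d, pedal at rest: buggy commands %3d/255, fixed commands %d/255\n",
               restart, buggy_position(&buggy, 200), fixed_position(&fixed, 200));
    }
    return 0;
}
```

Two things go wrong together in the buggy path: the calibration is updated rather than assigned, and the output path has no clamp, so the growing negative offset does not merely read low, it wraps through the unsigned servo command. The fixed path removes both, and additionally refuses to run when the idle sample is outside the window a correctly installed sensor could produce.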
the car even with the throttle wide open.
Motor Trend's own test of a Camry found that even with the accelerator wide open the brakes can overcome the engine, easily in fact. Better yet, it still stopped shorter than the Taurus with no accelerator problems!
http://forums.motortrend.com/70/8007011/the-general-forum/c-d-toyota-dealing-with-unintended-acceleration-te/index.html
So take the update; it's not like your car doesn't already have a program, one declared defective.
* Winners compare their achievements to their goals, losers compare theirs to that of others.
No brake and gas at the same time? That majorly sucks. Albeit, not usually needed, but there are situations where you need to press both, besides when doing a burnout on a RWD ...
Drive By Wire in itself is a bit stupid idea ... Servos break more easily than hydraulic cylinders or legs. Electric connections get loose easier than hydraulic sealings start to leak. Nevermind the lost feeling of brake, gas and clutch pedals.
I drove once a drive by wire car, and I seriously couldn't use it during the winter: I had to take my shoes off to feel the pedals enough to know how much I'm pressing brake or acceleration.
Nevermind the fact that using traditional systems you apply force mostly directly to the brakes, and there can't be any software bugs.
I just wish in 20 years time I can still find "oldschool" cars that do not have drive by wire and the issues it may cause, and rather have hard lines.
Did you think about the fact that this "floor mat" issue might not exist if there were traditional pedals that needed the amount of force to press that older cars had? Not only would you actually feel the throttle position, but it wouldn't so easily be pressed by accident.
would cut power to the engine if both pedals were pressed
So anyone who starts from a stop on a steep incline by slowly depressing the brake while simultaneously pressing the gas to avoid rolling back into the vehicle behind them will now stall their vehicle?
The accidents that have occurred as a result of this are tragic. But adding quirky behavior as a stop-gap measure seems ridiculous and sets a bad precedent. Is there anything out there to make sure vehicle behavior is reasonably consistent across different vehicles (or even vehicle firmware versions)? Or are we going to have to be aware of all the different firmware ins and outs between different models and firmware versions.
I've been especially surprised at the fact that so many people seem to think that sudden acceleration is unstoppable. If you're driving a vehicle that suddenly accelerates and you cannot prevent the acceleration PUT THE VEHICLE IN NEUTRAL OR DOWNSHIFT (and yes you can downshift with automatics)! How people can get their driver's license while thinking the only way to slow/stop a vehicle is to press the brake is beyond me. I know panic can set in and can make reacting to unexpected dangerous situations difficult, but isn't that why you had a learner's permit first? My father took me to an empty lot and had me practice reacting to different situations that you can encounter which can be dangerous if you panic (ie: sliding, hydroplaning, slamming on brakes, etc.). Perhaps drivers education courses should focus more on these kinds of situations rather than merely how to obey traffic laws.
Faith is a willingness to accept something w/o complete proof and to act on it. Reason allows you to correct that faith.
Take a look at the statistics for death causes for people under 60, and you will find almost everyone who doesn't die old dies in a car.
Nonsense. Yes, motor vehicle accidents are the leading cause of death in the US for those between the ages of 15 and 34 (peaking at around 1 out of 3 deaths for the 15-24 age group) but it is nowhere close to "almost everyone" no matter what age group you choose. But don't let actual data get in the way of a good sound bite.
Look at what wasted labor there is in society, and you will find that producing and maintaining one high-price high-waste transportation system per citizen is quite a bit of work when horses managed do to better than that quite some time ago...
If horses were actually more efficient economically, we would still be using horses. If you think horses are cheap as a means of transportation, you clearly have never tried to use them. Yes there is a cost to modern infrastructure but there is a bigger (economic) cost to lacking it. The biggest obstacle to the growth of many nations (India is a good example) is a poor quality road infrastructure.
not to mention electricity and electric computer system transport. And PRT more recently.
You think a PRT is seriously a solution which makes sense for more than a few high density urban areas? Nice for airports but it isn't going to be much use on a farm.
Then read about pollution, and oil wars.
Yep, there is a downside to fossil fuels. Fossil fuels have serious problems in need of serious solutions. However there is a huge upside too which I note you are conveniently forgetting. I'd also like you to point out the magical technology you think will eliminate pollution. Solar and wind come closest but even they pollute. (you didn't think the steel in that turbine came without an environmental cost did you?)
Sometimes folks step on both pedals to start up steep inclines. You can use the emergency brake as an alternative though.
Doing it wrong.
And yes, I drive a manual.
Rhonda Smith's story of six miles of interstate terror, as her Lexus suddenly zoomed to 100 miles per hour, will set the mood Tuesday for the first congressional hearing on Toyota's acceleration problems.
Yes, and if you read more about it you'll find several interesting bits of info. One is that upon inspection there was no evidence that the brakes had been applied, including the MECHANICAL emergency brake. She also claimed under oath that she had complained about the problem to Toyota but the only record Toyota has is for an oil change. She also sold the car to a family member (not something you'd think she'd do if it really were unsafe) and according to the Wall Street Journal the car is still on the road.
Frankly I think there are a lot of people making up stories hoping to get money in a lawsuit, much the same way people made up stories about Audi a few decades ago. Yes, there appear to be some actual problems but there are a lot of liars out there too.
It's still 100M lines of code friend, regardless of who or what wrote it.
When you write code and estimate its LOC size, do you also include the LOCs of the trusted libraries you use to build your apps? If you do a printf("%u\n",1), do you count this as one LOC or do you also count the LOCs in printf? When you use a GNU compiler, do you also count the thousands LOCs generated by it in assembler?
Does it really not matter *who/what* wrote it? Pretty myopictardic and useless way of software estimation if you ask me.
Firstly, it's not the floormats. Even Toyota has backed away from that as an explanation. The current theory is that it's the accelerator pedal sticking, but that doesn't jibe well with all of the incident reports either. Given that, I wouldn't count on your driving habits or removing the floormats to solve the problem.
You should also consider that if you have a problem later and the update hasn't been done, guess what they'll blame?!
In general, the modification sounds like a very good idea. If for whatever reason your car decides to go full throttle against your wishes, I'm sure you'd like one extra chance to convince it otherwise.
As others have pointed out, you have already accepted 100 million lines of their code without knowing anything about their software practices.
Manual transmission drivers don't have three feet; they can't hold the brake, clutch and gas at the same time.
You've never done a heel-and-toe shift I guess. Not really disagreeing with your main point (regarding rollback) - just being pedantic and pointing out that it is quite possible for two feet to control three pedals at once. In fact before synchronized transmissions became common it was nothing unusual to need to engage in some fancy footwork. Some race cars still do.
He has to release the brake for 1 to 2 seconds so that the car recognizes the brake pedal has been released before it allows the gas pedal to apply any acceleration to the engine when you start moving.
Citation needed. According to the press release,
Nowhere does it say that you have to let the brakes up for 1-2 seconds before you can use the accelerator.
"Older" as meaning before mid-1970s.
Even those late 70s / early 80s automobiles that seem to be without computers very likely have at least one or more to help meet emission requirements.
Ron
Last week I took my 2009 Camry into the dealer. Here is what they did:
1) Chopped off about 4 cm from the end of the gas pedal. It looks like they did it with a hack saw. The air near the brake pedal smelled like hard plastic that has just been cut.
2) Replaced the old floormat, which looked like this:
+-----------+
|           |
|           |
|           |
|           |
|           |
|           |
+-----------+
To one that looks like this:
+---+
|   |
+---+   +---+
|           |
|           |
|           |
|           |
+-----------+
That way there is a lower chance of the gas pedal touching the floormat. It also means that the carpet underneath your gas and clutch pedals will get soiled.
3) Updated the firmware. After the update, I did a test where I got the car going 30 mph, and then pressed and held the accelerator. While the accelerator was depressed, I applied the brake with my left foot. After about 1.5 seconds, the engine RPM went down to idle speed. I repeated this test 2 more times. Same result each time.
The firmware update appears to work in at least 3/3 of my test cases.
KDE, Gnome, Linux, OpenOffice, etc. ARE written in assembly language, for the purposes of this bizarre argument.
The media is taking what's essentially a high-level language (MATLAB and/or other code builders) and counting the source lines it creates to get a huge number.
When we write in C or Java, it creates source lines at a level below that (assembly or VM opcodes). And YES, YES, all those programs are in at least only off the 100 million lines of code by one order of magnitude.
But let's just say one opcode is one byte. It's not, but let's say that for yucks that it is, then OpenOffice would need to be 100 megabytes to possibly have that many lines. OpenOffice writer is only 7MB, but we know it uses libraries and other packages, and so, adding all that crap in willy nilly, we probably get up to at least 100MB, and thus (in silly-think) 100 million lines of code.
But let's step back a second. Let's ask ourselves (and I KNOW that there are people who read this who know the answer) "how big is the PROM/ROM/CMOS RAM whatever on the Toyota car computer?" If it's 128MB then this silliness is (for what it's worth) correct-ish. If it's 64MB, it's INSANE. If it's a lot less, it's just mindlessly wrong.
If you have to bet between your judgement and that of your auto manufacturer, I'd suggest that unless you really know what you're talking about, bet on the auto manufacturer. They're the experts.
Likewise, if you're some independent thinker and have an idea how something works, but the scientific community has significant work in the field, you should generally bet on them rather than you.
For every problem, there is at least one solution that is simple, neat, and wrong.
Yes, people do it all the time when someone is tailgating them.
He drives much too slowly, and then when someone is following him, wishing he would speed up and drive the same speed as everyone else, he taps his brakes.
Of course, tailgating someone so they'll accelerate to my desired speed is also a "stupid asshole tactic". Probably a better bet when encountering someone driving "too slowly" for your tastes is to either pass (if possible) or suck it up, Nancy. Maybe even give them more distance, not less. Even if they are driving so slowly as to create a traffic hazard (not just an inconvenience). Especially then. Because if someone is unintentionally creating a nuisance or a hazard, you ought to keep your distance to avoid making an accident even more likely. And if they're doing it intentionally, it's an even better idea. In no event is tailgating the "offending driver" going to make things better. If you wreck your car to make some kind of point, well, you've still got a wrecked car.
Naturally this doesn't apply to operators of trucks over 1 1/2 ton, who are specifically permitted by most rural and southern states to "run over his slow ass". Yes, mods, that sentence was "sar-cas-tic".
I am not a crackpot.
I used to work for an automotive software company that does work for the likes of Ford, Mazda, Volvo, and they do pretty much test safety critical parts of the system as much as aviation.
The big element in the gap is aviation using formal methods for verification of the design.
And most of the good players have testing sufficiently automated and systems of design, change, test with reviews at every stage.
Testing typically covers functional unit testing, module testing, system testing. In several ways, on a simulator, on the real hardware being amongst them. Plus the code is usually subject to strict coding standards that would make most programmers weep about being able to express their individual creativity and other crap.
Then there is the extensive use of static analysis and code coverage to make sure that every line of code has been exercised with the tests and if not that review has signed off that it really really is an unreachable piece of code.
You don't move tool chains because by the time you have finally released you know the bugs and have worked around them.
Safety with software in cars amongst 5 car companies I've seen inside of is taken very very seriously. Remember too most of these people drive their own dog food and that includes taking their families in them. So if you trust your quality of work enough to trust your families' lives to it, good on you.
So I would certainly be taking the updates. That said, I like that my motorbike runs on carbs and no ECUs.