Toyota's Engineering Process and the General Public

Doofus writes "The Washington Post has published in today's paper an article titled 'Why it's so hard for Toyota to find out what's wrong' by Frank Ahrens on the Toyota situation and the difficulties of adequately conveying to Senators and Representatives — most of whom are non-technical — the debugging process. Ahrens interviews Giorgio Rizzoni, an 'expert in failure analysis' at Ohio State, who describes the iterations of testing that NHTSA will likely inflict on the Toyota sample cars they have purchased, and then moves into the realm of software and systems verification: 'He explained that each vehicle contains "layers of computer code that may be added from one model year to next" that control nearly every system, from acceleration to braking to stability. Rizzoni said this software is rigorously tested, but he added: "It is well-known in our community that there is no scientific, firm way of actually completely verifying and validating software."' Ahrens ends the piece with a quote from a 2009 LA Times interview with former UCLA psychology professor Richard Schmidt about how user reports are often unreliable: 'When the driver says they have their foot on the brake, they are just plain wrong. The human motor system is not perfect, and it doesn't always do what it is told.'" Toyota is currently planning an event to challenge evidence presented by professor David W. Gilbert that called into question Toyota's electronic throttle system.

"An event to challenge Evidence"

[Oxford_Comma_Lover]

> Toyota is currently planning an event to challenge evidence ...

Macroscopic events generally don't challenge evidence. They challenge the politics of evidence.

One challenges evidence with small, discrete, verifiable events.

Re:"An event to challenge Evidence"

[Pieroxy]

So GM went under and nobody talked about it. Now Toyota has a massive recall and all about GM is forgotten. Instead of criticizing foreign car makers (even if they deserve it), can the Americans bury decently their own car industry? Isn't that worth a minute of silence?

Re:"An event to challenge Evidence"

[digitalunity]

Don't be stupid. Toyota is marginally more foreign than GM. They both buy parts heavily from foreign manufacturers. Toyota itself, although based in Japan, has been assembling cars right here in the US for over 30 years.

I'd rather buy Toyota than shop at WalMart.

GM isn't forgotten. I'm just hoping they complete this death spiral to its finality. They've been producing a glut of crappy cars(and a few great ones) for a very long time. I blame the auto unions as much as the workers for this - they resisted automation and the end result was a heavily debt saddled company with too many workers and low value products.

I'm ashamed that my government felt compelled to save a company that should have seen its own demise 20 years ago and refused to make the difficult decisions needed to stay competitive.

Re:"An event to challenge Evidence"

[thePowerOfGrayskull]

While your post is offtopic to the comment you're replying to, I agree it was an interesting read. However, the entire testimony has one fundamental flaw: it assumes that because a situation can be induced in which no error code is set, that that exact same situation can occur in the absence of being induced.

The entire testimony is built on that unproven assumption, without venturing to explain how it could occur in normal operations.

Re:"An event to challenge Evidence"

[thePowerOfGrayskull]

An apt comparison might be something like this:

int x = 1;
int y = 2;
// Code proceeds on assumption that x != y

Of course if someone goes in with a debugger and forces x == y, then the code will fail. However, that doesn't mean the scenario is plausible or even possible to begin with.

Sadly, none of the senators reading the report will have enough understanding to realize that simple fact, or even to ask the right questions.

Re:"An event to challenge Evidence"

[blincoln]

Of course if someone goes in with a debugger and forces x == y, then the code will fail. However, that doesn't mean the scenario is plausible or even possible to begin with.

Working with electronic and/or mechanical systems is a lot different than working with pure software code. Read up on switch debouncing to start with, and you may begin to understand. Designers of those systems - especially ones that can kill people when they malfunction - must take into account things like what will happen if there's an electrical short or some other unexpected deviation from the intended design.

Re:"An event to challenge Evidence"

[haruharaharu]

That's why you do things like lock the input/output to sane values and have a default failure mode for just about everything. The thing that bothers me is the idea of a wholly electronic gearshift; I love my manual cars for a lot of reasons, not the least of which is that, with runaway throttle, I can clutch in any time I want to.

Re:"An event to challenge Evidence"

[Lehk228]

but if you sent x and y to a remote system (which a sensor is) then just assumed that when you asked that remote system for x and y that the answer is safe and sane without bothering to check, you are negligent.

What?

[Nadaka]

"It is well-known in our community that there is no scientific, firm way of actually completely verifying and validating software."

How wrong can you be? Yes there is. Software is fundamentally the composition of many mathematical functions. Its results can be formally proven if the hardware it is running on is assumed (or preferably also proven) to be error free. Don't get me wrong, it would be incredibly cost, labor and time expensive, and require real computer scientists, but it is certainly possible.

Re:What?

[GNUALMAFUERTE]

So, you are saying there's absolutely bug-free software?
That is akin to saying perfection can be achieved. That truth can be absolute.
Those words, are essentially against science. They sound like the thoughts of a delusional, religious person.

There is no such thing as absolute truth or absolute security. 0K is considered the absolute zero, but It'll probably be challenged eventually (And we are having our doubts about it already). c seems to be the upper limit for information transmission ... unless ... (And yes, most of us consider that we'll find a workaround, eventually).

So, you are saying we can absolutely debug that code? No way.

What we can believe in are thresholds. All we can expect is to set a threshold of fair enough security, and live with that. The most likely problem here is that this companies don't hire real programmers. They hire engineers that visually design their systems on crappy applications that are sadly used by the whole industry. None of this guys have any idea of how the underlying code actually works. And the amount of code generated is so huge that reviewing it by hand would require an impressive workforce.

So, they will just continue to patch the issue with a little voodoo.

When the developing strategies of the vb, .net, java and other stupidities of our industry gets out and are applied to critical systems, we should start to worry.

Re:What?

[hey!]

Reminds me of a grad student TA I had in comp sci 100 who announced in the first section that she would not accept termination in any of our requirement lists for the exercises because "you can't tell whether a program will terminate."

I had a little side talk with her after about what the halting problem actually means.

Generally undecidable problems can have decidable special cases. Intractable problems can have both tractable special cases and useful approximations.

I'd say that a man software rated system which could not be verified to be within an acceptable approximation of "safe" is faulty by design.

Re:What?

[Yokaze]

The same way it doesn't "take 100 years to" write code, which takes "every possible code path and input" in account,
it doesn't take it to verify it. Discovering an algorithm might take 100 years, but not writing the code.
Those are separate problems and usually one does the first, not the latter. Especially not in the cited case.

Writing correct code is about implementing an algorithm, which already considers "every possible code path and input"
and implementing it correctly. Software verification is purely checking, whether the written code matches the algorithm
is tedious and time-consuming and error prone in itself, but only takes a simple factor more time, which it took to write the code.
Automated verification is a totally different beast, because there is provably no algorithm for it.

To my understanding, that is the quintessence of the Gödel incompleteness theorems:
There are things, which are intractable for automated systems, which aren't for humans.

The size of the "solution space" is mainly important for testing, which seemed to have failed in the cited case.

Re:What?

[phoenix321]

Given the simplicity of processing the inputs from two pedals for accelerator and brake, I think the time requirement for a formal verification is perfectly affordable for a company the size of Toyota.

As human lives are immediately threatened in even slight and short malfunctions of these devices, and with human lives worth significant amounts of money either through moral obligations or payouts after successful lawsuits, mentioning money and time constraints is an inappropriate way of dealing with criticism and an unsustainable way of doing business.

The entire car system is often quoted as containing 10 million lines of code run on a dozen processors at once and in real-time. Even if this is true, it is not a valid presentation of an intractably large problem or an unaffordable and undue burden on a manufacturer.

10 million lines of code executed on 12 different processors aren't all tasked with monitoring brake and accelerator pedals. If the software was designed properly, it will be compartmentalized, allowing a rigorous verification of the life-threatening functions like accelerator and brake pedal and a simple heuristic testing on non-critical functions like the air conditioning, navigation settings.

On proper software, it is possible to completely verify the software that is necessary for people to survive in the car - accelerator, brake, airbag deployment, power steering and signaling lights. It could be useful economically to also verify the software that is necessary for the car to not damage itself or violate laws and ordinances - valve actuators, engine sensors, additional lights, but that's much less of a priority.

If the software and control system of a modern passenger car does not allow for a complete verification of 2 pedal and 1 steering sensors, 4 brake and 1 steering actuator and 2 brake lights, then this software is unfit for its intended purpose. If the system does not allow specific subset of commands to be scientifically, mathematically verified to work as intended even in cases where non-verified parts of the software return any combination of valid and invalid values, then the subsetting structure of that system must be regarded as a complete failure.

Auditing 10 million lines of code is intractable.
Having 1 million of these lines of code to control 3 simple sensors and 5 equally simple actuators is bloated.
Not refactoring these parts of the code until they become tractable is lazy.
Not compartmentalizing the system to allow the verification of 3 major functions is unclever and equally lazy.
But employing unverified, non-compartmentalized, bloated and intractably large software in autonomous systems at high kinetic energies is criminal neglect bordering on fraud.

Re:What?

[Anpheus]

The last thing you want is the computer to reset, that is, the one that's controlling the engine, brakes, and power steering along with traction control and other components.

Why?

[Darkness404]

Why exactly is there a congressional case going on about this? It becomes even more worrying when you realize that the US government has a controlling interest in most of Toyota's competitors in the USA. In short, why, in a country where states are going bankrupt, privacy is an illusion, healthcare reform has boiled down to if you are pro or anti Obama, rampant spending and tax increases. In short, why do I care about this? File a class action lawsuit and let the courts settle it. Nothing is worse then a bunch of politicians knowing nothing about engineering, with stock in competitor's companies and large problems they haven't solved wasting their time with this crap.

Re:Why?

[Planesdragon]

Why exactly is there a congressional case going on about this?

1: Because Toyota @#'ed its regulators, and is either malicious or incompetent. The responsive part of the federal government (Congress) is entertaining modifying the regulations, to ensure this doesn't happen with anyone else. (Did YOU know that most cars have a black-box, but Toyota uses a proprietary system that only they can access?)

2: Because there's no real difference between the government of Japan and the business of Japan. JAPAN should be the one hauling their executives before a committee.. but they're too "pro-business" to do that over such a small thing as "unintended acceleration."

3: Because it's an Election Year.

the US government has a controlling interest in most of Toyota's competitors in the USA

The fed has a controlling interest in TWO car companies, and it's the most passive owner either have ever had. Ford, Kia, Honda, and Hyndai are all, well, NOT owned in whole or in part by the federal government.

Oh, and while I don't own a Toyota (and after this, never will), I care because, well, I live in the United States, and drive on the US highways. You know, where the toyotas are randomly accelerating and crashing into other cars and houses and things.

Good time to buy a Toyota

[DogDude]

Of course Toyota is right. The most likely cause of these "sudden acceleration" problems is humans with their foot on the gas pedal. I've owned plenty of Toyotas, and I wish that my current Toyota was in need of replacing right now, because now is a great time to buy one. Unfortunately, my current Toyota only has 150K miles, meaning that I have a good 5-10 years of life in my vehicle. After that... I'll buy another Toyota.

Re:Good time to buy a Toyota

[DrDitto]

I own a Nissan. But my next car will be a Ford. As someone involved with the higher education of engineering students, Ford and GM recruit engineers from American universities and Toyota/Nissan/Honda do not. What do you think will happen if engineering students in this country cannot find jobs? What jobs are more important, hourly manufacturing jobs or higher-end engineering jobs?

Software has no business

[n6kuy]

... being in control of braking and acceleration.

Re:Software has no business

[megla]

If you believe that then man, I hope you never find out how an Airplane works!

Re:Software has no business

[peragrin]

How about fuel air mix? there is software in there to get the best out of fuel efficiency. What about cruise control? there is software that monitors the current speed and adjusts the fuel flow automatically.

if you want a gas guzzlling, monster car with linkages that have a habit of wearing out, then go by a car form the 50's personally today's cars are far safer than anything from back then.

Re:Software has no business

[raddan]

Given the proportion of software-caused car accidents to human-caused accidents, I think we can more reasonably state that humans have no business being in control of braking and acceleration.

Re:Software has no business

[RAMMS+EIN]

``Software has no business ... being in control of braking and acceleration.''

I used to think so, as well. But I've come to realize that it's not software or no software that matters. It's the result. If the result is that I'm safer, I'll take the software. So the real question then is: has the transition to software-controlled braking and acceleration improved or deteriorated safety/reliability/energy efficiency/cost-effectiveness/whatever other metrics are important?

Formal verification?

[Pegasus]

"It is well-known in our community that there is no scientific, firm way of actually completely verifying and validating software."

Um ... did this guy ever heard of formal verification? Or is math proof not good enough for him?

Re:Anyone else think it odd?

[sciguy125]

Why does the vehicle ABS (from what I know from the news) get tripped up on instant breaking?

You're confusing two different issues. Some (many) models have having an accelerator problem. Supposedly, the car takes off and there's no way to stop it.

Then, there's the brake issue with the Prius. If you press on the brake lightly, it only uses the regenerative braking (electric). If you hit a pothole, the ABS kicks in and there's a switchover to the friction brakes. You temporarily lose some braking force and it feels like the car is floating or (as some have reported) accelerating.

I own the affected Prius model. I've experienced the issue and I don't think it's a problem. It was a little unnerving until I realized what it was. If I really need to stop sooner when the brakes "fail", all I have to do is hit the pedal harder and it does what I expect.

Re:Anyone else think it odd?

[couchslug]

I find it interesting that, in quest of featuritis, designers implement consumer-quality systems that lack VERY SIMPLE safeguards. Direct physical connection of steering columns, braking systems, and throttles (so they act as a stopcock, it's good enough for jet fighters!) should be mandatory.

Yes, I know some commercial systems have done acceptably, but consumer shit will NEVER be of that quality due to price competition, and consumers won't maintain their vehicles like aircraft.

Re:dismissing user reports?

[Rich0]

Humans are fallible. You can't dismiss user reports. You can review them skeptically, or examine them for trends.

EVERYBODY knows that cell phones cause cancer. So, why hasn't somebody fixed that?

EVERYBODY knows that vaccines cause autism. So, why hasn't somebody fixed that?

EVERYBODY knows that they're smarter than average. So, how did the last few presidents get elected? :)

Little attention was given. Read Consumer Reports.

[Futurepower(R)]

General Motors has been making cars with poor reliability literally since I was a child. Read your library's old copies of Consumer Reports for verification.

Insufficient attention was given to the poor reliability of G.M. cars, in my opinion.

As long as G.M. cars could continue to be sold, making unreliable cars was more profitable. That's similar to making a sloppy computer operating system that is vulnerable to attacks. The sloppiness helps sell new versions.

Re:Can't be verified as safe?

[ediron2]

Erroneus wrote:

(mumble mumble) created a system (mumble) threaten lives (mumble) cannot be tested or verified adequately (mumble) sounds like cause to deny sales

Wow. Just wow. Never has a nick been so apt.

This isn't a Toyota thing. It isn't even exclusive to the auto industry. System complexity was where so many cliches like "Fast, complete, cheap: pick any two" come from.

Sure, we can put missile-guidance software protocols into all sorts of software development; If I remember the metric, every line of code costs 10x as much as in general industry.

Another thought: Airbags took 15 years to get acceptance from their 1970's invention -- the industry quickly realized their safety value, but nobody wanted to pony up $800 (1980 estimated per-car cost) or increase the cost of a car to eat that cost.

And don't even get me started on FAA vs. adequate safety. Or Seldane and the FDA.

tl;dr: Toyota *DOES* test extensively. Shit happens.

Re:Gods fault

[morari]

The real problem is people who think that not having any sort of actual linkage is a good idea. Vehicles have only become more and more problematic since the late 70s due to increased reliance on electronics in place of actual mechanical parts.

Shift to neutral.

How bloody difficult is it to shift to neutral in an automatic or put the clutch in on a manual? I can do either of these tasks in a fraction of a second when I find there's a problem.

Isn't this taught in Driver's Ed? I know I was taught to do this if my car ever goes nuts or the gas pedal gets stuck down. Sure it's bad for the engine to be running it that high, but it's a lot better for it than being crunched into a wall or car is.

Really?

[Kupfernigk]

You do know modern jet fighters are dynamically unstable and can't be flown mechanically, they must use fly by wire? You do know that if the Airbus that came down in the Hudson had been a previous generation aircraft most of the people on board would probably have died, because the Airbus computer is able to support landing on water and most aircraft aren't?

The simple fact is that overall a Prius with its minor brake transfer problem is far safer than any pre-ABS/traction control car. The fault is far less serious than, say, brake fade in drum brakes. And I don't even own a Toyota. You don't need any kind of tinfoil hat to think this is about bashing the part of the motor industry that is not US-owned.

Example - car brought to dealer

[raftpeople]

Here is an example of a person that brought a car to the dealer while it was pegged - mechanic played with pedal and studied the situation:

http://www.leftlanenews.com/feds-investigate-toyota-electronics-for-unintended-acceleration.html

Re:Little attention was given. Read Consumer Repor

[ircmaxell]

The thing you're missing, is the level of those defects. The problems that GM had with quality were almost never safety related (And when they were, they weren't major and were fixed rapidly). Say what you want that their cars sucked, but in the 100 years they have been selling cars in the USA, they have never had as major of an issue such as this. Ford has (Remember the exploding gas tanks?). Chrysler has (They had an issue with cruise control that caused some accidents). I'm not saying that GM is good (I got rid of my last GM car 2 years ago, and I don't know if I will buy another one). What I am saying is that comparing quality by shear number of defects (As consumer reports does) is ignoring the much more important bigger picture...

Re:V&V

[timeOday]

Your whole post is based on the false notion that anything can be exhaustively tested. It can't. Not just the software in cars, but also the mechanical systems in them, the aerodynamics and control systems aboard aircraft, anything... there is simply no point at which you can say you tested every possible unforeseen circumstance and you're all done. Of course that doesn't absolve them from doing everything within reason.

The whole Toyota situation has become irrational. People knowingly sell and buy cars with varying levels of safety every single day. The safety differences between all the different models of cars on the road, of varying sizes, ages, and safety features, utterly swaps any marginal risk Toyota is even alleged to have caused. Go ahead and take the model Toyota has recalled the most of, and I guarantee I can find many, many other makes/models with many more deaths per million miles driven. Again, certainly Toyota should fix it. But at some point, paranoia on one small issue just diverts resources away from other bigger problems.

Black Box Info

[hduff]

Toyota should be more forthcoming with the black box info on these cars to validate exactly what the driver was doing at the time of the accident. But they won't because lawyers would be all over that data to file lawsuits. still, knowing the truth is best for all involved. Far less finger pointing; far better remediation of the problem.

Re:Anyone else think it odd?

[nxtw]

I find it interesting that, in quest of featuritis, designers implement consumer-quality systems that lack VERY SIMPLE safeguards. Direct physical connection of steering columns, braking systems, and throttles (so they act as a stopcock, it's good enough for jet fighters!) should be mandatory.

The positive effect of computer controlled systems far outweighs the risks. ABS, electronic stability control, etc. were introduced because they reduce accident rates. Period.

Without computer-controlled systems, todays' cars would be dirtier and less safe.

70s nostalgia

[sjbe]

The real problem is people who think that not having any sort of actual linkage is a good idea.

A mechanical linkage is not necessarily more reliable or safer. The fact that you can put your hands on it doesn't by itself make it better or worse. You are making an assumption based on your intuition that you cannot back up with data.

Vehicles have only become more and more problematic since the late 70s due to increased reliance on electronics in place of actual mechanical parts.

Nice sound bite but problematic in what way? Cars today are in general demonstrably more reliable, last longer, rust less, are (generally) safer in crashes, more powerful, and emit less pollution. At one point I made my living selling classic cars from the 70s and earlier. I'm very familiar with them first hand. You might like the styling better but performance-wise they are inferior to modern cars in almost every way I can think of.

AC not a troll

[DriedClexler]

While the tone could have been nicer, the AC was correct at least here:

if you have enough time to call 911 you have enough time to stop the car

Yes you probably might forget "the trick" they taught you in driver's ed when you're panicking. I probably would.

Yes people are being tremendously callous when they scoff that "Duh, why didn't you just put it in neutral lolz"

Still, if you really can't come up with SOMETHING to avert plowing into an intersection at 135 mph in the 60+ seconds they had, and you seriously expect someone miles away to get to you in two seconds, well, you were probably living on borrowed time anyway.

Re:Gods fault

[canadian_right]

Wrong. Cars have become MUCH more reliable over the years. Lots can go wrong with mechanical systems. A spring breaks, a rod binds, whatever. A friend had a car break the throttle return spring on a old muscle car and it took off like a rocket, hit a k-rail, ripped off both front wheels, went airborne and landed on a nice Cadillac.

Know what a tune-up is? You used to have to do one at least once a year to keep your car going. Not really done anymore.

I could go on like this for quite a while. I like working on old cars because they are simple. But the new cars are more reliable.