Toyota Acceleration and Embedded System Bugs
An anonymous reader writes "David Cummings, a programmer who worked on the Mars Pathfinder project, has written an interesting editorial in the L.A. Times encouraging Toyota to drop claims of software infallibility in their recent acceleration problems. He argues that embedded systems developers must program more defensively, and that companies should stop relying on software for safety. Quoting: 'If Toyota has indeed tested its software as thoroughly as it says without finding any bugs, my response is simple: Keep trying. Find new ways to instrument the software, and come up with more creative tests. The odds are that there are still bugs in the code, which may or may not be related to unintended acceleration. Until these bugs are identified, how can you be certain they are not related to sudden acceleration?'"
Some more data here
Exactly. Even a minor revision in an FPGA could result in unforeseen consequences. Who knows, maybe a chip manufacturer failed to document a very small change to a product line (or had a typo in the docs). The problem may not be in Toyota's code, just in their cars.
There are a couple of things that should be mentioned here. NASA has shown what it takes to make very small, very good code. Sure, they too have failures, but 'nearly' bug-free code is quite expensive. Second, writing code is not quite like trying to create a hand-crafted dashboard: if the dashboard fades, no one dies. Embedded software is quite a different beast from your normal desktop applications. When you add motion control and interaction with the code, the difference between them gets even more complex. Software in vehicles should be two things:
Open - let lots of folk see what could be wrong
Audited - audited to meet specific standards of safety and operation. Not quite the self-defeating government regulations, but more of a case by case issue: if the software has control or input to the control mechanism for the engine, braking system, suspension etc. it must meet minimum standard testing requirements. Any action that _could_ arbitrarily apply mechanical action must be tested and controlled beyond all reasonable testing/doubt. Everything should be tested, down to a pet chewing on the control cable harness.
Consumers are encouraged to think the vehicles they buy are safe and require no special knowledge of engineering or mechanics to operate. As long as they are given to think that, then passenger vehicles should be made to be just this way.
The problem for Toyota now is multifaceted. One, they have a PR shitstorm to deal with. Two, there is a dollar effect of this problem. Three, it's now on the shoulders of Toyota to get this part right for the rest of the passenger vehicle making industry.
It's possible that they might walk away from this fire with only minor long term burns and the reputation for building the safest vehicles. BUT, reading the article of this post and paying attention while doing so is necessary... IMO
A year ago I was watching one of the Discovery programs, I think, and they had a couple of guys who supposedly implemented a piece of software that would allow an airplane to fly and land safely if, for some reason, while in the air the tail would break off or the rudder would just stop working. They relied on a fly-by-wire airplane, of course, and controlled the yaw with all the other surfaces by applying very slight changes to the motion. They were saying a human could do this if extremely lucky, but the software was able to do it almost always.
Just something to think about.
I worked on an embedded flight system there, and deeply respected people like your dad.
Boeing works under the eye of a certification authority who has to approve the safety of a design including, at least in the system I worked on, human factors. If there's anything comparable for cars, I haven't heard of it.
Boeing would not have made a pilot have to guess at how to turn an engine off (people with older cars, it's no longer a matter of turning a key).
Inputs were checked for consistency and validity. The specs would have anticipated what to do if the accelerator and brake were both full on at the same time.
There was a culture of worst-case planning and redundancy.
Also, if Boeing built a car, it would have a flight data recorder which investigators could examine and say for example "Looks like both(*) potentiometers on the accelerator went hard over at the same time, so we go look on the branches of the fault tree where there's a common-mode failure in the potentiometers or the pedal is down due to mechanical or pilot error".
(*) If I remember correctly from my obsessive pre-purchase research on Priuses, there are two separate sensors for accelerator position.
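The kind of input validation the comment above describes (two independent pedal sensors checked against each other, explicit handling of accelerator and brake both full on), as an added example for this page rather than code from the original post or from any manufacturer. The voltage ranges, the fault margin and the disagreement threshold are assumed values chosen for illustration; real pedal sensor designs use different scalings, but the dual-track idea (one track at half the slope of the other) is a common way to make a single shorted wire implausible rather than "full throttle":

```c
/* Added example: plausibility checking of redundant accelerator-pedal
 * sensors plus brake-priority arbitration. Illustrative code written for
 * this page; all thresholds and sensor scalings are assumed values. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed: track 1 maps 0..100% pedal travel to 500..4500 mV, track 2 is an
 * independent track at half the slope (250..2250 mV). */
#define S1_MIN_MV   500
#define S1_MAX_MV  4500
#define S2_MIN_MV   250
#define S2_MAX_MV  2250
#define WIRING_MARGIN_MV   100  /* beyond min-margin / max+margin: open or short */
#define MAX_DISAGREE_PCT    10  /* tolerated spread between the two tracks */
#define BRAKE_OVERRIDE_PCT  20  /* brake travel at which throttle is cut */

enum throttle_status {
    THROTTLE_OK,
    THROTTLE_FAULT_SENSOR1,
    THROTTLE_FAULT_SENSOR2,
    THROTTLE_FAULT_DISAGREE,
    THROTTLE_BRAKE_OVERRIDE
};

struct pedal_input {
    uint16_t accel_mv_1;   /* raw ADC reading of track 1, millivolts */
    uint16_t accel_mv_2;   /* raw ADC reading of track 2, millivolts */
    uint8_t  brake_pct;    /* brake pedal travel, 0..100 */
};

struct throttle_cmd {
    uint8_t percent;               /* commanded throttle opening, 0..100 */
    enum throttle_status status;
};

/* Convert one track to percent; false means the reading is outside the
 * electrically possible window and the wiring must be assumed faulty. */
static bool track_to_pct(uint16_t mv, uint16_t lo, uint16_t hi, int *pct)
{
    if (mv + WIRING_MARGIN_MV < lo || mv > hi + WIRING_MARGIN_MV)
        return false;
    int clamped = mv < lo ? lo : (mv > hi ? hi : mv);
    *pct = (int)((clamped - lo) * 100L / (hi - lo));
    return true;
}

struct throttle_cmd arbitrate_throttle(const struct pedal_input *in)
{
    struct throttle_cmd out = { 0, THROTTLE_OK };
    int p1, p2;

    /* Any single implausible sensor: fail safe to closed throttle. */
    if (!track_to_pct(in->accel_mv_1, S1_MIN_MV, S1_MAX_MV, &p1)) {
        out.status = THROTTLE_FAULT_SENSOR1;
        return out;
    }
    if (!track_to_pct(in->accel_mv_2, S2_MIN_MV, S2_MAX_MV, &p2)) {
        out.status = THROTTLE_FAULT_SENSOR2;
        return out;
    }
    /* The two tracks must agree; a stuck or drifting track shows up here. */
    if (p1 - p2 > MAX_DISAGREE_PCT || p2 - p1 > MAX_DISAGREE_PCT) {
        out.status = THROTTLE_FAULT_DISAGREE;
        return out;
    }
    /* Brake wins when both pedals are pressed. */
    if (in->brake_pct >= BRAKE_OVERRIDE_PCT) {
        out.status = THROTTLE_BRAKE_OVERRIDE;
        return out;
    }
    /* Take the lower of the two readings so a drifting track cannot add throttle. */
    out.percent = (uint8_t)(p1 < p2 ? p1 : p2);
    return out;
}

int main(void)
{
    /* Constructed inputs, not recorded vehicle data. */
    struct pedal_input cases[] = {
        { 2500, 1250,  0 },  /* half pedal, both tracks agree */
        { 4500, 2250, 80 },  /* accelerator floored but driver is braking */
        { 4500,  250,  0 },  /* tracks disagree: one track stuck */
        {   50,  250,  0 },  /* track 1 shorted to ground */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        struct throttle_cmd c = arbitrate_throttle(&cases[i]);
        printf("case %zu: throttle=%u%% status=%d\n", i, c.percent, c.status);
    }
    return 0;
}
```

The point of recording the status code rather than just the throttle value is exactly the flight-data-recorder argument above: a logged THROTTLE_FAULT_DISAGREE tells the investigator which branch of the fault tree to walk, whereas "throttle was 0" tells them nothing.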
... why does everyone assume it is a software bug? I agree that it very well could be an undiscovered software bug. But there are so many more sources of erroneous behavior in an embedded system that *even* *if* the software were flawless (ummm... just go with me a minute... :) an automotive environment can cause all manner of strange glitches. I work with robots: lots of DC motors causing commutation noise on the power supply, long (several inch) distances between units that must talk to each other and therefore may have a different opinion as to ground reference voltage... many things can get wacky. Even flawless code needs a watchdog timer to get you out of the weird states that power glitches put you into. Power supply spikes can cause the program counter to jump to very odd places, with odd, corrupted stuff in RAM. Ground level shifting can cause communication glitches. CAN bus is *extremely* robust, so bad data should not get through... but what does get through? Does the system as a whole get into a weird state if packets drop?
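One concrete answer to the "what happens if packets drop?" question in the comment above, as an added example written for this page (not code from the original poster or from any vehicle ECU): a receiver that tracks the freshness of each safety-relevant CAN message via a rolling counter and a timeout, and degrades to a defined safe mode instead of silently reusing the last pedal value. The CAN IDs, timeouts and limp-mode cap are assumed values for illustration.

```c
/* Added example: freshness monitoring of safety-relevant CAN signals.
 * IDs, timeouts and payload layout are assumed, not any real vehicle's. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define ID_PEDAL          0x120u   /* assumed: accelerator pedal position */
#define ID_BRAKE          0x121u   /* assumed: brake pedal position */
#define PEDAL_TIMEOUT_MS  50u
#define BRAKE_TIMEOUT_MS  50u
#define LIMP_MAX_PCT      15u      /* throttle cap when brake state is unknown */

enum sys_mode { MODE_NORMAL, MODE_LIMP, MODE_SAFE_STOP };

struct signal_mon {
    uint8_t  value;          /* last accepted payload, 0..100 % */
    uint8_t  counter;        /* last rolling counter seen (4-bit) */
    uint32_t last_fresh_ms;  /* time of last frame whose counter advanced */
    uint32_t timeout_ms;
    bool     ever_seen;
};

struct bus_state {
    struct signal_mon pedal;
    struct signal_mon brake;
};

static void mon_init(struct signal_mon *m, uint32_t timeout_ms)
{
    m->value = 0; m->counter = 0; m->last_fresh_ms = 0;
    m->timeout_ms = timeout_ms; m->ever_seen = false;
}

void bus_init(struct bus_state *b)
{
    mon_init(&b->pedal, PEDAL_TIMEOUT_MS);
    mon_init(&b->brake, BRAKE_TIMEOUT_MS);
}

/* Accept a frame only if its rolling counter advanced by exactly one.
 * A repeated counter (hung sender, echoed frame) is NOT fresh data, so
 * it must not reset the timeout. */
static void mon_rx(struct signal_mon *m, uint8_t counter, uint8_t value, uint32_t now_ms)
{
    counter &= 0x0F;
    if (!m->ever_seen || counter == ((m->counter + 1) & 0x0F)) {
        m->value = value > 100 ? 100 : value;
        m->counter = counter;
        m->last_fresh_ms = now_ms;
        m->ever_seen = true;
    }
}

/* payload[0] = rolling counter, payload[1] = position in percent (assumed layout).
 * Returns false for IDs this node does not consume. */
bool bus_rx(struct bus_state *b, uint32_t id, const uint8_t payload[2], uint32_t now_ms)
{
    switch (id) {
    case ID_PEDAL: mon_rx(&b->pedal, payload[0], payload[1], now_ms); return true;
    case ID_BRAKE: mon_rx(&b->brake, payload[0], payload[1], now_ms); return true;
    default:       return false;
    }
}

static bool mon_fresh(const struct signal_mon *m, uint32_t now_ms)
{
    return m->ever_seen && (now_ms - m->last_fresh_ms) <= m->timeout_ms;
}

/* Decide throttle authority from what is actually known right now. */
enum sys_mode bus_evaluate(const struct bus_state *b, uint32_t now_ms, uint8_t *throttle_pct)
{
    bool pedal_ok = mon_fresh(&b->pedal, now_ms);
    bool brake_ok = mon_fresh(&b->brake, now_ms);

    if (!pedal_ok) {
        /* No trustworthy pedal position: never keep the last command alive. */
        *throttle_pct = 0;
        return brake_ok ? MODE_LIMP : MODE_SAFE_STOP;
    }
    if (!brake_ok) {
        /* Pedal known, brake unknown: cap throttle so the driver keeps authority. */
        *throttle_pct = b->pedal.value > LIMP_MAX_PCT ? LIMP_MAX_PCT : b->pedal.value;
        return MODE_LIMP;
    }
    *throttle_pct = b->brake.value > 0 ? 0 : b->pedal.value;
    return MODE_NORMAL;
}

int main(void)
{
    /* Constructed frame sequence: pedal sender hangs after t=20 ms and
     * keeps repeating its last frame while the brake sender stays alive. */
    struct bus_state b; uint8_t th; enum sys_mode m;
    bus_init(&b);
    bus_rx(&b, ID_PEDAL, (uint8_t[]){0, 30}, 0);
    bus_rx(&b, ID_BRAKE, (uint8_t[]){0, 0}, 0);
    m = bus_evaluate(&b, 0, &th);   printf("t=0   mode=%d throttle=%u\n", m, th);
    bus_rx(&b, ID_PEDAL, (uint8_t[]){1, 35}, 20);
    bus_rx(&b, ID_BRAKE, (uint8_t[]){1, 0}, 20);
    bus_rx(&b, ID_BRAKE, (uint8_t[]){2, 0}, 40);
    bus_rx(&b, ID_PEDAL, (uint8_t[]){1, 35}, 60);  /* duplicate counter: ignored */
    bus_rx(&b, ID_BRAKE, (uint8_t[]){3, 0}, 60);
    bus_rx(&b, ID_BRAKE, (uint8_t[]){4, 0}, 80);
    m = bus_evaluate(&b, 80, &th);  printf("t=80  mode=%d throttle=%u\n", m, th);
    m = bus_evaluate(&b, 200, &th); printf("t=200 mode=%d throttle=%u\n", m, th);
    return 0;
}
```

The design choice worth noticing is that a frame that arrives but does not advance its counter is treated as silence. A node that reads "last value received" from a buffer cannot distinguish a healthy bus from a wedged sender, which is exactly the kind of whole-system weird state the comment is asking about.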
I'm still failing to see how the cars got locked in gear? Every car I have driven has allowed the driver to shift the car into neutral regardless of everything else. This is both in automatics and definitely in my manual transmission cars (does anyone make a drive-by-wire clutch, outside of performance/race cars?). I fail to see why this is a huge issue that needs to be solved in the next 10 minutes and be 100%? How is a sticky pedal (software or otherwise) any different from the throttle body getting stuck in the wide open position? What would these people do in that case? The handling after the problem occurs seems to be 100% driver error. TBH the first thing that would happen if my car started doing that would be for me to press on the clutch, regardless of whether it has one or not; that's a very hard habit to break after driving manuals (note: this behavior in an auto usually results in the brake being depressed all the way to the floor). After that I'd put it in neutral and then use the brake to slow down and pull over. Somewhere in there I'd hopefully get the 4-ways on, but that's a long, long way down the list of things that would happen.
The "PR shitstorm" is way, way over-hyped; it would be simple for the news to simply state "Toyota has confirmed an issue affecting the engine speed controls, and has issued a recall. If this happens to you while driving, Toyota advises drivers to shift the car into neutral, engage the 4-ways and pull over in a safe location. If your car has a push-button start, be aware that you will need to hold it down for up to 5 seconds to shut down the engine." The fact that some people have died as a result of poor driving ability is no different than every fall here when it snows and some dumb person forgets that snow is slippery: a terrible thing to have happen, but usually 100% their fault.
I think the driving tests in this country need to be much more rigorous. They should be done in an unfamiliar car, set up for simulating things like sudden loss of engine power, loss of 90% of the brakes, etc. There should also then be a road test (with other real cars, if the closed course goes well) to see how the driver can handle the conditions of real driving. Places with snow/ice need to have some driving on a slippery surface (rear wheels that can be allowed to rotate would work). This sort of testing should be repeated every 3-5 years, to ensure that drivers maintain a certain level of driving skill. There needs to also be a raw reflexes/object tracking test with a fairly high level of skill needed; anything below a certain level will see that you fail your driving exam. Fines for driving without a license should be steep, and the test facilities need to be open at least 2 shifts of the day, if not 2.5 shifts.
You do realize that the Prius's gear lever is just a joystick, right? There is nothing mechanically connected, which means that if the computer is confused, then _there is nothing the driver can do_, except stomp on the brakes.
Actually there is. The car turns itself off if you hold the power button for 3 seconds. But in a panic situation, a person would most likely press the button repeatedly, instead of holding it steady for 3 long seconds. Other manufacturers turn off on rapid button presses in a short time instead, which seems better.
(The last case on the news - a driver called 911 on his cell phone because his car was accelerating out of control. When prompted by the operator if he had tried putting the car in Neutral, he said no and even refused to do so when ordered to do it by the operator.)
It's starting to look increasingly likely that this latest case was a hoax:
http://en.wikipedia.org/wiki/Toyota_Prius#Brake_fix_and_acceleration
On March 8, 2010, a 2008 Prius allegedly uncontrollably accelerated to 94 miles per hour on a California Highway (US), and the Prius had to be stopped with the verbal assistance of the California Highway Patrol as news cameras watched [86]. Subsequent to the event, media investigations uncovered suspicious information about the alleged runaway Prius driver, 61-year old James Sikes, including false police reports, suspect insurance claims, theft and fraud allegations, television aspirations, and bankruptcy.[87][88] Sikes was found to be US$19,000 behind in his Prius car payments and had $US700,000 in accumulated debt.[87] Sikes stated he wanted a new car as compensation for the incident.[87][89] Analyses by Edmunds.com and Forbes found Sikes' acceleration claims and fears of shifting to neutral implausible, with Edmunds concluding that "in other words, this is BS",[90] and Forbes comparing it to the balloon boy hoax.[88]