Toyota Acceleration and Embedded System Bugs

← Back to Stories (view on slashdot.org)

Toyota Acceleration and Embedded System Bugs

Posted by Soulskill on Saturday March 13, 2010 @05:24AM from the bugs-that-lead-to-crashes dept.

An anonymous reader writes "David Cummings, a programmer who worked on the Mars Pathfinder project, has written an interesting editorial in the L.A. Times encouraging Toyota to drop claims of software infallibility in their recent acceleration problems. He argues that embedded systems developers must program more defensively, and that companies should stop relying on software for safety. Quoting: 'If Toyota has indeed tested its software as thoroughly as it says without finding any bugs, my response is simple: Keep trying. Find new ways to instrument the software, and come up with more creative tests. The odds are that there are still bugs in the code, which may or may not be related to unintended acceleration. Until these bugs are identified, how can you be certain they are not related to sudden acceleration?'"

84 of 499 comments (clear)

Toyota: by dushkin · 2010-03-13 05:26 · Score: 5, Funny

Always going forward.

--
o hai
1. Re:Toyota: by Afforess · 2010-03-13 06:00 · Score: 2, Funny
  
  "The race for quality has no finish line- so technically, it's more like a death march."
  
  Not my quote, so I'll give them props: http://www.despair.com/quality.html
  
  --
  If our elected representatives no longer represent us, do we still live in a Democracy?
2. Re:Toyota: by Z00L00K · 2010-03-13 06:53 · Score: 2, Insightful
  
  There will always be another bug.
  And even more important - the bug may be a combination of software and hardware. Just ask what may happen if the code suddenly jumps to the wrong address. Do they use ECC memories in the electronics? What about a voltage spike? Driver has wrong socks/pants causing a spark that jumps to the OBD-II connector and messes up the CAN bus?
  If anything can go wrong - it will. Think outside the box of how bad it can be, then multiply with PI to get a value closer to reality.
  And more examples of how wrong things can get can be found here: http://thedailywtf.com/
  
  --
  If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
3. Re:Toyota: by mmontour · 2010-03-13 07:44 · Score: 2, Informative
  
  And more examples of how wrong things can get can be found here: http://thedailywtf.com/
  
  There are some good examples there, but you'll find more on comp.risks.
4. Re:Toyota: by mpe · 2010-03-13 08:40 · Score: 4, Insightful
  
  And even more important - the bug may be a combination of software and hardware. Just ask what may happen if the code suddenly jumps to the wrong address. Do they use ECC memories in the electronics? What about a voltage spike? Driver has wrong socks/pants causing a spark that jumps to the OBD-II connector and messes up the CAN bus?
  
  Other questions would be "What kind of transducer is measuring the input?"; "How many transducers are there?" and "What output do you get in the case of a failure?"
  Note that there are applications where an unknown throttle setting resulting in full power being applied is the right thing to do. Maybe Toyota through they were building a light aircraft rather than a car...
5. Re:Toyota: by flappinbooger · 2010-03-13 09:41 · Score: 3, Funny
  
  Maybe they need to deploy g-locked memory, it's in a car after all. Too many jolts and bumps and it gets the bits all jostled up! Think of the children!
  
  --
  Flappinbooger isn't my real name
Impossible to test by Darkness404 · 2010-03-13 05:28 · Score: 4, Informative

Most software is nearly -impossible- to test under flawless conditions. Especially embedded systems with small amounts of CPU power and memory.

Plus, all this hype around these Toyota acceleration problems is just that, hype.

--
Taxation is legalized theft, no more, no less.
1. Re:Impossible to test by Anonymous Coward · 2010-03-13 05:33 · Score: 5, Insightful
  
  Right, just hype. Except for those families were killed by the Toyota acceleration problems.
2. Re:Impossible to test by DeadPixels · 2010-03-13 05:33 · Score: 4, Insightful
  
  By and large, it would seem that Toyota should probably be looking for exceptional conditions rather than typical ones. Correct me if I'm wrong, but if a relatively small number of vehicles have actually exhibited the acceleration issue, it would seem like any bugs related to that would be in conditions that may not occur very often during typical driving. Seems to me that "outlier" cases or unusual methods of testing would be the best way to start; testing with typical driving conditions might not show anything.
3. Re:Impossible to test by Darkness404 · 2010-03-13 05:45 · Score: 5, Informative
  
  ...And if you look at the facts, you can see that all of the symptoms could easily be caused by driver error. Look at this http://www.nytimes.com/2010/03/11/opinion/11schmidt.html?scp=1&sq=driver%20error&st=cse (currently the page doesn't need registration, your results may change in the coming days/hours).
  
  --
  Taxation is legalized theft, no more, no less.
4. Re:Impossible to test by WrongSizeGlass · 2010-03-13 05:46 · Score: 4, Interesting
  
  Exactly. Even a minor revision in a FPGA could result in unforeseen consequences. Who knows, maybe a chip manufacture failed to document a very small change to a product line (or had a typo in the docs). The problem may not be in Toyota's code, just in their cars.
5. Re:Impossible to test by The+End+Of+Days · 2010-03-13 06:02 · Score: 5, Insightful
  
  "Unacceptable" is strong. Sad, yes, but this is real life. There is no such thing as zero risk. Taking the attitude that it is somehow achievable despite the utter impossibility is something that makes for a good trial lawyer but a terrible human.
6. Re:Impossible to test by zappepcs · 2010-03-13 06:03 · Score: 5, Interesting
  
  There are a couple of things that should be mentioned here. NASA has shown what it takes to make very small, very good code. Sure, they too have failures, but 'nearly' bug free code is quite expensive. Second, writing code is not quite like trying to create a hand crafted dashboard, if the dashboard fades, no one dies. Embedded software is quite a different beast from your normal desktop applications. When you add motion control and interaction with the code, it difference between them gets even more complex. Software in vehicles should be two things:
  Open - let lots of folk see what could be wrong
  Audited - audited to meet specific standards of safety and operation. Not quite the self-defeating government regulations, but more of a case by case issue: if the software has control or input to the control mechanism for the engine, braking system, suspension etc. it must meet minimum standard testing requirements. Any action that _could_ arbitrarily apply mechanical action must be tested and controlled beyond all reasonable testing/doubt. Everything should be tested, down to a pet chewing on the control cable harness.
  Consumers are encouraged to think the vehicles they buy are safe and require no special knowledge of engineering or mechanics to operate. As long as they are given to think that, then passenger vehicles should be made to be just this way.
  The problem for Toyota now is multifaceted. One, they have a PR shitstorm to deal with. Two, there is a dollar effect of this problem. Three, it's now on the shoulders of Toyota to get this part right for the rest of the passenger vehicle making industry.
  It's possible that they might walk away from this fire with only minor long term burns and the reputation for building the safest vehicles. BUT, reading the article of this post and paying attention while doing so is necessary... IMO
  
  --
  Support NYCountryLawyer RIAA vs People
7. Re:Impossible to test by The+End+Of+Days · 2010-03-13 06:09 · Score: 2, Insightful
  
  Programmers today just give up too easily, and companies cut costs by scriping on testing, ducumentation and verification.
  I'll start with the cheap joke - apparently you didn't learn the lesson too well.
  And then the actual point - this is the real world, sir. Academics may have the luxury of taking as much time as they like to never produce result. That's not how things actually work for the rest of us.
8. Re:Impossible to test by causality · 2010-03-13 06:20 · Score: 4, Insightful
  
  [Some action] doesn't do you any good, so stop it.
  Since when did that ever prevent anyone from doing anything? You must have us confused with some society that generally considers the full implications and long-term repercussions of our decisions...
  
  --
  It is a miracle that curiosity survives formal education. - Einstein
9. Re:Impossible to test by The+End+Of+Days · 2010-03-13 06:35 · Score: 2, Insightful
  
  Toyota's reaction may well be unacceptable to you, but I find it highly unlikely that they were aware of the cause of the problem and left it alone anyway. Even assuming your economic war theory is true, there are no economic gains to be had by killing your customers.
  In any case, this isn't me defending Toyota. Don't argue like a teenage girl.
10. Re:Impossible to test by cynyr · 2010-03-13 07:05 · Score: 3, Interesting
  
  I'm still failing to see how the cars got locked in gear? every car i have driven has allowed the driver to shift the car into neutral regardless of everything else. This is both in automatics and definitely in my manual transmission cars(does anyone make a drive by wire clutch, outside of performance/race cars?) I fail to see why this is a huge issue that needs to be solved in the next 10 minutes and be 100%? how is a sticky peddle (software or otherwise) any different from the throttle body getting stuck in the wide open position? what would these people do in that case? The handling after the problem occurs seems to be 100% driver error. TBH the first that that would happen if my car started doing that would be for me to press on the clutch, regardless of it not having one or not, thats a very hard habit to break after driving manuals(not this behavior in an auto usually results in the the break being depressed all the way to the floor). After that i'd put it in neutral and then use the break to slow down and pull over. somewhere in there i'd hopefully get the 4 ways on, but thats a long long way down the list of things that would happen.
  The "PR shitstorm" is way way over-hyped, it would be simple for the news to simply state "Toyota has confirmed an issue effecting the engine speed controls, and have issued a recall. If this happens to you while driving Toyota advises drivers to shift the car into neutral and engage the 4 ways and pull over in a safe location. If your car has a push button start be aware that you will need to hold it down for up to 5 seconds to shut down the engine." The fact that some people have died as a result of poor driving ability is no different than every fall here when it snows and some dumb person forgets that snow is slippery, a terrible thing to have happen, but usually 100% their fault.
  I think the driving tests in this country need to be much more rigorous. They should be done in an unfamiliar car, setup for simulating things like sudden loss of engine power, loss of 90% of the breaks, etc. There should also then be a road test(with other real cars if the closed course goes well.) to see how the driver can handle the conditions of real driving. Places with snow/ice need to have some driving on a slippery surface(rear wheels that can be allowed to rotate would work.) This sort of testing should be repeated every 3-5 years, to ensure that drivers maintain a certain level of driving skill. There needs to also be a raw reflexes/object tracking with a fairly high level of skill needed, anything below a certain level will see that you fail your driving exam. Fines for driving without a license should be steep and the test facilities need to be open at least 2 shifts of the day, if not 2.5 shifts.
  
  --
  All of the above was encrypted with a Quad ROT-13 method. Unauthorized decryption is in violation of the DMCA.
11. Re:Impossible to test by Loconut1389 · 2010-03-13 07:05 · Score: 5, Informative
  
  Indeed. I've done some embedded work myself. I wrote a power supply controller that used DACs to trim the voltage using some analog control ports on the DC to DC converter modules- it also monitored the PowerGood lines on the DC:DC's and linears and was programmed to shut down if one deasserted without a prior command telling it to do so. It had an I2C control network that could request status of bunch of aspects of the board including temperature, voltages, etc. Not wanting to risk blowing out a $10k FPGA with a $4.00 MCU, we had test boards with no FPGA on and some with cheaper FPGAs, and I also had a dev kit with the board on it hooked to a logic analyzer so we could emulate all sorts different scenarios and hopefully protect the FPGAs. Ultimately, a few problems emerged. With a particular combination of testing apparatus and polling rate, the I2C would receive interference and miss or corrupt some data. It was almost impossible to replicate reliably. This in turn exposed an oversight/bug where because of the skipped (as far as the power supply MCU was concerned) bytes, the wrong DAC values were being written, overvolting or undervolting the supplies- but it really only surfaced on the fully populated boards. This lead to a change in the I2C wiring/termination and a move to a keyed and transactional approach that required writing a key value to an address, writing the new data, then optionally reading back the data again, and lastly writing another key to a different address to either commit or roll back. Point is exactly what the parent said, it's very difficult to test some of these things because the problems may be an unusual chain of events or due to very specific circumstance in what's hooked to what and how much power is being drawn in the circuit at the time, etc.
  The other portions of the code that performed monitoring and emergency shutdown caught the overvoltages very quickly and shutdown the FPGA in the span of a couple clocks. In the end we only lost one board, and it was due to ESD despite using proper handling techniques and equipment.
12. Re:Impossible to test by b4dc0d3r · 2010-03-13 07:10 · Score: 4, Insightful
  
  "Toyota Knew About Sticking Pedals In Europe A Year Before U.S. Accidents"
  http://consumerist.com/2010/02/toyota-knew-about-sticking-pedals-in-europe-a-year-before-us-accidents.html
  "NEW YORK (CNNMoney.com) -- Toyota has known about brake problems in its popular Prius cars for some time, going so far as to fix it in new production vehicles, but has kept Prius drivers in the dark about the problem until the Japanese government called for an investigation."
  http://money.cnn.com/2010/02/04/autos/prius_timeline/index.htm
  "Toyota says it knew there were problems with accelerator-pedal assemblies from supplier CTS late last year, but not enough to warrant a recall."
  http://www.usatoday.com/money/autos/2010-01-25-toyotalong_st_N.htm
  
  Your opinion of its likelihood is not relevant. Not only is it likely, evidence points to it being true. You are being disingenuous by phrasing it "no economic gains to be had by killing your customers." A product has a flaw, people die, that happens sometimes. If you issue a recall, you draw attention to the problem and cost yourself money in lost sales, repair costs, and possible lawsuits. "Killing your customers" is a bit different from "hoping that driver error is the official cause, not faulty cars," and you deciding to phrase it that way is an appeal to emotion, not a logical argument.
  You can say we're just arguing semantics, but you're going to have to back up your unlikely opinion with links to convince me.
13. Re:Impossible to test by cynyr · 2010-03-13 07:11 · Score: 2, Insightful
  
  driver error in the way the effects were handled. why are drivers that don't know what to do in the case the car provides more power than intended allowed to drive? Yes, I expect people to know what that little N just above D means. Can't be bothered, I guess you don't need to drive.
  
  --
  All of the above was encrypted with a Quad ROT-13 method. Unauthorized decryption is in violation of the DMCA.
14. Re:Impossible to test by The+End+Of+Days · 2010-03-13 07:20 · Score: 3, Insightful
  
  The articles you linked indicate that Toyota has attempted a number of different fixes for what it believed were several separate acceleration related issues. I don't have to find links to make my case, you made it for me.
15. Re:Impossible to test by DarkOx · 2010-03-13 07:25 · Score: 4, Insightful
  
  The is a component of moral empowerment though, you have to consider. Most people are more willing to accept risk if they control the situation, even if the risk is greater. Other people are more accepting of an inherent justice of in the results when something bad happens to someone else who they feel was in control of the situation than when they were not.
  Consider on a per person per mile of travel basis a drunk "walker" is more likely to cause a traffic related fatality than a drunk driver. They do things like stumble off sidewalks into traffic, misjudge the rate of on cumming traffic and run out into busy highways, sit an take a rests on unlit rural roads and more. Still we vilify the drunk driver because when they cause a traffic fatality chances are they are not the individual contributing to the statistic, where as with the walkers they are usually the one killed.
  If we really minimizing risk we would be more condemning of drunk walking than driving because someone is more likely to die. We don't operate that way though, we don't think that way. Many people would take a friends keys, few would forcibly restrain them if they could not be convinced to stay a little longer and sober up, even though that friend would be safer behind the wheel.
  The same thing applies, most of us would be more willing to accept our loved one died because they were not able to control a set of mechanical and hydrolic linkages correctly and quickly enough to avoid and auto accident than we are when a software system fails to do the same, even though the later was far less likely.
  I am not saying that makes sense in moral terms, statistical terms, or anything. In fact the more objectively you look at it the less sense it makes to not use drive by wire and computerized systems but "we" still don't "feel" that way about it.
  
  --
  Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
16. Re:Impossible to test by colfer · 2010-03-13 07:36 · Score: 2, Informative
  
  Automatic trannies in these cars use the shifter as advice only. If shifted into neutral at speed, the engine would spin out, which is very damaging. So the software prevents that. Oops. Note, most cars in the US have automatic transmissions.
  Still, the best steps are check the pedal, try neutral, try cutting the engine (tap tap tap, hold, or whatever it takes if it is a button), and use the brake forcefully and completely, before the pads have a chance to heat up. Assuming you have the /!right/ pedal.
17. Re:Impossible to test by AigariusDebian · 2010-03-13 07:49 · Score: 4, Informative
  
  If a driver dials 911 on his cell phone before even trying to put the car in Neutral, then yeah - it is a driver error.
  (The last case on the news - a driver called 911 on his cell phone because his car was accelerating out of control. When prompted by the operator if he had tried putting the car in Neutral, he said no and even refused to do so when ordered to do it by the operator.)
18. Re:Impossible to test by zappepcs · 2010-03-13 08:07 · Score: 2, Insightful
  
  The "PR shitstorm" is way way over-hyped, it would be simple for the news to simply state "Toyota has confirmed an issue effecting the engine speed controls, and have issued a recall. If this happens to you while driving Toyota advises drivers to shift the car into neutral and engage the 4 ways and pull over in a safe location. If your car has a push button start be aware that you will need to hold it down for up to 5 seconds to shut down the engine." The fact that some people have died as a result of poor driving ability is no different than every fall here when it snows and some dumb person forgets that snow is slippery, a terrible thing to have happen, but usually 100% their fault.
  You don't know much about the main stream media in the US, do you?
  
  --
  Support NYCountryLawyer RIAA vs People
19. Re:Impossible to test by Gordonjcp · 2010-03-13 09:30 · Score: 5, Informative
  
  Every production car on the road has sufficient braking power to stall the engine in any gear at any throttle setting. Put your foot on the brake, and the car will stop. You may need new discs and pads after that.
20. Re:Impossible to test by dbug78 · 2010-03-13 09:43 · Score: 3, Informative
  
  Here's Mike Allen of Popular Mechanics demonstrating what happens when you shift an automatic Camry into neutral with the gas pedal floored.
  
  http://www.youtube.com/watch?v=NOMYjiCiTYg
  
  It doesn't, in fact, prevent you from shifting to neutral as you can tell by the sound of the engine butting heads with the rev-limiter.
21. Re:Impossible to test by RAMMS+EIN · 2010-03-13 09:57 · Score: 3, Funny
  
  ``In exceptional conditions I would certainly include what the driver is wearing.''
  I can see it now. Recall those drivers who called 911 when their vehicle accelerated out of control?
  Driver: Help! My car is accelerating out of control!
  911-person: What are you wearing?
  
  --
  Please correct me if I got my facts wrong.
22. Re:Impossible to test by Anonymous Coward · 2010-03-13 10:28 · Score: 2, Interesting
  
  I have done similar type of power sequencer design monitoring ~15 rails. I had worked on the idea on using a microcontroller a year before that, but I realized the problem is how to verify the design to work correctly.
  When finally I was actually tasked at the design, I did not use a microcontroller. It uses a special chip with PAL logic and programmable analog comparators. I even have to fake a state machine using time delays. It was very primitive, but it worked exactly as intended. It even save a few board during the initial prototype stages.
  Oh yes, it also work beautifully on sequencing down all the power rails when you pull the card out or the 2 main power fails. I can do that in a few microseconds, but your typical software type cannot guarantee their interrupt latency to do.
23. Re:Impossible to test by sjames · 2010-03-13 11:06 · Score: 2, Insightful
  
  Actually, these days the engine won't blow if you suddenly shift into neutral due to rev limits in the engine controller, but that just makes any refusal to shift into neutral at speed even less excusable.
  Defensive programming would include making a shift into neutral at speed override the accelerator position much like Toyota is doing (after the fact) with the brakes. Of course if the part of the software dealing with driver input is wedged, that won't help.
  The other issue is the start button. Apparently you have to press and hold it for 3 seconds. We all know that now, but apparently that info is buried in the owners manual. It also defies psychology. In a panic situation where time is badly distorted for the driver, they are to patiently press and hold the button. The natural behavior is to press rapid fire.
  I have had the throttle stick open on an old car once. Not wide open, but I released the accelerator and it had no effect. I turned the car off and pulled over. The ignition switch (being a mechanical device) behaved the same way it always does when turned, so there was no confusion. There's a lot of good in a positive action user interface. I was easily able to unstick the throttle cable and continue on my way.
24. Re:Impossible to test by konaforever · 2010-03-13 13:52 · Score: 4, Informative
  
  Automatic trannies in these cars use the shifter as advice only. If shifted into neutral at speed, the engine would spin out, which is very damaging..
  It doesn't seem you know much about cars. First of all, "spin out" isn't an automotive term. And 2nd, what do you mean by "spin out"? Modern cars have a rpm limiter which limits the RPM of the engine to some preset RPM limit. Have you ever driving a manual and hit the RPM limiter? It'll cut power to the engine. Same thing with neutral. An engine will not be damaged if you gas it in neutral, even to the RPM limit.
25. Re:Impossible to test by Animaether · 2010-03-13 14:32 · Score: 3, Informative
  
  You're one of those types that hit a wikipedia page, see some claimed fact without attribution, slap a [citation needed] on it, and then bugger off, aren't you?
  You could just hit a search engine with some key words to see if you can find any corroborating source(s), of course:
  http://news.google.com/news?q=toyota%20911%20neutral
  Oh hey, look at that.
  
  uring the 911 call, the operator urged Mr. Sikes to shift the car into neutral. He later said he was afraid doing so might cause the car to "flip" or shift into reverse.
  - http://online.wsj.com/article/SB10001424052748704734304575120001542947616.html?mod=googlenews_wsj
26. Re:Impossible to test by dokebi · 2010-03-13 14:48 · Score: 3, Interesting
  
  You do realize that Prius's gear level is just a joystick, right? There is nothing mechanically connected, which means that if the computer is confused, then _there is nothing the driver can do_, except stomp on the breaks.
  Actually there is. The car turns itself off if you hold the power button for 3 seconds. But in a panic situation, a person would most likely press the button repeatedly, instead of holding it steady for 3 long seconds. Other manufactures turn off on rapid button press in a short time, instead, which seems better.
  
  --
  In Soviet Russia, articles before post read *you*!
27. Re:Impossible to test by toddestan · 2010-03-13 17:12 · Score: 3, Insightful
  
  Judging by how the power button appears to work in the Prius, I would guess all that it does is tell the computer to shut down the engine. It's not like a typical car where the turning the key to Acc or off would cut the power to several critical systems. So if the computer is messed up to the point where the gear shift selector is not working, I wouldn't count on the power button to help you either.
28. Re:Impossible to test by FleaPlus · 2010-03-13 18:51 · Score: 4, Interesting
  
  (The last case on the news - a driver called 911 on his cell phone because his car was accelerating out of control. When prompted by the operator if he had tried putting the car in Neutral, he said no and even refused to do so when ordered to do it by the operator.)
  It's starting to look increasingly likely that this latest case was a hoax:
  http://en.wikipedia.org/wiki/Toyota_Prius#Brake_fix_and_acceleration
  
  On March 8, 2010, a 2008 Prius allegedly uncontrollably accelerated to 94 miles per hour on a California Highway (US), and the Prius had to be stopped with the verbal assistance of the California Highway Patrol as news cameras watched [86]. Subsequent to the event, media investigations uncovered suspicious information about the alleged runaway Prius driver, 61-year old James Sikes, including false police reports, suspect insurance claims, theft and fraud allegations, television aspirations, and bankruptcy.[87][88] Sikes was found to be US$19,000 behind in his Prius car payments and had $US700,000 in accumulated debt.[87] Sikes stated he wanted a new car as compensation for the incident.[87][89] Analyses by Edmunds.com and Forbes found Sikes' acceleration claims and fears of shifting to neutral implausible, with Edmunds concluding that "in other words, this is BS",[90] and Forbes comparing it to the balloon boy hoax.[88]
29. Re:Impossible to test by metaforest · 2010-03-13 20:06 · Score: 2, Interesting
  
  could be any number of causes.
  Here's an example from my own experience:
  I once had some embedded CODE that failed only when the system was off, and exposed to sub-freezing temps for several days.
  If it was off under any other conditions it would start up and work correctly.
  Turns out it was an uninitialized global variable, the compiler was not warning me about it, though it would for local variables.
  Now one might expect that this would fail randomly on power up since the contents of SRAM is undefined... most programmers will assume it's random. It's not really random. There's often only a few values that a SRAM cell will take on typically at room temperature. Additionally as others have noted, SRAM can have a slight "memory effect" it also will sip holding current from decoupling capacitors long after other devices around it are well below their minimum forward Vth voltage. So in every case during in house testing the functions that used this variable managed to see a positive value on power-up which caused their first calculation on power-up to be wrong, but had no material impact on the output since it wasn't ever wrong enough to be noticed, or cause the system to mis-operate.
  Then the system was deployed. The first few weeks the system was fine. It was late summer at the customer's site. The customer feedback was that it was working perfectly. We deployed another few units. Also working fine. Then summer ended. Fall First cold-snap of fall took place over a weekend. On monday morning all of the systems were started by their operators and crashed. Then restarted normally.
  Lots of head scratching. No more failures that whole week. But something was clearly up. We couldn't reproduce the problem in the lab... We didn't know about the cold snap either. A week went by. No one spotted the bum variable. The following Monday no failures. No failures for a few more weeks. Still no one spotted the bum variable, code and hardware passed review.
  Then the site got their second sub-freezing cold-snap on a weekend... This one we knew about before hand... our on-site rep mentioned during a conference call that it might snow over the weekend. Internally our team was still looking for answers, but without more failures we just didn't know what to look for. We'd left systems off for weeks at a time and they never failed to start.
  The hardware guys froze them, and over heated them. Kicked them around the lab.... none of them showed the failure seen by the customer.
  The Rep called on monday and said all of the units failed to start the first time. The rest of the week they were fine.
  Hardware team put three units in the freezer and left them there for three days. To replicate the weekend conditions. All three failed to boot. Hardware probed the frozen boards... code checksum was fine.... everything looked fine. The code was crashing though, and we got a call chain out of the device.
  So I went in and looked again.... this time I spotted the uninitialized variable.
  Turns out it could only crash when the variable had a negative value in it. Turns out if really cold AND the system was left off long enough for all the capacitors to drain then on power-up the SRAM in this particular device would come ready with a majority of it's bits set high. If it was above freezing... the majority of bits were low. In over-night freezes there was enough capacitance on the board to keep the RAM holding.
  We had the on-sight rep re-flash the systems with the new code.... bug killed.
  This was not a complex system and it was not required to meet Safety-of-Life standards. It had about 8K of code and 2K of active data, and three active IC packages.
30. Re:Impossible to test by arkenian · 2010-03-13 22:25 · Score: 3, Informative
  
  Except that drive-by-wire systems have absolutely no possibility of making the operation of the car safer (more efficient, sure, but that's it) and many many ways in which to make it less safe, so you're wrong about it making more sense to use drive-by-wire. I can't figure out what you're thinking with that statement.
  That's flat-out not true. Traction Control and brakes and power synchronizing together (which is a lot of what drive-by-wire DOES) absolutely, in most cases, makes the average driver safer. Personally, I'm inclined to think that as drive-by-wire improves (until eventually, hopefully, the really dangerous part (i.e. the driver) will go away), we will in general progress to fewer accidents per car-mile but, unfortunately, far more catastrophic ones.
Infallible fail. by jeckled · 2010-03-13 05:32 · Score: 5, Insightful

Drive by wire is great and all, but I'd feel much better with a physical fail-safe than their "infallible" software. I am aware of the physical remedies for the issue, but I'd like to see the brake pedal override the accelerator.
1. Re:Infallible fail. by shrimppesto · 2010-03-13 06:09 · Score: 4, Informative
  
  i'd feel much better with drivers who know they should pop the car into NEUTRAL if it starts accelerating out of control for any reason, rather than trying to stand on the brake pedals while dialing 911 ...
2. Re:Infallible fail. by timeOday · 2010-03-13 07:25 · Score: 3, Informative
  
  You could be referring specifically to last week's incident, which I found fishy from the start:
  
  Skeptics of Sikes also cite the 911 tape that was released shortly after the incident. During the tape, the dispatcher repeatedly told Sikes to put the car in neutral in order to stop it from accelerating. Sikes did not comply with her instructions or the instructions of the officer on the scene who told him to do the same thing via his public address system as they tore down the highway.... Sikes claimed he thought that would "flip the car."
  Beyond the call itself, the Associated Press reports that Sikes's car was equipped with a brake override system, something that should have slowed the car down once he stomped on the brake pedal.
3. Re:Infallible fail. by jc42 · 2010-03-13 12:18 · Score: 2, Interesting
  
  i'd feel much better with drivers who know they should pop the car into NEUTRAL if it starts accelerating out of control for any reason, ...
  Except we have testimony from any number of the Toyota acceleration victims that they had put the transmission into the "N" position, but the car just ignored it and kept accelerating. They also claimed that they knew how to use the brake, but the car also ignored that.
  As a software guy, I'm quite familiar with ways that software will do things like this, and I find the testimony quite credible. But we might consider that the victims might be lying to us. Or that the auto company might be lying. Or both.
  Myself, I'd believe them all better if there were "black box" recording devices with logs of the incidents. Rumors have it that some auto manufacturers are considering such gadgetry. But of course it would add to the price of a car and make it less competitive in a price-conscious market. So we might not see such recording devices soon, or if we do, they'll be very limited and won't be able to answer the sorts of questions that people are asking here.
  In any case, it's a bit bemusing to see people automatically attributing failures of a "drive-by-wire" vehicle to 100% driver error. The cars we're talking about are controlled by computers, not by people; the driver is just there to give advice to the computers. How often have you pressed a button on your computer, and seen nothing happen in response? We're hearing the testimony of people saying that this happened with their computer-controlled car. Anyone with any experience at all with commercially-built computer systems would believe the "user", not the manufacturer, because we have far too much experience with commercially-built computers to believe otherwise.
  OTOH, the CS guys will tell us that are a lot of really stupid computer users out there. And most of them are also drivers ...
  
  --
  Those who do study history are doomed to stand helplessly by while everyone else repeats it.
Another interesting statistic by homer_s · 2010-03-13 05:33 · Score: 5, Interesting

From here :

In the 24 cases where driver age was reported or readily inferred, the drivers included those of the ages 60, 61, 63, 66, 68, 71, 72, 72, 77, 79, 83, 85, 89—and I’m leaving out the son whose age wasn’t identified, but whose 94-year-old father died as a passenger.

These “electronic defects” apparently discriminate against the elderly, just as the sudden acceleration of Audis and GM autos did before them. (If computers are going to discriminate against anyone, they should be picking on the young, who are more likely to take up arms against the rise of the machines and future Terminators).

Some more data here
1. Re:Another interesting statistic by maxume · 2010-03-13 05:35 · Score: 4, Insightful
  
  Be careful to note that the 24 cases discussed there are only the ones that have led to serious incidents.
  
  --
  Nerd rage is the funniest rage.
2. Re:Another interesting statistic by WrongSizeGlass · 2010-03-13 05:49 · Score: 3, Funny
  
  Now, come on. We can't blame age for this. I plan to be that old one day ... as long as I don't buy a Toyota, that is.
3. Re:Another interesting statistic by f16c · 2010-03-13 05:53 · Score: 2, Informative
  
  Something to understand about those statistics: This is a self selected group based largely on income. Camrys may be everywhere but Prius' tend to be expensive.
  
  --
  bob@Osprey:~>
4. Re:Another interesting statistic by maxume · 2010-03-13 06:19 · Score: 5, Informative
  
  To me it suggests that older drivers are having more difficulty coping with the situation once it arises.
  Forbes says that the guy who got himself plastered all over cable last week was 'afraid' to put the vehicle into neutral, or to turn off the engine:
  http://www.forbes.com/2010/03/12/toyota-autos-hoax-media-opinions-contributors-michael-fumento.html?boxes=financechannelforbes
  (They link the 911 recording:
  http://www.thetruthaboutcars.com/the-jim-sikes-911-call-23-minutes-of-unintended-acceleration/
  )
  So apparently being an idiot is also a likely factor in the failing to cope with the incident before it becomes lethal.
  But they key observation is that the higher number of fatalities among older drivers doesn't really point to the source of the problem being driver error (rather, the driver error is in failing to deal with the situation once it arises).
  
  --
  Nerd rage is the funniest rage.
5. Re:Another interesting statistic by causality · 2010-03-13 06:43 · Score: 4, Insightful
  
  To me it suggests that older drivers are having more difficulty coping with the situation once it arises.
  
  Forbes says that the guy who got himself plastered all over cable last week was 'afraid' to put the vehicle into neutral, or to turn off the engine:
  That part is strange. Uncontrolled acceleration is a much greater risk to life and limb than the red-lined/blown engine you might get if it were put into neutral with the throttle wide open. Being "afraid to try neutral" makes no sense.
  
  They link the 911 recording
  Just an irrelevant side note: I've always found it low-class and tacky that phone calls made to 911 become publically available, especially when you hear them on the news. The message is, "hey sir or madam, remember that moment when you were highly emotional and had no idea if you were going to live or die? Well, we've got great news! That highly personal moment of reflection on your own mortality is now a public spectacle for millions of people! It's okay, we make a profit from this! No we won't share that profit with you..."
  
  I realize it's a government service funded by taxpayer dollars. That explains how this is possible. It fails to explain how this is the best or most honorable thing to do.
  
  So apparently being an idiot is also a likely factor in the failing to cope with the incident before it becomes lethal.
  That part generally shouldn't be a surprise. I'd imagine it also helps if you can keep calm and avoid panicking, as panicky people often fail at things they could do easily if they were not in a state of deer-in-headlights fear.
  
  But they key observation is that the higher number of fatalities among older drivers doesn't really point to the source of the problem being driver error (rather, the driver error is in failing to deal with the situation once it arises).
  Nor does it explain why older drivers were disproportionately affected. Possibly the Toyota brand is more popular among older drivers because it historically has retained a decent resale value. While nothing the driver does should ever cause this kind of uncontrollable automatic acceleration, perhaps older drivers tend to have habits that somehow manifest whatever the actual underlying problem is. There are a lot of coincidences and correlations being pointed out in this discussion but unfortunately there seems to be little certainty about whether they are more than that.
  
  --
  It is a miracle that curiosity survives formal education. - Einstein
Testing. by Ihlosi · 2010-03-13 05:34 · Score: 4, Insightful

Testing only confirms the absence of known bugs. Never forget that.
Logic of Testing by Renegade+Lisp · 2010-03-13 05:38 · Score: 4, Insightful
David Cummings does seem to know what he's talking about, but as it is written, there is some strange logic in the article.

If Toyota has indeed tested its software as thoroughly as it says without finding any bugs, my response is simple: Keep trying.
Testing cannot prove the absence of bugs, only their presence. There are two things that do not follow from this:
- If you don't find any bugs, then your software doesn't have any.
- If you don't find any bugs, then there must be some left in your software.
It sounds to me as if Toyota is saying the former, while Cummings says the latter. Neither is a correct conclusion.
1. Re:Logic of Testing by marcansoft · 2010-03-13 05:43 · Score: 4, Insightful
  
  Given practical software engineering conditions though, a) is highly unlikely while b) is highly likely.
2. Re:Logic of Testing by Renegade+Lisp · 2010-03-13 05:52 · Score: 3, Insightful
  
  I'll grant you that, but what I don't understand is this:
  If you test, and do find some bugs, does that allow you to put any more trust in your software than if you tested and didn't find any?
Re:I agree on non-software fail-safes by peragrin · 2010-03-13 05:51 · Score: 2, Informative

technically that is what part of the update does. It forces the computer to always choose the brake over the accelerator when both pedals are registering. So if the car does accelerate a tap on the brakes should disengage it.

--
i thought once I was found, but it was only a dream.
From the days of "winmodems" by A_Non_Moose · 2010-03-13 05:53 · Score: 2, Interesting

I've said time and time again, "Never replace hardware with software" because
something dedicated to the task will always work better, or be less failure
prone (more often than not).
Would Toyota be having these problems with an accelerator cable vs electronic?
99% sure the answer is "no"...heck the solution is add some grease, make sure
it isn't pinched/looped too tightly and/or add tension to the pedal side.
Or, replace the damn cable with a new one...a 20 to 30 minute task.
(less than 10min on a motorcycle)
Oh, well, what do I know? I'm just a CS major with real world experience, pay
no attention to the man behind the keyboard!!!

--
Have you read the moderator guidelines? Well, have you, PUNK? (and I want a Karma: Gnarly option)
1. Re:From the days of "winmodems" by DerekLyons · 2010-03-13 07:32 · Score: 3, Insightful
  
  I've said time and time again, "Never replace hardware with software" because
  something dedicated to the task will always work better, or be less failure
  prone (more often than not).
  On the flip side, the USN replaced complicated and heavy hardware analog computing systems for [SSBN] missile guidance systems with software running on a digital computer, and MTBF went through the roof and maintenance man hours and MTTR through the floor. The same thing happened when they replaced the analog torpedo fire controls with digital ones. The same thing happened again when the hovering system controls were upgraded to digital.
  
  Now, before you claim that is a limited set of examples, I invite you to consider the millions of incident free flight hours accumulated by fly-by-wire aircraft. Or the replacement of DIP switches in PC's with software configuration. Etc... Etc...
2. Re:From the days of "winmodems" by John+Hasler · 2010-03-13 11:18 · Score: 2, Interesting
  
  > Would Toyota be having these problems with an accelerator cable vs
  > electronic?
  GM once had a very similar problem with a 70s car with a cable. An engine mount failure would allow the engine to rotate under acceleration in such a way as to yank the cable to full throttle and then jam it, causing the car to run away. The resulting collision would knock the cable free and as collisions often break engine mounts, the evidence disappeared.
  Computerized systems are usually more reliable than mechanical ones, but they must be competently engineered.
  
  --
  Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
Re:Maybe it's not a bug, maybe it's an Easter Egg. by Anonymous Coward · 2010-03-13 05:55 · Score: 2, Insightful

The type of people that purposely hide bugs that will likely kill several people are the same type of people you can't really "appease" no matter what you do.
Boeing versus Airbus by goombah99 · 2010-03-13 05:55 · Score: 5, Insightful

I'm loving this conversation here because I've gotten crucified in slashdot before for making simmilar comments to the whole thread here. I grew up in a family of top managers of Boeing systems engineers. They hated computers. My dad never even learned how to turn one on. He hired other monkey to use the computers. As A child I was regailed with wonderful stories of every hard lesson in safety my dad had learned over his lifetime. He loved world war II because they got to use cutting edge designs for balls out performance yet at the same time learned how to make things reliable by disecting the accident. He would tell me about the accident that taught them that the engine pumps need to be at full speed but flow stalled on take off so that there's no lag when you hot swap after a pump fails. He told me of the accident where they learned not to route 100% of the control system wiring through any one junction box. etc...
Probably because of all these hard won lessons boeing for years insisted on fully mechanical or hydraulic flight surface controls. Whereas Airbus and other jumped on the fly-by-wire concept early. My dad would spit after hearing some youg person tout all the advantages of fly by wire. He knew them perfectly well. He was big on accepting new innovations to reduce fuel costs and increas performance. He was not a luddite. But he had a safety background that told him these electonic systems were hard as hell to validate and hard as hell to make truly independent from each other.
For example they often used triple redundant computers and if one of them disagreed the other two would vote it off the island and stop listening to it. From what I've read it's now suspected that the latest airbus crash in the pacific had one of it's root problem in the voting nexus where a superior computer over ruled a more primitive safety system.
While we all know that computer software validation is hard if not impossible. It's not something we readily admit here on slash dot. It's because for years people like my dad would throttle the innovations the computer engineeers wanted to implement. I think as a result there became this culture of computer engineers that presented the case that embedded computing could be made safer than it really could be to offset that.
So now we come full circle and have to admit there is this middle ground. Just because a computer can improve perfromance does not mean it's reliable and safe. The old guys had a point after all when it came to safety.
Next week I'll tell you about how the ancient shocking lesson of the British Commet aluminum aircraft wings falling off led to the unanticipated discovery of metal fatigue and probably was the reason Boeing was slow to move to composite materials in commercial aircraft (but not in military aircraft). In hind sight we have heard of many tales of the composite tails of plane falling off as the reason for the loss of control before a crash. Conversely, composite wings on UAVs allow them to absorb a lot of bullet holes with no loss of control and to operate under higher perfromance conditions.
The point is that safety and performance are trade offs when both are pushed to the limit. The old guys know a lot more about safety than you might expect. The young guys are all about performance.

--
Some drink at the fountain of knowledge. Others just gargle.
1. Re:Boeing versus Airbus by roman_mir · 2010-03-13 06:23 · Score: 5, Interesting
  
  A year ago I was watching one of Discovery programs I think and they had a couple of guys who supposedly implemented a piece of software, that would allow an airplane to fly and land safely if for some reason, while in the air, the tale would brake off or rudder would just stop working. They relied on a fly by wire airplane of-course and controlled the yaw with all other surfaces by applying very slight changes to the motion. They were saying a human could do this if extremely lucky, but software was able to do it almost always.
  Just something to think about.
  
  --
  You can't handle the truth.
2. Re:Boeing versus Airbus by MartinSchou · 2010-03-13 07:14 · Score: 4, Insightful
  
  I'm pretty sure that the tail of an airplane falling off is an unanticipated scenario that humans cannot deal with either ;)
3. Re:Boeing versus Airbus by timeOday · 2010-03-13 07:18 · Score: 4, Insightful
  
  You make it sound as computers killed a golden era of safe engineering, as if perhaps we should go back. Let's keep some perspective here. Were cars back then simple, predictable, and solid? Perhaps. They were also death traps. How do the deaths with a suspected link to throttle software stack up statistically to those saved by anti-lock brakes? How does Toyota safety - on any model you choose - stack up to the competition when measured in deaths per millions of miles? I doubt this problem is even enough to appear in those big-picture statistics.
4. Re:Boeing versus Airbus by roman_mir · 2010-03-13 07:19 · Score: 2, Informative
  
  Yep, normally that results in death
  
  --
  You can't handle the truth.
5. Re:Boeing versus Airbus by DerekLyons · 2010-03-13 07:20 · Score: 4, Informative
  Next week I'll tell you about how the ancient shocking lesson of the British Commet aluminum aircraft wings falling off led to the unanticipated discovery of metal fatigue and probably was the reason Boeing was slow to move to composite materials in commercial aircraft (but not in military aircraft).
  This one comment makes me wonder about the veracity of the balance of your account.
  
  Metal fatigue was known about long before the Comet took wing in 1949.
  The fatigue cracks on the Comet's occurred at skin penetrations (windows and hatches).
  
  In hind sight we have heard of many tales of the composite tails of plane falling off as the reason for the loss of control before a crash.
  Then there is crunchy bit of FUD, which fails to mention that more than a few of those accidents are also associated with extreme control surface movements (inducing extreme stresses) prior to the failure.
6. Re:Boeing versus Airbus by b4dc0d3r · 2010-03-13 07:26 · Score: 2, Insightful
  
  Justifying something based on its performance on outlier conditions has never been a good idea. The number of accidents where the tail falls off is probably greater than the number of accidents where the tail falls off and the software would be able to compensate.
  Maybe having the "oh shit" button turn this on would be a good idea, but I think if you look at the number of crashes and their causes, you'd want to build redundancy in the rudder or strengthen the tail.
7. Re:Boeing versus Airbus by MaskedSlacker · 2010-03-13 08:11 · Score: 2, Informative
  
  No, it was an example of one the computer CAN deal with (if it's anticipated in the programming.
  A computer is limited by the creativity of the guy writing the IF THEN statements (setting aside the possibly of adaptive AI, but that raises other issues).
8. Re:Boeing versus Airbus by goombah99 · 2010-03-13 08:48 · Score: 2, Informative
  
  Derek, as you might have noticed I was keeping it short on the comet disaster. But to expand. yes of course metal fatigue as a phenomena was known before the Comet disaster. What my Dad told me was they learned that they did not know about how to design for it yet. They did not have any computer modeling to know what flight stress really did to winds and to metal. they hardly had any way to measure material strength changes in-place. The people who built the Comet we no dummies so clearly they discovered a scaling issue in metal no one had encountered before nor new how to design for at that time. The point I was making was that just because you can't foresee a problem in something new does not mean you cant anticipate there might be problems you can't foresee. The switch to composites opened up the same sort of issues that the comet did.
  
  --
  Some drink at the fountain of knowledge. Others just gargle.
9. Re:Boeing versus Airbus by X0563511 · 2010-03-13 09:15 · Score: 2, Interesting
  
  I have an example.
  In a simulator (yes, a simulator) I was flying a VTOL type aircraft. Pulled a turn at too great a speed and broke off a few control surfaces. Maddening spin, completely unrecoverable (at least for me).
  Tapped the button to enable "artificial stabilization" - which in this craft, enabled "puffers" charged with compressed air (driven by the engines, which still worked) - the computer control algorithms managed to use the remaining control surfaces and these puffers to level the craft and reduce the yaw spin to about 5 degrees/second.
  Because of the VTOL nature of this craft, I was able to land it with a very survivable sink rate (gear even survived the landing).
  My point? Good luck doing that manually. This simulation anecdote should help back-up your thoughts :)
  (simulator: X-Plane 9)
  (craft: Verticopter)
  (note that a scale model actually flies, it's not just a pipe dream)
  
  --
  For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
10. Re:Boeing versus Airbus by jamesh · 2010-03-13 09:31 · Score: 2, Insightful
  
  Amen. Fly by wire can never be perfectly safe - no matter how well a system is designed it can still fail. As long as its safer than the mechanical systems we're still ahead though.
11. Re:Boeing versus Airbus by timeOday · 2010-03-13 10:48 · Score: 2, Insightful
  
  I'm just saying that he was a walking encyclopedia of examples of how even when you think you have thought of everything you haven't.
  
  I agree with that wholeheartedly. Statements like "question all assumptions" are about as helpful as "foresee everything and never make mistakes."
  
  Since it's harder to validate computers than physical systems it should make you think twice.
  I question that. It's just that the most complex tasks require software because they are beyond what can be done with mechanical systems alone. For an example of a complex mechanical and software system, look at the Space Shuttle. What brought it down, twice? Mechanical problems, not software glitches.
12. Re:Boeing versus Airbus by DerekLyons · 2010-03-13 11:00 · Score: 3, Insightful
  
  Derek, as you might have noticed I was keeping it short on the comet disaster.
  One can be short without being wrong. You were both short *and* wrong.
  
  The people who built the Comet we no dummies so clearly they discovered a scaling issue in metal no one had encountered before nor new how to design for at that time.
  No, actually they discovered (as is widely documented in aviation histories) that they failed to correctly account for the stresses caused by multiple pressurization and depressurization cycles. They knew perfectly well how to design for metal fatigue, but lacked information on how that fatigue would manifest itself.
  
  The point I was making was that just because you can't foresee a problem in something new does not mean you cant anticipate there might be problems you can't foresee. The switch to composites opened up the same sort of issues that the comet did.
  I merely pointed out how you have the story wrong, not that your point was false.
prove a negative? by sjs132 · 2010-03-13 06:02 · Score: 2, Insightful

Isn't this like proving God doesn't exist?
They can test and test and not get a result that said this is the bug, so they assume that it doesn't exist.

--
--- Relax, that mass muderer is just trying to reduce our carbon footprint, one fetus at a time...
Re:I agree on non-software fail-safes by WrongSizeGlass · 2010-03-13 06:07 · Score: 3, Funny

They should just implement a huge red panic button to shut everything off :)
They could even buy them at Staples. Need to stop your out of control Toyota? That's easy.
Re:I agree on non-software fail-safes by KarmaMB84 · 2010-03-13 06:09 · Score: 4, Insightful

Unfortunately the update assumes the computer will actually respond to the brake being pressed or any input for that matter. Toyota doesn't know for certain what is causing all of these sudden acceleration problems in which fiddling with the gas pedal, brake and even putting the vehicle in neutral won't stop the vehicle. The software update, while a sensible modification that should've been in the software all along, is sort of a hail mary toward preventing any new cases in updated vehicles.
Re:Help me benefit from media hype by John+Hasler · 2010-03-13 06:19 · Score: 3, Informative

> And I know how to hit the brakes...
With the engine past the redline there is very little vacuum to operate the power brakes. Without power assist the brakes may not be able to overcome the engine (this is, IMHO, a fundamental design defect).
> ...shift into neutral...
The computer may not let you do that with the car moving and the engine at high rpm. After all, the engine and/or transmission might be damaged (another design defect).
> ...and/or turn off the key...
Some of these vehicles don't have keys: just a radio remote. The emergency shutdown procedure is to hold a button down for three seconds (another design defect).

--
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
Re:Help me benefit from media hype by bitingduck · 2010-03-13 06:28 · Score: 2, Interesting

I used to have a car where the engine would suddenly turn off for no reason while driving, often at exciting moments like getting onto the freeway. It was pretty easy to put it into neutral (it was an automatic), turn the key to "acc" and try to restart the engine (usually with success) without accidentally locking the steering wheel.
It went on for some time until I convinced the repair guys to clean all the electrical connections from the computer to the fuel pump. The car had lived most of it's life in cold places with salty roads, and then the problem appeared in california where mechanics don't think of the effects of salt water. Once the connections were clean it behaved fine.
Other lessons from Boeing by Beryllium+Sphere(tm) · 2010-03-13 06:38 · Score: 4, Interesting

I worked on an embedded flight system there, and deeply respected people like your dad.
Boeing works under the eye of a certification authority who has to approve the safety of a design including, at least in the system I worked on, human factors. If there's anything comparable for cars, I haven't heard of it.
Boeing would not have made a pilot have to guess at how to turn an engine off (people with older cars, it's no longer a matter of turning a key).
Inputs were checked for consistency and validity. The specs would have anticipated what to do if the accelerator and brake were both full on at the same time.
There was a culture of worst-case planning and redundancy.
Also, if Boeing built a car, it would have a flight data recorder which investigators could examine and say for example "Looks like both(*) potentiometers on the accelerator went hard over at the same time, so we go look on the branches of the fault tree where there's a common-mode failure in the potentiometers or the pedal is down due to mechanical or pilot error".
(*) If I remember correctly from my obsessive pre-purchase research on Priuses, there are two separate sensors for accelerator position.
1. Re:Other lessons from Boeing by SIR_Taco · 2010-03-13 10:01 · Score: 2, Informative
  
  Also, if Boeing built a car, it would have a flight data recorder which investigators could examine and say for example "Looks like both(*) potentiometers on the accelerator went hard over at the same time, so we go look on the branches of the fault tree where there's a common-mode failure in the potentiometers or the pedal is down due to mechanical or pilot error".
  From working in the field of emergency response, quite a number of newer cars (somewhere around 2000 they started putting them in) do have a "blackbox" of some kind (some more detailed than others). Having said that, I'm not the one to examine them nor do I pull them out of cars after an accident. But, having talked with the guys that do, they get a surprising amount of data from them. It tells them whether or not the air-bags were deployed, the highest speed before "sudden" deceleration, the time it took the car to come to rest, whether the breaks had been applied, whether the seatbelts were engaged, traction of the tires (if the car has one of those "smart" traction-control features), and all time-stamped (sure there is more, but that's all I can remember from the conversation).
  Just thought I would point that out for those that are unaware.
  Cheers.
  
  --
  I say don't drink and drive, you might spill your drink. Before you get behind the wheel just stop and think.
2. Re:Other lessons from Boeing by pjsanfil · 2010-03-13 14:41 · Score: 2, Insightful
  
  The manual for the Prius explains how to shut it off in an emergency in small text on page 43 after the directions for configuring the entertainment system.
Speaking as an embedded programmer here... by dbc · 2010-03-13 07:00 · Score: 3, Interesting

... why does everyone assume it is a software bug? I agree that it very well could be an undiscovered software bug. But there are so many more sources of erroneous behavior in an embedded system that *even* *if* the software were flawless (ummm... just go with me a minute... :) an automotive environment can cause all manner of strange glitches. I work with robots, lots of DC motors causing commutation noise on the power supply, long (several inch) distances between units that must talk to each other and therefore may have a different opinion as to ground reference voltage... many things can get wacky. Even flawless code needs a watchdog timer to get you out of weird states that power glitches that put you into. Power supply spikes can cause the program counter to jump to very odd places, with odd, corrupted stuff in RAM. Ground level shifting can cause communication glitches. CAN bus is *extremely* robust, so bad data should not get through... but what does get through? Does the system as a whole get into a weird state if packets drop?
Re:Help me benefit from media hype by MachDelta · 2010-03-13 07:06 · Score: 2, Informative

Any vehicle built in the last thirty or fourty years will not allow the steering column to lock unless the transmission is in park. If you're in drive (or neutral) you can only turn it to "off", not all the way to "lock". This was to prevent an errant knee from locking the steering while you're doing 70 on the freeway. Happened to me once, except I was only doing 45 on a bumpy ass gravel road when my knee smacked into my keychain. It was startling, but not particularly dangerous.
Re:Help me benefit from media hype by NewtonsLaw · 2010-03-13 07:17 · Score: 3, Informative

> With the engine past the redline there is very little vacuum to operate the power brakes. Without power assist the brakes may not be able to overcome the engine
apparently not true
Story of an elusive bug... by descubes · 2010-03-13 07:44 · Score: 2, Informative

Several years ago, I designed the software for a real-time automotive test system called HP ECUTEST (I think the official name was HP Design Span DS5470, but let's not waste time on HP's cold dead fish naming conventions). It simulated a car from an electric point of view. You connected an electronic control unit (ECU), and it had basically no way to tell it was not in a real car. Think of it as The Matrix for car electronics.
One of our first customers wanted us to test it with a reliable, proven, tested, tried and true ECU, something that was on the road in cars for several years already. So we did. And I noticed something odd. The ECU worked fine when we "drove" a car normally, but at idle, it would basically slow down, one RPM at a time, until it stopped. However, if I changed the value of the input corresponding to the accelerator pedal, it would reset the idle speed to the default, something like 800rpm.
Finally, after eliminating the possible bugs on our side, we tell the customer. Their first reaction was "no way". But after a week and a demo of the problem, they finally made a connection. They had this elusive bug of some car customers complaining that their car would sometimes stop when idle. It turns out that in a real car, chassis vibrations generally caused minute changes in the input value for the accelerator. So the ECU would correctly recompute its idle speed. However, if there was no change, like if the pedal was more rigid than usual, the bug would trigger.
The root cause was a routine that wanted to optimize idle speed to be as low as possible, but for some reason kept cached data if the accelerator had not changed, so it thought the engine was still running smoothly.
We found such bugs in practically all ECUs we tested for the first time. The most impressive one was in a V8 ECU that was basically a V8 until 1200rpm, then a V7, then a V6, and basically a V2 above 4000 rpm. The customer had hoped we'd find something, because they didn't get all the power they expected from the engine. Obviously. It was hard to find without our system, because the injectors that fired were differnt from cycle to cycle, so more simple instrumentation saw all cylinders running. The root cause here was that the software badly exceeded its real-time envelope... Ouch.

--
-- Did you try Tao3D? http://tao3d.sourceforge.net
It is possible, and is done, but hard/expensive by RobinH · 2010-03-13 09:30 · Score: 2, Interesting
I do industrial automation for a living, and machine guarding/safety is a major component of the job. There are now, in the last few years, software based safety products that are provably just as safe as a hardware only safety products. The key is that it's not just about rigorous testing, it's about correct design. If you want category 4 protection, you need to be sure that:
1. No single component failure can leave the system in an unsafe state
2. The component failure is detected
3. The system cannot be restarted without correcting the failure
Software becomes another component. Therefore you need to have redundancy in your software. Government regulators that certify these safety systems as compliant want to see you prove that a single component (i.e. unit of software) can't malfunction and leave the system in an unsafe state. What a lot of companies do is they have two independent processors each monitoring the inputs to the system in parallel, and each generating the required outputs. The processors are typically sourced from different companies, and the circuit boards are designed by different teams. The software running on each processor is written by a different team. If both processors agree on the outputs, the system drives those outputs, and if not, all power is dropped to everything and the system can't be restarted (may need to be replaced, etc.).
Those of us in the industry were skeptical of software based safety at first, but given the above facts and a decent amount of regulatory oversight, I'm satisfied that it will live up to the design criteria. That doesn't mean an error can't happen, but it makes the probability low enough that we can live with it.
The latest thing is safety systems running their I/O across networks like DeviceNet and even Ethernet/IP (the IP stands for Industrial Protocol, not Internet Protocol). Again, I was at first skeptical, but they use a protocol layering on top of the network using timestamps and redundant processors on both ends with reasonable failure modes that the system is provably safe, within reasonable limits.
So you can make safe embedded systems, but without being able to inspect the design and see that it lives up to these guidelines, Toyota can't ever *prove* that the system is safe.
--
"I have never let my schooling interfere with my education." - Mark Twain
Open Source the damn code -- so that I can test it by Btrot69 · 2010-03-13 09:43 · Score: 2, Insightful

I'm a former professional "software tester from hell" (currently unemployed) -- and I drive a 2007 Camry Hybrid.
Officially, my car does not have a problem -- other than the floor mats -- which are now in my trunk and were never a real problem anyways.
Months before all of this publicity, I complained to my dealer about what seemed like a "sticky throttle" during routine maintenance.
The engine continues to run fast for 3-5 seconds after letting up on the gas.
The dealer actually charged me for the extra inspection, but did not find a problem.
So obviously -- I have some concerns.
I doubt that it is a software bug. It didn't start happening until the car was 2 years old.
But who knows ?
Some of those embedded computers have probably been running since the day the Hybrid battery pack was connected in the factory.
Any software running that long could have become unstable.
But without source code, I am powerless to do anything about it.
I have to rely on the word of Toyota's software QA people -- even though I know the current state of the art of software testing is a JOKE !
If Toyota open sourced the code -- I'd have a lot more confidence -- that with a lot more eyes on it -- the software really was OK.
(and if they offered a reward for finding a problem -- I'd be even more confident)
Now for a quick rant as to WHY the current state of software testing is a joke, and why I have little confidence in ANY corporate software QA.
I write this as a former CSTE -- the QAI's "Certified Software Test (Engineer/Expert)".
I also should say that I love software testing because it is the one part of software development where creativity and intuition still play significant role.
And -- it is one area where techniques and standards are still being developed at a significant pace.
Most software development today is 98% boilerplate and copies of stuff somebody else did.
Engineers translate functional specifications into code based on established design patterns.
There are some basic calculations to ensure good response times and scalability.
Software testers typically create test plans from the same set of functional specs that the engineers use.
They simply validate that everything that is supposed to happen, happens.
Then they might run some performance tests -- but only if management budgeted for a test environment for suitable for performance testing.
Then they stop.
Inevitably -- bugs appear in areas that no one ever expected.
Those are fixed later -- and regression tests are added to the test plan.
But -- almost NO ONE EVER LOOKS FOR THOSE "UNEXPECTED" BUGS -- before software is put into production.
Why ?
Because engineers hate the unexpected and don't typically know how to deal with it.
Micro-managed companies following strict Six Sigma processes (like Toyota) don't know how to create a time and resource budget for a "hunt for the unexpected".
The QAI (Quality Assurance Institute) doesn't help either.
They are run by a bunch of engineers obsessed with a desire to precisely measure and quantify every aspect of software testing.
Their techniques are useful, and largely valid -- but if they don't know HOW to quantify something -- they IGNORE it.
Just ask any CSTE -- "How do you test for race conditions" ?
There is no established technique for this, so the QAI simply IGNORES the issue.
There is no mention of race conditions in the CSTE's CBOK (Certified Body of Knowledge).
I used to work for one the the world's top software QA "gurus" and I once asked him how we test for race conditions -- the answer was --
"we don't, because we don't know how to do it".
Despite this -- intermittent race condition bugs account for a huge portion of real-world bugs !
As programmers make more use of multi-core CPUs and GPUS -- race condition bugs are getting to be more and more common.
And yet -- testing for race conditions and testing for "the unexpected" IS actually possible -- it just
A Most Unusual Bug Indeed by Stormy+Dragon · 2010-03-13 09:46 · Score: 2, Interesting

The Times also helpfully provides a list of all the people who have died in "sudden acceleration" accidents involving Toyotas:
Toyotas, deaths and sudden acceleration
If you look through the list at the ages mentioned, one begins to notice a rather odd pattern: 18, 21, 32, 34, 44, 45, 47, 56, 57, 58, 60, 61, 63, 66, 68, 72, 72, 77, 79, 83, 85, 89
This is a most peculiar bug indeed in that it seems occur primarily when the driver is elderly. Or perhaps, as with previous "sudden acceleration" scares, this will ultimately turn out to be the result of people slamming on the gas when they menat to slam on the brake and then trying to blame the car for their error.