Slashdot Mirror

← Back to Stories (view on slashdot.org)

Toyota Acceleration and Embedded System Bugs

Posted by Soulskill on from the bugs-that-lead-to-crashes dept.

An anonymous reader writes "David Cummings, a programmer who worked on the Mars Pathfinder project, has written an interesting editorial in the L.A. Times encouraging Toyota to drop claims of software infallibility in their recent acceleration problems. He argues that embedded systems developers must program more defensively, and that companies should stop relying on software for safety. Quoting: 'If Toyota has indeed tested its software as thoroughly as it says without finding any bugs, my response is simple: Keep trying. Find new ways to instrument the software, and come up with more creative tests. The odds are that there are still bugs in the code, which may or may not be related to unintended acceleration. Until these bugs are identified, how can you be certain they are not related to sudden acceleration?'"

51 of 499 comments (clear)

  1. Toyota: by dushkin · · Score: 5, Funny

    Always going forward.

    --
    o hai
    1. Re:Toyota: by mpe · · Score: 4, Insightful

      And even more important - the bug may be a combination of software and hardware. Just ask what may happen if the code suddenly jumps to the wrong address. Do they use ECC memories in the electronics? What about a voltage spike? Driver has wrong socks/pants causing a spark that jumps to the OBD-II connector and messes up the CAN bus?

      Other questions would be "What kind of transducer is measuring the input?"; "How many transducers are there?" and "What output do you get in the case of a failure?"
      Note that there are applications where an unknown throttle setting resulting in full power being applied is the right thing to do. Maybe Toyota through they were building a light aircraft rather than a car...

    2. Re:Toyota: by flappinbooger · · Score: 3, Funny

      Maybe they need to deploy g-locked memory, it's in a car after all. Too many jolts and bumps and it gets the bits all jostled up! Think of the children!

      --
      Flappinbooger isn't my real name
  2. Impossible to test by Darkness404 · · Score: 4, Informative

    Most software is nearly -impossible- to test under flawless conditions. Especially embedded systems with small amounts of CPU power and memory.

    Plus, all this hype around these Toyota acceleration problems is just that, hype.

    --
    Taxation is legalized theft, no more, no less.
    1. Re:Impossible to test by Anonymous Coward · · Score: 5, Insightful

      Right, just hype. Except for those families were killed by the Toyota acceleration problems.

    2. Re:Impossible to test by DeadPixels · · Score: 4, Insightful

      By and large, it would seem that Toyota should probably be looking for exceptional conditions rather than typical ones. Correct me if I'm wrong, but if a relatively small number of vehicles have actually exhibited the acceleration issue, it would seem like any bugs related to that would be in conditions that may not occur very often during typical driving. Seems to me that "outlier" cases or unusual methods of testing would be the best way to start; testing with typical driving conditions might not show anything.

    3. Re:Impossible to test by Darkness404 · · Score: 5, Informative

      ...And if you look at the facts, you can see that all of the symptoms could easily be caused by driver error. Look at this http://www.nytimes.com/2010/03/11/opinion/11schmidt.html?scp=1&sq=driver%20error&st=cse (currently the page doesn't need registration, your results may change in the coming days/hours).

      --
      Taxation is legalized theft, no more, no less.
    4. Re:Impossible to test by WrongSizeGlass · · Score: 4, Interesting

      Exactly. Even a minor revision in a FPGA could result in unforeseen consequences. Who knows, maybe a chip manufacture failed to document a very small change to a product line (or had a typo in the docs). The problem may not be in Toyota's code, just in their cars.

    5. Re:Impossible to test by The+End+Of+Days · · Score: 5, Insightful

      "Unacceptable" is strong. Sad, yes, but this is real life. There is no such thing as zero risk. Taking the attitude that it is somehow achievable despite the utter impossibility is something that makes for a good trial lawyer but a terrible human.

    6. Re:Impossible to test by zappepcs · · Score: 5, Interesting

      There are a couple of things that should be mentioned here. NASA has shown what it takes to make very small, very good code. Sure, they too have failures, but 'nearly' bug free code is quite expensive. Second, writing code is not quite like trying to create a hand crafted dashboard, if the dashboard fades, no one dies. Embedded software is quite a different beast from your normal desktop applications. When you add motion control and interaction with the code, it difference between them gets even more complex. Software in vehicles should be two things:

      Open - let lots of folk see what could be wrong
      Audited - audited to meet specific standards of safety and operation. Not quite the self-defeating government regulations, but more of a case by case issue: if the software has control or input to the control mechanism for the engine, braking system, suspension etc. it must meet minimum standard testing requirements. Any action that _could_ arbitrarily apply mechanical action must be tested and controlled beyond all reasonable testing/doubt. Everything should be tested, down to a pet chewing on the control cable harness.

      Consumers are encouraged to think the vehicles they buy are safe and require no special knowledge of engineering or mechanics to operate. As long as they are given to think that, then passenger vehicles should be made to be just this way.

      The problem for Toyota now is multifaceted. One, they have a PR shitstorm to deal with. Two, there is a dollar effect of this problem. Three, it's now on the shoulders of Toyota to get this part right for the rest of the passenger vehicle making industry.

      It's possible that they might walk away from this fire with only minor long term burns and the reputation for building the safest vehicles. BUT, reading the article of this post and paying attention while doing so is necessary... IMO

      --
      Support NYCountryLawyer RIAA vs People
    7. Re:Impossible to test by causality · · Score: 4, Insightful

      [Some action] doesn't do you any good, so stop it.

      Since when did that ever prevent anyone from doing anything? You must have us confused with some society that generally considers the full implications and long-term repercussions of our decisions...

      --
      It is a miracle that curiosity survives formal education. - Einstein
    8. Re:Impossible to test by cynyr · · Score: 3, Interesting

      I'm still failing to see how the cars got locked in gear? every car i have driven has allowed the driver to shift the car into neutral regardless of everything else. This is both in automatics and definitely in my manual transmission cars(does anyone make a drive by wire clutch, outside of performance/race cars?) I fail to see why this is a huge issue that needs to be solved in the next 10 minutes and be 100%? how is a sticky peddle (software or otherwise) any different from the throttle body getting stuck in the wide open position? what would these people do in that case? The handling after the problem occurs seems to be 100% driver error. TBH the first that that would happen if my car started doing that would be for me to press on the clutch, regardless of it not having one or not, thats a very hard habit to break after driving manuals(not this behavior in an auto usually results in the the break being depressed all the way to the floor). After that i'd put it in neutral and then use the break to slow down and pull over. somewhere in there i'd hopefully get the 4 ways on, but thats a long long way down the list of things that would happen.

      The "PR shitstorm" is way way over-hyped, it would be simple for the news to simply state "Toyota has confirmed an issue effecting the engine speed controls, and have issued a recall. If this happens to you while driving Toyota advises drivers to shift the car into neutral and engage the 4 ways and pull over in a safe location. If your car has a push button start be aware that you will need to hold it down for up to 5 seconds to shut down the engine." The fact that some people have died as a result of poor driving ability is no different than every fall here when it snows and some dumb person forgets that snow is slippery, a terrible thing to have happen, but usually 100% their fault.

      I think the driving tests in this country need to be much more rigorous. They should be done in an unfamiliar car, setup for simulating things like sudden loss of engine power, loss of 90% of the breaks, etc. There should also then be a road test(with other real cars if the closed course goes well.) to see how the driver can handle the conditions of real driving. Places with snow/ice need to have some driving on a slippery surface(rear wheels that can be allowed to rotate would work.) This sort of testing should be repeated every 3-5 years, to ensure that drivers maintain a certain level of driving skill. There needs to also be a raw reflexes/object tracking with a fairly high level of skill needed, anything below a certain level will see that you fail your driving exam. Fines for driving without a license should be steep and the test facilities need to be open at least 2 shifts of the day, if not 2.5 shifts.

      --
      All of the above was encrypted with a Quad ROT-13 method. Unauthorized decryption is in violation of the DMCA.
    9. Re:Impossible to test by Loconut1389 · · Score: 5, Informative

      Indeed. I've done some embedded work myself. I wrote a power supply controller that used DACs to trim the voltage using some analog control ports on the DC to DC converter modules- it also monitored the PowerGood lines on the DC:DC's and linears and was programmed to shut down if one deasserted without a prior command telling it to do so. It had an I2C control network that could request status of bunch of aspects of the board including temperature, voltages, etc. Not wanting to risk blowing out a $10k FPGA with a $4.00 MCU, we had test boards with no FPGA on and some with cheaper FPGAs, and I also had a dev kit with the board on it hooked to a logic analyzer so we could emulate all sorts different scenarios and hopefully protect the FPGAs. Ultimately, a few problems emerged. With a particular combination of testing apparatus and polling rate, the I2C would receive interference and miss or corrupt some data. It was almost impossible to replicate reliably. This in turn exposed an oversight/bug where because of the skipped (as far as the power supply MCU was concerned) bytes, the wrong DAC values were being written, overvolting or undervolting the supplies- but it really only surfaced on the fully populated boards. This lead to a change in the I2C wiring/termination and a move to a keyed and transactional approach that required writing a key value to an address, writing the new data, then optionally reading back the data again, and lastly writing another key to a different address to either commit or roll back. Point is exactly what the parent said, it's very difficult to test some of these things because the problems may be an unusual chain of events or due to very specific circumstance in what's hooked to what and how much power is being drawn in the circuit at the time, etc.

      The other portions of the code that performed monitoring and emergency shutdown caught the overvoltages very quickly and shutdown the FPGA in the span of a couple clocks. In the end we only lost one board, and it was due to ESD despite using proper handling techniques and equipment.

    10. Re:Impossible to test by b4dc0d3r · · Score: 4, Insightful

      "Toyota Knew About Sticking Pedals In Europe A Year Before U.S. Accidents"
      http://consumerist.com/2010/02/toyota-knew-about-sticking-pedals-in-europe-a-year-before-us-accidents.html

      "NEW YORK (CNNMoney.com) -- Toyota has known about brake problems in its popular Prius cars for some time, going so far as to fix it in new production vehicles, but has kept Prius drivers in the dark about the problem until the Japanese government called for an investigation."
      http://money.cnn.com/2010/02/04/autos/prius_timeline/index.htm

      "Toyota says it knew there were problems with accelerator-pedal assemblies from supplier CTS late last year, but not enough to warrant a recall."
      http://www.usatoday.com/money/autos/2010-01-25-toyotalong_st_N.htm

      Your opinion of its likelihood is not relevant. Not only is it likely, evidence points to it being true. You are being disingenuous by phrasing it "no economic gains to be had by killing your customers." A product has a flaw, people die, that happens sometimes. If you issue a recall, you draw attention to the problem and cost yourself money in lost sales, repair costs, and possible lawsuits. "Killing your customers" is a bit different from "hoping that driver error is the official cause, not faulty cars," and you deciding to phrase it that way is an appeal to emotion, not a logical argument.

      You can say we're just arguing semantics, but you're going to have to back up your unlikely opinion with links to convince me.

    11. Re:Impossible to test by The+End+Of+Days · · Score: 3, Insightful

      The articles you linked indicate that Toyota has attempted a number of different fixes for what it believed were several separate acceleration related issues. I don't have to find links to make my case, you made it for me.

    12. Re:Impossible to test by DarkOx · · Score: 4, Insightful

      The is a component of moral empowerment though, you have to consider. Most people are more willing to accept risk if they control the situation, even if the risk is greater. Other people are more accepting of an inherent justice of in the results when something bad happens to someone else who they feel was in control of the situation than when they were not.

      Consider on a per person per mile of travel basis a drunk "walker" is more likely to cause a traffic related fatality than a drunk driver. They do things like stumble off sidewalks into traffic, misjudge the rate of on cumming traffic and run out into busy highways, sit an take a rests on unlit rural roads and more. Still we vilify the drunk driver because when they cause a traffic fatality chances are they are not the individual contributing to the statistic, where as with the walkers they are usually the one killed.

      If we really minimizing risk we would be more condemning of drunk walking than driving because someone is more likely to die. We don't operate that way though, we don't think that way. Many people would take a friends keys, few would forcibly restrain them if they could not be convinced to stay a little longer and sober up, even though that friend would be safer behind the wheel.

      The same thing applies, most of us would be more willing to accept our loved one died because they were not able to control a set of mechanical and hydrolic linkages correctly and quickly enough to avoid and auto accident than we are when a software system fails to do the same, even though the later was far less likely.

      I am not saying that makes sense in moral terms, statistical terms, or anything. In fact the more objectively you look at it the less sense it makes to not use drive by wire and computerized systems but "we" still don't "feel" that way about it.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    13. Re:Impossible to test by AigariusDebian · · Score: 4, Informative

      If a driver dials 911 on his cell phone before even trying to put the car in Neutral, then yeah - it is a driver error.

      (The last case on the news - a driver called 911 on his cell phone because his car was accelerating out of control. When prompted by the operator if he had tried putting the car in Neutral, he said no and even refused to do so when ordered to do it by the operator.)

    14. Re:Impossible to test by Gordonjcp · · Score: 5, Informative

      Every production car on the road has sufficient braking power to stall the engine in any gear at any throttle setting. Put your foot on the brake, and the car will stop. You may need new discs and pads after that.

    15. Re:Impossible to test by dbug78 · · Score: 3, Informative

      Here's Mike Allen of Popular Mechanics demonstrating what happens when you shift an automatic Camry into neutral with the gas pedal floored.

      http://www.youtube.com/watch?v=NOMYjiCiTYg

      It doesn't, in fact, prevent you from shifting to neutral as you can tell by the sound of the engine butting heads with the rev-limiter.

    16. Re:Impossible to test by RAMMS+EIN · · Score: 3, Funny

      ``In exceptional conditions I would certainly include what the driver is wearing.''

      I can see it now. Recall those drivers who called 911 when their vehicle accelerated out of control?

      Driver: Help! My car is accelerating out of control!
      911-person: What are you wearing?

      --
      Please correct me if I got my facts wrong.
    17. Re:Impossible to test by konaforever · · Score: 4, Informative

      Automatic trannies in these cars use the shifter as advice only. If shifted into neutral at speed, the engine would spin out, which is very damaging..

      It doesn't seem you know much about cars. First of all, "spin out" isn't an automotive term. And 2nd, what do you mean by "spin out"? Modern cars have a rpm limiter which limits the RPM of the engine to some preset RPM limit. Have you ever driving a manual and hit the RPM limiter? It'll cut power to the engine. Same thing with neutral. An engine will not be damaged if you gas it in neutral, even to the RPM limit.

    18. Re:Impossible to test by Animaether · · Score: 3, Informative

      You're one of those types that hit a wikipedia page, see some claimed fact without attribution, slap a [citation needed] on it, and then bugger off, aren't you?

      You could just hit a search engine with some key words to see if you can find any corroborating source(s), of course:
      http://news.google.com/news?q=toyota%20911%20neutral

      Oh hey, look at that.

      uring the 911 call, the operator urged Mr. Sikes to shift the car into neutral. He later said he was afraid doing so might cause the car to "flip" or shift into reverse.

      - http://online.wsj.com/article/SB10001424052748704734304575120001542947616.html?mod=googlenews_wsj

    19. Re:Impossible to test by dokebi · · Score: 3, Interesting

      You do realize that Prius's gear level is just a joystick, right? There is nothing mechanically connected, which means that if the computer is confused, then _there is nothing the driver can do_, except stomp on the breaks.

      Actually there is. The car turns itself off if you hold the power button for 3 seconds. But in a panic situation, a person would most likely press the button repeatedly, instead of holding it steady for 3 long seconds. Other manufactures turn off on rapid button press in a short time, instead, which seems better.

      --
      In Soviet Russia, articles before post read *you*!
    20. Re:Impossible to test by toddestan · · Score: 3, Insightful

      Judging by how the power button appears to work in the Prius, I would guess all that it does is tell the computer to shut down the engine. It's not like a typical car where the turning the key to Acc or off would cut the power to several critical systems. So if the computer is messed up to the point where the gear shift selector is not working, I wouldn't count on the power button to help you either.

    21. Re:Impossible to test by FleaPlus · · Score: 4, Interesting

      (The last case on the news - a driver called 911 on his cell phone because his car was accelerating out of control. When prompted by the operator if he had tried putting the car in Neutral, he said no and even refused to do so when ordered to do it by the operator.)

      It's starting to look increasingly likely that this latest case was a hoax:

      http://en.wikipedia.org/wiki/Toyota_Prius#Brake_fix_and_acceleration

      On March 8, 2010, a 2008 Prius allegedly uncontrollably accelerated to 94 miles per hour on a California Highway (US), and the Prius had to be stopped with the verbal assistance of the California Highway Patrol as news cameras watched [86]. Subsequent to the event, media investigations uncovered suspicious information about the alleged runaway Prius driver, 61-year old James Sikes, including false police reports, suspect insurance claims, theft and fraud allegations, television aspirations, and bankruptcy.[87][88] Sikes was found to be US$19,000 behind in his Prius car payments and had $US700,000 in accumulated debt.[87] Sikes stated he wanted a new car as compensation for the incident.[87][89] Analyses by Edmunds.com and Forbes found Sikes' acceleration claims and fears of shifting to neutral implausible, with Edmunds concluding that "in other words, this is BS",[90] and Forbes comparing it to the balloon boy hoax.[88]

    22. Re:Impossible to test by arkenian · · Score: 3, Informative

      Except that drive-by-wire systems have absolutely no possibility of making the operation of the car safer (more efficient, sure, but that's it) and many many ways in which to make it less safe, so you're wrong about it making more sense to use drive-by-wire. I can't figure out what you're thinking with that statement.

      That's flat-out not true. Traction Control and brakes and power synchronizing together (which is a lot of what drive-by-wire DOES) absolutely, in most cases, makes the average driver safer. Personally, I'm inclined to think that as drive-by-wire improves (until eventually, hopefully, the really dangerous part (i.e. the driver) will go away), we will in general progress to fewer accidents per car-mile but, unfortunately, far more catastrophic ones.

  3. Infallible fail. by jeckled · · Score: 5, Insightful

    Drive by wire is great and all, but I'd feel much better with a physical fail-safe than their "infallible" software. I am aware of the physical remedies for the issue, but I'd like to see the brake pedal override the accelerator.

    1. Re:Infallible fail. by shrimppesto · · Score: 4, Informative

      i'd feel much better with drivers who know they should pop the car into NEUTRAL if it starts accelerating out of control for any reason, rather than trying to stand on the brake pedals while dialing 911 ...

    2. Re:Infallible fail. by timeOday · · Score: 3, Informative
      You could be referring specifically to last week's incident, which I found fishy from the start:

      Skeptics of Sikes also cite the 911 tape that was released shortly after the incident. During the tape, the dispatcher repeatedly told Sikes to put the car in neutral in order to stop it from accelerating. Sikes did not comply with her instructions or the instructions of the officer on the scene who told him to do the same thing via his public address system as they tore down the highway.... Sikes claimed he thought that would "flip the car."

      Beyond the call itself, the Associated Press reports that Sikes's car was equipped with a brake override system, something that should have slowed the car down once he stomped on the brake pedal.

  4. Another interesting statistic by homer_s · · Score: 5, Interesting
    From here :

    In the 24 cases where driver age was reported or readily inferred, the drivers included those of the ages 60, 61, 63, 66, 68, 71, 72, 72, 77, 79, 83, 85, 89—and I’m leaving out the son whose age wasn’t identified, but whose 94-year-old father died as a passenger.

    These “electronic defects” apparently discriminate against the elderly, just as the sudden acceleration of Audis and GM autos did before them. (If computers are going to discriminate against anyone, they should be picking on the young, who are more likely to take up arms against the rise of the machines and future Terminators).

    Some more data here

    1. Re:Another interesting statistic by maxume · · Score: 4, Insightful

      Be careful to note that the 24 cases discussed there are only the ones that have led to serious incidents.

      --
      Nerd rage is the funniest rage.
    2. Re:Another interesting statistic by WrongSizeGlass · · Score: 3, Funny

      Now, come on. We can't blame age for this. I plan to be that old one day ... as long as I don't buy a Toyota, that is.

    3. Re:Another interesting statistic by maxume · · Score: 5, Informative

      To me it suggests that older drivers are having more difficulty coping with the situation once it arises.

      Forbes says that the guy who got himself plastered all over cable last week was 'afraid' to put the vehicle into neutral, or to turn off the engine:

      http://www.forbes.com/2010/03/12/toyota-autos-hoax-media-opinions-contributors-michael-fumento.html?boxes=financechannelforbes

      (They link the 911 recording:

      http://www.thetruthaboutcars.com/the-jim-sikes-911-call-23-minutes-of-unintended-acceleration/

      )

      So apparently being an idiot is also a likely factor in the failing to cope with the incident before it becomes lethal.

      But they key observation is that the higher number of fatalities among older drivers doesn't really point to the source of the problem being driver error (rather, the driver error is in failing to deal with the situation once it arises).

      --
      Nerd rage is the funniest rage.
    4. Re:Another interesting statistic by causality · · Score: 4, Insightful

      To me it suggests that older drivers are having more difficulty coping with the situation once it arises.

      Forbes says that the guy who got himself plastered all over cable last week was 'afraid' to put the vehicle into neutral, or to turn off the engine:

      That part is strange. Uncontrolled acceleration is a much greater risk to life and limb than the red-lined/blown engine you might get if it were put into neutral with the throttle wide open. Being "afraid to try neutral" makes no sense.

      They link the 911 recording

      Just an irrelevant side note: I've always found it low-class and tacky that phone calls made to 911 become publically available, especially when you hear them on the news. The message is, "hey sir or madam, remember that moment when you were highly emotional and had no idea if you were going to live or die? Well, we've got great news! That highly personal moment of reflection on your own mortality is now a public spectacle for millions of people! It's okay, we make a profit from this! No we won't share that profit with you..."

      I realize it's a government service funded by taxpayer dollars. That explains how this is possible. It fails to explain how this is the best or most honorable thing to do.

      So apparently being an idiot is also a likely factor in the failing to cope with the incident before it becomes lethal.

      That part generally shouldn't be a surprise. I'd imagine it also helps if you can keep calm and avoid panicking, as panicky people often fail at things they could do easily if they were not in a state of deer-in-headlights fear.

      But they key observation is that the higher number of fatalities among older drivers doesn't really point to the source of the problem being driver error (rather, the driver error is in failing to deal with the situation once it arises).

      Nor does it explain why older drivers were disproportionately affected. Possibly the Toyota brand is more popular among older drivers because it historically has retained a decent resale value. While nothing the driver does should ever cause this kind of uncontrollable automatic acceleration, perhaps older drivers tend to have habits that somehow manifest whatever the actual underlying problem is. There are a lot of coincidences and correlations being pointed out in this discussion but unfortunately there seems to be little certainty about whether they are more than that.

      --
      It is a miracle that curiosity survives formal education. - Einstein
  5. Testing. by Ihlosi · · Score: 4, Insightful

    Testing only confirms the absence of known bugs. Never forget that.

  6. Logic of Testing by Renegade+Lisp · · Score: 4, Insightful

    David Cummings does seem to know what he's talking about, but as it is written, there is some strange logic in the article.

    If Toyota has indeed tested its software as thoroughly as it says without finding any bugs, my response is simple: Keep trying.

    Testing cannot prove the absence of bugs, only their presence. There are two things that do not follow from this:

    • If you don't find any bugs, then your software doesn't have any.
    • If you don't find any bugs, then there must be some left in your software.

    It sounds to me as if Toyota is saying the former, while Cummings says the latter. Neither is a correct conclusion.

    1. Re:Logic of Testing by marcansoft · · Score: 4, Insightful

      Given practical software engineering conditions though, a) is highly unlikely while b) is highly likely.

    2. Re:Logic of Testing by Renegade+Lisp · · Score: 3, Insightful

      I'll grant you that, but what I don't understand is this:

      If you test, and do find some bugs, does that allow you to put any more trust in your software than if you tested and didn't find any?

  7. Boeing versus Airbus by goombah99 · · Score: 5, Insightful

    I'm loving this conversation here because I've gotten crucified in slashdot before for making simmilar comments to the whole thread here. I grew up in a family of top managers of Boeing systems engineers. They hated computers. My dad never even learned how to turn one on. He hired other monkey to use the computers. As A child I was regailed with wonderful stories of every hard lesson in safety my dad had learned over his lifetime. He loved world war II because they got to use cutting edge designs for balls out performance yet at the same time learned how to make things reliable by disecting the accident. He would tell me about the accident that taught them that the engine pumps need to be at full speed but flow stalled on take off so that there's no lag when you hot swap after a pump fails. He told me of the accident where they learned not to route 100% of the control system wiring through any one junction box. etc...

    Probably because of all these hard won lessons boeing for years insisted on fully mechanical or hydraulic flight surface controls. Whereas Airbus and other jumped on the fly-by-wire concept early. My dad would spit after hearing some youg person tout all the advantages of fly by wire. He knew them perfectly well. He was big on accepting new innovations to reduce fuel costs and increas performance. He was not a luddite. But he had a safety background that told him these electonic systems were hard as hell to validate and hard as hell to make truly independent from each other.

    For example they often used triple redundant computers and if one of them disagreed the other two would vote it off the island and stop listening to it. From what I've read it's now suspected that the latest airbus crash in the pacific had one of it's root problem in the voting nexus where a superior computer over ruled a more primitive safety system.

    While we all know that computer software validation is hard if not impossible. It's not something we readily admit here on slash dot. It's because for years people like my dad would throttle the innovations the computer engineeers wanted to implement. I think as a result there became this culture of computer engineers that presented the case that embedded computing could be made safer than it really could be to offset that.

    So now we come full circle and have to admit there is this middle ground. Just because a computer can improve perfromance does not mean it's reliable and safe. The old guys had a point after all when it came to safety.

    Next week I'll tell you about how the ancient shocking lesson of the British Commet aluminum aircraft wings falling off led to the unanticipated discovery of metal fatigue and probably was the reason Boeing was slow to move to composite materials in commercial aircraft (but not in military aircraft). In hind sight we have heard of many tales of the composite tails of plane falling off as the reason for the loss of control before a crash. Conversely, composite wings on UAVs allow them to absorb a lot of bullet holes with no loss of control and to operate under higher perfromance conditions.

    The point is that safety and performance are trade offs when both are pushed to the limit. The old guys know a lot more about safety than you might expect. The young guys are all about performance.

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:Boeing versus Airbus by roman_mir · · Score: 5, Interesting

      A year ago I was watching one of Discovery programs I think and they had a couple of guys who supposedly implemented a piece of software, that would allow an airplane to fly and land safely if for some reason, while in the air, the tale would brake off or rudder would just stop working. They relied on a fly by wire airplane of-course and controlled the yaw with all other surfaces by applying very slight changes to the motion. They were saying a human could do this if extremely lucky, but software was able to do it almost always.

      Just something to think about.

      --
      You can't handle the truth.
    2. Re:Boeing versus Airbus by MartinSchou · · Score: 4, Insightful

      I'm pretty sure that the tail of an airplane falling off is an unanticipated scenario that humans cannot deal with either ;)

    3. Re:Boeing versus Airbus by timeOday · · Score: 4, Insightful

      You make it sound as computers killed a golden era of safe engineering, as if perhaps we should go back. Let's keep some perspective here. Were cars back then simple, predictable, and solid? Perhaps. They were also death traps. How do the deaths with a suspected link to throttle software stack up statistically to those saved by anti-lock brakes? How does Toyota safety - on any model you choose - stack up to the competition when measured in deaths per millions of miles? I doubt this problem is even enough to appear in those big-picture statistics.

    4. Re:Boeing versus Airbus by DerekLyons · · Score: 4, Informative

      Next week I'll tell you about how the ancient shocking lesson of the British Commet aluminum aircraft wings falling off led to the unanticipated discovery of metal fatigue and probably was the reason Boeing was slow to move to composite materials in commercial aircraft (but not in military aircraft).

      This one comment makes me wonder about the veracity of the balance of your account.

      1. Metal fatigue was known about long before the Comet took wing in 1949.
      2. The fatigue cracks on the Comet's occurred at skin penetrations (windows and hatches).

      In hind sight we have heard of many tales of the composite tails of plane falling off as the reason for the loss of control before a crash.

      Then there is crunchy bit of FUD, which fails to mention that more than a few of those accidents are also associated with extreme control surface movements (inducing extreme stresses) prior to the failure.

    5. Re:Boeing versus Airbus by DerekLyons · · Score: 3, Insightful

      Derek, as you might have noticed I was keeping it short on the comet disaster.

      One can be short without being wrong. You were both short *and* wrong.
       

      The people who built the Comet we no dummies so clearly they discovered a scaling issue in metal no one had encountered before nor new how to design for at that time.

      No, actually they discovered (as is widely documented in aviation histories) that they failed to correctly account for the stresses caused by multiple pressurization and depressurization cycles. They knew perfectly well how to design for metal fatigue, but lacked information on how that fatigue would manifest itself.
       

      The point I was making was that just because you can't foresee a problem in something new does not mean you cant anticipate there might be problems you can't foresee. The switch to composites opened up the same sort of issues that the comet did.

      I merely pointed out how you have the story wrong, not that your point was false.

  8. Re:I agree on non-software fail-safes by WrongSizeGlass · · Score: 3, Funny

    They should just implement a huge red panic button to shut everything off :)

    They could even buy them at Staples. Need to stop your out of control Toyota? That's easy.

  9. Re:I agree on non-software fail-safes by KarmaMB84 · · Score: 4, Insightful

    Unfortunately the update assumes the computer will actually respond to the brake being pressed or any input for that matter. Toyota doesn't know for certain what is causing all of these sudden acceleration problems in which fiddling with the gas pedal, brake and even putting the vehicle in neutral won't stop the vehicle. The software update, while a sensible modification that should've been in the software all along, is sort of a hail mary toward preventing any new cases in updated vehicles.

  10. Re:Help me benefit from media hype by John+Hasler · · Score: 3, Informative

    > And I know how to hit the brakes...

    With the engine past the redline there is very little vacuum to operate the power brakes. Without power assist the brakes may not be able to overcome the engine (this is, IMHO, a fundamental design defect).

    > ...shift into neutral...

    The computer may not let you do that with the car moving and the engine at high rpm. After all, the engine and/or transmission might be damaged (another design defect).

    > ...and/or turn off the key...

    Some of these vehicles don't have keys: just a radio remote. The emergency shutdown procedure is to hold a button down for three seconds (another design defect).

    --
    Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
  11. Other lessons from Boeing by Beryllium+Sphere(tm) · · Score: 4, Interesting

    I worked on an embedded flight system there, and deeply respected people like your dad.

    Boeing works under the eye of a certification authority who has to approve the safety of a design including, at least in the system I worked on, human factors. If there's anything comparable for cars, I haven't heard of it.

    Boeing would not have made a pilot have to guess at how to turn an engine off (people with older cars, it's no longer a matter of turning a key).

    Inputs were checked for consistency and validity. The specs would have anticipated what to do if the accelerator and brake were both full on at the same time.

    There was a culture of worst-case planning and redundancy.

    Also, if Boeing built a car, it would have a flight data recorder which investigators could examine and say for example "Looks like both(*) potentiometers on the accelerator went hard over at the same time, so we go look on the branches of the fault tree where there's a common-mode failure in the potentiometers or the pedal is down due to mechanical or pilot error".

    (*) If I remember correctly from my obsessive pre-purchase research on Priuses, there are two separate sensors for accelerator position.

  12. Speaking as an embedded programmer here... by dbc · · Score: 3, Interesting

    ... why does everyone assume it is a software bug? I agree that it very well could be an undiscovered software bug. But there are so many more sources of erroneous behavior in an embedded system that *even* *if* the software were flawless (ummm... just go with me a minute... :) an automotive environment can cause all manner of strange glitches. I work with robots, lots of DC motors causing commutation noise on the power supply, long (several inch) distances between units that must talk to each other and therefore may have a different opinion as to ground reference voltage... many things can get wacky. Even flawless code needs a watchdog timer to get you out of weird states that power glitches that put you into. Power supply spikes can cause the program counter to jump to very odd places, with odd, corrupted stuff in RAM. Ground level shifting can cause communication glitches. CAN bus is *extremely* robust, so bad data should not get through... but what does get through? Does the system as a whole get into a weird state if packets drop?

  13. Re:Help me benefit from media hype by NewtonsLaw · · Score: 3, Informative

    > With the engine past the redline there is very little vacuum to operate the power brakes. Without power assist the brakes may not be able to overcome the engine

    apparently not true

  14. Re:From the days of "winmodems" by DerekLyons · · Score: 3, Insightful

    I've said time and time again, "Never replace hardware with software" because
    something dedicated to the task will always work better, or be less failure
    prone (more often than not).

    On the flip side, the USN replaced complicated and heavy hardware analog computing systems for [SSBN] missile guidance systems with software running on a digital computer, and MTBF went through the roof and maintenance man hours and MTTR through the floor. The same thing happened when they replaced the analog torpedo fire controls with digital ones. The same thing happened again when the hovering system controls were upgraded to digital.
     
    Now, before you claim that is a limited set of examples, I invite you to consider the millions of incident free flight hours accumulated by fly-by-wire aircraft. Or the replacement of DIP switches in PC's with software configuration. Etc... Etc...