Slashdot Mirror


Toyota Acceleration and Embedded System Bugs

An anonymous reader writes "David Cummings, a programmer who worked on the Mars Pathfinder project, has written an interesting editorial in the L.A. Times encouraging Toyota to drop claims of software infallibility in their recent acceleration problems. He argues that embedded systems developers must program more defensively, and that companies should stop relying on software for safety. Quoting: 'If Toyota has indeed tested its software as thoroughly as it says without finding any bugs, my response is simple: Keep trying. Find new ways to instrument the software, and come up with more creative tests. The odds are that there are still bugs in the code, which may or may not be related to unintended acceleration. Until these bugs are identified, how can you be certain they are not related to sudden acceleration?'"

33 of 499 comments

  1. Toyota: by dushkin · · Score: 5, Funny

    Always going forward.

    --
    o hai
    1. Re:Toyota: by mpe · · Score: 4, Insightful

      And even more important - the bug may be a combination of software and hardware. Just ask what may happen if the code suddenly jumps to the wrong address. Do they use ECC memories in the electronics? What about a voltage spike? Driver has wrong socks/pants causing a spark that jumps to the OBD-II connector and messes up the CAN bus?

      Other questions would be "What kind of transducer is measuring the input?"; "How many transducers are there?" and "What output do you get in the case of a failure?"
      Note that there are applications where an unknown throttle setting resulting in full power being applied is the right thing to do. Maybe Toyota thought they were building a light aircraft rather than a car...

  2. Impossible to test by Darkness404 · · Score: 4, Informative

    Most software is nearly -impossible- to test under flawless conditions. Especially embedded systems with small amounts of CPU power and memory.

    Plus, all this hype around these Toyota acceleration problems is just that, hype.

    --
    Taxation is legalized theft, no more, no less.
    1. Re:Impossible to test by Anonymous Coward · · Score: 5, Insightful

      Right, just hype. Except for those families who were killed by the Toyota acceleration problems.

    2. Re:Impossible to test by DeadPixels · · Score: 4, Insightful

      By and large, it would seem that Toyota should probably be looking for exceptional conditions rather than typical ones. Correct me if I'm wrong, but if a relatively small number of vehicles have actually exhibited the acceleration issue, it would seem like any bugs related to that would be in conditions that may not occur very often during typical driving. Seems to me that "outlier" cases or unusual methods of testing would be the best way to start; testing with typical driving conditions might not show anything.

    3. Re:Impossible to test by Darkness404 · · Score: 5, Informative

      ...And if you look at the facts, you can see that all of the symptoms could easily be caused by driver error. Look at this http://www.nytimes.com/2010/03/11/opinion/11schmidt.html?scp=1&sq=driver%20error&st=cse (currently the page doesn't need registration, your results may change in the coming days/hours).

      --
      Taxation is legalized theft, no more, no less.
    4. Re:Impossible to test by WrongSizeGlass · · Score: 4, Interesting

      Exactly. Even a minor revision in a FPGA could result in unforeseen consequences. Who knows, maybe a chip manufacturer failed to document a very small change to a product line (or had a typo in the docs). The problem may not be in Toyota's code, just in their cars.

    5. Re:Impossible to test by The+End+Of+Days · · Score: 5, Insightful

      "Unacceptable" is strong. Sad, yes, but this is real life. There is no such thing as zero risk. Taking the attitude that it is somehow achievable despite the utter impossibility is something that makes for a good trial lawyer but a terrible human.

    6. Re:Impossible to test by zappepcs · · Score: 5, Interesting

      There are a couple of things that should be mentioned here. NASA has shown what it takes to make very small, very good code. Sure, they too have failures, but 'nearly' bug free code is quite expensive. Second, writing code is not quite like trying to create a hand crafted dashboard, if the dashboard fades, no one dies. Embedded software is quite a different beast from your normal desktop applications. When you add motion control and interaction with the code, the difference between them gets even more complex. Software in vehicles should be two things:

      Open - let lots of folk see what could be wrong
      Audited - audited to meet specific standards of safety and operation. Not quite the self-defeating government regulations, but more of a case by case issue: if the software has control or input to the control mechanism for the engine, braking system, suspension etc. it must meet minimum standard testing requirements. Any action that _could_ arbitrarily apply mechanical action must be tested and controlled beyond all reasonable testing/doubt. Everything should be tested, down to a pet chewing on the control cable harness.

      Consumers are encouraged to think the vehicles they buy are safe and require no special knowledge of engineering or mechanics to operate. As long as they are given to think that, then passenger vehicles should be made to be just this way.

      The problem for Toyota now is multifaceted. One, they have a PR shitstorm to deal with. Two, there is a dollar effect of this problem. Three, it's now on the shoulders of Toyota to get this part right for the rest of the passenger vehicle making industry.

      It's possible that they might walk away from this fire with only minor long term burns and the reputation for building the safest vehicles. BUT, reading the article of this post and paying attention while doing so is necessary... IMO

    7. Re:Impossible to test by causality · · Score: 4, Insightful

      [Some action] doesn't do you any good, so stop it.

      Since when did that ever prevent anyone from doing anything? You must have us confused with some society that generally considers the full implications and long-term repercussions of our decisions...

      --
      It is a miracle that curiosity survives formal education. - Einstein
    8. Re:Impossible to test by Loconut1389 · · Score: 5, Informative

      Indeed. I've done some embedded work myself. I wrote a power supply controller that used DACs to trim the voltage using some analog control ports on the DC to DC converter modules- it also monitored the PowerGood lines on the DC:DC's and linears and was programmed to shut down if one deasserted without a prior command telling it to do so. It had an I2C control network that could request status of a bunch of aspects of the board including temperature, voltages, etc. Not wanting to risk blowing out a $10k FPGA with a $4.00 MCU, we had test boards with no FPGA on and some with cheaper FPGAs, and I also had a dev kit with the board on it hooked to a logic analyzer so we could emulate all sorts of different scenarios and hopefully protect the FPGAs. Ultimately, a few problems emerged. With a particular combination of testing apparatus and polling rate, the I2C would receive interference and miss or corrupt some data. It was almost impossible to replicate reliably. This in turn exposed an oversight/bug where because of the skipped (as far as the power supply MCU was concerned) bytes, the wrong DAC values were being written, overvolting or undervolting the supplies- but it really only surfaced on the fully populated boards. This led to a change in the I2C wiring/termination and a move to a keyed and transactional approach that required writing a key value to an address, writing the new data, then optionally reading back the data again, and lastly writing another key to a different address to either commit or roll back. Point is exactly what the parent said, it's very difficult to test some of these things because the problems may be an unusual chain of events or due to very specific circumstance in what's hooked to what and how much power is being drawn in the circuit at the time, etc.

      The other portions of the code that performed monitoring and emergency shutdown caught the overvoltages very quickly and shut down the FPGA in the span of a couple clocks. In the end we only lost one board, and it was due to ESD despite using proper handling techniques and equipment.
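
The keyed, transactional register write that Loconut1389 describes (unlock key, new data, optional read-back, then a commit or roll-back key), as an added illustration in C rather than the poster's actual firmware; the register addresses, key bytes, DAC trim window and the replayed byte streams are all assumptions constructed for this example. It also replays the missed-byte fault the poster hit, so the old direct-write behaviour and the transactional one can be compared on the same traffic.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Register map, key bytes and legal trim window: assumed values for this
 * example, not the poster's real firmware. Codes outside [DAC_MIN, DAC_MAX]
 * would over- or under-volt the rail, so they are refused outright. */
#define REG_UNLOCK  0x00  /* write UNLOCK_KEY here to open a transaction */
#define REG_DAC     0x01  /* staging register for the new DAC code */
#define REG_COMMIT  0x02  /* COMMIT_KEY applies the code, ABORT_KEY discards it */
#define UNLOCK_KEY  0xA5
#define COMMIT_KEY  0x5A
#define ABORT_KEY   0xC3
#define DAC_MIN     0x40
#define DAC_MAX     0xC0

typedef enum { TXN_IDLE, TXN_UNLOCKED, TXN_STAGED } txn_state_t;
typedef struct {
    txn_state_t state;
    uint8_t staged;    /* pending code, not yet driving hardware */
    uint8_t live;      /* code actually applied to the DAC */
    unsigned rejected; /* bytes refused as out of order or out of range */
} dac_txn_t;

/* The DAC changes only at the end of a complete unlock -> stage -> commit
 * sequence. Every violation drops back to IDLE, so a misaligned byte stream
 * cannot resume a half-finished transaction. Returns true if accepted. */
bool dac_txn_write(dac_txn_t *t, uint8_t addr, uint8_t data)
{
    bool ok = false;
    switch (addr) {
    case REG_UNLOCK:
        ok = (t->state == TXN_IDLE && data == UNLOCK_KEY);
        t->state = ok ? TXN_UNLOCKED : TXN_IDLE;
        break;
    case REG_DAC:
        ok = (t->state == TXN_UNLOCKED && data >= DAC_MIN && data <= DAC_MAX);
        if (ok) t->staged = data;
        t->state = ok ? TXN_STAGED : TXN_IDLE;
        break;
    case REG_COMMIT:
        ok = (t->state == TXN_STAGED && (data == COMMIT_KEY || data == ABORT_KEY));
        if (ok && data == COMMIT_KEY) t->live = t->staged; /* only hardware write */
        t->state = TXN_IDLE;
        break;
    default: t->state = TXN_IDLE;  /* unknown register: treat as corruption */
    }
    if (!ok) t->rejected++;
    return ok;
}

/* Constructed host traffic that trims the rail from 0x80 to 0x90, then 0xA0,
 * in the old direct-write form and in the keyed transactional form. */
static const uint8_t naive_stream[] = { REG_DAC, 0x90, REG_DAC, 0xA0 };
static const uint8_t txn_stream[] = {
    REG_UNLOCK, UNLOCK_KEY, REG_DAC, 0x90, REG_COMMIT, COMMIT_KEY,
    REG_UNLOCK, UNLOCK_KEY, REG_DAC, 0xA0, REG_COMMIT, COMMIT_KEY,
};

/* Replays txn_stream as (addr, data) pairs with byte `drop` removed, the way
 * one missed I2C byte misaligns every later pair (drop >= 12 is a clean run). */
static dac_txn_t run_txn(size_t drop)
{
    dac_txn_t t = { TXN_IDLE, 0x80, 0x80, 0 };
    uint8_t buf[sizeof txn_stream];
    size_t n = 0;
    for (size_t i = 0; i < sizeof txn_stream; i++)
        if (i != drop) buf[n++] = txn_stream[i];
    for (size_t i = 0; i + 1 < n; i += 2)
        dac_txn_write(&t, buf[i], buf[i + 1]);
    return t;
}
uint8_t txn_live_after(size_t drop)      { return run_txn(drop).live; }
unsigned txn_rejected_after(size_t drop) { return run_txn(drop).rejected; }

/* Same replay for the naive scheme, where any byte addressed to REG_DAC
 * drives the hardware at once. */
uint8_t naive_live_after(size_t drop)
{
    uint8_t buf[sizeof naive_stream], live = 0x80;
    size_t n = 0;
    for (size_t i = 0; i < sizeof naive_stream; i++)
        if (i != drop) buf[n++] = naive_stream[i];
    for (size_t i = 0; i + 1 < n; i += 2)
        if (buf[i] == REG_DAC) live = buf[i + 1];
    return live;
}
```

Dropping byte 1 of the naive traffic makes the controller apply 0x01, far below the trim window, while the same drop in the keyed traffic leaves the DAC untouched and counts five refused bytes the host can react to.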

    9. Re:Impossible to test by b4dc0d3r · · Score: 4, Insightful

      "Toyota Knew About Sticking Pedals In Europe A Year Before U.S. Accidents"
      http://consumerist.com/2010/02/toyota-knew-about-sticking-pedals-in-europe-a-year-before-us-accidents.html

      "NEW YORK (CNNMoney.com) -- Toyota has known about brake problems in its popular Prius cars for some time, going so far as to fix it in new production vehicles, but has kept Prius drivers in the dark about the problem until the Japanese government called for an investigation."
      http://money.cnn.com/2010/02/04/autos/prius_timeline/index.htm

      "Toyota says it knew there were problems with accelerator-pedal assemblies from supplier CTS late last year, but not enough to warrant a recall."
      http://www.usatoday.com/money/autos/2010-01-25-toyotalong_st_N.htm

      Your opinion of its likelihood is not relevant. Not only is it likely, evidence points to it being true. You are being disingenuous by phrasing it "no economic gains to be had by killing your customers." A product has a flaw, people die, that happens sometimes. If you issue a recall, you draw attention to the problem and cost yourself money in lost sales, repair costs, and possible lawsuits. "Killing your customers" is a bit different from "hoping that driver error is the official cause, not faulty cars," and you deciding to phrase it that way is an appeal to emotion, not a logical argument.

      You can say we're just arguing semantics, but you're going to have to back up your unlikely opinion with links to convince me.

    10. Re:Impossible to test by DarkOx · · Score: 4, Insightful

      There is a component of moral empowerment though, you have to consider. Most people are more willing to accept risk if they control the situation, even if the risk is greater. Other people are more accepting of an inherent justice in the results when something bad happens to someone else who they feel was in control of the situation than when they were not.

      Consider on a per person per mile of travel basis a drunk "walker" is more likely to cause a traffic related fatality than a drunk driver. They do things like stumble off sidewalks into traffic, misjudge the rate of oncoming traffic and run out into busy highways, sit and take rests on unlit rural roads and more. Still we vilify the drunk driver because when they cause a traffic fatality chances are they are not the individual contributing to the statistic, where as with the walkers they are usually the one killed.

      If we were really minimizing risk we would be more condemning of drunk walking than driving because someone is more likely to die. We don't operate that way though, we don't think that way. Many people would take a friend's keys, few would forcibly restrain them if they could not be convinced to stay a little longer and sober up, even though that friend would be safer behind the wheel.

      The same thing applies, most of us would be more willing to accept our loved one died because they were not able to control a set of mechanical and hydraulic linkages correctly and quickly enough to avoid an auto accident than we are when a software system fails to do the same, even though the latter was far less likely.

      I am not saying that makes sense in moral terms, statistical terms, or anything. In fact the more objectively you look at it the less sense it makes to not use drive by wire and computerized systems but "we" still don't "feel" that way about it.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    11. Re:Impossible to test by AigariusDebian · · Score: 4, Informative

      If a driver dials 911 on his cell phone before even trying to put the car in Neutral, then yeah - it is a driver error.

      (The last case on the news - a driver called 911 on his cell phone because his car was accelerating out of control. When prompted by the operator if he had tried putting the car in Neutral, he said no and even refused to do so when ordered to do it by the operator.)

    12. Re:Impossible to test by Gordonjcp · · Score: 5, Informative

      Every production car on the road has sufficient braking power to stall the engine in any gear at any throttle setting. Put your foot on the brake, and the car will stop. You may need new discs and pads after that.

    13. Re:Impossible to test by konaforever · · Score: 4, Informative

      Automatic trannies in these cars use the shifter as advice only. If shifted into neutral at speed, the engine would spin out, which is very damaging.

      It doesn't seem you know much about cars. First of all, "spin out" isn't an automotive term. And 2nd, what do you mean by "spin out"? Modern cars have a rpm limiter which limits the RPM of the engine to some preset RPM limit. Have you ever driven a manual and hit the RPM limiter? It'll cut power to the engine. Same thing with neutral. An engine will not be damaged if you gas it in neutral, even to the RPM limit.

    14. Re:Impossible to test by FleaPlus · · Score: 4, Interesting

      (The last case on the news - a driver called 911 on his cell phone because his car was accelerating out of control. When prompted by the operator if he had tried putting the car in Neutral, he said no and even refused to do so when ordered to do it by the operator.)

      It's starting to look increasingly likely that this latest case was a hoax:

      http://en.wikipedia.org/wiki/Toyota_Prius#Brake_fix_and_acceleration

      On March 8, 2010, a 2008 Prius allegedly uncontrollably accelerated to 94 miles per hour on a California Highway (US), and the Prius had to be stopped with the verbal assistance of the California Highway Patrol as news cameras watched [86]. Subsequent to the event, media investigations uncovered suspicious information about the alleged runaway Prius driver, 61-year old James Sikes, including false police reports, suspect insurance claims, theft and fraud allegations, television aspirations, and bankruptcy.[87][88] Sikes was found to be US$19,000 behind in his Prius car payments and had $US700,000 in accumulated debt.[87] Sikes stated he wanted a new car as compensation for the incident.[87][89] Analyses by Edmunds.com and Forbes found Sikes' acceleration claims and fears of shifting to neutral implausible, with Edmunds concluding that "in other words, this is BS",[90] and Forbes comparing it to the balloon boy hoax.[88]

  3. Infallible fail. by jeckled · · Score: 5, Insightful

    Drive by wire is great and all, but I'd feel much better with a physical fail-safe than their "infallible" software. I am aware of the physical remedies for the issue, but I'd like to see the brake pedal override the accelerator.

    1. Re:Infallible fail. by shrimppesto · · Score: 4, Informative

      I'd feel much better with drivers who know they should pop the car into NEUTRAL if it starts accelerating out of control for any reason, rather than trying to stand on the brake pedals while dialing 911 ...

  4. Another interesting statistic by homer_s · · Score: 5, Interesting
    From here:

    In the 24 cases where driver age was reported or readily inferred, the drivers included those of the ages 60, 61, 63, 66, 68, 71, 72, 72, 77, 79, 83, 85, 89—and I’m leaving out the son whose age wasn’t identified, but whose 94-year-old father died as a passenger.

    These “electronic defects” apparently discriminate against the elderly, just as the sudden acceleration of Audis and GM autos did before them. (If computers are going to discriminate against anyone, they should be picking on the young, who are more likely to take up arms against the rise of the machines and future Terminators).

    Some more data here

    1. Re:Another interesting statistic by maxume · · Score: 4, Insightful

      Be careful to note that the 24 cases discussed there are only the ones that have led to serious incidents.

      --
      Nerd rage is the funniest rage.
    2. Re:Another interesting statistic by maxume · · Score: 5, Informative

      To me it suggests that older drivers are having more difficulty coping with the situation once it arises.

      Forbes says that the guy who got himself plastered all over cable last week was 'afraid' to put the vehicle into neutral, or to turn off the engine:

      http://www.forbes.com/2010/03/12/toyota-autos-hoax-media-opinions-contributors-michael-fumento.html?boxes=financechannelforbes

      (They link the 911 recording:

      http://www.thetruthaboutcars.com/the-jim-sikes-911-call-23-minutes-of-unintended-acceleration/

      )

      So apparently being an idiot is also a likely factor in the failing to cope with the incident before it becomes lethal.

      But the key observation is that the higher number of fatalities among older drivers doesn't really point to the source of the problem being driver error (rather, the driver error is in failing to deal with the situation once it arises).

      --
      Nerd rage is the funniest rage.
    3. Re:Another interesting statistic by causality · · Score: 4, Insightful

      To me it suggests that older drivers are having more difficulty coping with the situation once it arises.

      Forbes says that the guy who got himself plastered all over cable last week was 'afraid' to put the vehicle into neutral, or to turn off the engine:

      That part is strange. Uncontrolled acceleration is a much greater risk to life and limb than the red-lined/blown engine you might get if it were put into neutral with the throttle wide open. Being "afraid to try neutral" makes no sense.

      They link the 911 recording

      Just an irrelevant side note: I've always found it low-class and tacky that phone calls made to 911 become publicly available, especially when you hear them on the news. The message is, "hey sir or madam, remember that moment when you were highly emotional and had no idea if you were going to live or die? Well, we've got great news! That highly personal moment of reflection on your own mortality is now a public spectacle for millions of people! It's okay, we make a profit from this! No we won't share that profit with you..."

      I realize it's a government service funded by taxpayer dollars. That explains how this is possible. It fails to explain how this is the best or most honorable thing to do.

      So apparently being an idiot is also a likely factor in the failing to cope with the incident before it becomes lethal.

      That part generally shouldn't be a surprise. I'd imagine it also helps if you can keep calm and avoid panicking, as panicky people often fail at things they could do easily if they were not in a state of deer-in-headlights fear.

      But the key observation is that the higher number of fatalities among older drivers doesn't really point to the source of the problem being driver error (rather, the driver error is in failing to deal with the situation once it arises).

      Nor does it explain why older drivers were disproportionately affected. Possibly the Toyota brand is more popular among older drivers because it historically has retained a decent resale value. While nothing the driver does should ever cause this kind of uncontrollable automatic acceleration, perhaps older drivers tend to have habits that somehow manifest whatever the actual underlying problem is. There are a lot of coincidences and correlations being pointed out in this discussion but unfortunately there seems to be little certainty about whether they are more than that.

      --
      It is a miracle that curiosity survives formal education. - Einstein
  5. Testing. by Ihlosi · · Score: 4, Insightful

    Testing only confirms the absence of known bugs. Never forget that.

  6. Logic of Testing by Renegade+Lisp · · Score: 4, Insightful

    David Cummings does seem to know what he's talking about, but as it is written, there is some strange logic in the article.

    If Toyota has indeed tested its software as thoroughly as it says without finding any bugs, my response is simple: Keep trying.

    Testing cannot prove the absence of bugs, only their presence. There are two things that do not follow from this:

    • If you don't find any bugs, then your software doesn't have any.
    • If you don't find any bugs, then there must be some left in your software.

    It sounds to me as if Toyota is saying the former, while Cummings says the latter. Neither is a correct conclusion.

    1. Re:Logic of Testing by marcansoft · · Score: 4, Insightful

      Given practical software engineering conditions though, a) is highly unlikely while b) is highly likely.

  7. Boeing versus Airbus by goombah99 · · Score: 5, Insightful

    I'm loving this conversation here because I've gotten crucified in slashdot before for making similar comments to the whole thread here. I grew up in a family of top managers of Boeing systems engineers. They hated computers. My dad never even learned how to turn one on. He hired other monkeys to use the computers. As a child I was regaled with wonderful stories of every hard lesson in safety my dad had learned over his lifetime. He loved world war II because they got to use cutting edge designs for balls out performance yet at the same time learned how to make things reliable by dissecting the accident. He would tell me about the accident that taught them that the engine pumps need to be at full speed but flow stalled on take off so that there's no lag when you hot swap after a pump fails. He told me of the accident where they learned not to route 100% of the control system wiring through any one junction box. etc...

    Probably because of all these hard won lessons boeing for years insisted on fully mechanical or hydraulic flight surface controls. Whereas Airbus and others jumped on the fly-by-wire concept early. My dad would spit after hearing some young person tout all the advantages of fly by wire. He knew them perfectly well. He was big on accepting new innovations to reduce fuel costs and increase performance. He was not a luddite. But he had a safety background that told him these electronic systems were hard as hell to validate and hard as hell to make truly independent from each other.

    For example they often used triple redundant computers and if one of them disagreed the other two would vote it off the island and stop listening to it. From what I've read it's now suspected that the latest airbus crash in the pacific had one of its root problems in the voting nexus where a superior computer overruled a more primitive safety system.

    While we all know that computer software validation is hard if not impossible. It's not something we readily admit here on slash dot. It's because for years people like my dad would throttle the innovations the computer engineers wanted to implement. I think as a result there became this culture of computer engineers that presented the case that embedded computing could be made safer than it really could be to offset that.

    So now we come full circle and have to admit there is this middle ground. Just because a computer can improve performance does not mean it's reliable and safe. The old guys had a point after all when it came to safety.

    Next week I'll tell you about how the ancient shocking lesson of the British Comet aluminum aircraft wings falling off led to the unanticipated discovery of metal fatigue and probably was the reason Boeing was slow to move to composite materials in commercial aircraft (but not in military aircraft). In hindsight we have heard of many tales of the composite tails of planes falling off as the reason for the loss of control before a crash. Conversely, composite wings on UAVs allow them to absorb a lot of bullet holes with no loss of control and to operate under higher performance conditions.

    The point is that safety and performance are trade offs when both are pushed to the limit. The old guys know a lot more about safety than you might expect. The young guys are all about performance.

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:Boeing versus Airbus by roman_mir · · Score: 5, Interesting

      A year ago I was watching one of the Discovery programs I think and they had a couple of guys who supposedly implemented a piece of software, that would allow an airplane to fly and land safely if for some reason, while in the air, the tail would break off or rudder would just stop working. They relied on a fly by wire airplane of course and controlled the yaw with all other surfaces by applying very slight changes to the motion. They were saying a human could do this if extremely lucky, but software was able to do it almost always.

      Just something to think about.

    2. Re:Boeing versus Airbus by MartinSchou · · Score: 4, Insightful

      I'm pretty sure that the tail of an airplane falling off is an unanticipated scenario that humans cannot deal with either ;)

    3. Re:Boeing versus Airbus by timeOday · · Score: 4, Insightful

      You make it sound as computers killed a golden era of safe engineering, as if perhaps we should go back. Let's keep some perspective here. Were cars back then simple, predictable, and solid? Perhaps. They were also death traps. How do the deaths with a suspected link to throttle software stack up statistically to those saved by anti-lock brakes? How does Toyota safety - on any model you choose - stack up to the competition when measured in deaths per millions of miles? I doubt this problem is even enough to appear in those big-picture statistics.

    4. Re:Boeing versus Airbus by DerekLyons · · Score: 4, Informative

      Next week I'll tell you about how the ancient shocking lesson of the British Comet aluminum aircraft wings falling off led to the unanticipated discovery of metal fatigue and probably was the reason Boeing was slow to move to composite materials in commercial aircraft (but not in military aircraft).

      This one comment makes me wonder about the veracity of the balance of your account.

      1. Metal fatigue was known about long before the Comet took wing in 1949.
      2. The fatigue cracks on the Comets occurred at skin penetrations (windows and hatches).

      In hindsight we have heard of many tales of the composite tails of planes falling off as the reason for the loss of control before a crash.

      Then there is the crunchy bit of FUD, which fails to mention that more than a few of those accidents are also associated with extreme control surface movements (inducing extreme stresses) prior to the failure.

  8. Re:I agree on non-software fail-safes by KarmaMB84 · · Score: 4, Insightful

    Unfortunately the update assumes the computer will actually respond to the brake being pressed or any input for that matter. Toyota doesn't know for certain what is causing all of these sudden acceleration problems in which fiddling with the gas pedal, brake and even putting the vehicle in neutral won't stop the vehicle. The software update, while a sensible modification that should've been in the software all along, is sort of a hail mary toward preventing any new cases in updated vehicles.

  9. Other lessons from Boeing by Beryllium+Sphere(tm) · · Score: 4, Interesting

    I worked on an embedded flight system there, and deeply respected people like your dad.

    Boeing works under the eye of a certification authority who has to approve the safety of a design including, at least in the system I worked on, human factors. If there's anything comparable for cars, I haven't heard of it.

    Boeing would not have made a pilot have to guess at how to turn an engine off (people with older cars, it's no longer a matter of turning a key).

    Inputs were checked for consistency and validity. The specs would have anticipated what to do if the accelerator and brake were both full on at the same time.

    There was a culture of worst-case planning and redundancy.

    Also, if Boeing built a car, it would have a flight data recorder which investigators could examine and say for example "Looks like both(*) potentiometers on the accelerator went hard over at the same time, so we go look on the branches of the fault tree where there's a common-mode failure in the potentiometers or the pedal is down due to mechanical or pilot error".

    (*) If I remember correctly from my obsessive pre-purchase research on Priuses, there are two separate sensors for accelerator position.
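
Beryllium Sphere's points (inputs checked for consistency and validity, a spec for brake and accelerator both on at once, two accelerator position sensors, and a recorder that keeps what investigators need for the fault tree) together with jeckled's wish for a brake override, worked through as an added C example that is not Toyota's, Boeing's or either poster's code; every threshold, name and sample value below is an assumption constructed for the illustration.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Every threshold here is an assumption for this example, not any vendor's
 * real calibration. The two pedal tracks are read as 10-bit ADC counts. */
#define ADC_MIN_VALID  51    /* below ~0.25 V the track is open or shorted low */
#define ADC_MAX_VALID  972   /* above ~4.75 V it is shorted to supply */
#define PEDAL_IDLE     102   /* count at the fully released pedal */
#define PEDAL_FULL     921   /* count at the floor */
#define AGREE_TOL      41    /* tracks must agree within ~0.2 V */
#define LIMP_MAX       25    /* percent allowed when only one track is trusted */
#define RECORDER_DEPTH 16

typedef enum { EVENT_NONE, EVENT_SENSOR1_RANGE, EVENT_SENSOR2_RANGE,
               EVENT_DISAGREE, EVENT_NO_VALID_SENSOR } pedal_event_t;

typedef struct {
    int demand;            /* throttle demand passed on, 0..100 percent */
    pedal_event_t event;   /* what the cross-check concluded about the inputs */
    bool brake_override;   /* demand forced to idle because the brake is on */
} pedal_decision_t;

static bool in_range(int c) { return c >= ADC_MIN_VALID && c <= ADC_MAX_VALID; }

static int to_percent(int c)   /* count -> percent travel, clamped */
{
    if (c <= PEDAL_IDLE) return 0;
    if (c >= PEDAL_FULL) return 100;
    return (c - PEDAL_IDLE) * 100 / (PEDAL_FULL - PEDAL_IDLE);
}

/* Consistency and validity check on the two accelerator tracks, with the
 * brake taking precedence over any throttle request. An input the cross-check
 * cannot reconcile is never silently trusted: it degrades to a limp limit or
 * idle and is labelled so the recorder can show why. */
pedal_decision_t pedal_decide(int s1, int s2, bool brake_on)
{
    pedal_decision_t d = { 0, EVENT_NONE, false };
    bool ok1 = in_range(s1), ok2 = in_range(s2);
    int lower = s1 < s2 ? s1 : s2;
    if (ok1 && ok2 && abs(s1 - s2) <= AGREE_TOL) {
        d.demand = to_percent(lower);         /* both plausible: trust the lower one */
    } else if (ok1 && ok2) {
        d.event = EVENT_DISAGREE;             /* one track is lying, unknown which */
        d.demand = to_percent(lower) < LIMP_MAX ? to_percent(lower) : LIMP_MAX;
    } else if (ok1 || ok2) {
        int p = to_percent(ok1 ? s1 : s2);
        d.event = ok1 ? EVENT_SENSOR2_RANGE : EVENT_SENSOR1_RANGE;
        d.demand = p < LIMP_MAX ? p : LIMP_MAX;
    } else {
        d.event = EVENT_NO_VALID_SENSOR;      /* common-mode loss: idle */
    }
    if (brake_on && d.demand > 0) {           /* brake wins over throttle */
        d.demand = 0;
        d.brake_override = true;
    }
    return d;
}

/* Recorder: the last RECORDER_DEPTH decisions with the raw inputs that
 * produced them, the evidence an investigator would read back afterwards. */
typedef struct { unsigned tick; int s1, s2; bool brake_on; pedal_decision_t d; } pedal_record_t;
typedef struct { pedal_record_t ring[RECORDER_DEPTH]; unsigned total; } pedal_recorder_t;

pedal_decision_t pedal_step(pedal_recorder_t *r, unsigned tick, int s1, int s2, bool brake_on)
{
    pedal_record_t rec = { tick, s1, s2, brake_on, pedal_decide(s1, s2, brake_on) };
    r->ring[r->total++ % RECORDER_DEPTH] = rec;   /* oldest entry is overwritten */
    return rec.d;
}

/* Constructed 10 ms samples: normal press, brake and throttle together, track 1
 * open circuit, both tracks hard over at once, and the tracks disagreeing. */
typedef struct { int s1, s2; bool brake_on; } sample_t;
static const sample_t frames[] = {
    { 500, 520, false }, { 500, 520, true }, { 0, 600, false },
    { 921, 921, false }, { 350, 750, false },
};

/* Decision recorded for frame k after replaying all frames. */
pedal_decision_t demo_decision(unsigned k)
{
    pedal_recorder_t r = { .total = 0 };
    for (unsigned i = 0; i < sizeof frames / sizeof frames[0]; i++)
        pedal_step(&r, i, frames[i].s1, frames[i].s2, frames[i].brake_on);
    return r.ring[k % RECORDER_DEPTH].d;
}
```

Frame 3, both tracks hard over at once, passes the cross-check and is exactly why the recorder keeps the raw inputs: only that record lets an investigator tell a real stomp from a common-mode sensor failure.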