Toyota's Killer Firmware
New submitter Smerta writes "On Thursday, a jury verdict found Toyota's ECU firmware defective, holding it responsible for a crash in which a passenger was killed and the driver injured. What's significant about this is that it's the first time a jury heard about software defects uncovered by a plaintiff's expert witnesses. A summary of the defects discussed at trial is interesting reading, as well as the transcript of court testimony. 'Although Toyota had performed a stack analysis, Barr concluded the automaker had completely botched it. Toyota missed some of the calls made via pointer, missed stack usage by library and assembly functions (about 350 in total), and missed RTOS use during task switching. They also failed to perform run-time stack monitoring.' Anyone wonder what the impact will be on self-driving cars?"
'Although Toyota had performed a stack analysis, Barr concluded the automaker had completely botched it. Toyota missed some of the calls made via pointer, missed stack usage by library and assembly functions (about 350 in total), and missed RTOS use during task switching. They also failed to perform run-time stack monitoring.'
Huh? I'm a software engineer and don't understand the relevance of this statement, how can a jury? How does it confirm that there was a defect?
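An added example (not from the story, the Barr Group report, or any commenter) of the run-time stack monitoring the quoted testimony says was missing: the task stack is painted with a fill pattern and a guard word, a call chain runs, and the high-water mark is read back and compared with the static worst-case estimate, which catches a deeper path (such as an indirect call the static analysis missed) before it becomes silent corruption. The stack size, byte values and function names are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed task stack for one hypothetical RTOS task; grows downward. */
#define STACK_BYTES 256
#define FILL_BYTE   0xA5u
#define GUARD_WORD  0xDEADBEEFu
static uint8_t task_stack[STACK_BYTES];

/* Paint the whole stack with a known pattern and put a guard word at the low end. */
void stack_paint(uint8_t *base, size_t len) {
    uint32_t guard = GUARD_WORD;
    memset(base, FILL_BYTE, len);
    memcpy(base, &guard, sizeof guard);
}

/* High-water mark: bytes (above the guard) that were ever overwritten. */
size_t stack_high_water(const uint8_t *base, size_t len) {
    size_t untouched = 0;
    for (size_t i = sizeof(uint32_t); i < len && base[i] == FILL_BYTE; i++)
        untouched++;
    return len - sizeof(uint32_t) - untouched;
}

/* 1 if the guard word is still intact, 0 if the stack ran into it. */
int stack_guard_intact(const uint8_t *base) {
    uint32_t guard;
    memcpy(&guard, base, sizeof guard);
    return guard == GUARD_WORD;
}

/* Stand-in for a call chain that consumes `used` bytes from the top of the stack. */
void simulate_frames(uint8_t *base, size_t len, size_t used) {
    if (used > len) used = len;
    memset(base + len - used, 0x00, used);
}

/* Paint, run the simulated call chain, and report the measured high-water mark. */
size_t measure_high_water(size_t used) {
    stack_paint(task_stack, STACK_BYTES);
    simulate_frames(task_stack, STACK_BYTES, used);
    return stack_high_water(task_stack, STACK_BYTES);
}

/* 1 when the static worst-case estimate holds and the guard survived, else 0. */
int check_task(size_t static_estimate, size_t used) {
    size_t hwm = measure_high_water(used);
    return stack_guard_intact(task_stack) && hwm <= static_estimate;
}
```

On real hardware the paint happens once at task creation and the high-water read runs periodically or at shutdown; a broken guard word is the overflow signal a fail-safe can act on.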
My God can beat up your God. Just kidding...don't take offense. I know there's no God.
Not sure why this was modded flamebait... this is one of the areas where Ada does generally shine, it is a language built for auditing.
That might turn out to be an important point. Suppose some day two cars of different manufacturers crash into each other. Will comparative code audits find their way to court?
Gosh, thanks. That must be why the other ships call me Meatfucker -- GCU Grey Area (Eccentric)
Realistically, you are quite a bit more likely to die in your classic car than you are in a new car despite issues like this.
The new car brakes better, handles better, is an order of magnitude safer in a collision thanks to the crumple zones, airbags, and modern collision testing requirements. It also uses less fuel, and pollutes less.
I like classics too, but I don't have any illusions that they are generally safer or more reliable. I will give you that they are usually easier to fix (assuming they aren't so classic that parts are a problem) but that doesn't make them safer -- and safety was the underlying catalyst for this discussion.
The thing is, the car's brakes can easily overpower the engine. And your car has two independent sets of brakes - the foot pedal (hydraulic) and the parking brake (mechanical cable linkage, though some luxury models have made it electronic). For unintended acceleration to have caused the accident, you're saying three independent systems which by all accounts function flawlessly 99.999% of the time failed simultaneously and catastrophically. So it's not enough to show the acceleration system can fail. Unless you can come up with something which can cause all three of these systems to fail simultaneously, the odds of that happening are quite literally astronomical.
The far more likely explanation is that these people thought they were stomping on the brake, when they were in fact stomping on the accelerator. I've actually done that when the passenger kicked over a folding sun shade and it (unknown to me) wedged so that every time I pressed the brake, it also pressed the accelerator. The car would lurch forward whenever I started braking. Nothing happened because when I jammed down the brake pedal, the brake overpowered the engine and the car came to a stop. The engine was revving at an uncomfortably high RPM, but the car was stopped.
That's what happened when Audi got hit by the unintended acceleration hysteria in the 1980s. Despite all the rational arguments against it, the press and public hysteria kept growing. They eventually "fixed" the problem by moving the brake and accelerator pedals further apart, and putting in a brake-gearshift interlock. You now have to press down the brake pedal before you can shift out of Park. After they did that, all the cases of unintended acceleration (when shifting the car into gear) disappeared, confirming that it was simple pedal misapplication.
You may be, and so may I, but the people that sue (and there will be many) won't really care if self-driving cars reduce deaths. They will only be looking at one or two deaths at a time.
Is buying a Harley Davidson as your first motorcycle since you were 16 at age 49 a midlife crisis issue?
I agree. I'm hardly a Luddite, but being an embedded hardware/software engineer, I know what kinds of problems can crop up. The use of computers for safety-critical functions was pretty well developed years ago in aerospace, but it's very expensive. Developing the software is also very expensive (and dull, frankly), and has to meet stringent standards (the higher tiers of DO-178B). It sounds like Toyota, anyway, hasn't even reached the point of good practices, let alone stringent standards. The car makers have decided they want aerospace-style control, but without the costs. Good luck with that.
ECUs have been around since the '70s, and became ubiquitous in the '80s. AFAIK the older systems had a mechanical linkage between the gas pedal and the throttle plate. The ECU then read the air flow sensor, and various other sensors, to set the fuel injection and spark timing. Obviously it can fail, but it's a soft fail. The engine won't run, or more likely won't run well. Sudden acceleration or unstoppable engine though? Forget it. With the throttle plate closed there's no way you can get any more than the power produced at idle, no matter what the ECU does.
There was a time after automated elevators first came out when people refused to use them because they didn't trust them without a "human fall back or ability to overthrow the computer's control". Today, when nearly all the elevators we've ever seen were automated, this seems crazy.
In 50 years, when most people have never seen a manually operated car, we'll seem just as crazy for not trusting them.
Did you read TFA?
In a nutshell, the team led by Barr Group found what the NASA team sought but couldn’t find: “a systematic software malfunction in the Main CPU that opens the throttle without operator action and continues to properly control fuel injection and ignition” that is not reliably detected by any fail-safe.
That's proof, not an argument that they could have tried harder to find the system could fail. The bottom line is that it's software that puts people's lives at risk. It's reasonable to hold that type of code to a higher standard. There are millions of other cars, trains, and planes out there with similar software but without this type of problem. At some point you should be responsible for the things you create.
"This is the argument Boeing put forth about Airbus and its fly-by-wire planes...until they gave in. We cannot stop this type of progress, but it would be nice if there was still somewhere a killswitch that was manual and separate from the computer...just as a last resort if possible."
Having researched this issue not very long ago, I can tell you that the issue is not as black-and-white as you make it out to be.
Boeing has been building "fly-by-wire" planes almost as long as Airbus. The major difference (which Airbus aficionados still dispute but which is supported by factual records) is that Boeing put more and better physical ("manual") backup systems in their planes than Airbus did. And the consequences, as shown in the safety record, speak for themselves. Airbus' systems in some cases led to pilots literally sitting horrified in their cockpits watching disaster happen and not being able to do a single damned thing about it.
Kill switches, manual disconnects and backups, etc. all have to be built in. Doing otherwise is just plain irresponsible.
But hey... you're talking about the automotive industry here, remember? The same guys who control engines and entertainment systems with the same CPU, and who put Android systems in new vehicles with no way to upgrade them for the life of the car.
No, it's more than that: it has a penetration through the firewall (which means some kind of rubber grommet usually), and connections to both the throttle pedal and to the throttle body. On top of that, there's usually some extra brackets to route the cable.
When you account for all these things, that's a bunch of assembly steps that some worker has to do, while crawling around under the dashboard and under the hood. That takes a lot of time. With an electronic throttle, you don't have to do all that; the pedals are a complete assembly, the throttle body is part of the engine and all the connections to that are done during engine assembly. The engine is then dropped in, and a few electrical connections made to the wire harnesses that were installed earlier. The pedals are bolted in as a complete assembly, and again all the electrical connections are made at once with a single connector being plugged in. With electrical connections, lots of connections can be made by plugging in a single connector. Not so with Bowden cables.