Barr Code
Comment
sharps_eng
Adopting a common vehicle hardware and software 'platform+kernel' that is ...
ReneCardenas
Firmware forensics: best practices in embedded software source-code discovery
10/27/2011 10:41 AM EDT
Remember unintended acceleration? Here's what NASA should have examined in Toyota's software.
Software has become ubiquitous, embedded as it is into the fabric of our lives in literally billions of new (non-computer) products per year, from microwave ovens to electronic throttle controls. When products controlled by software are the subject of litigation, whether for infringement of intellectual property rights or product liability, it's imperative to analyze the embedded software (also known as firmware) properly and thoroughly. This article enumerates five best practices for embedded software source-code discovery and the rationale for each.
In February 2011, the U.S. government's National Highway Traffic Safety Administration (www.nhtsa.gov) and a team from NASA's Engineering and Safety Center (www.nasa.gov/offices/nesc/) published reports of their joint investigation into the causes of unintended acceleration in Toyota vehicles. While NHTSA led the overall effort and examined recall records, accident reports, and complaint statistics, the more technically focused team from NASA performed reviews of the electronics and embedded software at the heart of Toyota's electronic throttle control subsystem (ETCS). Redacted public versions of the official reports from each agency, together with a number of related documents, can be found at www.nhtsa.gov/UA.
These reports are very interesting in what they have to say about the quality of Toyota's firmware and NASA's review of the same. However, of greater significance is what they are not able to say about unintended acceleration. It appears that NASA did not follow a number of best practices for reviewing embedded software source code that might have identified useful evidence. In brief, NASA failed to find a firmware cause of unintended acceleration--but their review also fails to rule out firmware causes entirely.
This article describes a set of five recommended practices for firmware source code review that are based on my experiences as both an embedded software developer and as an expert witness. Each of the recommendations will consider what more could have been done to determine whether Toyota's ETCS firmware played a role in any of the unintended acceleration. The five recommended practices are:
(1) ask for the bug list;
(2) insist on an executable;
(3) reproduce the development environment;
(4) try for the version control repository; and
(5) remember the hardware.
The relative value and importance of the individual practices will vary by type of litigation, so the recommendations are presented in the order that is most readable.
Ask for the bug list
Any serious litigation involving embedded software will require an expert review of the source code. The source code should be requested early in the process of discovery. Owners of source code tend to strenuously resist such requests but procedures limiting access to the source code to only certain named and pre-approved experts and only under physical security (often a non-networked computer with no removable storage in a locked room) tend to be agreed upon or ordered by a judge.
Software development organizations commonly keep additional records that may prove more important or useful than a mere copy of the source code. Any reasonably thorough software team will maintain a bug list (a defect database) describing most or all of the problems observed in the software along with the current status of each (for example "fixed in v2.2" or "still under investigation"). The list of bugs fixed and known--or the company's lack of such a list--is germane to issues of software quality. Thus the bug list should be routinely requested and supplied in discovery.
Very nearly every piece of software ever written has defects, both known and unknown. Thus the bug list provides helpful guidance to a reviewer of the source code. Often, for example, bugs cluster in specific source files in need of major rework. To ignore the company's own records of known bugs, as the NASA reviewers apparently did, is to examine a constitution without considering the historical reasons for the adoption of each section and amendment. Indeed, a simple search of the text in Toyota's bug list for the terms "stuck" and "fuel valve" might yet provide some useful information about unintended acceleration.
Insist on an executable
In software parlance, the "executable" program is the binary version of the program that's actually executed in the product. The machine-readable executable is constructed from a set of human-readable source code files using software build tools such as compilers and linkers. It's important to recognize that one set of source code files may be capable of producing multiple executables, based on tool configuration and options.
Though not human-readable, an executable program may provide valuable information to an expert reviewer. For example, one common technique is to extract the human-readable "strings" within the executable. The strings in an executable program include information such as on-screen messages to the user (such as "Press the ‘?' button for help."). In a copyright infringement case in which I once consulted several strings in the defendant's executable helpfully contained a phrase similar to "Copyright Plaintiff"! You may not be so lucky, but isn't it worth a try?
It may also be possible to reverse engineer or disassemble an executable file into a more human-readable form. Disassembly could be important in cases of alleged patent infringement, for example, where what looks like an infringement of a method claim in the source code might be unused code or not actually part of the executable in the product as used by customers.
Sometimes it's easy to extract the executable directly from the product for expert examination--in which case the expert should engage in this step. For instance, software running on Microsoft Windows consists of an executable file with the extension .EXE, which is easily extracted. However, the executable programs in most embedded systems are difficult, at best, to extract. Extraction of Toyota's ETCS firmware might not be physically possible. Thus the legal team should insist on production of the executable(s) actually used by the relevant customers.
Reproduce the development environment
The dichotomy between source code and executable code and the inability of even most software experts to make much sense of binary code can create problems in the factual landscape of litigation. For example, suppose that the source code produced by Toyota was inadvertently incomplete in that it was missing two or three source-code files. Even an expert reviewer looking at the source code might not know about the absent files. For example, if the bug the expert is looking for is related to fuel valve control and the code related to that subject doesn't reference the missing files, the reviewer may not notice their absence. No expert can spot a bug in a missing file.
Fortunately, there is a reliable way for an expert to confirm that she has been provided with all of the source code. The objective is simply stated: reproduce the software build tools setup and compile the produced source code. To do this it's necessary to have a copy of the development team's detailed build settings, such as make files, preprocessor defines, and linker control files. If the build process completes and produces an executable, it's certain the other party has provided a complete copy of the source code.
Furthermore, if the executable as built matches the executable as produced (actually, ideally, the executable as extracted from the product) bit by binary bit, it's certain that the other party has provided a true and correct version of the source code. Unfortunately, trying to prove this part may take longer than just completing a build; the build could fail to produce the desired proof for a variety of reasons. The details here get complicated. To get exactly the same output executable, it's necessary to use all of the following: precisely the same version of the compiler, linker, and each other build tool as the original developers used; precisely the same configuration of each of those tools; and precisely the same set of build instructions. Even a slight variation in just one of these details will generally produce an executable that doesn't match the other binary image at all--just as the wrong version of the source code would.
Try for the version control repository
Embedded software source code is never created in an instant. All software is developed one layer at a time over a period of months or years in the same way that a bridge and the attached roadways exist in numerous interim configurations during their construction. The version control repository for a software program is like a series of time-lapse photos tracking the day-by-day changes in the construction of the bridge. But there is one considerable difference: It's possible to go back to one of those source code snapshots and rebuild the executable of that particular version. This becomes critically important when multiple software versions will be deployed over a number of years. In the automotive industry, for example, it must be possible to give one customer a bug fix for his v2.1 firmware while also working on the new v3.0 firmware to be released the following model year.
Consider, for the sake of discussion, that the executable version of Toyota's ETCS v2.1 firmware that was installed in the factory in one million cars around the world had an undiscovered bug that could result in unintended acceleration under certain rare operating conditions. Now further suppose that this bug was (perhaps unintentionally) eliminated in the v2.2 source code, from which a subsequent executable was created and installed at the factory into millions more cars with the same model names--and also as an upgrade into some of the original one million cars as they visited dealers for scheduled maintenance. In this scenario, an examination of the v2.2 source code proves nothing about the safety of the hundreds of thousands of cars still with v2.1 under the hood.
Gaining access to the entire version control repository containing all of the past versions of a company's firmware source code through discovery may be out of the question. For example, a judge in a source-code copyright and trade secrets case I consulted in would only allow the plaintiff to choose one calendar date and to then receive a snapshot of the defendant's source code from that specific date. If the plaintiff was lucky it would find evidence of their proprietary code in that specific snapshot. But the observed absence of their proprietary code from that one specific snapshot doesn't prove the alleged theft didn't happen earlier or later in time.
There are some problems with examination of an entire version control repository. It may be difficult to make sense of the repository's structure. Or, if the structure can be understood, it might take many times as long to perform a thorough review of the major and minor versions of the various source code files as it would to just review one snapshot in time. At first glance, many of those files would appear the same or similar in every version--but subtle differences could be important to making a case. To really be productive with that volume of code, it may be necessary to obtain a chronological schedule provided by a bug list or other production documents describing the source code at various points in time.
Remember the hardware
Embedded software is always written with the hardware platform in mind and should be reviewed in the same manner. For example, it's only possible to properly reverse engineer or disassemble an executable program once the specific microprocessor (such as Pentium, PowerPC, or ARM) is known. But knowing the processor is just the beginning, because the hardware and software are intertwined in complex ways in such embedded systems.
Only one or more features of the hardware are enabled or active when the hardware is in a particular configuration. For instance, consider an embedded system with a network interface, such as an Ethernet jack that is only powered when a cable is mechanically inserted. Some or all of the software required to send and receive messages over this network may be not be executed until a cable is inserted. A proper analysis of the software needs to keep hardware-software interactions like this in perspective. Ideally, testing of the firmware should be done on the hardware as configured in exemplars of the units at issue--so it is useful to ask for hardware during discovery, if you are not able to acquire exemplars in other ways. It's not clear from the redacted reports if NHTSA's testing of certain Toyota Camrys was done using the same firmware version on exactly the same hardware as the owners who experienced unintended acceleration. Hardware interactions can be one of the most important considerations of all when analyzing embedded software.
Sometimes a bug is not visible in the software itself. Such a bug may result from a combination of hardware and software behaviors or multiprocessor interactions. For example, one motor-control system I'm familiar with had a dangerous race condition. The bug, though, was the result of an unforeseen mismatch between the hardware reaction time and the software reaction time around a sequence of commands to the motor.
Additional analysis required
As you can see, the review of embedded software can be complicated. This is partly because the hardware of each embedded system is unique. In addition, the system as a whole generally involves complex interactions between hardware, software, and user. An expert in embedded software should typically have a degree in electrical engineering, computer engineering, or computer science plus years of relevant experience designing embedded systems and programming in the relevant language(s).
The five best practices I've presented here are meant to establish the critical importance of making certain specific requests early in the legal discovery process. They are by no means the only types of analysis that should be performed on the source code. For example, in any case involving the quality or reliability of embedded software, the source code should be tested via static-analysis tools. This and other types of technical analysis should be well understood by any expert witness or litigation consultant with the proper background.
In the case of Toyota's unintended acceleration issues, I hope that expert review in the class-action litigation against Toyota will include these and other additional types of analysis to identify all of the potential causes and determine if embedded software played any role. Though government funds for analysis by NASA are understandably limited, it's suggested that transportation safety organizations, such as NHTSA, should establish rules that ensure that future investigations are more thorough and that safety-related technical findings in litigation cannot be hidden behind the veil of secrecy of a settlement agreement.
Michael Barr is the author of three books and over fifty articles about embedded systems design, as well as a former editor-in-chief of this magazine. Michael is also a popular speaker at the Embedded Systems Conference, a former adjunct professor at the University of Maryland, and the president of Netrino. He has assisted in the design and implementation of products ranging from safety-critical medical devices to satellite TV receivers. You can reach him via e-mail at mbarr@netrino.com or read more of what he has to say at his blog (www.embeddedgurus.net/barr-code).
Software has become ubiquitous, embedded as it is into the fabric of our lives in literally billions of new (non-computer) products per year, from microwave ovens to electronic throttle controls. When products controlled by software are the subject of litigation, whether for infringement of intellectual property rights or product liability, it's imperative to analyze the embedded software (also known as firmware) properly and thoroughly. This article enumerates five best practices for embedded software source-code discovery and the rationale for each.
In February 2011, the U.S. government's National Highway Traffic Safety Administration (www.nhtsa.gov) and a team from NASA's Engineering and Safety Center (www.nasa.gov/offices/nesc/) published reports of their joint investigation into the causes of unintended acceleration in Toyota vehicles. While NHTSA led the overall effort and examined recall records, accident reports, and complaint statistics, the more technically focused team from NASA performed reviews of the electronics and embedded software at the heart of Toyota's electronic throttle control subsystem (ETCS). Redacted public versions of the official reports from each agency, together with a number of related documents, can be found at www.nhtsa.gov/UA.
These reports are very interesting in what they have to say about the quality of Toyota's firmware and NASA's review of the same. However, of greater significance is what they are not able to say about unintended acceleration. It appears that NASA did not follow a number of best practices for reviewing embedded software source code that might have identified useful evidence. In brief, NASA failed to find a firmware cause of unintended acceleration--but their review also fails to rule out firmware causes entirely.
This article describes a set of five recommended practices for firmware source code review that are based on my experiences as both an embedded software developer and as an expert witness. Each of the recommendations will consider what more could have been done to determine whether Toyota's ETCS firmware played a role in any of the unintended acceleration. The five recommended practices are:
(1) ask for the bug list;
(2) insist on an executable;
(3) reproduce the development environment;
(4) try for the version control repository; and
(5) remember the hardware.
The relative value and importance of the individual practices will vary by type of litigation, so the recommendations are presented in the order that is most readable.
Ask for the bug list
Any serious litigation involving embedded software will require an expert review of the source code. The source code should be requested early in the process of discovery. Owners of source code tend to strenuously resist such requests but procedures limiting access to the source code to only certain named and pre-approved experts and only under physical security (often a non-networked computer with no removable storage in a locked room) tend to be agreed upon or ordered by a judge.
Software development organizations commonly keep additional records that may prove more important or useful than a mere copy of the source code. Any reasonably thorough software team will maintain a bug list (a defect database) describing most or all of the problems observed in the software along with the current status of each (for example "fixed in v2.2" or "still under investigation"). The list of bugs fixed and known--or the company's lack of such a list--is germane to issues of software quality. Thus the bug list should be routinely requested and supplied in discovery.
Very nearly every piece of software ever written has defects, both known and unknown. Thus the bug list provides helpful guidance to a reviewer of the source code. Often, for example, bugs cluster in specific source files in need of major rework. To ignore the company's own records of known bugs, as the NASA reviewers apparently did, is to examine a constitution without considering the historical reasons for the adoption of each section and amendment. Indeed, a simple search of the text in Toyota's bug list for the terms "stuck" and "fuel valve" might yet provide some useful information about unintended acceleration.
Insist on an executable
In software parlance, the "executable" program is the binary version of the program that's actually executed in the product. The machine-readable executable is constructed from a set of human-readable source code files using software build tools such as compilers and linkers. It's important to recognize that one set of source code files may be capable of producing multiple executables, based on tool configuration and options.
Though not human-readable, an executable program may provide valuable information to an expert reviewer. For example, one common technique is to extract the human-readable "strings" within the executable. The strings in an executable program include information such as on-screen messages to the user (such as "Press the ‘?' button for help."). In a copyright infringement case in which I once consulted several strings in the defendant's executable helpfully contained a phrase similar to "Copyright Plaintiff"! You may not be so lucky, but isn't it worth a try?
It may also be possible to reverse engineer or disassemble an executable file into a more human-readable form. Disassembly could be important in cases of alleged patent infringement, for example, where what looks like an infringement of a method claim in the source code might be unused code or not actually part of the executable in the product as used by customers.
Sometimes it's easy to extract the executable directly from the product for expert examination--in which case the expert should engage in this step. For instance, software running on Microsoft Windows consists of an executable file with the extension .EXE, which is easily extracted. However, the executable programs in most embedded systems are difficult, at best, to extract. Extraction of Toyota's ETCS firmware might not be physically possible. Thus the legal team should insist on production of the executable(s) actually used by the relevant customers.
Reproduce the development environment
The dichotomy between source code and executable code and the inability of even most software experts to make much sense of binary code can create problems in the factual landscape of litigation. For example, suppose that the source code produced by Toyota was inadvertently incomplete in that it was missing two or three source-code files. Even an expert reviewer looking at the source code might not know about the absent files. For example, if the bug the expert is looking for is related to fuel valve control and the code related to that subject doesn't reference the missing files, the reviewer may not notice their absence. No expert can spot a bug in a missing file.
Fortunately, there is a reliable way for an expert to confirm that she has been provided with all of the source code. The objective is simply stated: reproduce the software build tools setup and compile the produced source code. To do this it's necessary to have a copy of the development team's detailed build settings, such as make files, preprocessor defines, and linker control files. If the build process completes and produces an executable, it's certain the other party has provided a complete copy of the source code.
Furthermore, if the executable as built matches the executable as produced (actually, ideally, the executable as extracted from the product) bit by binary bit, it's certain that the other party has provided a true and correct version of the source code. Unfortunately, trying to prove this part may take longer than just completing a build; the build could fail to produce the desired proof for a variety of reasons. The details here get complicated. To get exactly the same output executable, it's necessary to use all of the following: precisely the same version of the compiler, linker, and each other build tool as the original developers used; precisely the same configuration of each of those tools; and precisely the same set of build instructions. Even a slight variation in just one of these details will generally produce an executable that doesn't match the other binary image at all--just as the wrong version of the source code would.
Try for the version control repository
Embedded software source code is never created in an instant. All software is developed one layer at a time over a period of months or years in the same way that a bridge and the attached roadways exist in numerous interim configurations during their construction. The version control repository for a software program is like a series of time-lapse photos tracking the day-by-day changes in the construction of the bridge. But there is one considerable difference: It's possible to go back to one of those source code snapshots and rebuild the executable of that particular version. This becomes critically important when multiple software versions will be deployed over a number of years. In the automotive industry, for example, it must be possible to give one customer a bug fix for his v2.1 firmware while also working on the new v3.0 firmware to be released the following model year.
Consider, for the sake of discussion, that the executable version of Toyota's ETCS v2.1 firmware that was installed in the factory in one million cars around the world had an undiscovered bug that could result in unintended acceleration under certain rare operating conditions. Now further suppose that this bug was (perhaps unintentionally) eliminated in the v2.2 source code, from which a subsequent executable was created and installed at the factory into millions more cars with the same model names--and also as an upgrade into some of the original one million cars as they visited dealers for scheduled maintenance. In this scenario, an examination of the v2.2 source code proves nothing about the safety of the hundreds of thousands of cars still with v2.1 under the hood.
Gaining access to the entire version control repository containing all of the past versions of a company's firmware source code through discovery may be out of the question. For example, a judge in a source-code copyright and trade secrets case I consulted in would only allow the plaintiff to choose one calendar date and to then receive a snapshot of the defendant's source code from that specific date. If the plaintiff was lucky it would find evidence of their proprietary code in that specific snapshot. But the observed absence of their proprietary code from that one specific snapshot doesn't prove the alleged theft didn't happen earlier or later in time.
There are some problems with examination of an entire version control repository. It may be difficult to make sense of the repository's structure. Or, if the structure can be understood, it might take many times as long to perform a thorough review of the major and minor versions of the various source code files as it would to just review one snapshot in time. At first glance, many of those files would appear the same or similar in every version--but subtle differences could be important to making a case. To really be productive with that volume of code, it may be necessary to obtain a chronological schedule provided by a bug list or other production documents describing the source code at various points in time.
Remember the hardware
Embedded software is always written with the hardware platform in mind and should be reviewed in the same manner. For example, it's only possible to properly reverse engineer or disassemble an executable program once the specific microprocessor (such as Pentium, PowerPC, or ARM) is known. But knowing the processor is just the beginning, because the hardware and software are intertwined in complex ways in such embedded systems.
Only one or more features of the hardware are enabled or active when the hardware is in a particular configuration. For instance, consider an embedded system with a network interface, such as an Ethernet jack that is only powered when a cable is mechanically inserted. Some or all of the software required to send and receive messages over this network may be not be executed until a cable is inserted. A proper analysis of the software needs to keep hardware-software interactions like this in perspective. Ideally, testing of the firmware should be done on the hardware as configured in exemplars of the units at issue--so it is useful to ask for hardware during discovery, if you are not able to acquire exemplars in other ways. It's not clear from the redacted reports if NHTSA's testing of certain Toyota Camrys was done using the same firmware version on exactly the same hardware as the owners who experienced unintended acceleration. Hardware interactions can be one of the most important considerations of all when analyzing embedded software.
Sometimes a bug is not visible in the software itself. Such a bug may result from a combination of hardware and software behaviors or multiprocessor interactions. For example, one motor-control system I'm familiar with had a dangerous race condition. The bug, though, was the result of an unforeseen mismatch between the hardware reaction time and the software reaction time around a sequence of commands to the motor.
Additional analysis required
As you can see, the review of embedded software can be complicated. This is partly because the hardware of each embedded system is unique. In addition, the system as a whole generally involves complex interactions between hardware, software, and user. An expert in embedded software should typically have a degree in electrical engineering, computer engineering, or computer science plus years of relevant experience designing embedded systems and programming in the relevant language(s).
The five best practices I've presented here are meant to establish the critical importance of making certain specific requests early in the legal discovery process. They are by no means the only types of analysis that should be performed on the source code. For example, in any case involving the quality or reliability of embedded software, the source code should be tested via static-analysis tools. This and other types of technical analysis should be well understood by any expert witness or litigation consultant with the proper background.
In the case of Toyota's unintended acceleration issues, I hope that expert review in the class-action litigation against Toyota will include these and other additional types of analysis to identify all of the potential causes and determine if embedded software played any role. Though government funds for analysis by NASA are understandably limited, it's suggested that transportation safety organizations, such as NHTSA, should establish rules that ensure that future investigations are more thorough and that safety-related technical findings in litigation cannot be hidden behind the veil of secrecy of a settlement agreement.
Michael Barr is the author of three books and over fifty articles about embedded systems design, as well as a former editor-in-chief of this magazine. Michael is also a popular speaker at the Embedded Systems Conference, a former adjunct professor at the University of Maryland, and the president of Netrino. He has assisted in the design and implementation of products ranging from safety-critical medical devices to satellite TV receivers. You can reach him via e-mail at mbarr@netrino.com or read more of what he has to say at his blog (www.embeddedgurus.net/barr-code).
|
|
|
|
|
Navigate to related information
cdhmanning
10/27/2011 3:21 PM EDT
From what I read in the reports, I think the NASA team did a pretty thorough job.
What made the most interesting reading was the psychology of the case. Many of the reports only came in once it hit the media.
There are multiple UA reports across many diferent vehicles. Toyota only represents a fraction of those. Many of the UA reports are at least somewhat bogus. For example gear downs might seem to be acceleration when they are not.
Sign in to Reply
dwhite
10/27/2011 4:47 PM EDT
The most troubling part of the NHTSA/NASA findings is that the extreme complexity prevents conclusively proving that the firmware isn't to blame.
How can you possibly have confidence in your test results in a system this complex
I would be ashamed to disclose such a complex design for a safety critical system such as this.
But, maybe I should consider this as a strategy against possible future lawsuits...bury the investigators with so much code that its too expensive for them to find the bug(s).
Sign in to Reply
cdhmanning
10/29/2011 5:54 PM EDT
I too was struck by the complexity. It seemed a vast amount of code to perform what is fundamentally a relatively simple function.
However the code has to also cope with an amazingly complex set of potential failures and still provide "limp home" modes.
As an example, my car recently had a problem with its Mass Air Flow (MAF) sensor due to a service mechanic allowing a bunch of twigs and dead bees to get into the sensor. So how did the system know the MAF sensor was problematic? The code models MAF using other variables and if the model and sensor get to be out of whack by more than some % the sensor is no longer used and the modelled value is substituted.
That sort of modelling and verification is performed for all the sensors. This adds quite a bit of complexity that you would not expect at first glance.
Perhaps part of the complexity arises from using a single CPU for too many functions or trying to automate too many things.
Sign in to Reply
Luis Sanchez
10/29/2011 11:54 PM EDT
I´m a little surprised with this article. The reason is because I find that all your advice Michael is sound and logical and I would be surprised to hear that the NASA experts didn´t consider the mentioned practices. The explanation behind this ought to be the protection of Intellectual Property and company secrets. But also, I would expect that if a company is being accused of responsability in failures of their products then the company should be obligated to disclose their methods practices and records.
Nevertherless, thanks for sharing your years of experience and expertise Michael, great article!
Sign in to Reply
ReneCardenas
10/31/2011 3:13 PM EDT
I agree with the spirit of this note: transparency is critical, but it was not clear from all writings and reports that released to the media, that anything was off-limits or not explored.
Sign in to Reply
PWong
11/3/2011 12:53 PM EDT
Unintended acceleration made headlines due to sensational high speed. But overly loose Prius braking on rough roads should be given equal treatment. It can also kill a pedestrian. I suspect the firmware here also.
Sign in to Reply
Code Monkey
11/3/2011 2:49 PM EDT
Toyota could have nipped the problem in the bud. With the benefit of hindsight, a data log kept in cheap SPI flash and downloadable from the OBDII port would have saved them a fortune. The first customer that reported unintended acceleration might have been believed instead of dismissed as either crazy or stupid.
Sign in to Reply
eembedded_janitor
11/3/2011 6:11 PM EDT
I agree fully. Logging is a really useful way of either debugging problems or proving "operator error".
It is quite clear that many of the Toyota UA reports were bogus. Once it hit the media, people became sensitized and reported UAs which were actually due to gear shifting or the aircon kicking in at low speeds.
UAs are an ongoing part of all vehicle problem reporting. At the peak of the Toyota UA crisis/hysteria, Toyota only accounted for a third of the UA reports.
Sign in to Reply
dwhite
11/8/2011 9:56 AM EST
Logging is very helpful in these situations but not 100% proof. If the log shows that the accelerator was at 100%, does that mean the driver had his foot to the floor or could it still be a bad sensor, ADC input or data overwrite? The most probable explanation is driver error but the data log is not conclusive in all cases.
Sign in to Reply
cdhmanning
11/10/2011 8:39 PM EST
As the Toyotas use two channels to sample the accelerator (one going up and the other down) and verifies them against eachother it would be extremely unlikely that both sensors would fail perfectly together.
Sign in to Reply
NeznanovicN
11/3/2011 4:09 PM EDT
NASA failed to do the most important thing of all: test the bloody firmware on the target under the conditions as close to the real conditions as possible. Instead, they inspected the code using MODELS (“Software Logic Model Checking”, “Software Analysis Using MATLAB Models”). They analyzed the SOURCE code instead of the actual running code. Was it beneath them to attach the JTAG debugger to the ECU and drive the car around trying to recreate the failure conditions?
Richard Feynman is probably spinning in his grave. This project clearly lacked his no-nonsense attitude.
Sign in to Reply
eembedded_janitor
11/3/2011 6:16 PM EDT
Did you actually read the reports? I did. They make interesting reading.
If so you'd see that they did do in-vehicle tests, including vehicles that has reported issues, as well as other bench testing of the electronics with various nobbled sensors to inject faults.
They certainly did far more than just look at the source.
They even had psychologists on the team to try understand the "wetware" better.
Sign in to Reply
NeznanovicN
11/7/2011 1:21 PM EST
Did you actually ready my comment? What I said is they did not attach a debugger to the ECU during their tests.
They indeed do needed psychologists on the team. Not to understand the "wetware" of the driver, but the wetware of a NASA engineer who prefers modeling to real world debugging.
Sign in to Reply
dwhite
11/8/2011 10:01 AM EST
If they can't replicate the problem without the debugger, there is no point in connecting one. Connecting the debugger could cause other side-effects that could mask or induce errors, too.
The real problem is that, if there is a bug, it is too infrequent to catch. How many thousands of hours should they run with JTAG on before they declare it "good"?
Sign in to Reply
rogerrobie68
11/4/2011 4:27 PM EDT
good comment
Sign in to Reply
W1PK
11/7/2011 5:28 PM EST
Having worked on safety-critical products where a complete failure mode effects analysis was a regulatory requirement, I'm very sensitive to the lesson of Murphy's Law. If you can't afford to have something go wrong, you have to remove all opportunity for it to go wrong, and then prove conclusively that you have done so.
IMO, giving a computer the physical means to open a vehicle's throttle without the driver's real-time consent is just plain nuts. Same for interfering with braking, or with steering. That's why my last pickup didn't have power steering, power brakes, or cruise control. Yes, I know large commercial aircraft these days are operated by fly-by-wire, but those systems are subject to the requirements of DO-178 and DO-254, which basically amount to delivering a documented formal proof that there are no hazardous bugs or catastophic failure modes in either the software or the hardware it runs on. While that can be, and is, done in the real world, it's very, very slow and expensive, and once through the certification process, revisions are pretty much unaffordable. A relentless obsession with simplicity is pretty much essential to make the process affordable at all.
I'd have a lot more confidence in the automobile industry if they had gimlet-eyed FAA inspectors going through their documentation package and development history line by line, and publishing everything for open peer review.
As it is, since I couldn't get a new truck last year without computer intervention in practically everything, the first thing I did on my test drive was turn off the key while moving at 15 mph, to prove that I could force a total electrical shutdown in under a second, and then steer and brake successfully.
Sign in to Reply
dan6791
11/8/2011 4:34 PM EST
Having years of experience with safety critical systems, I noticed how expensive and difficult they are to build and prove for safety.
The real safety critical systems are built 2oo2 or 2oo3. In the vehicles they are always 1oo1. This is not really 'safe'
Sign in to Reply
Randall
11/10/2011 7:01 PM EST
Lots of good comments. I'll add only that:
1) Until you have replicated the actual failed build exactly (or adequately explained each and every bit that is different), you have no idea if you are even looking at the right code. From the limited amount of the NASA report that I read, it seemed that Toyota's software development was not particularly rigorous (why run the analysis tools if you are going to ignore the reported defects). And it's all too easy to slip up with configuration control, either accidentally or deliberately.
2) Firmware bugs are not always found in the source code. Compilers are software too, and hence there is always one more bug. The build in question may have been the only build that tripped that particular bug. Years ago I found one that only manifested if the target of a switch statement was exactly +128 bytes away from the generated test instruction. The compiler chose an 8-bit signed offset when it should have used a 16-bit.
Sign in to Reply
cdhmanning
11/10/2011 8:41 PM EST
Correct. The code is only a small part of the equation. There are silicon issues too - particularly since they don't use an off-the-shelf CPU.
Sign in to Reply
NeznanovicN
11/12/2011 11:54 AM EST
The point of using the debugger IS to examine the SUT under the conditions as close to the real conditions as possible. Smart use of the debugger can minimize the affect on the SUT. Whomever tried to reverse engineer software statically knows that it is practically impossible on all except the simplest of systems. Without the ability to dump variables, memory, registers, follow the code path, you are driving blind. No amount of modelling can give you these details. Even if the problem is not reproduced this will at least give you the true picture of the system behaviour.
Any kind of modelling is inherently miles apart from the real system. Trying to debug without a debugger is simply irresponsible, given that the cost is measured in human lives.
Sign in to Reply
dbl
11/14/2011 8:38 AM EST
From the document http://www.nhtsa.gov/staticfiles/nvs/pdf/NASA-UA_report.pdf on page 14
I was particularly impressed with the claim that UAs are rare events.
"The NESC team extensively studied the NHTSA VOQ dataset. Reported UAs are rare events. Typically, the reporting of UAs is about 1/100,000 vehicles / year or 1 in 1.4 billion miles. Of 426,911 total VOQ reports NHTSA received from calendar years 2000 to 2010 for all vehicle makes and models, there were 9698 identified as UA events based on expert review and analysis. Of these, 3,054 were for TMC vehicles"
1 per 100000 vehicles per year, with 426911 total events. It would have been nice if they reported the number of events per vehicle, as 426911 such events seems to imply a vehicle base of 42,691,100,000. In excess of 42 Trillion. A quantity much greater than the number of human beings currently living.
I really would like to believe this is a tyographic error.
Sign in to Reply
dwhite
12/1/2011 10:02 AM EST
The total of 426,911 was for a ten year period and only 9698 of them are UA events. So, this results in a rate of UA events around 969.8 per year. This suggests a vehicle base of around 96.9 million vehicles which sounds more reasonable.
Sign in to Reply
ReneCardenas
12/31/2011 8:26 PM EST
Lots of assumptions here, that make the statistical value more suspect.
Sign in to Reply
sharps_eng
2/5/2012 6:45 PM EST
Adopting a common vehicle hardware and software 'platform+kernel' that is certified and utilized across the industry seems the only rational way to proceed. Some such kernels are available today. It would at least be a start and effort could then concentrate on any special drivers and the application code. Programmers across the industry would become familiar with the system with the result that more common-sense would be applied to designs.
The effort would be finite. The benefits for saved lives - infinite.
Cost savings to car manufacturers - inestimable.
The only losers would be lawyers, which is why it won't happen unless drivers demand it and politicians support it.
Not the whole solution, but a step in the right direction.
Sign in to Reply