Toyota Case: Vehicle Testing Confirms Fatal Flaws

10/31/2013 06:15 PM EDT
Peter.Ting (User Rank: Rookie)
Simple solution
Peter.Ting   11/1/2013 4:08:54 PM
Remove the steering wheel lock when the engine is shut off. And make sure the key switch is not just another input to the MPU.

junko.yoshida (User Rank: Blogger)
Re: Petrochemical standards in 1980
junko.yoshida   11/1/2013 4:20:07 PM
@Winderer. Agreed. In the Toyota case, what I understood from Michael Barr is:

Toyota's engineers sought to protect numerous variables against software- and hardware-caused corruptions (for example, by "mirroring" their contents in a 2nd location), but they failed to mirror several key critical variables.
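To make the "mirroring" idea concrete, here is an added example (not code from the thread, from Barr's analysis, or from Toyota): a critical 16-bit variable kept in two locations, the second as the bitwise complement, so that a single corrupted bit in either copy is detected on read and the caller can refuse to act on the value. The complement variant and all names (mirrored_u16, mirrored_read, inject_bit_flip) are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stdbool.h>

/* Hypothetical mirrored critical variable: value and its complement.
 * If the pair is intact, value ^ mirror == 0xFFFF. */
typedef struct {
    volatile uint16_t value;
    volatile uint16_t mirror;   /* always == ~value when intact */
} mirrored_u16;

/* Write both copies so the pair is consistent after the call. */
void mirrored_write(mirrored_u16 *m, uint16_t v)
{
    m->value  = v;
    m->mirror = (uint16_t)~v;
}

/* Read with an integrity check. Returns true and stores the value when
 * the copies agree; returns false (and leaves *out untouched) when either
 * copy is corrupt, so the caller can fall back to a safe state. */
bool mirrored_read(const mirrored_u16 *m, uint16_t *out)
{
    uint16_t v  = m->value;
    uint16_t mv = m->mirror;
    if ((uint16_t)(v ^ mv) != 0xFFFFu) {
        return false;           /* mismatch: corruption detected */
    }
    *out = v;
    return true;
}

/* Simulate a single-bit upset: flip one bit in one copy of the pair.
 * copy == 0 targets the value, anything else targets the mirror. */
void inject_bit_flip(mirrored_u16 *m, int copy, unsigned bit)
{
    if (copy == 0) m->value  ^= (uint16_t)(1u << bit);
    else           m->mirror ^= (uint16_t)(1u << bit);
}

/* Demo helper: write v, flip one bit, report whether the read caught it. */
bool flip_is_detected(uint16_t v, int copy, unsigned bit)
{
    mirrored_u16 m;
    uint16_t got = 0;
    mirrored_write(&m, v);
    inject_bit_flip(&m, copy, bit);
    return !mirrored_read(&m, &got);
}
```

An unmirrored variable offers no such check: a flipped bit is simply read back as a valid value, which is the failure mode the comment describes.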

C Davis (User Rank: Rookie)
Metastability?
C Davis   11/1/2013 6:10:35 PM
One thing that Toyota should also do is check their hardware vendor's design for metastability. This could be the actual root cause of the bad input/bit flip. With so many cars on the road I would guess they would have a certain chance of this happening. This risk can be modeled very accurately. How to predict circuit behavior across all variations of process parameters, supply voltages, operating temperatures and the increasingly important effects of circuit aging is known. I think Blendics has the best one I've seen: http://www.blendics.com/index.php/blendics-products/metaace

Some of the bigger semiconductor companies have ad hoc programs, but nothing like this.

Some nice write-ups:

http://www.semiwiki.com/forum/content/2454-metastability-fatal-system-errors.html

http://www.semiwiki.com/forum/content/2494-your-synchronizer-doing-its-job-part-1.html

http://www.semiwiki.com/forum/content/2516-your-synchronizer-doing-its-job-part-2.html

http://www.semiwiki.com/forum/content/2620-metastability-starts-standard-cells.html

http://www.semiwiki.com/forum/content/2703-ten-ways-your-synchronizer-mtbf-may-wrong.html

I think that some of the cost likely should be borne by the HW companies, as I've rarely seen too much attention paid to this.

It would be good to interview Jerry Cox, the CEO of Blendics. He is a senior professor at WUSTL and also cofounded Growth Networks, which was acquired by Cisco. I would guess he is one of the top asynchronous experts in the world.

junko.yoshida (User Rank: Blogger)
Re: Petrochemical standards in 1980
junko.yoshida   11/1/2013 6:43:10 PM
Very interesting...

Some Guy (User Rank: CEO)
Re: Funky Code Access & Error Replication
Some Guy   11/1/2013 7:05:57 PM
As far as the funky arrangement they had to access the code, that seems like a pretty common practice when outsiders need access to see critical code (at least from a lawyer's perspective on IP / non-disclosure protection).

As far as the error replication, if you don't know the root cause you are only guessing at it, which makes replication a real bear. I'm not surprised that they were not able to reproduce it. The theory that they examined was that it was a Single-Bit-Error, which can have many causes. And without ECC, it was unmitigated. The system design just propagated the fault to a system failure which was an unsafe end state.

Of course, as any practitioner of Ford's 8D problem-solving can tell you, they really have 3 errors. In addition to the unmitigated single-bit-error, they also have a test / validation process that failed to find it. And, third, they have a design process that failed to prevent it happening in the first place. The lawsuit will really only address the first error; it's incumbent on Toyota to address the second two. (And in my experience, Japanese companies tend to go after all three as a matter of course.)

TonyTib (User Rank: CEO)
Re: Petrochemical standards in 1980
TonyTib   11/1/2013 7:06:19 PM
Some data points from an industrial viewpoint:

I'm not a safety expert, but I've had to deal with some safety issues, especially SEMI S2.

The SEMI S2 safety standard requires an EMO button that turns off all power, except that required for safety and logging systems. The EMO circuit has to be entirely electrical: NO SOFTWARE! Even Safety PLCs don't qualify. There's a lot to like about that approach.

On the other hand, my impression (I could be wrong here) is that the newer European safety standards are going away from this approach (for example allowing STO - safe torque off - and networked safety), and are allowing software into the loop, as long as it meets the appropriate SIL level standards, which are development process oriented.  I'm a process skeptic.

To give an idea of how industrial safety can be done, the Banner Micro-Screen light curtains used dual MCUs with different architectures and software ("diverse redundant").  When you're using a light curtain to guard something like a hydraulic press that can crush somebody, this type of approach is crucial.

SPLatMan (User Rank: Manager)
Re: You left out the most important error - no independent failsafe
SPLatMan   11/1/2013 8:24:42 PM
@Some Guy opined:

"I'll never buy a car that doesn't have a switch that is electrically in series with the rest of the system."

I heartily agree with your sentiment, but I fear you will be unable to buy a new car 3 years from now.

SPLatMan (User Rank: Manager)
Re: Simple solution
SPLatMan   11/1/2013 8:27:02 PM
Cars don't have key switches any more. They have keyless entry keys that cost hundreds of dollars to replace, and stop/start push buttons on the dash.

Some Guy (User Rank: CEO)
Re: You left out the most important error - no independent failsafe
Some Guy   11/1/2013 8:38:36 PM
I've got a pair of diagonal cutters. Won't stop me from adding an EMO to the circuit.

Just sayin'

DrQuine (User Rank: CEO)
A Radical Alternative?
DrQuine   11/1/2013 9:36:00 PM
I do a lot of business travel and experience many car models in my car rentals every three weeks. I've noticed that the pedal placement varies from model to model. Has anyone investigated the positioning of the brake and gas pedals with respect to the centerline of the driver's seat? It seems to me that some cars have the gas pedal where other cars would have placed the brake pedal (everything is shifted a little to the left). This could be a contributing factor - especially if the drivers in the accidents often drove other cars with the pedals in a different relative geometry to the driver's seat.
