Toyota Case: Inside Camry’s Electronic Control Module

10/30/2013 05:15 PM EDT
Is all hope lost?
Frank Eory   10/30/2013 6:48:34 PM
So to summarize, he seems to be saying:

1. Complex software always has bugs, even latent ones that might rarely if ever show up.

2. No matter how imaginative the team is, they will never be able to think of all those bugs. Some bugs and their consequences will simply never occur to the team members.

3. Safety critical systems should follow standards, but even if they do, random events can still activate latent software bugs and take out the fail safe systems designed to protect against those latent bugs.

Is all hope lost?

Re: Is all hope lost?
LarryM99   10/30/2013 8:12:10 PM
It is possible to reduce errors to effectively zero, but it is very hard. Complex will always be less reliable than simple, unless that complexity is focused on reliability (for example, overlapped and crosschecked operation of independent systems). The system (hardware and software) has to be independently verified, since developers have blind spots around their own work. The real issue is that it can't be rushed. Making reliability trump schedule would avoid many problems of this type, but especially recently that is a hard case for engineers to make to management.

Re: Is all hope lost?
rick merritt   10/31/2013 12:25:23 AM
@Larry: Agreed

Re: Is all hope lost?
vasanth kumar d   10/31/2013 1:26:12 AM
Is all hope lost?

Yes.

In fact, the right question must be "Do we really need to hope for anything?".

Because even if we could write perfect firmware that has zero bugs and failures, resulting in a perfect car, it ceases to be perfect once some other driver loses control of his vehicle and hits us. If so, the best answer, according to me, is not to hope for perfection. The only thing we can do is try to write better firmware that results in better systems than there were previously.

Re: Is all hope lost?
KB3001   10/31/2013 9:41:14 AM
There is no perfect world; all we can do is make it better and better over time. Complexity is a problem, yes, but modular/reuse-based design, agile software development, and continuous improvement can reduce the risk of bugs dramatically.

Re: Is all hope lost?
Jason Cove   10/31/2013 9:44:22 AM
Exactly. There are no perfect things in this world, and even the leading and the finest can make mistakes; the important thing is that they do their best to resolve them. - Aldo Disorbo

Re: Is all hope lost?
C VanDorne   10/31/2013 2:40:47 PM
Frankly, I like this take. (Sorry, I couldn't resist.) Anyway, I'm with you, Frank. For me, his argument had a very philosophical feel to it. In other words, as I was reading the exchange I wasn't questioning the limits of Toyota's capabilities, I was questioning the limits of human capabilities. And this time the laws of probability just happen not to be on Toyota's side.

Of course, mitigating that argument is the fact that no other manufacturer's vehicles have failed in this way. But it still felt too philosophical to me. If I were a juror, I would have needed some serious convincing beyond this.

Re: Is all hope lost?
Antony Anderson   10/31/2013 4:07:21 PM
"no other manufacturer's vehicles have failed in this way"

Anyone interested in seeing the range of manufacturers that have had SA problems should go to my website and explore:

http://www.antony-anderson.com/Cruise/9.5-links.html

Ford currently has a major sudden acceleration class action going on.

Re: Is all hope lost?
junko.yoshida   10/31/2013 4:21:16 PM
It's sobering to hear how our readers -- design engineers of all stripes -- are responding to the Toyota case. Indeed, after all is said and done, it could make many feel as though the odds are against them, especially at a time when there is NO bug-free software out there. It's a matter of probability, as Frank says.

But I don't think we should get ahead of ourselves. According to Barr's testimony, there are a number of steps Toyota engineers missed or just didn't take into consideration in developing their software and designing the architecture for their electronic control module. It wasn't just one; there were several contributing factors here that had a cascading effect on the unintended acceleration.

And by the way, those "factors" weren't caused by just bad luck.

So, let's not jump to a conclusion that all hope is lost.

Re: Is all hope lost?
Frank Eory   10/31/2013 4:58:18 PM
"According to Barr's testimony, there are a number of steps Toyota engineers missed or just didn't take into consideration in developing their software and designing the architecture for their electronic control module."

Perhaps this was the essential focus of Barr's testimony (I have not read all of it), but what concerns me is the more philosophical testimony that seems to suggest that even *if* Toyota engineers had not missed those steps, and had been much more thorough in their hardware & software design and testing -- in other words, even if they had a much more perfect hardware & software system -- that a critical safety failure could still occur -- with the implication that the manufacturer would still be responsible.

Re: Is all hope lost?
Bert22306   10/31/2013 6:22:47 PM
"It's sobering to hear how our readers -- design engineers of all stripes -- are responding to the Toyota case. Indeed, after all is said and done, it could make many feel as though the odds are against them, especially at a time when there is NO bug-free software out there. It's a matter of probability, as Frank says."

Whoa. Wait one. It's nothing new to engineering design that "it's all a matter of probabilities," Junko. I very much doubt that Frank, or I for that matter, ever intended to make that sound hopeless or otherwise negative. It's just a fact of life, always has been, and possibly many non-engineers don't appreciate that fact.

I took Frank's comment "is all hope lost" to be sarcastic, or maybe sardonic, if anything.

As others have commented, it's no doubt true that the designer is often blind to faults in his design. Just as a writer often keeps overlooking his spelling errors. That's why it takes peer review to get complicated things done right.

From what I've read, if all we've read is factual, such a peer review appears to have been hurried, maybe, at Toyota. Maybe. Controls with safeguards, fail-safes, proper redundancy, voting, and so forth, can be designed, are being designed, and will beat the safety records of anything manual hands down.

Re: Is all hope lost?
Frank Eory   10/31/2013 6:45:18 PM
Neither sarcastic nor sardonic -- just concerned about the implications for future design of critical safety systems. I do not accept the premise that "all software must contain bugs" nor the premise that critical values stored in hardware cannot be adequately protected with combinations of mirroring, EDAC or majority voting.

Since we are (and always were) dealing in probabilities, how low is low enough when it comes to the probability of failure? How do we define "adequately protected" hardware and "bug-free" software? Yes, there are standards, but they deal in probabilities, not absolutes. No one can ever guarantee that failure is impossible.

Even when the probabilities are extremely low, the enormous number of opportunities (3 trillion miles driven per year just in N. America) means that someday, somewhere, a failure might manifest itself. If the implications of this expert testimony and this verdict are that in such an event, the manufacturer will be responsible, that is troubling.
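
One way to implement the protection Frank refers to, as an added example that is not code from the thread, from Toyota, or from Barr's testimony: each critical value is stored three times, each copy is mirrored by its bitwise complement, and every read goes through a majority vote. All names (critical_u16, crit_store, crit_load, throttle_target) are hypothetical, and the target value and corrupted-copy values in main are constructed for the demonstration.

```c
/* Added example (not code from the thread, from Toyota, or from Barr's
 * testimony): protecting a safety-critical RAM variable against bit flips
 * with mirroring plus majority voting. All names are hypothetical. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define COPIES 3

/* Three copies of the value; each copy is mirrored by its bitwise
 * complement so a corrupted copy can be recognised on its own. */
typedef struct {
    uint16_t val[COPIES];
    uint16_t inv[COPIES];   /* equals ~val[i] while the copy is intact */
} critical_u16;

void crit_store(critical_u16 *c, uint16_t v)
{
    for (size_t i = 0; i < COPIES; i++) {
        c->val[i] = v;
        c->inv[i] = (uint16_t)~v;
    }
}

/* Majority read. Copies whose mirror disagrees with them are discarded,
 * then a value is accepted only if at least two surviving copies agree.
 * Returns false when there is no majority; the caller must fail safe. */
bool crit_load(const critical_u16 *c, uint16_t *out)
{
    uint16_t good[COPIES];
    size_t n = 0;
    for (size_t i = 0; i < COPIES; i++) {
        if (c->inv[i] == (uint16_t)~c->val[i]) {
            good[n++] = c->val[i];
        }
    }
    for (size_t i = 0; i < n; i++) {
        for (size_t j = i + 1; j < n; j++) {
            if (good[i] == good[j]) {
                *out = good[i];
                return true;
            }
        }
    }
    return false;
}

/* A fail-safe consumer: if the stored throttle target cannot be trusted,
 * command a closed throttle (0) and raise a fault flag instead of acting
 * on a possibly corrupted value. */
uint16_t throttle_target(const critical_u16 *c, bool *fault)
{
    uint16_t v;
    if (crit_load(c, &v)) {
        *fault = false;
        return v;
    }
    *fault = true;
    return 0;
}

int main(void)
{
    critical_u16 target;
    bool fault;
    crit_store(&target, 0x1234);   /* constructed target value */

    /* Simulated single-event upset: one bit flips in one copy. The mirror
     * check rejects that copy and the other two still agree. */
    target.val[1] ^= 0x0004;
    printf("after one bit flip: 0x%04x fault=%d\n",
           (unsigned)throttle_target(&target, &fault), fault);

    /* Simulated corruption of the two remaining copies to different values
     * (mirrors corrupted consistently, so only the vote can catch it). */
    target.val[0] ^= 0x0100; target.inv[0] ^= 0x0100;
    target.val[2] ^= 0x0200; target.inv[2] ^= 0x0200;
    printf("after two bad copies: 0x%04x fault=%d\n",
           (unsigned)throttle_target(&target, &fault), fault);
    return 0;
}
```

The mirror check catches a copy hit by a single bit flip before it can take part in the vote; the vote catches the rarer case of a copy corrupted consistently with its mirror. When no two copies agree the reader refuses to return a value at all, so the consumer takes its fail-safe path (here a closed throttle and a fault flag) rather than acting on a number it cannot trust.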

Re: Is all hope lost?
Bert22306   10/31/2013 7:05:41 PM
"Even when the probabilities are extremely low, the enormous number of opportunities (3 trillion miles driven per year just in N. America) means that someday, somewhere, a failure might manifest itself."

True. In my unintended valve cycling case, we were sending commands, to many such valves, each set of valves on many different platforms, at something like 10 Hz. That's 24 hours a day, 365 days a year. So it's also a case of many, many opportunities for a failure.

With the valve controllers in question, which operated in such a way that a single discrete "open" command would cause the valve to cycle full open before the series of corrected "closed" commands could close it again, the initial error checking resulted in one likely fault every two weeks, per platform. Verified in real life. So my initial goal was to make the MTBF 35 years, the life of the platform, as an initial goal. And then we got something closer to 10s of Kyears, when the new error checking technique was finalized.

In this Toyota case, there is the advantage that a human driver is there to take over. It looks in the last testimony like the brakes actually did work throughout the problem period. What did not work is that braking didn't cut power. This is already a better situation than what I had thought at first.
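
Bert's post does not describe the error-checking technique that raised the valve-control MTBF, so the following is an added example of one generic approach rather than his scheme: a persistence filter that forwards a discrete command to the actuator only once it has been seen on a set number of consecutive samples, so a single spurious "open" sample cannot cycle the valve. The names (cmd_filter, filter_push, count_transitions), the threshold of three samples, and the sample streams in main are all assumptions constructed for the demonstration.

```c
/* Added example of a generic persistence filter, not the scheme from
 * Bert22306's post (which does not describe its error checking). A discrete
 * actuator command is forwarded only after it has been seen on a set number
 * of consecutive samples, so one spurious sample cannot cycle the valve.
 * Names and the threshold are assumptions. */
#include <stddef.h>
#include <stdio.h>

typedef enum { CMD_CLOSE = 0, CMD_OPEN = 1 } valve_cmd;

typedef struct {
    valve_cmd output;      /* what the actuator is currently told to do */
    valve_cmd candidate;   /* latest sample that differs from output */
    unsigned run;          /* consecutive samples agreeing with candidate */
    unsigned threshold;    /* samples required before output may change */
} cmd_filter;

void filter_init(cmd_filter *f, valve_cmd initial, unsigned threshold)
{
    f->output = initial;
    f->candidate = initial;
    f->run = 0;
    f->threshold = threshold;
}

/* Feed one sample (for example every 100 ms at a 10 Hz command rate) and
 * return the command the actuator should act on now. */
valve_cmd filter_push(cmd_filter *f, valve_cmd sample)
{
    if (sample == f->output) {
        /* A sample agreeing with the current output breaks any pending run. */
        f->run = 0;
        f->candidate = f->output;
        return f->output;
    }
    if (sample == f->candidate) {
        f->run++;
    } else {
        f->candidate = sample;
        f->run = 1;
    }
    if (f->run >= f->threshold) {
        f->output = sample;
        f->run = 0;
    }
    return f->output;
}

/* Run a whole sample stream through a fresh filter (starting closed) and
 * return how many times the actuator output changed. */
unsigned count_transitions(const valve_cmd *samples, size_t n, unsigned threshold)
{
    cmd_filter f;
    valve_cmd prev = CMD_CLOSE;
    unsigned changes = 0;
    filter_init(&f, CMD_CLOSE, threshold);
    for (size_t i = 0; i < n; i++) {
        valve_cmd out = filter_push(&f, samples[i]);
        if (out != prev) {
            changes++;
        }
        prev = out;
    }
    return changes;
}

int main(void)
{
    /* Constructed streams: one spurious "open" among closes, and a genuine
     * open command held for three samples before closing again. */
    const valve_cmd glitch[] = {CMD_CLOSE, CMD_CLOSE, CMD_OPEN,
                                CMD_CLOSE, CMD_CLOSE, CMD_CLOSE};
    const valve_cmd genuine[] = {CMD_CLOSE, CMD_OPEN, CMD_OPEN, CMD_OPEN,
                                 CMD_CLOSE, CMD_CLOSE, CMD_CLOSE};
    size_t ng = sizeof glitch / sizeof glitch[0];
    size_t nr = sizeof genuine / sizeof genuine[0];

    printf("glitch, threshold 1 (no filtering): %u actuator changes\n",
           count_transitions(glitch, ng, 1));
    printf("glitch, threshold 3: %u actuator changes\n",
           count_transitions(glitch, ng, 3));
    printf("genuine command, threshold 3: %u actuator changes\n",
           count_transitions(genuine, nr, 3));
    return 0;
}
```

At a 10 Hz command rate a threshold of three samples delays a genuine command by up to 300 ms; that latency is the price of rejecting single-sample glitches, and the threshold has to be chosen against how quickly the actuator genuinely needs to respond. count_transitions runs a whole stream through the filter and returns how many times the actuator output changed, so the effect of one glitch with and without filtering (two spurious valve movements versus none) can be compared directly.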

Re: Is all hope lost?
Frank Eory   10/31/2013 7:16:15 PM
It's interesting how MTBFs always sound better than failure probabilities. 10s of Kyears gives more of a warm, fuzzy feeling than 10 to the minus some number.

If you've ever dealt with resynchronizers in digital logic when crossing an asynchronous boundary, the probabilities get very low very quickly -- and the MTBFs grow exponentially. It doesn't take very many flip-flops to ensure that the MTBF of a resynchronizer failure (a metastable condition) is greater than the known age of the universe.

If only we could achieve those kinds of MTBFs in everything, then everyone would sleep a lot more soundly :)

software for self-driving
cd2012   10/31/2013 7:45:46 AM
On a tangent, seeing how difficult it is to write flawless software for an ECU, is there any hope of writing good software for a self-driving car, which is an immensely more difficult problem?

Re: software for self-driving
Bert22306   10/31/2013 3:34:29 PM
"On a tangent, seeing how difficult it is to write flawless software for an ECU, is there any hope of writing good software for a self-driving car, which is an immensely more difficult problem?"

Really? How is self-driving immensely more difficult, if barely competent humans can manage it, while even expert humans couldn't begin to master what these engine controls are doing? Remember that the reason for the electronic engine controls, including electronic fuel injection, is not that the automakers wanted to pile on glitzy electronics for better sales. They were pretty much mandated by the stringent pollution control and fuel economy requirements. Catalytic converters cannot survive with carburetors, much less sloppy, incompetent human manual controls.

Not sure why so many people believe that driving a car is the most difficult thing imaginable.

Re: software for self-driving
Steam Kid   11/1/2013 6:32:09 AM
@Bert22306. The complexity is in the decisions, not in the speed. The environment of an engine control system is stable, i.e. from day to day it does not vary, but it does occur at high speed, needing millisecond decisions to meet modern environmental requirements. Self-driving requirements are slower, fractional-second, but filled with data, i.e. is that a vehicle? Will it cross my path as I am travelling now? Will it cross my path on my intended change of path? Will a second, third, fourth vehicle cross his or my path and cause an incident? All of this before you even make a decision to continue as currently or change your speed or direction.

Re: software for self-driving
Bert22306   11/1/2013 3:41:29 PM
"The complexity is in the decisions, not in the speed. The environment of an engine control system is stable, i.e. from day to day it does not vary, but it does occur at high speed, needing millisecond decisions to meet modern environmental requirements."

That's just it. If it were stable as you say, the control could be managed manually. But it's far from stable, and the variables it needs to adjust to are way too many for a human to keep track of.

Think of the combination of ambient temperature, air pressure, engine temperature, power demand, engine revs, intake vacuum, impending detonation, oxygen in the exhaust, and on and on. The engine control system is managing a host of variables constantly, very much the same sort of thing a driver has to do. Only the engine management system does this consistently, accurately, without being distracted by conversations, texting, mental fog, panic attacks, drug abuse, or just plain stupidity.

Re: software for self-driving
Steam Kid   11/4/2013 4:30:59 AM
@Bert22306 @grg9999. Sorry Bert, you seem to think I was commenting on the ECU complexity whereas I was replying to your comment that driving is easy. The post by grg9999 is similar to what I was thinking, in that anticipation cannot be computed. Humans are prepared to accept a less optimal solution to avoid a potential poor or disastrous situation.

When automobiles were first built the driver was also the engine ECU, with various levers to move to keep the engine running as well as driving; then mechanical systems took that over. As environmental concerns arose, ECUs have come to the fore, but even then they are far from perfect. I recently had a car that during the night would decide to open the windows, initially part way then fully, even when it had been raining! And I was told that there was no problem, but got a recall a year later for a software upgrade.

Re: software for self-driving
Bert22306   11/4/2013 3:45:48 PM
Sorry, Steam Kid, but my description of what the ECU is doing was meant to show that it's taking into account all manner of variables and acting on them constantly. That's what drivers do when they drive a car, but they often make huge mistakes, are slow at reacting, or freeze at the wrong time.

No question that this will take some new communications schemes, between cars and between the roadway and cars. And sensors on cars too.

Driving is just not as phenomenal a chore as some seem to think.

"I recently had a car that during the night would decide to open the windows, initially part way then fully, even when it had been raining! And I was told that there was no problem, but got a recall a year later for a software upgrade."

There you go. A software upgrade fixed the problem. Instead, if you get hit by some moron who was too busy texting, a software upgrade won't prevent that from happening again.

Re: software for self-driving
grg9999   11/3/2013 8:32:50 AM
"Not sure why so many people believe that driving a car is the most difficult thing imaginable."

Think. You probably avoided several accidents just this week by using your brain in ways a computer never can. Here are a couple of instances just from my driving last week:

(1) I see a dump truck on the cross-street approaching the intersection where we will collide if they don't stop. I notice that the back of the truck is heaping overfull with dirt. I also notice that the truck is REALLY old. I also hear the truck brakes making a not-so-good sound. I also see the driver's face, which is very alarmed. So I stop even though I have the green. A computer would not have noticed ANY of those details and I would now be dead.

(2) I get on 694 where there is road construction, narrowing the 4 lanes down to 2. The old lady in front of me gets confused by this and barrels on and scatters orange cones all over, and she drives about 500 feet into the construction zone before her front wheels shear off in a 2-foot deep hole cut into the concrete. Now why would my computer-driven car not follow her?

(3) It's the time of the month when folks are apartment-moving. Two guys have strapped a box spring to the roof of their car, with what looks like fishing line. I back off and change lanes. 20 seconds later, the box spring and mattress go flying. A computer would not have noticed nor concluded that things were likely to go wrong, and I might not be dead, but would have had a comical driving experience with a mattress on the windshield. Good times!

(4) I'm driving in a part of town with lots of drinking establishments, at 2AM. A part of town where there are a lot of 1-way streets, merging at 45-degree angles, sometimes with 3 lanes across, narrowing to two between intersections. I see drivers making U-turns and barely making it. I slow down and use a lot of extra caution. Aha, here's a guy going the wrong way on a 1-way street. A computer would not make these value judgements and might get me into trouble.

(5) A plastic bag floats across the road ahead of me. I can tell by knowing the wind speed and the way the bag is moving that it's an empty bag. To a computer's radar or laser or ultrasonic sensors, it would look just the same size as something to be stopped for, like a cement block or a baby. There is no way for a computer to judge, oh, yeah, that's an empty #2 bag from Target. A computer would have to decide whether to proceed over the obstacle or slam on the brakes. Slamming on the brakes during rush hour would get me badly rear-ended, all due to a plastic bag on the road.

(6) Again on 694, an aluminum step-ladder fell off a truck. It happened to land directly on the lane-dividing dashed lines and only about 5 degrees canted. I was able to identify the object, its position, and decide to proceed without swerving, all in under a second. I doubt a computer could do anything other than sense "small object, do something?"

(7) Now on second thought, that ladder was mostly orange; could that have been a mostly-fiberglass ladder? Would car radar have picked up anything? How do ultrasonics bounce off fiberglass? What if the ladder had been fiberglass, had landed on its side, not exposing much reflective area? Hmmmmm......

See, lots of situations we see and handle every week. Situations where a computer would not have a clue what was happening or what to do.

Re: software for self-driving
Bert22306   11/4/2013 3:37:27 PM
1. Autonomous driving has to rely on V2V as well as V2I communications. The intentions of the dump truck, as well as its mechanical health, are part of V2V. Much more reliable than something a human driver "thinks" he notices.

2. Construction zones and lane merging are part of V2I. Way more reliable than what some "old lady" in front of you may or may not decide to do.

3. Optical sensors on cars, another necessary ingredient, can detect odd motions in the vehicle in front a lot better than some idiot who is busy texting on his cell phone.

4. Obviously, drunk drivers are part of the reason you want self driving cars. Initially, in the driver assist-only mode, where a mix of human and autonomously driven vehicles share the same roads, the solution won't be as good. Mostly, in this intermediate phase, you'll have V2V comms warning that the other guy is doing unpredictable things.

5. Vision algorithms can *easily* tell apart a floating plastic bag from a brick. And if a floating plastic bag gets stuck on your windshield, it wouldn't matter.

And so forth. You simply haven't appreciated what sensors and what comms are needed for autonomous driving. For most repetitive work, and driving is a prime example, properly programmed computers can do a far better job than the majority of humans. Even playing chess, for instance. For purely creative work, perhaps that's different.

Virtually all the cars have this nowadays
Kinnar   10/31/2013 8:10:12 AM
All ECU-controlled cars have this kind of automated control with manual control provided for the driver, but we cannot say that it is totally manual. Wherever there is automation, these kinds of malfunctions are possible. We should be ready for these kinds of accidents as now the time is coming for driverless autonomous vehicles. God knows about the dependency on machines then afterwards.

Responsibility of the DRIVER.
rruss   10/31/2013 10:40:59 AM
This article (and all discussions on this subject) seems to ignore the number one safety system in place in all of these fly-by-wire cars, and that is the DRIVER.

For decades, drivers had to deal with the possibility of a stuck throttle.  Were cables worry free?

In all of these supposed run-away cars, there was a transmission which could be mechanically shifted to neutral, and an independent hydraulic braking system which could stop the car, even if the engine was buzzing away at redline.

That doesn't mean the manufacturers shouldn't do their best to build a car that is bug free - but the ultimate responsibility lies with the driver.  If the car does something unexpected, shift it to neutral and stop, period.  If a stuck throttle is something you can't cope with, you probably shouldn't be behind the wheel of a 4,000 lb projectile.

Re: Responsibility of the DRIVER.
MS243   10/31/2013 11:32:27 AM
Driver Responsibility

I think with the advent of electronically controlled transmissions and brakes and a common bus that connects these to the ECU (throttle), in the event of cascading failures this may not be feasible.

I have personally experienced two ABS failures and one other failure of mechanical brakes - I walked away from all of these by pretty much using the transmission to shift into low, combined with the emergency brake. Had this mechanical backup not functioned I would likely be in much worse shape medically than I am now.

Aircraft systems typically use three independent channels, be they mechanical or electro-mechanical -- any one of which will maintain control of the aircraft in the event of the loss of the other two.

Re: Responsibility of the DRIVER.
junko.yoshida   10/31/2013 4:27:42 PM
@rruss, I appreciate your reminder here that the ultimate safety responsibility belongs to the driver.

However, I would also like to remind our readers of what exactly happened in this particular case.

Bookout, the driver and the plaintiff in this case, did step on the brake and even pulled the emergency brake when her car sped out of control. Even with the emergency brake on, she could not stop the vehicle.

Bookout's attorneys pointed to skid marks as the evidence of that statement.

Re: Responsibility of the DRIVER.
Caleb Kraft   10/31/2013 5:55:34 PM
This is absolutely important to remember. Not only this, but in some cases (maybe not Toyota), the transmission would not respond to the placement of the selector, effectively removing your ability to put it in neutral while the acceleration was happening.

Re: Responsibility of the DRIVER.
rruss   11/1/2013 1:48:09 PM
@junko.yoshida, I can appreciate that the driver tried to stop the vehicle, but they simply didn't understand the operation of the vehicle they were responsible for piloting on public roads.

The bottom line is that they left the transmission engaged, keeping the drivetrain connected to an engine that was supposedly revving out of control.  Simply shifting to neutral would have removed the out of control engine from the equation.

I would like to remind the readers that the brake handle (or extra foot lever in a minivan/suv) is a PARKING brake, not an EMERGENCY brake.  It engages the rear brakes only via a simple mechanical linkage and is capable of producing maybe 5 or 10% of the braking the car is capable of with the brake pedal.  In a true emergency, one is much better off shifting to low range gears on the transmission to slow the car instead of just applying the parking brake.

The malfunction of the car was a contributing factor to the accident, not the CAUSE of the accident.  The CAUSE was a driver who was not equipped with the knowledge, experience and ability to safely operate their car.

Re: Responsibility of the DRIVER.
Antony Anderson   11/2/2013 4:50:05 PM
"The CAUSE was a driver who was not equipped with the knowledge, experience and ability to safely operate their car."

It could equally be argued that somewhere in all of this was a car company seemingly neither equipped with the knowledge, experience and ability to design electronic functional safety into their cars (so that drivers would be able to operate them safely) nor blessed with the foresight and moral courage to warn drivers what to do in the event of a sudden acceleration.

Re: Responsibility of the DRIVER.
resistion   11/3/2013 11:46:26 AM
Foot on brake disengages transmission, right?

Re: Responsibility of the DRIVER.
rruss   11/3/2013 4:40:47 PM
No.  The brake applies the brake.  In virtually every car, the transmission is a mechanical linkage, and it is still engaged in "Drive" when you are pressing the brake.

Assuming you don't apply throttle and brake at the same time (by driving 2 footed - eek!!) then the engine would be resisting the wheels by having a closed throttle.

That was the entire point of my initial post - if the engine is going crazy, for any one of a million reasons, just push the gear selector forward to neutral, slow to a stop and shut the car off. (You'll notice that you can just PUSH this lever forward and it stops in neutral for JUST this reason. It won't go into reverse without pressing the button, so you can just push it forward HARD in an emergency and it stops at neutral!)

Engineers worked this detail out 50+ years ago to prevent just this thing. Unfortunately, as the cars get smarter, the drivers get... worse.

There is no excuse for a lack of serious double and triple+ redundancies in life-critical safety systems.  But there will ALWAYS be a condition that was untested that will require the driver to fall back on basic common sense.

Re: Responsibility of the DRIVER.
MS243   11/3/2013 5:56:44 PM
In commercial aircraft the pilots are given about 120 hours per month of non-flying time, some of which they use for practicing fault conditions in a simulator. I wonder if driving simulators are needed due to the increasing complexity of cars and the addition of steer-by-wire, brake-by-wire, and throttle-by-wire. The issue is that these change the way the car can react under some fault conditions and result in issues.

Re: Responsibility of the DRIVER.
resistion   11/3/2013 7:22:57 PM
I think driver instruction needs to be responsible for covering this. It's still a black box to most, so even the Toyota driver's manual would be a good place.

Cause of the Crash
Roncalli   10/31/2013 11:35:39 AM
More correctly, Barr should have said that the purported software event contributed to the crash (or even was a major contributor to the crash), since the layered failsafes did not successfully avert disaster. Saying the purported software event caused the crash is too strong; it is like saying that a butterfly the car hit caused a cascade that resulted in the crash. In reality, if one believes Barr, too many small things went wrong at the same time -- and it can happen to anyone at any time [here, car accelerates, environment is such that there is something fatal to crash into before a successful response can be made by the final failsafe, the driver, whose performance is variable across the population].

It is actually remarkable that the fairly poor reliability COTS hardware actually works as well as it does in the automotive environment.  Barely any error detection/correction in the cores and still millions of cars drive around successfully every day.   Or perhaps it is just because the surrounding environment of sensors and wires and exploding hydrocarbon in metal cylinders is so unreliable by comparison that people blame something else when the "wheels fall off"... like wings falling off a plane.  It happens, but far less often than other failures so virtually no one worries about the wings falling off the plane when flying.

Toyota Unintended Acceleration
Acepilot   10/31/2013 2:13:35 PM
How is Mr. Barr so sure that the software caused the acceleration? I read a report that said that Tin Whiskers were found on some boards, which could have caused the problem.

Re: Toyota Unintended Acceleration
junko.yoshida   10/31/2013 4:29:02 PM
The tin whisker issue wasn't brought into this case. That was not the argument that plaintiffs' attorneys used to build this case.

Don't Worry. It's too late to worry.
NimrodO0l1   10/31/2013 4:55:41 PM
Where to begin?

Modern cars have multiple ECBs, FRUs, and other embedded systems that have CPUs, sensors and software. I think it has been more than 10 years since I heard that new Mercedes had about 50 different CPUs on board. Many of these communicate over communications buses with Ethernet-like behavior, such that 100% reliable or timely delivery was not guaranteeable. For many manufacturers, such as GM, many of these units are developed by third parties and then integrated very late in the process. To extend Mr Barr's comments a little, even if all but a small percentage of the units were bug-free at manufacture, the SYSTEM cannot be shown to be bug-free because of the complexity and the uncertainties in the message passing.

Now add that the little computers are working with sensors that age in hot and violent environments in the presence of 10,000 Volt spikes.

BTW: many years ago, Volvo had a sudden acceleration problem that caused cars to leap forward on start-up. One report suggested that it was due to weak PROMs that gave bad readouts under certain conditions. If that was the case, then clearly the best software practices would not be of much use.

I have read other articles reviewing this that suggest that Toyota was not using anything close to the best practices. Indeed they seem to have been aware of the MISRA practices/policies and then did not implement them.

NimrodO0l1
User Rank
Rookie
Don't Worry. It's too late to worry.
NimrodO0l1   10/31/2013 4:55:48 PM
NO RATINGS
Where to begin?

Modern cars have multiple ECB, FRUs, and other embedded systems that have CPUs, sensors and software.   I think it has been more than 10 years since I heard that new Mercedes' had about 50 different CPUs on board.  Many of these communicating over communications buses with Ethernet like behavior such that 100% reliable or timely delivery was not guaranteeable.  For many manufacturers, such as GM, many of these units are developed by third parties and then intergrated very late in the process.   To extend Mr Barr's comments a little, even if all but a small percentage of the units was bug-free at manufacture, the SYSTEM cannot be shown to be bug-free because of the complexity and the uncertainties in the message passing.   

Now add that the little computers are working with Sensors that age in hot and violent environments in the presence of 10,000 Volt spikes.


BTW: many years ago, Volvo had a sudden acceleration problem that caused cars to leap forward on start-up. One report suggested that it was due to weak PROMs that gave bad readouts under certain conditions. If that was the case, then clearly the best software practices would not be of much use.

I have read other articles reviewing this that suggest that Toyota was not using anything close to the best practices.  Indeed they seem to be aware of the MISRA practices/policies and then did not implement them.

Magnum Innominandum
User Rank
Rookie
First hand experience
Magnum Innominandum   11/2/2013 5:03:25 PM
NO RATINGS
A bit over two years ago I was in a case of the euphemistically called "unintended acceleration" (which they should term "Runaway Killer Car") and was lucky to walk away, with my family (who were in the same car) with minor concussions and scrapes, rather than the four funerals which looked likely, mostly by luck.

The driver was astute enough to keep the car on the winding downslope road (rather than falling 50+ meters down on the outside of the road, where the car will pull to when accelerating) and to only mutilate raised flower beds, avoiding the concrete guards' blockhouse at the bottom of the slope by a few inches at the most.

When the car, which had accelerated downhill all the while, hit the flowerbeds, it became a ballistic missile, airborne at almost a man's height at the top of the arc (at least that is what the guard in the blockhouse claimed), and came down a fair distance on and slid onto a road normally full of trucks carrying containers barreling down at (or above) the legal speed limit. It was empty when the car ended up there. Thank someone for that.

The airbags deployed when the car re-engaged somewhat violently with Terra Firma. Lucky we all wore seatbelts and that at least someone in the car had a guardian angel who was not on the phone or washing his/her hair or having a tall latte at Starbucks.

Now I drive (though not that day, perhaps for the best) and I design electronics and program and I have a few degrees. So I do know what we are talking about here. No system is foolproof (fools are ingenious).

What I will not forget was the drivers face when the whole Fit hit the proverbial Shan.

He was just a real-estate agent picking us up to have a look at a place we were interested in. The car was on the company. And then it simply ran away and tried to kill the whole ruddy lot of us. He just had no control of the engine, and the brakes seemed not to work either. He frantically operated the steering to keep us somewhere on the road, not off it.

There was no driver error, no bunched-up floor mats; the car had just come back from its first inspection (as we found out) and was almost brand new (still had the new car smell). As no one was seriously hurt, Toyota just settled for a new car, and the guy still works at the agent (but refuses to get into the Toyota). Since then I have refused to travel in Toyota cars. No point tempting the fates twice or more.

Seeing the evidence presented in this case, I must say that I am totally appalled how cavalier the Toyota design team handled safety critical design and programming. 

Not only did they not implement hardware safeties in truly critical areas, which any systems engineer will tell you is not just good practice but practically mandatory, their software design invites cascading failures on top of all of this!

I can only say that I sincerely hope that Toyota will be forced by regulators and governments around the world to fix ALL the cars they have sold that have this bad design AND that with those costs and further suits they will be forced into bankruptcy over this and never make cars again, as a salutary example to other car makers everywhere to take the health and lives of their customers more seriously!

Antony Anderson
User Rank
Rookie
Re: First hand experience
Antony Anderson   11/3/2013 8:45:41 PM
NO RATINGS
@Magnum Innominandum

".....Toyota just settled for a new car....."

Reading between the lines, Toyota found that in this instance they could not blame the incident on the absence of a guardian angel, or on the presence of loose all-weather flying floormats (which allegedly become active in the absence of a guardian angel), or sticky pedals, or loose beer cans, or backseat drivers. They could not blame it on the age of the driver, nor on their youth, nor on the width of their feet. They could not blame it on driver pedal error because there were too many witnesses of the driver braking and the vehicle flying through the air. They could not blame it on a malfunctioning electronic throttle control system because that would damage the public perception of Toyota's perfection in all things electronic.

Replacing the car and presumably getting the driver to sign a non-disclosure agreement would cost less for Toyota than having driver and passengers telling friends and acquaintances that the car "ran away and tried to kill the whole ruddy lot of us." thereby rubbishing the pedal error hypothesis.

resistion
User Rank
CEO
brake-shift interlock confusion
resistion   11/3/2013 11:23:46 PM
NO RATINGS
I think many, including myself, are still not quite sure of the whole story regarding which gear shifts require brake action. As mentioned earlier, I fault inadequate driver instruction, as well as education by the car manufacturers themselves.

http://forums.audiworld.com/showthread.php?page=2&t=2811326

Otherwise, it should be taught more widely how to shift into neutral in an emergency, because a current common teaching is to avoid switching gears without brake action. Shifting from drive to neutral is sometimes even discouraged; there is so much confusion about this. A dangerous shame.

Antony Anderson
User Rank
Rookie
Re: brake-shift interlock confusion
Antony Anderson   11/4/2013 5:46:44 AM
NO RATINGS
Brake shift interlock is an electro-mechanical interlock that prevents the driver from moving the gear stick from PARK unless they have their foot on the brake. It comes in various different flavours, see Shift Interlock system.

When it comes to getting the car into neutral from DRIVE or REVERSE with the vehicle moving at speed this is an entirely different matter, not connected in any way with the brake shift interlock. You can certainly put the gear stick into NEUTRAL, but whether this actually puts the transmission into neutral will depend on the transmission control strategy implemented by the manufacturer - remember that the automatic transmission is also now largely under electronic control. As to what the situation is in Toyota cars, I do not know. Perhaps someone else can answer this question.

Antony Anderson
User Rank
Rookie
Re: brake-shift interlock confusion
Antony Anderson   11/4/2013 9:03:30 AM
NO RATINGS
You write: "...it should be taught more widely how to use gear shift to neutral in emergency".

Yes, agreed, but this has to be in the context of where shifting to neutral would be appropriate. Those preparing training material and instructions to be put in owners' manuals would have to qualify the kinds of emergencies in which shifting to neutral would be appropriate. For example, hypothetically:

"in the unlikely event of a sudden uncommanded acceleration, put the vehicle into neutral, then brake etc."

This in turn would mean that automobile manufacturers would have to admit in public the possibility that some UAs are NOT caused by driver error.

In other words, they would have to admit what they, with NHTSA's tacit support, have consistently denied for three decades: namely, that intermittent electronic and software malfunctions in electronic throttles may be causing sudden accelerations.

Parris Boyd
User Rank
Manager
Increased risk of unintended acceleration in '02-'06 Camrys
Parris Boyd   4/16/2014 3:01:20 PM
NO RATINGS
NASA physicist Henning Leidecker has now voiced his concerns about the increased risk of unintended acceleration in '02-'06 Camrys due to the ongoing growth of "tin whiskers," comparing the risk to a game of Russian roulette. Toyota redesigned the pedal sensors in '07 and '08 for the express purpose of eliminating the tin whisker risk, and Dr. Leidecker questions why Toyota would have done this if tin whiskers aren't a problem. Instead of Toyota, the Department of Justice, and NHTSA trying to keep the electronics issue quiet, a recall should be issued to update the sensors in the models Dr. Leidecker is concerned about.

I've been blogging about the Recall King at Beware of Toyota. Their next victim may be YOU... and my 4/14/2014 post addresses the Camry issue: http://uc2.blogspot.com/2014/04/nasa-physicist-warns-of-unintended.html
