Redundancy is a great tool to avoid failures, but several points must be noted in response to earlier posts:
1. Redundancy is only useful if the errors of the redundant systems are not correlated. Hence, two identical sensors are often more reliable than one, but that may not be the best solution if both sensors fail simultaneously for the same reason. Really good failsafes have uncorrelated failure modes.
2. A modern automobile is already pretty expensive without redundant systems. The consumers have long decided that they would prefer to have creature comforts first and safety only if it is really inexpensive or mandated by law. I bet that every one of the vehicles that failed to stop had a CD player and probably even a GPS. Nobody opts in on the driver-side airbag. If it is not mandated as a safety requirement, it won't exist on the majority of vehicles. The same is true for all safety devices.
3. Drive-by-wire may be spooky to some, but it is not the problem. Don't throw out the baby with the bath water. Drive-by-wire is an excellent way to improve the functioning of our automobiles. It is the lack of proper failsafes that is the problem.
4. Turning off the ignition switch (or having an equivalent function when the brake pedal is pushed really hard for a really long time) would only kill power to the electric motor. Breaking the connection between battery and the motor would not necessarily brake the vehicle (unless a resistive load is simultaneously switched across the motor windings). Both mechanical and electrical failsafes could be implemented that act when the drive-by-wire system fails. That is where Toyota failed to protect the consumers of their vehicles.
As others have noted, Toyota has been running around like a chicken with its head cut off trying to blame this on anything but the software.
Is the code being changed when these cars go in for recall?
Someone should determine the code version and total size before and after recall to see if they are doing any changes.
This problem is really about good engineers being able to speak their minds and be encouraged to critique others' designs.
Now everyone just keeps their mouths shut because everyone has seen the outspoken engineer thrown out on the street.
Groupthink has taken over everything now, and if one wishes to keep feeding their family they keep their mouths shut so the direct deposit continues to flow.
Bill, are you that naive? Have you not seen all the changing excuses coming out of Toyota?
Not to leave the conversation without adding some hope and a potential solution: why not have the code return to zero level each cycle for a small duty cycle period and only return to set point if no error is detected, like brake applied?
If those drifters complain, they can add a momentary switch override for this brake-error-with-large-throttle-setting condition.
Also, a large changing (quick = panic) braking force could be used to zero out the throttle set point as an override. This would allow for subtle braking with some throttle applied that may be needed for certain driving techniques.
This could have many levels of override to prevent this in multiple ways, as it should be.
The redundant pot mentioned is a must also.
Watch out for groupthink; it bites sooner or later, and this has resulted in deaths.
Who wants to be next?
We are not really certain that the Toyota sudden acceleration problem is a sticking gas pedal. That theory is a quick and easy one, not that hard to fix and not that indicative of a faulty engineering process. Check the demo by the two NASA guys on YouTube, where they duplicate the acceleration with a momentary short circuit of two of the throttle control wires, and no fault code is generated. This proves that there is, at the very least, a defect that causes sudden acceleration and does not record a fault. Consider the implications of THAT for a while. The reality is that they may well be fixing something that is not the problem.
For the millions of cars on the road, it's really amazing to me that there are so few serious problems like this. The last line about the law of large numbers being tough to work around is so true! Well said.
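The two comments above describe a set of throttle fail-safes (set point returning to zero each cycle, a brake override with a momentary driver switch, a panic-braking override, and a redundant pedal pot) and a failure that produced acceleration without leaving a fault code. The following C routine is an added example, not code from the original thread or from any manufacturer, showing how those pieces fit together in one control cycle. All names, thresholds and units (percent pedal travel, kPa brake pressure) are assumptions chosen for illustration.

```c
/*
 * Added example: throttle arbitration with redundant pedal sensors and
 * brake overrides. Every constant below is an assumed value for illustration.
 *
 *  - Two redundant pedal pots are cross-checked; a disagreement beyond a
 *    tolerance is treated as an untrusted request and is recorded as a fault,
 *    so a short circuit that drives one sensor off its partner cannot go
 *    unlogged.
 *  - The command starts at zero every cycle and only rises to the pedal
 *    request if no error is detected.
 *  - Firm braking with a large throttle request zeroes the throttle unless
 *    the driver holds a momentary override switch.
 *  - A fast rise in brake pressure (panic braking) zeroes the throttle
 *    regardless of absolute pressure or the override switch.
 *  - A fault is latched: the throttle stays at zero until it is cleared.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

#define PEDAL_MISMATCH_TOL_PCT  10   /* max allowed disagreement between pots */
#define BRAKE_OVERRIDE_KPA      500  /* brake pressure that overrides large throttle */
#define THROTTLE_LARGE_PCT      30   /* throttle considered "large" for the override */
#define PANIC_BRAKE_RATE_KPA    300  /* brake rise per cycle treated as panic braking */

enum throttle_fault {
    FAULT_NONE = 0,
    FAULT_PEDAL_MISMATCH,
    FAULT_PEDAL_OUT_OF_RANGE,
};

struct throttle_state {
    uint16_t prev_brake_kpa;    /* brake pressure from the previous control cycle */
    enum throttle_fault fault;  /* latched fault code; nonzero disables throttle */
    uint32_t fault_count;       /* number of faults recorded, for diagnostics */
};

struct pedal_inputs {
    uint8_t  pot_a_pct;         /* pedal sensor A, 0..100 */
    uint8_t  pot_b_pct;         /* pedal sensor B, 0..100 */
    uint16_t brake_kpa;         /* brake line pressure */
    bool     driver_override;   /* momentary switch: allow throttle while braking */
};

static void record_fault(struct throttle_state *st, enum throttle_fault f)
{
    st->fault = f;
    st->fault_count++;
}

/* One control cycle. Returns the throttle command in percent (0..100). */
uint8_t throttle_cycle(struct throttle_state *st, const struct pedal_inputs *in)
{
    uint8_t cmd = 0;  /* set point returns to zero every cycle */
    int brake_rise = (int)in->brake_kpa - (int)st->prev_brake_kpa;
    st->prev_brake_kpa = in->brake_kpa;

    if (st->fault != FAULT_NONE)      /* latched fault: stay at zero */
        return 0;

    /* A shorted or open sensor typically rails outside the valid range. */
    if (in->pot_a_pct > 100 || in->pot_b_pct > 100) {
        record_fault(st, FAULT_PEDAL_OUT_OF_RANGE);
        return 0;
    }

    /* Plausibility check between the two redundant pots. */
    if (abs((int)in->pot_a_pct - (int)in->pot_b_pct) > PEDAL_MISMATCH_TOL_PCT) {
        record_fault(st, FAULT_PEDAL_MISMATCH);
        return 0;
    }

    /* Fail toward less throttle: take the lower of the two readings. */
    cmd = in->pot_a_pct < in->pot_b_pct ? in->pot_a_pct : in->pot_b_pct;

    /* Panic braking overrides everything, including the driver switch. */
    if (brake_rise >= PANIC_BRAKE_RATE_KPA)
        return 0;

    /* Firm braking with large throttle zeroes the throttle unless overridden. */
    if (in->brake_kpa >= BRAKE_OVERRIDE_KPA && cmd >= THROTTLE_LARGE_PCT &&
        !in->driver_override)
        return 0;

    return cmd;
}

/* Explicit clear, e.g. after a service tool has read the fault code. */
void throttle_clear_fault(struct throttle_state *st)
{
    st->fault = FAULT_NONE;
}
```

The ordering matters: the fault latch and plausibility checks run before any driver override is consulted, so the momentary switch can only restore throttle when both sensors agree, and a panic stop wins over the switch. Light braking with a small throttle request passes through, which is the "subtle braking with some throttle" case the comment asks to preserve.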
Keith may be an expert, but examples he uses are poor. His analogy for proving whether a lamp has been on? I can think of several methods, the most obvious that I use is, touch it and see if it's warm.
I guess I am also wondering why, if Officer Saylor was so experienced, he did not just switch off the ignition?
My daughter asked me about this recently, and I went through what I thought one should do, stomp on the brakes, shift to neutral, switch off engine.
I must admit I felt that holding the brake down would slow and stop a car, but maybe I'll have to try it myself.
I certainly don't think cars should be unreliable in an unsafe way, but after reading Keith's paper, I could be paranoid about getting in a car.
It is a credit to the Toyota management that the timing of the announcement, solution and recall was so well executed. I heard discouraging comments like "it's been over a week, and Toyota is just now supplying dealers with correct parts". Now I don't know about you, but my reality is that if a problem surfaces and 8 MILLION "fixed" parts are delivered in a week, that's nothing short of a miracle.
Toyota was exceptional in containing the news, managing the release, and suffering the consequences. No one blabbed, no one created panic (until that Congressman got in front of the camera), and a "solution" was delivered in seemingly record time.
To assume that Toyota's accelerator problem is a mechanical problem is naive. Software bugs can cause similar issues, but your comments on performing enough testing to identify every possible problem are valid.
I disagree, aiki10. The material wear-out problem should be more prominent on older cars, which is not the case here. It is more toward the electronic control system. You could not catch 100% of possible glitch problems in the production test. You could lower it down to a few DPPM, but when the production number is in the millions, that is quite a few cases, and that is exactly what we see in Toyota.
I respectfully disagree with your conclusions. Based on Toyota's analysis of the accelerator pedal issue (and the fix), this is attributed to a materials wear problem. The mechanical friction fixture that is causing the "sticking" exists solely to provide pedal feedback.
I don't intend to offend, but as a practicing Engineer, I have an obligation to the public, especially where safety is concerned. Dismissing what appears to be, in fact, improper testing by trying to make a "law of large numbers" argument just discourages folks from taking home a valuable lesson. The tuition has, unfortunately, been paid with human lives. This isn't a statistical outlier... This is a materials wear issue. Toyota made a mistake. Plain and simple.