Breaking News
Comments
Newest First | Oldest First | Threaded View
<<   <   Page 10 / 11   >   >>
Antony Anderson
User Rank
Author
Re: Single bit flip
Antony Anderson   10/26/2013 4:28:41 AM
NO RATINGS
Yes ISO26262 is correct standard and it does derive from IEC 61508. you may find the following open letter to the NAS Committee on Sudden Acceleration written in Nov 2010 a useful starting point.

"The poor state of functional safety in the Automobile Industry" by Armstrong, Kirk and Anderson www.insidefunctionalsafety.com/article/31.html‎ 

 

 

 

Sanjib.A
User Rank
Author
Re: Single bit flip
Sanjib.A   10/26/2013 2:47:53 AM
NO RATINGS
One of the safety standards for automotive electronics systems is ISO 26262, which was adapted from the standard IEC 61508, a popular safety standard followed in the industry for "Functional Safety" of programmable electrical and electronics system. I have worked on a number of safety programs per IEC 61508. From my experience, the possible causes of failures: such as  "unprotected critical variables", "...tasks can die without the watchdog resetting the processor", erroneous bit-flip undetected etc. could have been averted if the embedded design of the throttle control system was compiled as per the safety standard. Unfortunately ISO 26262 was introduced after 2007 (most probably in 2010-2011 time frame) and I guess it was not mandatory for the automotive industry to comply with IEC 61508 for the automotive electronics system safety before that.

 

prabhakar_deosthali
User Rank
Author
Manual "Master Stop"
prabhakar_deosthali   10/26/2013 1:41:37 AM
NO RATINGS
In most of the automated machine control systems - either hardwired, PLC based , or computerized, there is one big RED push button on the control panel, labelled "EMERGENCY  STOP"  This button when pushed deactivates all electronic controls and brings the machine to halt at whatever state it is.

A similar master stop button in the hand of the driver may be the solution for all kind exigencies arising out of hardware/software malfunction and avoid many a accidents because of the systems failures which require emergency manual intervention.

For the much touted "self-driven" car designers this is a lesson to learn.

tb100
User Rank
Author
Re: Single bit flip
tb100   10/25/2013 7:40:18 PM
NO RATINGS
I am in no way trying to defend buggy software or buggy hardware, I'm just asking how far does one have to go, and will it ever be far enough?


A fair question, but you don't want to go with the logical fallacy of "If it isn't 100% then it is useless."  Examples of this type of thinking:

A seat belt won't protect you from all accidents, so you might as well not wear one at all.

A car lock won't protect your car from all theives, so you shouldn't even bother locking the car. In fact, make it more convenient for yourself by leaving the keys in the ignition.

Is a seat belt good enough if people are still dying in car crashes? Do you see the fallacy of this type of thinking?

We'll never get 100% safe, but I'll defintely go for 'safer'. And we can have standards and tests for what is considered safe design practices that lead to what is safe enough.

We understand SEUs and their effect pretty well. To support military projects, many logical synthesis tools can automatically implement logic that isn't vulnerable to single bit flips. People here have given examples of how code can be designed to handle unexpected jumps or variable flips, and these kinds of effects can be predicted and tested.

You can never get 100% error free, but implementing certain design styles and testing can definitely improve safety. I'll go with that, over nothing at all.

rick merritt
User Rank
Author
Re: standard OS?
rick merritt   10/25/2013 5:58:42 PM
NO RATINGS
We live on a thin balance of the complexity not only of our biology but increasingly of our human-made electronics.

Caleb Kraft
User Rank
Author
Re: standard OS?
Caleb Kraft   10/25/2013 5:22:26 PM
NO RATINGS
Oh that is no good at all. Someone is going to get fired over that even if it has no bearing whatsoever on this specific issue. 

Bert22306
User Rank
Author
Re: Hard to tell what actually happened
Bert22306   10/25/2013 5:19:19 PM
True, Caleb, "mere humans" can be taken by surpise and perform all sorts of erroneous responses.

But in this specific case, where we're talking about the throttle, it's not clear what was involved. For example, it does not appear difficult to compare the throttle command to the fuel intake with the accelarator pedal position, as a reasonableness check. Is it that such a check was not done, or that for some reason, it failed? Or was it associated with a cruise control malfunction?

SSDWEM
User Rank
Author
Re: Hard to tell what actually happened
SSDWEM   10/25/2013 5:19:02 PM
NO RATINGS
"If unintended acceleration occurs, certaily in a 2005 car, put the car in neutral and shut off the engine!"

One thing you need to be aware of - in most modern automobiles with an automatic transmission, shifting gears is really more of a "suggestion" than a command.

Said another way, there is a CPU in between the gear selector switches that are being opened and closed, and the transmission.  If the very CPU which is causing UA is responsible for monitoring those "gear shift suggestions"... oh dear!  So much for shifting into neutral. 

I drive a manual transmission because it's fun, but I'm starting to see the value in the ability to physically disconnect the transmission from the engine.

I don't think we'll see the mechanical connection from pedal to brakes go away any time soon, but I wonder how far away we are from "Steer by Wire"

P.S.  Same thing goes for many of the "push button start" vehicles - there is no key to rip out of the steering column.  Press and hold the ON/OFF switch for a few seconds while hurtling down the road at 130MPH like Rhonda Smith?  (Just find her 10 minute testimony on YouTube and tell me she's not credible!)

junko.yoshida
User Rank
Author
standard OS?
junko.yoshida   10/25/2013 5:18:24 PM
NO RATINGS
Speaking of standards, though, the expert group did find that Toyota failed to comply"OSEK," an international standard API specifically designed for use in automotive software. Toyota's Ex-OSEK850 version was not certified as OSEK compliant, according to Barr.

Frank Eory
User Rank
Author
Re: Single bit flip
Frank Eory   10/25/2013 5:10:07 PM
NO RATINGS
If I may expand on my above comment a little further:

"Memory corruption as little as one bit flip can cause a task to die. This can happen by hardware single-event upsets -- i.e., bit flip -- or via one of the many software bugs, such as buffer overflows and race conditions, we identified in the code."

So he mentions hardware SEU, but also software bugs like buffer overflows & race conditions, which makes me wonder the following:

Consider a hypothetical safety-critical system that many might consider very well-engineered. Suppose that the software in this system is so well done & well-tested that there are no buffer overflows, no race conditions, no possibility of software-induced memory corruption whatsoever. In this hypothetical near-perfect system, the only way for memory to get corrupted is by SEU, and then only if the SEU goes uncorrected or the fail-safe systems fail to guard against it.

Suppose further that the engineers carefully considered SEU, and included fairly powerful ECC to guard against it's ill effects. Perhaps they even considered how much higher the SEU rate might be in a high-altitude city during peak solar flare activity. Is that enough? As I mentioned above, we're still dealing with probabilities that can never be zero.

I am in no way trying to defend buggy software or buggy hardware, I'm just asking how far does one have to go, and will it ever be far enough?

Larry: I had already posted the above before I saw your reply.

"If you look at modern automotive control systems they are beginning to introduce redundant voting controls. This is an effective way of effectively eliminating this type of error, be it from hardware or software."

Redundanct voting controls, dual CPUs running the same code in lock step, and so on. But the key statement you made is that these are a way of "effectively eliminating this type of error" and I am asking how effective must "effectively" be, in quantitative terms?

<<   <   Page 10 / 11   >   >>


Datasheets.com Parts Search

185 million searchable parts
(please enter a part number or hit search to begin)
Radio
LATEST ARCHIVED BROADCAST

What are the engineering and design challenges in creating successful IoT devices? These devices are usually small, resource-constrained electronics designed to sense, collect, send, and/or interpret data. Some of the devices need to be smart enough to act upon data in real time, 24/7. Specifically the guests will discuss sensors, security, and lessons from IoT deployments.

Brought to you by:

Most Recent Comments
Like Us on Facebook
Special Video Section
The LTC2380-24 is a versatile 24-bit SAR ADC that combines ...
In this short video we show an LED light demo to ...
02:46
Wireless Power enables applications where it is difficult ...
07:41
LEDs are being used in current luxury model automotive ...
With design sizes expected to increase by 5X through 2020, ...
01:48
Linear Technology’s LT8330 and LT8331, two Low Quiescent ...
The quality and reliability of Mill-Max's two-piece ...
LED lighting is an important feature in today’s and future ...
05:27
The LT8602 has two high voltage buck regulators with an ...
05:18
Silego Technology’s highly versatile Mixed-signal GreenPAK ...
The quality and reliability of Mill-Max's two-piece ...
01:34
Why the multicopter? It has every thing in it. 58 of ...
Security is important in all parts of the IoT chain, ...
Infineon explains their philosophy and why the multicopter ...
The LTC4282 Hot SwapTM controller allows a board to be ...
This video highlights the Zynq® UltraScale+™ MPSoC, and sho...
Homeowners may soon be able to store the energy generated ...
The LTC®6363 is a low power, low noise, fully differential ...
See the Virtex® UltraScale+™ FPGA with 32.75G backplane ...
Vincent Ching, applications engineer at Avago Technologies, ...