Comments (page 3 of 11)
Re: Toyota's culpability here is the tip of the iceberg for everyone
JCreasey (Freelancer)   10/31/2013 9:17:38 AM
@Etmax. Ah the Doncaster parking lot.

I notice that Nissan have just announced a recall of 152k vehicles for an electronic brake malfunction possibility (http://www-odi.nhtsa.dot.gov/owners/SearchResults?searchType=ID&targetCategory=R&searchCriteria.nhtsa_ids=13V445000); this right on top of 900k vehicles with possible acceleration problems (though this was loss of power instead of UA).

At least they are catching the problems before it causes accidents and not after.

Software hygiene isn't a fool's errand
BBINDER000 (Rookie)   10/29/2013 3:40:48 PM
As a lifelong gear head, I know that worn or broken parts can kill you, but I don't believe claims about unintended acceleration, given functional mechanical pedals, linkages, etc.

I developed a verification and testing process for a firm that developed embedded engine controllers and this all sounds familiar. I'd been dubious about the Toyota failures, but I didn't realize that this car was drive by wire. Buggy software as the root cause of the failure mode is therefore completely plausible, despite no finding of mechanical or electronic failures. 

If Barr's report is accurate, the software design, programming, and testing was ignorant, sloppy, and inadequate. The real shame is that this is completely unnecessary – we've known how to achieve very high reliability software systems for a long time without breaking the bank. Model-based testing is now a big part of that.

I'm not sure who's responsible for the hype and inflammatory language ("a single bit flip could...," task death, dead task, dead app), but I guess that's what you have to do to make software failures tangible to a jury.  It is interesting no smoking gun is reported (recorded input/state with incorrect output that directly caused the failure - i.e., it is not correct to say that a single bit flip caused the failure.)  In a tort case, circumstantial evidence can be sufficient, so it seems that evidence of poor software development alone was enough to convince the jury that it probably caused the failure. 

This may be the first time that indicators of bad code (not actual results) were sufficient to get a judgement. If so, I hope this is a wake up call for people who manage this kind of system development and its risks: software hygiene isn't a fool's errand.

Re: Interesting reading
junko.yoshida (Blogger)   10/29/2013 2:31:23 PM
We posted excerpts of the court transcript -- related to "Task X" here:

http://www.eetimes.com/document.asp?doc_id=1319936&

Give you some clues on what Task X was actually tasked to do.

Re: I admit to a level of cynicism
junko.yoshida (Blogger)   10/29/2013 1:33:54 PM
Hi, Bert. I appreciate a level of skepticism...but let's get too cynical before we know all the facts. 

Actually, I find the fact that the experts' group was able to demonstrate at least one way for the software to cause unintended acceleration is a "breakthrough," at a time when the Toyota case -- up until last week -- was viewed by many as an issue of floor mat, sticky pedal or a driver's error.

Re: Can we get the presentation?
junko.yoshida (Blogger)   10/29/2013 1:26:31 PM
Yes. In the U.S., the court system is open. But it doesn't mean everything used in the trial will be scanned and put up on the Internet. 

We will see how far we can go.

Re: Single bit flip
AZskibum (CEO)   10/29/2013 1:11:50 PM
But as Bert and I have pointed out, ultimately the designers of critical safety systems, both hardware & software designers, are dealing with probabilities, and their task is one of reducing the probability of a dangerous incident to some acceptably low level, which can never be exactly zero.

Those familiar with ISO 26262 know that it defines four automotive safety integrity levels (ASILs) and various metrics, including the probability of violation of a safety goal (PVSG). The highest ASIL level, ASIL D, requires a PVSG (1/hour) of less than 10^-8, which is an order of magnitude less than that required by IEC 61508.

An argument could be made that safety systems which meet such requirements reduce the failure rate of these systems to a level far less than the failure rate of human behavior & decision-making while driving. Again, I am speaking of automotive safety in general, without regard to the particulars of this case. We could imagine future standards requiring even lower error probabilities, but these will never be zero.

Consider that just in North America, vehicle travel amounts to about 3 trillion miles a year, amounting to billions of hours spent behind the wheel. That is a sufficiently large sample size that even with extremely low failure probabilities resulting from best engineering practices to ensure absolute safety, failures will still be seen from time to time. But consider how that compares with the injury and fatality rates caused by human error.

Even as modern automotive safety systems make driving safer every year, and as we look toward a future in which we humans are merely passengers in our vehicles and safety incidents are rare, the burden of responsibility and the cost of failure borne by the providers of these systems is far greater than it ever was or is on the fallible humans whose errors cause so many injuries and fatalities every day on our roads.
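The comment above argues from a per-hour hazard target (ASIL D, PVSG below 10^-8 per hour) and a fleet exposure of roughly 3 trillion vehicle-miles a year to the conclusion that failures will still be observed. The following Python script is an added worked example, not part of the comment or of any standard; it multiplies rate by exposure, adds the Poisson probability of seeing at least one violation, and goes one step further than the comment by computing how many failure-free operating hours a zero-failure test would need to demonstrate such a rate. The average speed used to turn miles into hours is an assumption made here.

```python
import math

# Figures taken from the comment: 3 trillion vehicle-miles per year in North
# America, and the ISO 26262 ASIL D target of PVSG < 1e-8 per hour.
MILES_PER_YEAR = 3e12
ASIL_D_PVSG_PER_HOUR = 1e-8

# Assumed average speed (not from the comment) used to convert miles to hours.
AVG_SPEED_MPH = 40.0


def fleet_hours(miles_per_year=MILES_PER_YEAR, avg_speed_mph=AVG_SPEED_MPH):
    """Annual vehicle-miles converted to vehicle-hours of exposure."""
    return miles_per_year / avg_speed_mph


def expected_incidents(hazard_per_hour, hours):
    """Expected number of safety-goal violations: rate times exposure."""
    return hazard_per_hour * hours


def prob_at_least_one(hazard_per_hour, hours):
    """Poisson probability that at least one violation occurs in `hours`."""
    return 1.0 - math.exp(-hazard_per_hour * hours)


def hours_to_demonstrate(hazard_per_hour, confidence=0.95):
    """Failure-free operating hours a zero-failure test needs before one can
    claim, at `confidence`, that the true rate is below `hazard_per_hour`.
    P(0 failures in T) = exp(-rate*T) must fall to 1 - confidence."""
    return -math.log(1.0 - confidence) / hazard_per_hour


if __name__ == "__main__":
    hours = fleet_hours()
    print(f"fleet exposure: {hours:.3g} vehicle-hours/year "
          f"(assuming {AVG_SPEED_MPH:.0f} mph average)")
    for label, rate in (("ASIL D target", ASIL_D_PVSG_PER_HOUR),
                        ("10x better", ASIL_D_PVSG_PER_HOUR / 10),
                        ("100x better", ASIL_D_PVSG_PER_HOUR / 100)):
        print(f"{label:14s} rate {rate:.0e}/h: "
              f"{expected_incidents(rate, hours):8.1f} expected violations/year, "
              f"P(>=1) = {prob_at_least_one(rate, hours):.3f}, "
              f"{hours_to_demonstrate(rate):.2e} failure-free test hours "
              f"to show it at 95% confidence")
```

Even at a rate ten or a hundred times better than the ASIL D target, the fleet-wide expected count stays well above zero, which is the comment's point; the last column shows why such rates are argued from design process and analysis rather than measured by test.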

Re: Interesting reading
junko.yoshida (Blogger)   10/29/2013 1:07:14 PM
I know; that bit was quite interesting, wasn't it?

As I wrote in my blog, http://www.eetimes.com/author.asp?section_id=36&doc_id=1319910&, the experts' group spent 18 months in the secluded room in Maryland looking at the source code. Under the unbelievable security.

And in the end, only 12 experts were allowed to see the source code.

The report that contains the source code is NOT made available.

EE Times will be publishing some of the relevant parts of the testimony in a separate story shortly.

Re: Toyota's culpability here is the tip of the iceberg for everyone
Etmax (Rookie)   10/29/2013 12:58:47 PM
@JCreasey :-) re:

At 60mph (88fps) you would maintain a minimum distance of 264ft on a US freeway ...and you'd like to have 528ft? mmm, I'd like to see you do that in peak hour on one of Sydney's or Melbourne's freeways.

I've never been on a Melbourne freeway in peak hour where the speed gets much above 60kph let alone 60mph. :-) (you knew that was coming right? :-)

Platooning is an interesting one, it would avoid the cycling between 0kph and 60kph that occurs at various intervals on freeways, but as you say with no margin for error, and who is responsible for the collision and possible death? Toyota paid dearly here, and while most drivers can't cope with their car in working order they have little chance to cope with an X-failure in platooning, the car makers will likely be sued out of existence in that case.

People just like to blame someone, and usually the one with the deepest pockets rather than the one at fault.

Re: Toyota's culpability here is the tip of the iceberg for everyone
JCreasey (Freelancer)   10/29/2013 12:36:01 PM
@Etmax. Ah good old Aussie roads with the best potholes in the world (I'm an Aussie too).

At 60mph (88fps) you would maintain a minimum distance of 264ft on a US freeway ...and you'd like to have 528ft? mmm, I'd like to see you do that in peak hour on one of Sydney's or Melbourne's freeways.

Choices on car spacing aside, cars decelerate at different rates and with ABS essentially universal your "emergency" braking is limited to what the system allows in wheel speed differences. As we move to drive by wire, brake pressure is fully software controlled. A fault in the braking system might result in anything from a nice controlled maximum-g stop to a four wheels locked monster with allied loss of directional control.

As in UA, this unintended braking (under fault conditions) might happen at any time, and IMO would be just as hard to have the human cope with. At least with UA, the vehicle is moving in the direction you are looking: with unintended braking the danger front is both in front and behind you.

As a last comment, as we move to more automation in cars, the spacing between cars may be set in software based on in car sensors. Manufacturers are playing with "platooning" of cars on the freeway with distances of about 20ft at 60mph between 10-20 cars (Mercedes and Volvo seem to have the lead here). http://www.newscientist.com/article/dn22272-out-of-control-driving-in-a-platoon-of-handsfree-cars.html#.Um_g7HCsi-0  While this is an island/V2V system and I don't really agree with it, this does get the traffic density up on the freeway, and should be valuable providing interaction between multiple platoons can be controlled. Platooning does however clearly show that if one vehicle in the platoon has an "unintended X" failure, it will be challenging to prevent V2V contact.
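The post above reasons about following distance (60 mph is 88 ft/s, a 264 ft gap), about cars decelerating at different rates, and about a 20 ft platoon gap leaving no margin when one car suffers an "unintended X" braking fault. The Python below is an added worked example, not the poster's own calculation, that makes those numbers concrete: it tracks the gap between a lead car that brakes to a stop and a follower that begins braking after a reaction delay, and reports the smallest gap reached (negative means contact). It samples the exact piecewise kinematics on a fine time grid instead of using the usual "both stopped" closed form, because when the follower brakes harder than the lead the closest approach happens mid-manoeuvre and the closed form misses it. Speeds and gaps come from the post; the deceleration values and the reaction time are assumptions made here.

```python
G_FT_S2 = 32.174  # standard gravity in ft/s^2


def mph_to_fps(mph):
    """60 mph -> 88 ft/s, as in the post."""
    return mph * 5280.0 / 3600.0


def position(t, v0, t_brake, decel):
    """Distance travelled by time t by a car that cruises at v0 until t_brake,
    then decelerates at `decel` ft/s^2 to a stop and stays stopped."""
    if t <= t_brake:
        return v0 * t
    tau = t - t_brake
    if tau >= v0 / decel:                       # already stopped
        return v0 * t_brake + v0 * v0 / (2.0 * decel)
    return v0 * t_brake + v0 * tau - 0.5 * decel * tau * tau


def min_gap_during_stop(speed_mph, gap_ft, lead_decel_g, follower_decel_g,
                        reaction_s, dt=0.001):
    """Smallest bumper-to-bumper gap while the lead car brakes from speed_mph
    to a stop at lead_decel_g and the follower, starting gap_ft behind at the
    same speed, begins braking at follower_decel_g after reaction_s.
    A negative result means the cars touched."""
    v0 = mph_to_fps(speed_mph)
    a_lead = lead_decel_g * G_FT_S2
    a_follow = follower_decel_g * G_FT_S2
    # Both cars are stationary by this time, so the gap is constant afterwards.
    horizon = reaction_s + v0 / min(a_lead, a_follow) + 0.01
    worst = gap_ft
    t = 0.0
    while t <= horizon:
        gap = (gap_ft + position(t, v0, 0.0, a_lead)
               - position(t, v0, reaction_s, a_follow))
        worst = min(worst, gap)
        t += dt
    return worst


if __name__ == "__main__":
    # Assumed values: 0.8 g for a healthy emergency stop, 0.4 g for a
    # degraded brake system, 1.5 s human reaction, 0 s for coordinated V2V braking.
    cases = [
        ("264 ft gap, human driver, equal brakes",      264, 0.8, 0.8, 1.5),
        ("20 ft platoon gap, human driver",             20,  0.8, 0.8, 1.5),
        ("20 ft platoon gap, V2V-coordinated braking",  20,  0.8, 0.8, 0.0),
        ("20 ft platoon gap, follower brake fault",     20,  0.8, 0.4, 0.0),
        ("264 ft gap, follower brake fault",            264, 0.8, 0.4, 0.0),
        ("264 ft gap, lead brakes gently, follower hard", 264, 0.4, 0.8, 1.0),
    ]
    for label, gap, a_l, a_f, t_r in cases:
        m = min_gap_during_stop(60, gap, a_l, a_f, t_r)
        print(f"{label:48s} min gap {m:8.1f} ft  "
              f"{'CONTACT' if m < 0 else 'clear'}")
```

The 20 ft platoon gap survives only while every car brakes identically and at the same instant; any reaction delay or any car whose brakes deliver less deceleration than the one ahead closes the gap, which is the failure mode the post describes.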

Re: Can we get the presentation?
junko.yoshida (Blogger)   10/29/2013 8:23:33 AM
My colleague Michael Dunn has also posted his technical analysis on this issue here: http://www.eetimes.com/author.asp?section_id=36&doc_id=1319930&
