Comments
Frank Eory
User Rank
CEO
Re: Is all hope lost?
Frank Eory   10/31/2013 6:45:18 PM
Neither sarcastic nor sardonic -- just concerned about the implications for future design of critical safety systems. I do not accept the premise that "all software must contain bugs" nor the premise that critical values stored in hardware cannot be adequately protected with combinations of mirroring, EDAC or majority voting.

Since we are (and always were) dealing in probabilities, how low is low enough when it comes to the probability of failure? How do we define "adequately protected" hardware and "bug-free" software? Yes, there are standards, but they deal in probabilities, not absolutes. No one can ever guarantee that failure is impossible.

Even when the probabilities are extremely low, the enormous number of opportunities (3 trillion miles driven per year just in N. America) means that someday, somewhere, a failure might manifest itself. If the implications of this expert testimony and this verdict are that in such an event, the manufacturer will be responsible, that is troubling.

Bert22306
User Rank
CEO
Re: Is all hope lost?
Bert22306   10/31/2013 6:22:47 PM
"It's sobering to hear how our readers -- design engineers in all stripes -- are responding to the Toyota case. Indeed, after all said and done, it could make many feel as though odds are against them, especially at a time when there is NO bug-free software out there. It's a matter of probability as Frank says."
Whoa. Wait one. It's nothing new to engineering design that "it's all a matter of probabilities," Junko. I very much doubt that Frank, or I for that matter, ever intended to make that sound hopeless or otherwise negative. It's just a fact of life, always has been, and possibly many non-engineers don't appreciate that fact.

I took Frank's comment "is all hope lost" to be sarcastic, or maybe sardonic, if anything.

As others have commented, it's no doubt true that the designer is often blind to faults in his design. Just as a writer often keeps overlooking his spelling errors. That's why it takes peer review to get complicated things done right.

From what I've read, if all we've read is factual, such a peer review appears to have been hurried, maybe, at Toyota. Maybe. Controls with safeguards, fail-safes, proper redundancy, voting, and so forth, can be designed, are being designed, and will beat the safety records of anything manual hands down.
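Frank Eory's comment above mentions protecting critical values with mirroring, EDAC or majority voting, and Bert22306's reply mentions redundancy and voting as design safeguards. The following is an added example written for this page, not code from the thread, from Toyota, or from Barr's testimony. It shows the simplest software form of those safeguards: a critical RAM variable kept as three copies (one stored as its bitwise complement), read back by majority vote so a single corrupted copy is repaired, and a disagreement with no majority reported to the caller instead of silently used. All type and function names, the throttle-position value, and the injected bit flips are constructed for the example.

```c
/* Added example: triple-copy storage with complement mirroring and majority
 * vote for a safety-critical variable. Not from the thread or any vehicle code. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

typedef enum {
    CRIT_OK = 0,            /* all three copies agree */
    CRIT_CORRECTED = 1,     /* one copy disagreed and was rewritten */
    CRIT_UNCORRECTABLE = 2  /* no majority: caller must enter a fail-safe state */
} crit_status_t;

typedef struct {
    volatile uint32_t copy_a;   /* plain value */
    volatile uint32_t copy_b;   /* ones' complement of the value */
    volatile uint32_t copy_c;   /* plain value, second copy */
} crit_u32_t;

void crit_write(crit_u32_t *v, uint32_t value)
{
    v->copy_a = value;
    v->copy_b = ~value;
    v->copy_c = value;
}

/* Reads the protected value. On a single-copy fault the majority value is
 * written back so the structure heals; *out is left untouched when no
 * majority exists, so the caller never sees a guessed value. */
crit_status_t crit_read(crit_u32_t *v, uint32_t *out)
{
    uint32_t a = v->copy_a;
    uint32_t b = ~v->copy_b;   /* un-complement before voting */
    uint32_t c = v->copy_c;
    uint32_t voted;

    if (a == b && b == c) {
        *out = a;
        return CRIT_OK;
    }
    if (a == b)      voted = a;
    else if (a == c) voted = a;
    else if (b == c) voted = b;
    else             return CRIT_UNCORRECTABLE;

    crit_write(v, voted);      /* repair the outvoted copy */
    *out = voted;
    return CRIT_CORRECTED;
}

/* Fault injection for the demo (constructed, not a real fault record):
 * XORs `mask` into the chosen copy to mimic an upset or bad cell readout. */
void crit_inject(crit_u32_t *v, int which, uint32_t mask)
{
    switch (which) {
    case 0:  v->copy_a ^= mask; break;
    case 1:  v->copy_b ^= mask; break;
    default: v->copy_c ^= mask; break;
    }
}

/* Single bit flip in the complemented copy: expect CRIT_CORRECTED and the
 * original value, and a second read that reports CRIT_OK (structure healed). */
crit_status_t demo_single_fault(uint32_t *recovered, crit_status_t *second_read)
{
    crit_u32_t throttle;                      /* e.g. a commanded throttle position */
    uint32_t again = 0;
    crit_write(&throttle, 0x00000320u);
    crit_inject(&throttle, 1, 1u << 7);
    crit_status_t first = crit_read(&throttle, recovered);
    *second_read = crit_read(&throttle, &again);
    return first;
}

/* Two copies corrupted differently: no majority, caller must fail safe.
 * `recovered` is preset to a sentinel that must survive untouched. */
crit_status_t demo_double_fault(uint32_t *recovered)
{
    crit_u32_t throttle;
    crit_write(&throttle, 0x00000320u);
    crit_inject(&throttle, 0, 1u << 3);
    crit_inject(&throttle, 2, 1u << 9);
    *recovered = 0xFFFFFFFFu;
    return crit_read(&throttle, recovered);
}

int main(void)
{
    uint32_t val = 0;
    crit_status_t second;
    crit_status_t s1 = demo_single_fault(&val, &second);
    printf("single fault: status %d, value 0x%03X, re-read status %d\n", s1, val, second);
    crit_status_t s2 = demo_double_fault(&val);
    printf("double fault: status %d, value left as 0x%08X\n", s2, val);
    return 0;
}
```

The vote only tolerates one wrong copy; two copies corrupted the same way (for instance a RAM bank reset that zeroes both plain copies) would outvote the complement, which is why real systems pair this with hardware EDAC, placing the copies in different memory regions, and treating CRIT_UNCORRECTABLE as a reason to fall back to a safe output rather than retry.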

Caleb Kraft
User Rank
Blogger
Re: Responsibility of the DRIVER.
Caleb Kraft   10/31/2013 5:55:34 PM
This is absolutely important to remember. Not only this, but in some cases (maybe not Toyota), the transmission would not respond to the placement of the selector, effectively removing your ability to put it in neutral while the acceleration was happening.

Frank Eory
User Rank
CEO
Re: Is all hope lost?
Frank Eory   10/31/2013 4:58:18 PM
"According to Barr's testimony, there are a number of steps Toyota engineers missed or didn't just take into consideration in developing their software and designing the architecture for their electronic control module."

Perhaps this was the essential focus of Barr's testimony (I have not read all of it), but what concerns me is the more philosophical testimony that seems to suggest that even *if* Toyota engineers had not missed those steps, and had been much more thorough in their hardware & software design and testing -- in other words, even if they had a much more perfect hardware & software system -- that a critical safety failure could still occur -- with the implication that the manufacturer would still be responsible.

NimrodO0l1
User Rank
Rookie
Don't Worry. It's too late to worry.
NimrodO0l1   10/31/2013 4:55:48 PM
Where to begin?

Modern cars have multiple ECB, FRUs, and other embedded systems that have CPUs, sensors and software. I think it has been more than 10 years since I heard that new Mercedes' had about 50 different CPUs on board. Many of these communicate over communications buses with Ethernet-like behavior such that 100% reliable or timely delivery was not guaranteeable. For many manufacturers, such as GM, many of these units are developed by third parties and then integrated very late in the process. To extend Mr Barr's comments a little, even if all but a small percentage of the units were bug-free at manufacture, the SYSTEM cannot be shown to be bug-free because of the complexity and the uncertainties in the message passing.

Now add that the little computers are working with Sensors that age in hot and violent environments in the presence of 10,000 Volt spikes.


BTW: many years ago, Volvo had a sudden acceleration problem that caused cars to leap forward on start-up. One report suggested that it was due to weak PROMs that gave bad readouts under certain conditions. If that was the case, then clearly the best software practices would not be of much use.

I have read other articles reviewing this that suggest that Toyota was not using anything close to the best practices.  Indeed they seem to be aware of the MISRA practices/policies and then did not implement them.

junko.yoshida
User Rank
Blogger
Re: Toyota Unintended Acceleration
junko.yoshida   10/31/2013 4:29:02 PM
The tin whisker issue wasn't brought into this case. That was not the argument that plaintiffs' attorneys used to build this case.

junko.yoshida
User Rank
Blogger
Re: Responsibility of the DRIVER.
junko.yoshida   10/31/2013 4:27:42 PM
@rruss, I appreciate your reminder here that the ultimate safety responsibility belongs to the driver.

However, I would also like to remind our readers of what exactly happened to this particular case.

Bookout, the driver and the plaintiff of this case, did step on the brake and even pulled the emergency brake when her car sped out. Even with the emergency brake on, she could not stop the vehicle.

Bookout's attorneys pointed to the skid marks as evidence of that statement.

junko.yoshida
User Rank
Blogger
Re: Is all hope lost?
junko.yoshida   10/31/2013 4:21:16 PM
It's sobering to hear how our readers -- design engineers in all stripes -- are responding to the Toyota case. Indeed, after all said and done, it could make many feel as though odds are against them, especially at a time when there is NO bug-free software out there. It's a matter of probability as Frank says.

But I don't think we should get ahead of ourselves. According to Barr's testimony, there are a number of steps Toyota engineers missed or just didn't take into consideration in developing their software and designing the architecture for their electronic control module. It wasn't just one; there were several contributing factors here that had a cascading effect on the unintended acceleration.

And by the way, those "factors" weren't caused by just bad luck.

So, let's not jump to a conclusion that all hope is lost.
Antony Anderson
User Rank
Rookie
Re: Is all hope lost?
Antony Anderson   10/31/2013 4:07:21 PM
"no other manufacturer's vehicles have failed in this way"

Anyone interested in seeing the range of manufacturers that have had SA problems should go to my website and explore:

http://www.antony-anderson.com/Cruise/9.5-links.html

Ford has currently a major sudden acceleration class action going on.