Comments
Re: Simple solution
SPLatMan (Manager)   11/1/2013 8:27:02 PM
Cars don't have key switches any more. They have keyless entry keys that cost hundreds of dollars to replace, and stop/start push buttons on the dash.

Re: You left out the most important error - no independent failsafe
SPLatMan (Manager)   11/1/2013 8:24:42 PM
@Some Guy opined:

"I'll never buy a car that doesn't have a switch that is electrically in series with the rest of the system."

I heartily agree with your sentiment, but I fear you will be unable to buy a new car 3 years from now.

Re: Petrochemical standards in 1980
TonyTib (CEO)   11/1/2013 7:06:19 PM
Some data points from an industrial viewpoint:

I'm not a safety expert, but I've had to deal with some safety issues, especially SEMI S2.

The SEMI S2 safety standard requires an EMO button that turns off all power, except that required for safety and logging systems. The EMO circuit has to be entirely electrical: NO SOFTWARE! Even Safety PLCs don't qualify. There's a lot to like about that approach.

On the other hand, my impression (I could be wrong here) is that the newer European safety standards are going away from this approach (for example allowing STO - safe torque off - and networked safety), and are allowing software into the loop, as long as it meets the appropriate SIL level standards, which are development process oriented.  I'm a process skeptic.


To give an idea of how industrial safety can be done, the Banner Micro-Screen light curtains used dual MCUs with different architectures and software ("diverse redundant").  When you're using a light curtain to guard something like a hydraulic press that can crush somebody, this type of approach is crucial.

Re: Funky Code Access & Error Replication
Some Guy (Manager)   11/1/2013 7:05:57 PM
As far as the funky arrangement they had to access the code, that seems like a pretty common practice when outsiders need access to see critical code (at least from a lawyer's perspective on IP / non-disclosure protection).

As far as the error replication, if you don't know the root cause you are only guessing at it, which makes replication a real bear. I'm not surprised that they were not able to reproduce it. The theory that they examined was that it was a Single-Bit-Error, which can have many causes. And without ECC, it was unmitigated. The system design just propagated the fault to a system failure which was an unsafe end state.

Of course, as any practitioner of Ford's 8D problem-solving can tell you, they really have 3 errors. In addition to the unmitigated single-bit-error, they also have a test / validation process that failed to find it. And, third, they have a design process that failed to prevent it happening in the first place. The lawsuit will really only address the first error; it's incumbent on Toyota to address the second two. (And in my experience, Japanese companies tend to go after all three as a matter of course.)

Re: Petrochemical standards in 1980
junko.yoshida (Blogger)   11/1/2013 6:43:10 PM
Very interesting...

Metastability?
C Davis (Rookie)   11/1/2013 6:10:35 PM
One thing that Toyota should also do is check their hardware vendor's design for metastability. This could be the actual root cause of the bad input/bit flip. With so many cars on the road I would guess they would have a certain chance of this happening. This risk can be modeled very accurately. Prediction of circuit behavior across all variations of process parameters, supply voltages, operating temperatures, and the increasingly important effects of circuit aging is known. I think Blendics has the best one I've seen: http://www.blendics.com/index.php/blendics-products/metaace

Some of the bigger semiconductor companies have ad hoc programs, but nothing like this.

Some nice write-ups:

http://www.semiwiki.com/forum/content/2454-metastability-fatal-system-errors.html

http://www.semiwiki.com/forum/content/2494-your-synchronizer-doing-its-job-part-1.html

http://www.semiwiki.com/forum/content/2516-your-synchronizer-doing-its-job-part-2.html

http://www.semiwiki.com/forum/content/2620-metastability-starts-standard-cells.html

http://www.semiwiki.com/forum/content/2703-ten-ways-your-synchronizer-mtbf-may-wrong.html

I think that some of the cost likely should be borne by the HW companies, as I've rarely seen much attention paid to this.

It would be good to interview Jerry Cox, the CEO of Blendics. He is a senior professor at WUSTL and also cofounded Growth Networks, which was acquired by Cisco. I would guess he is one of the top asynchronous experts in the world.

Re: Petrochemical standards in 1980
junko.yoshida (Blogger)   11/1/2013 4:20:07 PM
@Wnderer. Agreed. In the Toyota case, what I understood from Michael Barr is:

Toyota's engineers sought to protect numerous variables against software- and hardware-caused corruptions (for example, by "mirroring" their contents in a 2nd location), but they failed to mirror several key critical variables.
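The mirroring described above, as an added example in C that is not Toyota's code and not from the article or Barr's report: a critical variable is stored together with its bitwise complement in a second location, so a single flipped bit in either copy is detected on the next read and the system moves to a safe state instead of acting on the corrupted value. The type and function names, the safe-state flag and the sample value are all assumptions made for this example.

```c
#include <stdbool.h>
#include <stdint.h>

/* A critical variable kept in two locations: the value and its bitwise
 * complement. A single flipped bit in either copy breaks the invariant
 * value ^ mirror == UINT32_MAX and is caught on the next read. */
typedef struct {
    uint32_t value;
    uint32_t mirror;   /* always ~value while the pair is intact */
} mirrored_u32;

static bool g_safe_state = false;   /* latched once a mismatch is seen */

bool safe_state_entered(void) { return g_safe_state; }

/* Hypothetical safe-state action: only a flag here; real firmware would
 * drop the actuator demand and raise a fault code. */
static void enter_safe_state(void) { g_safe_state = true; }

void mirrored_write(mirrored_u32 *v, uint32_t value)
{
    v->value = value;
    v->mirror = ~value;
}

/* Returns true and yields the value only if both copies agree; otherwise
 * enters the safe state and returns false so the bad value is never used. */
bool mirrored_read(const mirrored_u32 *v, uint32_t *out)
{
    if ((v->value ^ v->mirror) != UINT32_MAX) {
        enter_safe_state();
        return false;
    }
    *out = v->value;
    return true;
}

/* Worked scenario: write, read back intact, inject one bit error in the
 * primary copy (as a memory fault would), and confirm the read refuses it
 * and the safe state latches. Returns true if every step behaved. */
bool demo_detects_single_bit_flip(void)
{
    mirrored_u32 target;   /* constructed example variable */
    uint32_t out = 0;
    mirrored_write(&target, 1200u);
    if (!mirrored_read(&target, &out) || out != 1200u) return false;
    target.value ^= UINT32_C(1) << 9;   /* the injected single-bit fault */
    return !mirrored_read(&target, &out) && safe_state_entered();
}
```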

Simple solution
Peter.Ting (Rookie)   11/1/2013 4:08:54 PM
Remove the steering wheel lock when the engine is shut off. And make sure the key switch is not just another input to the MPU.

Re: Petrochemical standards in 1980
Wnderer (CEO)   11/1/2013 3:47:45 PM
I worked in medical and there was always a safety CPU or FPGA or safety analog circuitry. Basically they all worked the same. The input and output states were monitored and if there was some illegal combination, the device was put into a safe mode. I worked on safety analog circuits, which were fairly simple measurement circuits and comparators, with the advantage that analog circuits are conducive to single point failure analysis. It's hard to see how automotive gets away without any of these safety methods.

Re: Petrochemical standards in 1980
JIMAshby (Rookie)   11/1/2013 3:47:43 PM
Reading through the released court notes, it appears as if they are only discussing a single point of control.

Being that the single point of control code is the target of the discussion, I would assume (and you know what that does to all involved) that they have only implemented a single point of control even though a dual point of mechanical control is in the process of control, as you have stated.

My comments are based on a failsafe system which does not rely on a single point of control, rather a duality of control with a monitoring unit, all being separate devices to ensure a failsafe control system.

I have found in the past that just implementing failsafe code on a single MPU/CPU control unit, such as a WDT or rolling codes, does not guarantee a failsafe system, but still creates a single point of failure, as the court disclosures have shown in the articles I read.

They only discuss function X as a single function which is responsible for all failsafe determinations, and only discuss a single MPU/CPU controller (unless I missed something).

I would never design a system such as this in which life or limb were in danger.

Even the system they designed was put through serious certifications and testing, and the error still exposed itself in real world applications.

I would NOT want any of these engineers designing an air/space ship on which I would travel in the future.

I find it odd that the review engineers had to be sequestered to be able to review the code and determine the possible issues.

I also find it odd that they did not set up a known failing system and test it until a failure was seen, to determine without a doubt what the root cause IS, rather than assuming the failure by causing a most probable failure.

??????
