Thursday - February 11, 2010

It’s in the code

On Jan. 19, in a closed-door meeting in Washington, D.C., two top executives from Toyota Motor Corp. gave American regulators surprising news.

Evidence had been mounting for years that Toyota cars could speed up suddenly, a factor suspected in crashes causing more than a dozen deaths. Toyota had blamed the problem on floor mats pinning the gas pedal. Now, the two Toyota men revealed they knew of a problem in its gas pedals.

Toyota’s woes have roots in 2002’s redesigned Camry sedan, which featured a new type of gas pedal. Instead of physically connecting to the engine with a mechanical cable, the new pedal used electronic sensors to send signals to a computer controlling the engine. The same technology migrated to cars including Toyota’s luxury Lexus ES sedan. The main advantage is fuel efficiency.

But by early 2004, NHTSA was getting complaints that the Camry and ES sometimes sped up without the driver hitting the gas.

But by early 2004, NHTSA was getting complaints that the Camry and ES sometimes sped up without the driver hitting the gas. It launched its first acceleration probe, focusing on 37 complaints, 30 of which involved accidents
...
NHTSA had decided to limit the probe to incidents involving brief bursts of acceleration, and would exclude so-called “long duration” incidents in which cars allegedly continued racing down the road after a driver hit the brakes.
...
Of the 37 incidents, 27 were categorized as long-duration and not investigated. On July 22, 2004, the probe was closed because NHTSA had found no pattern of safety problems.

By August 2007, NHTSA wanted Toyota to issue a Lexus and Camry recall to remove the floor mats Toyota blamed for the acceleration problems. “Toyota assured us that this would solve the problem,” said Nicole Nason, then NHTSA’s administrator.

In their probe, NHTSA investigators asked Toyota, “Are you sure it’s not the gas pedal?” Ms. Nason said. “They assured us it’s just the floor mat.”

Toyota says that, at that time, it had no indication of problems with the pedal design.

Vehicle engines are all controlled by computers these days. Toyota’s gas pedal doesn’t have an actual throttle wire. It’s a “fly by wire” system and similar systems are used by many other companies. The technology is a spin-off from the aerospace industry, where control systems need to work in as little “real time” as possible. A predictive algorithm that gathers sensor data and user input can react faster than a physical connection, and make the engine changes smoother with less wasted fuel.

That’s when the sensors are working properly and sending in correct information. And when the algorithm is written correctly (especially the parts that deal with sensor output outside the normal bounds (either from a dead sensor or from one sending in an unnaturally high signal) ... and then thoroughly tested. Exhaustively tested. I used to do software testing. Boundary testing was one of the most basic parts of it, right down at the same level as Garbage testing. And we found bugs in commercial software like crazy, although many of those were set aside. “We don’t care that the program crashes when the database query fails because the field is empty. This software is run on an existing database, so the fields are never empty!” We got that a lot. And it did make a bit of sense in a way. It was what we called “a chicken-egg thing”. But this kind of attitude is inexcusable when you are dealing with electro-mechanical systems, because parts can ALWAYS fail. Wires can short, interfaces can get dirty, etc. You HAVE to test the boundaries and ensure that the system has a “worst case” safe path to follow. Granted that the permutations are very large in number. eg: take an engine that has 20 sensors feeding it’s computer. Each sensor can go dead, or provide a reading in it’s proper range, or go hot and provide an excessive signal. Dead and excessive are the boundary test cases. Two conditions. And 20 sensors. Since each sensor impacts how the whole engine runs, there are 2²⁰ unique permutations. Just for the “bad sensor” scenarios. That’s more than a million: 1,048,576 to be exact. (an actual “meg") If you physically tested each one on a running engine, and gave each test just 5 seconds to see how the engine reacted, it would take almost 61 days to run that test working 24-7.  It’s far more likely that the Toyota gas pedal issue is not boundary condition related, which means there are nearly an infinite number of sensor permutations, because sensors are analog devices even if they are only sampled digitally. So no doubt this testing was done on a computer model. But models are just that: models. Not the real thing. And “mission critical systems” like cars, heart monitors, air-to-air missiles, etc., need to be tested on the real thing as much as possible.

Toyota has a fix and they’re making big efforts to put it in place. But such systems are in lots of other cars too. Should you find yourself in an “unforeseen sudden acceleration” situation, remember what you learned in Driver’s Ed and just put the damn transmission in neutral. Then step on the brakes. And if the brakes fail, use the hand brake. And aim for something soft.

Notice that I’m not railing on Toyota for being a heartless evil giant corporation. That’s just the way it is. Same goes for Boeing, Chevrolet, Dell, Remington. People have problems with their machines, the corporations investigate when they see enough complaints of a similar nature. Then they get around to making a fix and issuing a recall when government and media pressure force them to. So let the buyer beware, and don’t forget how to handle emergency situations. Because it’s your life.

Posted by Drew458     on 02/11/2010 at 11:02 AM   
Filed Under: • planes, trains, tanks, ships, big machinery, and automobiles • Product Safety •  
• Comments (11) • Trackbacks(0)  Permalink •  

DISCLAIMER

THE SERVICES AND MATERIALS ON THIS WEBSITE ARE PROVIDED "AS IS" AND THE HOSTS OF THIS SITE EXPRESSLY DISCLAIMS ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, TO THE EXTENT PERMITTED BY LAW INCLUDING BUT NOT LIMITED TO WARRANTIES OF SATISFACTORY QUALITY, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, WITH RESPECT TO THE SERVICE OR ANY MATERIALS.

Not that very many people ever read this far down, but this blog was the creation of Allan Kelly and his friend Vilmar. Vilmar moved on to his own blog some time ago, and Allan ran this place alone until his sudden and unexpected death partway through 2006. We all miss him. A lot. Even though he is gone this site will always still be more than a little bit his. We who are left to carry on the BMEWS tradition owe him a great debt of gratitude, and we hope to be able to pay that back by following his last advice to us all:

1. Keep a firm grasp of Right and Wrong
2. Stay involved with government on every level and don't let those bastards get away with a thing
3. Use every legal means to defend yourself in the event of real internal trouble, and, most importantly:
4. Keep talking to each other, whether here or elsewhere

It's been a long strange trip without you Skipper, but thanks for pointing us in the right direction and giving us a swift kick in the behind to get us going. Keep lookin' down on us, will ya? Thanks.

THE INFORMATION AND OTHER CONTENTS OF THIS WEBSITE ARE DESIGNED TO COMPLY WITH THE LAWS OF THE UNITED STATES OF AMERICA. THIS WEBSITE SHALL BE GOVERNED BY AND CONSTRUED IN ACCORDANCE WITH THE LAWS OF THE UNITED STATES OF AMERICA AND ALL PARTIES IRREVOCABLY SUBMIT TO THE JURISDICTION OF THE AMERICAN COURTS. IF ANYTHING ON THIS WEBSITE IS CONSTRUED AS BEING CONTRARY TO THE LAWS APPLICABLE IN ANY OTHER COUNTRY, THEN THIS WEBSITE IS NOT INTENDED TO BE ACCESSED BY PERSONS FROM THAT COUNTRY AND ANY PERSONS WHO ARE SUBJECT TO SUCH LAWS SHALL NOT BE ENTITLED TO USE OUR SERVICES UNLESS THEY CAN SATISFY US THAT SUCH USE WOULD BE LAWFUL.

Copyright © 2004-2008 Domain Owner