I've worked on safety critical software, for a couple different companies. Code quality is a very real problem.
One company, the guy in charge of software was a CE, who would have been fine as long as the hardware was at the level of sophistication as what he was taught at school (he knew 8051 microcontrollers really well). He was really good at giant switch-case statements. Function pointers were a little newfangled and suspect.
Basically, he knew enough software engineering to get the hardware working.
That's one big problem that needs to be addressed -- there aren't a lot of people being trained in the software side of embedded systems. You have CS grads who for the most part aren't given much training on the low end of the abstraction spectrum, and the opposite for CE people, so there tends to be a very fuzzy area in the middle that causes arguments between the two camps.
The other company I worked for literally had crazy coding standards that basically dictated 20,000 line functions and a bizarre sort of anti-DRY mindset that I will never understand. You were encouraged to c-c c-v a block of code, change one line, move on!
Patio11 has talked about how programmers are little respected and paid poorly in Japan compared with the US. Could this have something to do with Toyota's code quality being so poor and causing this issue?
Keep in mind that I live in the country side and don't hang out with the likes of Patio11 ;-) I think he's seeing the best side of it. Where I live (in Japan, if it isn't obvious), the programmers I know have no training in programming, let alone a degree or anything like that. One of my friends was a secretary at an insurance company. One day her boss walked up to her and said, "From today you are going to be a programmer" and that was that!
I do also know a self-taught freelancer who makes an absolute killing cleaning up problems in various companies. He does really short contracts (like 2-4 weeks) in Tokyo and Osaka. Then he comes back to Shizuoka and hangs out for a couple of weeks. So there is money to be made ;-)
That seems so strange to me since I always think of Japan as being so technologically advanced.
Granted, even here in the USA programming used to be considered "women's work", mostly revolving around planning and organization. So they passed it off to secretaries. I just didn't think that was something that was still happening.
I can see how people think this, but once you live here you see the reality. There are sectors though where Japan is still pretty damn advanced, but you don't necessarily notice it in daily life. A great example is precision manufacturing - they are awesome at it.
As I understand it, a lot of the early foundation Japanese PCs were delayed by the need to support kanji for all but the most dedicated hacker. So higher resolution screens, initially lots of ROM to store the glyphs, and of course input methods to easily convert kana to kanji.
Or you could just hand print messages and send them by fax....
The programmers writing embedded software in the US aren't being paid all that much in respect or money either. It's not glamorous, you're basically invisible. Given all the money paid in the valley to develop the next Uber for Dogs it's hard for these companies to compete. That's why companies like GE are doing commercials for recruiting [1] but I don't think they hit the target.
I saw that when it first came out, but I have come to think that under the noise of age-related accidents, there are a few incidents that cannot be explained away, possibly including the one that this article leads with. It is also possible that younger drivers generally reacted faster to problems and were able to avoid serious accidents (IIRC, some of the less ambiguous crashes did occur to younger drivers.)
Ultimately, Toyota was heavily penalized for fielding safety-critical software that it could not show was acceptably safe, which is a reasonable and desirable outcome, IMHO.
And more importantly than that there are a couple of underlying facts that invalidate the whole premise that unintended acceleration means automatic accidents/death:
1) None of these cars are 700hp Supras that accelerate at drastic speeds. These were normal consumer cars that frankly aren't that fast even with the throttle fully depressed.
2) The brakes in all of these vehicles are many times more powerful than the engine. Pressing the brakes would have stopped the vehicles, even if the engine were attempting to accelerate full throttle.
In most cases I would never side with the corporation over average people. But this is one of those rare cases where lawyers were able to hire dishonest "experts" and snow over the judge and jury and get an unjust verdict.
Your two-point list is silly. Consumer cars & SUVs can go 0-60 in under 10 seconds in almost all cases, and the fact that the brake can overcome that acceleration is great, except it takes time, and within the time between unexpected acceleration and stopping damage/injuries/death can occur.
I had a water bottle fall onto my right leg while turning, this caused a sudden but short lived acceleration (e.g. 10 mph of unexpected acceleration for less than 1 second), this was enough to cause me to mount the curb, and do some decent property/car damage (thank god nobody was on the curb). The brakes worked perfectly, and stopped the car, but it does show how much damage even a tiny burst of unexpected acceleration can do (the entire incident was under 5-10 seconds).
It honestly boggles my mind that someone can dismiss any length of unexpected acceleration because "cars [aren't] 700 hp Supras." Consumer cars are plenty powerful enough to cause injury and death due to any length (even 1 second) of unexpected acceleration at the wrong moment. Sure, if you're going straight on the freeway then you aren't going to even notice, but in a car park, while turning, or stopped at a school crossing, the brake's ability to overcome the engine is largely irrelevant since you won't be expecting it.
> Consumer cars & SUVs can go 0-60 in under 10 seconds in almost all cases, and the fact that the brake can overcome that acceleration is great, except it takes time
That said people don't do well with surprises so while the car mechanically would have no trouble at all stopping very nearly as fast due to a wide open throttle, the driver is probably freaking out instead of just slamming on the brakes.
Also people suck at actually slamming on the brakes, regardless of the situation. It's not something people want to ever do. They'll hit the brakes, they just won't go anywhere close to really pushing that pedal to the floor.
All the cars added a marginal [ O(10ft) ] amount of braking distance at wide open throttle; with the exception of a very powerful, heavily tuned sports car which was the only one able to overwhelm its brakes.
If we convert MPH to FPS we can look at the data as follows:
We're talking tenths or hundredths of a second of unintended acceleration. A cursory search tells me reaction time to visual stimuli is about ~250ms.[1][2]
This means that in all but the Camry 100-0 case your reaction time is a larger factor in braking distance than the presence of wide open throttle.
Who is responsible for the property damage in the example you gave? The car manufacturer? No. The water bottle manufacturer? No. You. You were the driver behind the wheel.
It's still the driver's fault for not reacting properly. You could have unexpected acceleration or deceleration (which is just as dangerous in some circumstances) due to a lot of different problems; throttle stuck open, O2 Sensor goes wonky and tells the ECU to adjust the fuel mixture in a way that makes your car run rich and stall out, tire blows out causing your car to swerve severely to the right. In all of these cases it is up to the driver to react properly.
NOW, if they had proven that there was a design/manufacturing defect in these cars that Toyota knew about and did nothing about (like in the GM faulty ignition switch case), that's a different story. That would mean the manufacturer put customers at risk deliberately and not only should they pay financial penalties for that, but there should be jail time involved.
However, in the Toyota unintended acceleration case, not only was it very few drivers, they were never even able to establish a cause for the unintended acceleration. The software "experts" that testified for the plaintiffs only said that basically the software is badly written. It was never demonstrated that a specific piece of code caused unintended acceleration.
Instead, what is the obvious answer is that panicking drivers hit the throttle when they meant to hit the brakes. Especially since at least one of the drivers testified that they hit the brakes and it was unable to stop the car, which is total baloney.
EDIT: Also let me just state as a disclaimer I do not work for Toyota, never have, don't know anybody who does, I don't own any Toyota cars and never have. I just can't deal with people spreading bullshit.
> It's still the driver's fault for not reacting properly.
But in the scenario I gave the driver DID react properly. The brake was applied and the car brought to a halt. It didn't stop damage being done or a dangerous situation from occurring.
Same thing with sudden acceleration. A driver can react appropriately and the condition can still be incredibly dangerous or even deadly.
> Instead, what is the obvious answer is that panicking drivers hit the throttle when they meant to hit the brakes.
Saying something is "obvious" when it is disputed just makes you sound arrogant and dismissive. Many experts don't agree with your "obvious" conclusions.
> Especially since at least one of the drivers testified that they hit the brakes and it was unable to stop the car, which is total baloney.
You're again contradicting the experts. They said that it is possible for the car to ignore brake input, but were unable to determine how corruption could have occurred to cause it.
I'm not saying I know for a fact that unintended acceleration occurred and that the brake was ignored, I do not, nobody does. But I think the way you're dismissing it and stomping all over a dozen or more experts is absurd. You cannot know it didn't occur any more or less than they know it did. You certainly don't have the expertise for your "obvious" conclusions to be meaningful.
> EDIT: Also let me just state as a disclaimer I do not work for Toyota, never have, don't know anybody who does, I don't own any Toyota cars and never have. I just can't deal with people spreading bullshit.
Right... And you essentially saying that the conclusions of experts in the field are wrong without any proof, cite, or good explanation definitely isn't "bullshit."
The fact you need a disclaimer saying "I am not a shill" (paraphrasing) means you yourself must know how absurd you're sounding here.
> You're again contradicting the experts. They said that it is possible for the car to ignore brake input, but were unable to determine how corruption could have occurred to cause it.
No one who is actually an expert in cars would say this because the cars in question did not have purely drive by wire brakes. There's literally no way the car could "ignore" brake input unless the hydraulic system failed, which the driver should have noticed the moment they got in the car.
Modern cars, even the modest ones, are fast enough that they can get out of control very quickly. While the brakes certainly can slow a vehicle with its throttle stuck open, the real question is what impact does that stuck throttle have on the average driver? When the brake doesn't work as expected, does the average driver continue to brake? Do they pump the brake pedal? Something else altogether? How long does it take them to regain composure and act sensibly (in this case, putting the car in neutral while continuing to brake aggressively)? If that slowed reaction is more than some fraction of a second, accidents will happen.
It's likely that drivers won't immediately react well to unintended acceleration. However, immediate reactions are unlikely to cause major accidents here. Yeah, you might bump someone or mount a curb or something, but it's likely to be an injury-free accident.
Toyota's unintended acceleration is notorious because of incidents where the car accelerated up to extremely high speeds, was driven down the highway in this state for an extended time, then finally crashed. At least one involved a panicked 911 call from the driver. This is a scenario drivers should be able to bring to a safe conclusion, because they have time to work things out.
Some drivers will panic in such a scenario and be unable to work on the problem. Those people should not be driving. That they are speaks to the woefully inadequate state of driver training in this country.
None of this absolves Toyota of blame, though. If an equipment malfunction due to a design defect results in death even if the human should have recovered, that's still the fault of the manufacturer, as well as the driver.
A comment below mentions this, and it's one factor that can be age-related without invoking ‘dumb old people pressed the accelerator by mistake’. People who learned to drive before ABS were taught to pump the brakes.
I hadn't even thought of pre-ABS drivers being taught to pump the pedal to avoid skidding.
I was thinking of my old race car days, where a low pedal (boiled fluid or worse) could be temporarily reversed by a few pedal pumps to bring up the line pressure.
>2) The brakes in all of these vehicles are many times more powerful than the engine. Pressing the brakes would have stopped the vehicles, even if the engine were attempting to accelerate full throttle.
The brakes in 2004 and newer models are controlled by the computer. It controls the hydraulic pressure to the brakes to maximize the amount of work the regenerative braking system can do. It uses a pump and accumulator to store hydraulic pressure, and solenoids to send it to the brakes as well as provide pedal feedback. The only time you directly control the brakes is if the main system loses all accumulated pressure. Until then, you're just sending pedal input to the computer and it does what it wants.
It seems to me that even if it is possible for the driver to prevent the accident by reacting quickly and braking, Toyota is still responsible. Unintended acceleration is not a reasonable behavior for a vehicle and is not something that a driver can reasonably be expected to compensate for.
As I understand it, the brakes in modern gasoline powered cars often need vacuum and when the throttle is wide open (high acceleration) the engine will generate very little if any vacuum, so the assist which normally provides high braking power is not present and this can drastically reduce the braking ability of the car.
Some cars have a sensor to detect if you are overlapping the throttle and brakes and will cut the throttle if the brake pedal is detected as being pressed. This can frustrate people who attempt to match revs on downshifts in manual transmission cars.
To the extent that's true, it's only for the period of high acceleration (I know this intimately since my first vehicle was a 1967 Kaiser Jeep CJ-5 with vacuum powered windshield wipers). Once the new engine speed is achieved, that vacuum sure ought to come back (weaseling because I don't remember checking for this while at sustained high RPMs).
In this particular case, 150-foot skid marks indicate that the driver was trying pretty hard to stop.
No doubt there are accelerator-brake confusions in many of these cases, especially with older drivers. I'm really hesitant to say they all are in that category. Investigators need more "black box" info to see, for example, whether the accelerator and/or brake were being pressed in the seconds before an accident.
Because "you experienced unintended acceleration because you panicked and wouldn't release the accelerator" and "you should have just mashed the brakes until the car stopped" and "shift into neutral, silly" don't make for interesting stories and all have the smell of victim-blaming, even if completely true.
That source was Megan McArdle, who is a libertarian partisan. It's trying to discredit the complainants. The actual court case had an expert who looked at the code and found bugs where the possibility of unintended acceleration could come about. I'm not saying it's not true about the ages of the complainants, but it's certainly trying to present a particular interpretation of unknown events.
Isn't it time for an oversight agency that looks at code quality within safety-critical systems? The FDA forces oversight of drugs that less than 100,000 people a year will take. Yet there is no agency looking into the software quality of a car management system that millions of people will drive with every day.
I am not advocating that every aspect of a system is tested by an agency, I am simply saying that there should be a body that ensures that safety-critical software development follows a basic set of best practices - avoiding some of pitfalls mentioned in the article.
Yes, it's a potentially acceptable tradeoff. While the figures vary, economists and the like have estimates of how many people you'll kill for every N million dollars you extract from the economy (and they're below 10 million last time I checked). Just how much do you propose to extract with such a regime?
That forces the cost onto the state, and the state is also inefficient generally, so it would take longer than an internal review. Then when a bug causes an issue it is the fault of the state for allowing it through and not the company for coding it. In addition, the private sector usually pays more, so the state sector does not get the pick of the coders.
I don't think that an agency should be responsible for the testing, just ensuring that software development best practices are in place, and that the company is actually doing their internal testing.
I am quite surprised by this, especially since it comes from Toyota, the company that invented Lean. This is very relevant given that the debate over upgrading vehicle software is raging on and the Volkswagen scandal has not settled just yet. Too bad we can't crowdsource the various automobile software development teams. I am curious to see if any of them are any good. In my travels over the last 10 years I have encountered very few skilled software development teams at the enterprise level. Given the current state of the industry I would not be surprised to find them all wanting.
One of the general principles of engineering ethics states "A practitioner shall regard the practitioner's duty to public welfare as paramount."
I think part of the problem is that software development isn't considered an engineering discipline and code of engineering ethics goes out the window.
I got a degree in CS at UC Berkeley. There were exactly 2 lectures on ethics, both given by the same professor. Kudos to him (Ousterhout), but shame on the department. I'm not singling out UCB, I'm sure many other schools have the same problem.
I love magic bullets! As we've recently seen with things like Heartbleed, open source has no vulnerabilities, no bugs, no errors, and is free from all the problems of proprietary software.
One of the problems with embedded systems like this is that very few eyes ever see the code. Even in more regulated fields like avionics. The code will be examined primarily by the developers, testers, their QA and maybe the company that hired them if it's contracted out.
Instead, what gets examined are the artifacts like requirements documents, the results of tests, specifications and such. This allows poor code quality to be hidden, and, to some extent, encourages sloppy development practices (especially when time is critical). Exposing the code to more people will have several effects, but the main two (from my perspective) are:
* Developers won't release as much bad code, either due to pride or insistence from their management.
* Bugs may be more easily discovered and diagnosed if the code is available. As it is now, it's a black box. So if I find an issue I may be able to repeat it, but I can't examine the code to see why it's actually happening or to correct it.
Heartbleed is the perfect example of why critical code should be open source. It was discovered by developers who were not the original coders, and they were able to talk about it freely, essentially marketing it to create awareness.
If OpenSSL was closed-source my servers would probably still be vulnerable today.
Not sure it would help any, it's not exactly hard to find very low quality code on Github.
It IMHO shows a failure of the type approval process; maybe it didn't evolve enough with regard to the amount of software used in safety critical components. Inspiration from aircraft certification would likely be more than welcome in that regard...
The point is that a world of coders who would be mulling over the code due to interest and spare time would likely find critical issues and shine light onto them, making it a PR issue for those companies. If those companies ever get around to offering bounties for issues relating to safety or security, even easier to get an army of eyes on the code.
Heartbleed and ShellShock are examples of why open source is better. Both were found by folks who were not the software maintainers, but were reviewing the source code independently.
In comparison, it took multiple deaths and a major lawsuit to create the same level of visibility into Toyota's codebase. And what reviewers found was code quality far worse than that of OpenSSL or bash.
Someone else said this in another HN thread, but I love it: imagine a world in which Consumer Reports car reviews include a code audit report. That would be far, far better for overall safety than the current situation.
I agree. I might have stated my point too strongly.
I just think that going Open Source won't magically fix things. ShellShock and Heartbleed were out there for many years before someone reported on them, with (AFAIR) evidence of those holes being exploited by malicious actors. Trying to force a switch to Open Source won't improve situation very much, while requiring a serious overhaul of how the entire world does business. It doesn't seem to be worth it without introducing additional ways to fix the software creation and testing process.
I'm only trying to show that you can't shout "Open Source!" and get magical immunity from bugs in life-critical software. We need to think of something else instead, or in addition to, open-sourcing to meaningfully reduce the amount of those bugs.
I agree. The main component of safety and security--is making it part of the software development process itself. Nothing can substitute for that, and it's what the article is addressing.
Open source would be "nice", but it's just the training wheels, while safety and security baked into the process is the front tire. Might help it from not falling over but you're not going anywhere in the right direction without the right foundation.
I'm a retired electronics design engineer and embedded programmer, and I will NEVER own a car with any kind of vehicle/engine management computer. Old cars for me, forever. I flatly refuse anything but fully manual and direct mechanical gears, clutch, steering, brakes and throttle.
Curiously, the chief engineer I knew at a major car service center also felt the same way.
And that's not even touching on the insanity of building computerized vehicle systems with always-on GSM data links to the Net. Ask Michael Hastings how that worked out for him.
Also I agree that critical systems software should be legally required to be open source.
Though I have a strong preference for analog/physical/mechanical systems in cars, the main reason for this is more that they're far easier and more fun to work on, rather than reasons of safety.
I'd hazard a guess that in a serious crash you're going to have a far better chance of survival in a modern car (crumple zones, airbags/side-cushions/curtains, ABS etc) vs a ~1980's or older car, and that the cause of said crash would be human error rather than a bug in the engine throttle code.
I drive a 25 year old car that perfectly fits your description, but that's just because I like the way it handles, how it looks, and because it has a little more personality to it than all the dime-a-dozen cars you see on every corner of the street.
What I don't understand is how you can rationalize your preferences by thinking these old cars are safer because they don't have any software-defined points of failure. The chances of dying in a car accident because of driver error (by yourself, or by someone else) or mechanical failure (because of worn-out parts) are infinitely higher than by some kind of electronic failure. And if you end up in crash, your chance of survival will be much higher in a modern car, because of all the safety measures that have been added over the years. So IMO it doesn't make sense to stick with the things you've mentioned if safety is your primary concern.
The article is about software systems leading to safety risks. I'd say safety is implied when an electronics designer comments on it that he/she would never drive a car that relies on software to ensure safe operation. Not worth splitting hairs over IMO.
They're also all triply redundant control systems with rad hardened computers and error correcting memory... you won't find that level of redundancy in passenger cars; and Toyota outright lied to NASA about the type of memory that was used in the 2005 Camry. (Claiming it to be ECC when it was not.)
On top of that: pilots of any caliber undergo far more rigorous training than what is required of a licensed driver in the US. They routinely have to train for the autopilot systems they use, etc. -- I trust a pilot to react appropriately when the fly-by-wire system goes haywire moreso than the average driver.
The automotive industry has quite a ways to go before I'll consider their safety critical engineering to be anywhere near the level of robustness present on even the oldest commercial airliners in service.
While safety relevant ECUs are not triply redundant, they ARE doubly redundant with error correction memory. So I don't know what Toyota used to do, but, from my experience, nowadays, auto companies take safety relevant applications VERY seriously.
Actually, for the division I used to work for, a lot of the people programming ECUs for cars came from aerospace. They built radars for planes, now they build radars for cars.
Also, the safety of the systems tends to improve with time, as technology matures.
Also, another interesting anecdote, the Flexray communication protocol used more and more in cars these days was first used in planes.
When you say fake steering do you mean power steering, or electronic assisted power steering?
Because the way I see it power steering itself is just as mechanical as hydraulic brakes; and electronic steering is a far more recent development than throttle-by-wire.
If you're willing to accept power steering it's not too hard to find vehicles w/ side curtain airbags. Lots of '01 Toyotas had side curtain airbags, and it wasn't until '02 that they started putting drive-by-wire in the Lexus lineup (much later for the rest of their lineup, I believe it was phased in over '03-'05 for Toyotas.)
I adore my '01 Camry. The 5S-FE is a bit sluggish compared to modern powertrains, but it's bulletproof, insanely easy to work on, and drives quite smoothly. It'll be a cold day in hell when I have to replace that car with a glorified playstation controller.
That stance will soon become unreasonable. Incidentally, I'm also an engineer and work on embedded systems... for cars. Can embedded systems be unsafe? Sure. Can they be made reasonably safe, safer than full mechanical cars? They can.
It'll come at a point when those cars will be unmaintainable, hard to acquire, expensive. I want to see if you'll still have the same stance then. What if in 30 years it becomes illegal to drive your own car and you can only use SDCs, will you still pine over the good old mechanical components then?
The flight-critical software in planes is at least somewhat reviewed and regulated by the FAA and other national aviation agencies. AFAIK, software in cars is totally unregulated.
>And that's not even touching on the insanity of building computerized vehicle systems with always-on GSM data links to the Net. Ask Michael Hastings how that worked out for him.
Thing is, if attackers that advanced are out to get you, you're pretty much screwed regardless.
Had Hastings been driving a classic car, I'm sure he would have suffered a tragic drug overdose or something instead.
Besides, even if your car isn't computerized, there's plenty of others on the road with you that are.
Agree. What about power steering? You won't get any car without it nowadays. Do you count non-computerized (servo) power-steering as "mechanical steering"?
I don't think you'd be able to get any new non-computerized car at all today. Emission control makes computerization an absolute requirement. That's why choice in cars for people who feel the way I do is limited to old cars from pre-90s. Suits me fine.
Servo power steering is acceptable, though my present car (1993 Subaru station wagon) has direct steering, and I prefer that.
Car manufacturers have made giant leaps in driver safety though (going by NCAP star ratings and the like). Drivers can now walk away from what once would have been a fatal crash - are you comfortable forgoing all those advancements?
Do the safety improvements in cars introduced since 1993, designed to protect you from collisions with other vehicles, outweigh the risk of a computer fault?
I see your point, although I'd find it too limiting to impose that on myself. Speaking of GSM data links, I seem to be the only person worried about the "eCall" mandate: all cars in the EU will be required to phone home with their location in the event of a crash. That requires a GPS+GSM device in the car.
I love the absurdity and arbitrariness of this. You'll happily drive in a car, one of the most dangerous machines people use regularly. But if it has a computer in it, no siree, that's when things get too deadly to deal with. All of the other thousands of moving parts, like the thing that takes energy-dense hydrocarbons and ignites them several thousand times a second in hot, high pressure tubes - that's fine and totally safe. It's the ECU that makes the car dangerous. The only thing separating you walking on the sidewalk from death by a two ton metal box is the convention that we'll all stay within the lines painted on the ground. That's fine. It's the ECU that you're afraid of. Absurd.
You make it seem silly. But the energy-dense hydrocarbons get combusted in steel/aluminium enclosures that have been battle tested in millions of systems for over 60 years. For it to go wrong billions of atoms need to be displaced at huge energies (much higher than the single combustion).
The ECU however, was probably made ~10 years ago by a team of highly incompetent software developers trained as electronics engineers, with no access to any previous attempts by other companies and progressively getting worse over time (instead of being perfected). To make the ECU do something it wasn't made to do all it needs is a mere low voltage event just enough to flip a crucial bit, and many bits are crucial.
Not that I don't agree that it's silly to not drive cars with an ECU, but just saying that his point has merit.
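The comment above describes the failure mode, a single flipped bit in a crucial variable, and an earlier one notes the ECU's lack of ECC memory. Below is an added illustration (not code from the thread, from Toyota or from any automaker) of a common software-level mitigation used when hardware ECC is absent: a safety-relevant variable is stored with its bitwise complement, every read checks the pair still agrees, and an inconsistent read falls back to a safe default instead of being acted on. The `guarded_u16` type, the throttle-command function and the 1200 sample value are all hypothetical, constructed for the example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* A "mirrored variable": the value and its bitwise complement are
 * kept side by side. Any single bit flip in either copy breaks the
 * invariant value ^ inverse == 0xFFFF and is caught on the next read.
 * (Hypothetical type for this example; not from any real ECU.) */
typedef struct {
    uint16_t value;
    uint16_t inverse;   /* must always equal ~value */
} guarded_u16;

void guarded_store(guarded_u16 *g, uint16_t v) {
    g->value = v;
    g->inverse = (uint16_t)~v;
}

/* Returns true and writes *out when the pair is consistent,
 * false when corruption was detected (and *out is left untouched). */
bool guarded_load(const guarded_u16 *g, uint16_t *out) {
    if ((uint16_t)(g->value ^ g->inverse) != 0xFFFFu) {
        return false;
    }
    *out = g->value;
    return true;
}

/* Hypothetical throttle command path. On an inconsistent read the
 * command falls back to a closed throttle and raises a fault flag,
 * so a corrupted target is never forwarded to the actuator. */
#define THROTTLE_SAFE_DEFAULT 0u

uint16_t throttle_command(const guarded_u16 *target, bool *fault) {
    uint16_t v;
    if (!guarded_load(target, &v)) {
        *fault = true;
        return THROTTLE_SAFE_DEFAULT;
    }
    *fault = false;
    return v;
}

/* Simulates a single-event upset: flips one bit of the stored value. */
void inject_bit_flip(guarded_u16 *g, unsigned bit) {
    g->value ^= (uint16_t)(1u << bit);
}

int main(void) {
    guarded_u16 target;
    bool fault;

    guarded_store(&target, 1200);   /* constructed sample target value */
    printf("command=%u fault=%d\n", throttle_command(&target, &fault), fault);

    /* Flip bit 13: an unguarded 1200 would silently become 9392. */
    inject_bit_flip(&target, 13);
    printf("command=%u fault=%d\n", throttle_command(&target, &fault), fault);
    return 0;
}
```

The check costs one XOR and one compare per read, which is why it is cheap enough to apply to every read of a variable whose corruption could change actuator output. It detects, rather than corrects, so the safe default and the fault flag are the essential part: detection without a defined fallback still leaves the system acting on garbage.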
That battle testing also killed millions of people.
Modern cars are vastly safer. Demonstrably so.
Computers in cars may make them more dangerous. But this is far outweighed by the greater overall safety in the cars that have them. You can't buy an otherwise modern car with no computer control, so your choice is either to buy a modern car with computers, or buy an old car without them. If you're avoiding computers then you're buying an old car, and the result is greatly decreased safety.
This is typical human risk management, of course. The mostly imaginary scenario where your ECU goes nuts and causes you to crash helplessly into a concrete barrier is assigned great importance, where the sadly common scenario of some drunk or texting (or drunk texting) idiot killing you in an accident that modern safety design would have allowed you to walk away from is assigned very little importance.
It's much like people who are afraid of flying but are happy to drive, because the thought of plummeting to their death from 30,000 feet is much more vivid than the thought of being randomly run over by a tractor trailer even though the latter is much more likely.
I actually know three people who were run over by a tractor trailer! While I don't know anybody killed in a plane crash.
One was rushed to the hospital with a skull cracked like an eggshell. Almost fully recovered except he can't smell anything.
One had a tractor/trailer fall over while turning a corner, onto his car. He happened to lie in the gap between tractor and trailer, leaving a little uncrushed cell with him in it. No injury.
One was slowing to turn right on a highway; a sleepy tractor driver ran full speed into the back of his old American car, crushing it utterly up to the back of the front seat. Unhurt. So old American cars have something going for them?
It's not absurd at all. For the questionable benefit of the ECU, you get a black box system that may or may not be garbage controlling the primary engine input, that may or may not fail safe. Give me the thing that grandpa designed 75 years ago.
In the olden times, the throttle was controlled by a mechanical device and tensioned springs. The failure characteristics were studied for 150+ years, and the state of the mechanical components could be assessed by visual or physical inspection. The failure scenarios for open throttle are also non-obvious things to work around. What do you do? Pump the brake? Take the car out of gear? Depress the accelerator to reset? Turn the key? It's a complex decision matrix with life-and-death consequences, and the correct answer will vary by car configuration and vendor.
The ridiculous positions taken by posters here are indicative of how engineering fail like this happens.
It's absurd because the reported incidents are so few. In 2010, worldwide, 1.24 million people died in car accidents. Over 3000 a day. In 2010 in the US, 36,166 died.
The number of incidents related to speeding Toyotas is pretty insignificant compared to that number.
You speak of the olden times like they're long gone? My car is from 2001, has side curtain airbags which will render most common crashes non-fatal, and it still has a fully mechanical throttle and no electronic brake controller of any kind. I don't consider it all that old.
Yes it has an ECU, but EFI is not the problem in my opinion, and the computer by itself doesn't frighten me. EFI was a fantastic invention as far as I'm concerned. Also despite it being a "black box" I find it much more pleasurable to tune and maintain EFI systems over fickle carburetors.
The real problem was making the ECU an _active control system_ which directly controls the engine, throttle, brakes, etc. in response to your inputs; as opposed to a passive one which merely _reacts in response to changes in its environment_ (e.g: more air moving through the intake, wheels locked up, losing traction on one side.)
So yes, my '01 Toyota has a black box, but it's simple enough that it could be replaced by a handful of aftermarket controllers, many of which have their source freely available, or available for a modest licensing fee.
---
Also I'd like to disagree that reacting to WOT is a "complex decision matrix." -- My instinctual reaction would be as follows.
First you open the clutch and/or put the car in neutral. Disconnecting the motor from the wheels is the most reasonable solution to this problem. When I was taught to drive stick the very first thing I was told, before I ever moved the car an inch, was: "when you need to stop, clutch and brake."
(Of course if it's an automatic transmission: "going into neutral" is just controlled by another black box. Sucks to be you if you hit deadly bugs in two separate powertrain management controllers.)
(As an aside I do personally know people that commute every day in the US, and they don't even know what a transmission does. Why are we licensing these people as skilled motorists?)
If I somehow found myself without even the most basic control of my transmission then you just press the brakes as hard as you can and you stop in ~300 feet.[1]
If that didn't work, or if I had stopped but hadn't regained control of the vehicle, I would then kill the ignition. (To be fair: I'm told this is not quite so simple in modern cars! Apparently someone thought "pushing and holding a button for 3 seconds" was a better idea than "turn a key." -- However I also wouldn't agree to drive a car if I didn't know something as basic as how to kill the ignition under duress. I'm the sort of guy that reads the manual cover to cover for fun.)
If killing the ignition doesn't work[2] and your transmission is somehow stuck engaged then today is really not your day.
I don't see how any of this requires any more skill than driving does normally. To me this is not some complex decision tree, it's reflex at this point.
(Also there is a good reason I would brake before killing the ignition. Brakes and steering are mechanically assisted by the engine. It would be extremely irresponsible to cut the ignition in a vehicle w/ power steering and power brakes on a public motorway in my opinion. -- Again I don't think this is some complex decision, I believe it should be requisite knowledge for being licensed to operate a motor vehicle under such conditions.)
tl;dr: the complexity in this matrix is inherent in the task itself. If this is "too complex" then maybe we should work to improve our driver training and licensing programs; or better yet consider having more people take public transit, instead of handing out licenses like candy.
Although, wow, that's an awful article, skimming it there's only this hint of the root cause: "After being asked by Missouri Senator Claire McCaskill whether a GM engineer had apparently lied under oath, [GM CEO] Barra confirmed that this had indeed happened (or at least seemed to)." The problem, besides GM having a procurement system that assumed people in it wouldn't lie through their teeth about lethal problems, was a single engineer who selected an out of spec switch, and then, for example, slipstreamed a better one into the system without a part number change.
You could easily extrapolate this argument to the Internet of Things if you need a way to understand the poster's point differently. Do you want or even really need a toaster with a computer in it? A refrigerator with a computer in it?
Analog toaster and refrigerator technology has been working quite well for us for almost a century.
"Brakes" are at the wheels. The only time stopping a car from rolling also affects the engine is when everything remains engaged (manual transmission, manual clutch; in gear, clutch not depressed to the floor.) In a vehicle with an automatic transmission, the transmission begins to disengage from the wheels as the wheels spin slower than the engine is pushing. (Very simplified explanation...)
i.e. brakes on cars are not designed to stop the engine but to absorb the vehicle's momentum.
I assume the post above yours was referring to the brakes being able to stop a moving car that also has the engine's power being applied, which they easily can do. If the brakes are engaged enough, even a full throttle engine won't be able to keep the car moving.
I wonder if this is a behavior inherent to older drivers? I'm in my 20's, but my first car was from the late 60's. I hadn't properly bled the master cylinder on my brakes, so I would have to pump them to make them more effective. Just wondering if it's a natural panic behavior, or something learned.
It's something learned. You are explicitly taught to do it if your vehicle does not have ABS. It prevents the wheels from locking up. ABS does the same thing, and does it much more effectively than a human ever could.
Preventing the wheels from locking up under hard braking is crucial to stopping when you have little traction. To provide traction on any surface _wheels must keep rolling._
When wheels are static their contact patch is effectively the size of a hockey puck, that little bit of rubber is not very good at stopping a car going 80MPH. Not compared to disc brakes w/ ceramic pads bleeding off all that energy, at any rate.
While I'm on the subject, I'll take this time to drop a PSA: on ice, where ABS is most helpful, the rubber of your all season tires is about the consistency of a hockey puck. -- Please invest in actual winter tires if you get regular snowfall.
(Also if you live in Texas: invest in a set of winter tires anyways and go have a blast when the streets are deserted.)
By not being used effectively by the driver, mostly.
If your car starts accelerating in an unintended fashion, you should push the brakes to the floor and keep them there, then if you have time shift into neutral and turn off the ignition (this shouldn't be necessary, but will help).
Many drivers won't actually do this in the heat of the moment, though, thus many deadly crashes.
It's interesting that VW cars have been taken off the road for unintended acceleration. Also that QuickCheck was used to find many timing-related bugs between software components that VW uses. It was used after the models were taken off the road. There are other models still not recalled using similar software from the same era.
A big takeaway that I got out of this is that nearly everybody forgot about this.
People are still buying and driving Toyotas.
When the VW emissions thing started making its way through the news cycle, I read comments postulating that this might be the end of VW. Hah - people are going to forget about VW just like they forget about everything else.
> When the VW emissions thing started making its way through the news cycle, I read comments postulating that this might be the end of VW. Hah - people are going to forget about VW just like they forget about everything else.
It wasn't the end of Toyota, and it won't be the end of VW; but it was the end of Toyota's goal to be the Biggest Car Company in the World[1][2], and it may be the end of VW's goal to be the Biggest Car Company in the World.
2. http://www.economist.com/node/15576506 - James Womack, one of the authors of “The Machine that Changed the World”, a book about Toyota's innovations in manufacturing, dates the origin of its present woes to 2002, when it set itself the goal of raising its global market share from 11% to 15%. Mr Womack says that the 15% target was “totally irrelevant to any customer” and was “just driven by ego”. According to Mr Womack, the requirement to expand its supply chain rapidly “meant working with a lot of unfamiliar suppliers who didn't have a deep understanding of Toyota culture.”
Disclosure - I work for GM, these opinions are my own, etc.