Unintended Acceleration 'hits' new Hybrid London Buses

I was really trying to read the article but kept getting distracted by the side bar and Penelope Cruz and Selena Gomez.

 

Bus equipped with Black Box??

"noisy neuromuscular processes" The Punching Bag Hits Back: Prius Crash Was Driver Error, Toyota Says

 

i know this is a toyota fanboy site, but toyota's ECU software was proven to be defective, buggy and not written in accordance with industry standards. what's even worse, no traces of problems would remain in the software when the main process ("kitchen sink") halts. so, the Toyota's "black box" is a joke. there is no such a thing.

 

I have to thank you for this post, because I honestly hadn't caught up with that part of that news. I definitely remember seeing the much-more-favorable NHTSA/NASA report that had come out earlier, and that must have seemed enough like closure that I just wasn't paying as much attention to the story after that.

I had not heard of or seen Michael Barr's findings until you posted this today.

Very interesting, the contrast between the earlier findings and Barr's, illustrating how difficult it is to check quality of software at all, much less embedded software. I've been a very satisfied customer of my Toyota (which I hope is not quite the same as 'fanboy') but most of what tends to inform my opinion is mechanical design and execution, the stuff you can see, not the invisible stuff in the ECUs.

I'm in software myself, so I have a very vivid and grim appreciation of how that kind of sausage gets made. (A lab colleague of mine in grad school was doing his research on automated verification of embedded software stack use, one of the exact things Barr finds Toyota to have flubbed.) I will admit that when I read the NHTSA/NASA report I was partly relieved and thinking "wow, that sounds a lot better put together than I would have expected." In Barr's findings it flips to worse than I would have expected ... though I have to say not a whole lot worse. (I say that as a measure of my pessimism, not praise for Toyota.) I have very little optimism about the quality of the embedded software I can't see in most of the stuff around me.

Seems like Toyota's had a lot of years to develop top-notch mechanical design and engineering capacities, but didn't really appreciate what it would take to get their new ventures into embedded software up to anything like the same level.

Software development can be mightly deceptive that way, because if you put too much emphasis on how well it seems to be working when nothing is going wrong, you can get to thinking you're much closer to finished than you are....

-Chap

 

Stepping on the gas instead of the brake seems to be a real stretch for the long distance this event covered.

Some of the lowest quality embedded software resides in the skulls of some of the drivers I encounter.

 

fuzzy logic anyone?

 

Sure, if you're buying. What?

-Chap

 

i don't understand, if there was a problem with the software, why is there no recall?

 

You've posed the $64 question.

If you have a code review and find a bug, you can send your customers a recall letter, and when they come in, you flash a new version of the firmware that fixes the bug.

If you have a code review that needs hundreds of pages to describe all the entire families of bug that your development process hasn't protected against, some of which can't even be protected against without necessary hardware features you left out of the ECUs, and all that stuff took you n years to develop the first (wrong) way ...

... what do you do for your customers who come in for that recall, and what year will it be when you can do that?

It's a miserable situation. The jury heard evidence that Toyota had claimed to be following embedded software safety "industry standards" that the software greatly failed to live up to on closer examination, which will probably provide fodder for competitors also claiming they follow the same standards. In the best of all possible worlds, those competitors are also looking at their own undisclosed, unreviewed, trade-secreted-to-the-nth-degree code and thinking to themselves "holy cr@p, how fast can we rewrite this stuff before there's a reason for ours to get closer examination too?!" That's in the best of all possible worlds, which I'm not convinced we live in.

-Chap

 

thanks, then how come there aren't any more u/a incidence's?

 

Interestingly, for Honda it was unintended braking. If it ain't one thing, it's another.

Nice if unsurprising that Barr covers the Therac-25 accidents early on in his EELive talk. One of the first serious examples of having to track down an embedded-system bug that I was able to obtain the report of and study (and the accidents were happening just as I was finishing college).

What's so tough to explain to people is how completely that kind of bug can depend on tiny factors of the exact operating context that you would never expect to be important. The thing was installed in a dozen different clinics across North America, treating thousands of patients successfully, with only six things happening, different places over the course of a couple years, that seemed weird enough to wonder if something was wrong (three of them also weird enough to kill the patient). Nobody made any progress on pinning down the problem—or even recognizing there was a problem—until it finally happened that two consecutive incidents happened only a month apart, at the same clinic in Texas, where the same operator had been on duty running the machine, and she remembered, out of all the treatments they'd given that month, that both times she had used the up arrow on the keyboard while editing the dose information.

How many people would even remember that? How many of those, even if they remembered it, would think it could even have anything possibly to do with the machine's radiation safeguards failing? That turned out to be key to finding one of the bugs.

That's the thing about software, it can be so convoluted and its behavior so unintuitive that a lot of the natural intuitive questions like "hmm, well, if there was any problem, why didn't X happen?" turn out to be of very little help in reasoning about it ... unless, maybe, they are asked by someone with very intimate knowledge of the code, which we don't get.

-Chap

 

agreed. but that still leaves open the 'foot on the gas instead of the brake' theory.

 

The Whitfield slide on page 24 of Barr's EELive talk addresses that theory in an eye-openingly succinct way....

-Chap

 

No "off" switch?

Where's Sandra Bullock when you need her?

 

Hmmmm...... Unintended acceleration. I assume that's what happens every time someone runs for a bus and the driver sees them and drives off anyway.

 

they do that down under too? we call it intended.

 

London bus drivers in particular are notorious for this.

 

there was a local story this winter, the snow was so bad that people had to climb over the snowbanks to get from the sidewalk to the bus out in the street. the bus would pull up, and just as everyone was up on the snowbank, the driver would pull away. minister of transport was given her leave.