Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Government Software Transportation Your Rights Online

NHTSA Has No Software Engineers To Analyze Toyota 459

thecarchik writes "An official from the National Highway Traffic Safety Administration told investigators that the agency doesn't employ any electrical engineers or software engineers, leaving them woefully unable to investigate correctly what caused the most recent Toyota recall. A modern luxury car has something close to 100 million lines of software code in it, running on 70 to 100 microprocessors. And according to consultant Frost & Sullivan, that number will rise to 200 to 300 million lines within a few years. And the software that controls the 'drive-by-wire' accelerators of Toyota and Lexus vehicles is one potential culprit in the tangled collection of issues, allegations, and recalls of many of those vehicles for so-called 'sudden acceleration' problems."
This discussion has been archived. No new comments can be posted.

NHTSA Has No Software Engineers To Analyze Toyota

Comments Filter:
  • by WrongSizeGlass ( 838941 ) on Tuesday February 23, 2010 @04:18PM (#31250506)
    ... there is plenty of talent out there for them to hire - even if only on a project by project basis.
  • I think I met couple EEs at NHTSA back in the 90s...
  • by HungWeiLo ( 250320 ) on Tuesday February 23, 2010 @04:19PM (#31250518)

    Here comes DO-178B for cars.

    I wonder what the cost is per line of code?

    • by Beardo the Bearded ( 321478 ) on Tuesday February 23, 2010 @05:02PM (#31251320)

      Dunno.

      My kids were runover by an out-of-control Mustang about four years ago. There was nothing mechanically wrong with the car. Maybe it was driver error. I don't know, but apparently the accelerator was still stuck to the floor when the police got there. I remember how the cruise control on the cars I've owned will lower the accelerator when the CC is accelerating.

      I've always blamed the firmware. Maybe that's because I'm an EE who used to write firmware for a living. (Firmware that's been in use in life-critical applications for five years with a 0% failure rate.) Odds are the code is shit and there's an edge case that nobody thought about. Maybe there's an uninitialized variable in there. I've seen it happen before. Of course, I'm not Woz-brand, so my opinion doesn't mean a thing.

      For some reason, the various regulatory agencies (i.e. Engineering Associations) have been rolling over and letting the manufacturers put any code they want into public use without any thought that hey, maybe we should get someone with some credentials to look into it. I've tried to mention it to mine, no results. Maybe they're dinosaurs who think that engineering is about roads and sometimes other things, like buildings and handrails. Software can't hurt people, can it?

      This problem is not limited to Toyota, and we've only just seen the beginning. I guarantee that other manufacturers are clenchinging their butts hoping that nobody in the media wonders about all the intermittent "floor mat" problems.

      • Re: (Score:3, Interesting)

        by gr8_phk ( 621180 )
        It could be software, it could even be hardware. Whatever drives the pedal to the floor is probably driven by a MOSFET. If proper FMEA isn't done people will overlook that a failed-short condition might pull the pedal down. I once worked at a company where I pointed out something similar but much less likely to cause problems and was greeted with anger. Another concern I had, they just didn't see how it related to safety - it was like talking to a rock. I've also worked at places that poured rather large am
      • Re: (Score:3, Informative)

        by b4dc0d3r ( 1268512 )

        I've seen that feature, basically it helps when switching from cruise control to manual. You put your foot on the gas and release CC, and you can maintain speed. I'm not sure if the CC presses the accelerator in place of a human, or if the CC controls fuel flow and then adjusts the accelerator to match.

        What I do want to know is how many crashed cars had the cruise control "on" but not set. My CC light can be on but not controlling speed until I hit "set". And if I hit the brake or clutch (it's a manual)

      • Re: (Score:3, Interesting)

        by Bodero ( 136806 )

        My kids were runover by an out-of-control Mustang about four years ago. There was nothing mechanically wrong with the car. Maybe it was driver error. I don't know, but apparently the accelerator was still stuck to the floor when the police got there. I remember how the cruise control on the cars I've owned will lower the accelerator when the CC is accelerating.

        I had a Mustang with an out of control acceleration problem. I was driving down a country road when all of a sudden it kept accelerating. I stomped

    • by SuperBanana ( 662181 ) on Tuesday February 23, 2010 @05:10PM (#31251456)

      Here comes DO-178B for cars.

      The vehicle drivetrain network is very often, if not always, separate from the "entertainment" network; Audi, for example, runs two separate CAN busses for them. The original story hypes things a bit; there may be 70-100 microCONTROLLERS, but half or more of them are "body" (ie windows, sunroof, etc) or "entertainment"(audio, navigation) related and thus don't really need to be reviewed.

      The vast majority of them do very, very simple things, mostly sending CAN bus messages or responding to CAN bus commands. Ie, you move the wiper stalk. The microcontroller for the steering wheel controls says "the stalk moved" either to the wiper motor interface or a 'body control' computer, which then sends a command to the wipers.

      The code review for most of the modules, as a result, is extremely simple- they're just (mostly digital) I/O boxes. Some of them are things like fuel pump modules, which at most have some diagnostic capabilities (like current draw from the pump, pressure sensor, etc.)

      The code review will not be very problematic for engine computers, because (gasp!) they're not made by car manufacturers. Bosch, Magnetti Marelli, Hitachi, and a couple of other companies are the primary producers. And guess what? The code is largely the same car-to-car. Parameters are changed- code doesn't, so much. And car companies share "platforms", which further simplifies things.

      It's not nearly as scary as it sounds.

      • Re: (Score:3, Informative)

        by aaarrrgggh ( 9205 )

        While there is truth in what you are saying on complexity, as someone who has invested a lot of time understanding why Bosch has some fuel pumps failing in a non-passive fashion on stationary engines... there are a lot of assumptions built in, and many problems are only found by trial and error.

    • Re: (Score:3, Informative)

      by jhol13 ( 1087781 )

      No clue, but I very much doubt the figure.

      100 million lines is more than in a normal Linux installation (with OS, openoffice, gnome/kde, firefox, etc.)

  • consultants (Score:4, Insightful)

    by N7DR ( 536428 ) on Tuesday February 23, 2010 @04:20PM (#31250532) Homepage

    Surely it would be a serious inefficiency for NHTSA to maintain on staff a large number of specialists to handle this kind of problem? Isn't that exactly what (properly qualified) consultants are for?

    • Re:consultants (Score:5, Informative)

      by Hatta ( 162192 ) on Tuesday February 23, 2010 @04:34PM (#31250808) Journal

      Given how much of our vehicles are run by computer, I don't think there should ever be a lack of demand for software engineers at the NHTSA.

    • Re: (Score:3, Insightful)

      by TubeSteak ( 669689 )

      Surely it would be a serious inefficiency for NHTSA to maintain on staff a large number of specialists to handle this kind of problem? Isn't that exactly what (properly qualified) consultants are for?

      I agree that it'd be inefficienct to have a large number of EEs & SEs on staff, but they have no one to do even a simple sanity check on the hardware and software that is being certified for public roads. And that strikes me as a failure of their organizational mission.

      • Re:consultants (Score:4, Insightful)

        by fuzzyfuzzyfungus ( 1223518 ) on Tuesday February 23, 2010 @04:56PM (#31251200) Journal
        If 100,000,000 LoC is common(albeit probably concentrated in more or less irrelevant things like the fancy display console, rather than the ECU) there is no such thing as a simple sanity check... And new cars and models are coming out all the time, from a variety of manufacturers, who are presumably constantly tweaking.

        Under the circumstances, you pretty much have two options. The radical, future-looking one is to say "Ok, clearly complex software is the future. We are going to do whatever it takes, build up a serious software engineering team, impose standards that would make medical device makers cry, sponsor research in automated verification, whatever. Yeah, it sucks that we have do deal with that complexity; but so it goes." The traditional conservative(and, much more likely to fit within your budget and not ruffle feathers) option is to throw up your hands and treat the software as a black box. Have your existing test engineers use their existing techniques, or limited variants, to run the vehicles through test conditions, hoping that, if the test conditions effectively model the real world, any real world critical bugs will appear in testing, at which point you can kick it back to the people who wrote the code and tell them to fix it.

        It seems pretty clear that the NHTSA has pretty much gone with option two. And, frankly, it is hard to blame them under the circumstances. Even at the best of times, technical regulation is a pretty unsexy legislative priority, and tends to be funded accordingly. It wouldn't take an actively antiregulatory corporatist to raise an eyebrow at a request for the sort of resources that you'd need to seriously audit the code in each new car coming off the line. And, if you don't have the resources to properly evaluate code from a CS or formal verification perspective, empirical black-box testing under real world-ish conditions is about the best you can do.
    • Re:consultants (Score:5, Insightful)

      by sjames ( 1099 ) on Tuesday February 23, 2010 @04:43PM (#31250966) Homepage Journal

      Given that there isn't a car made today whose safety can be properly evaluated without the skills of EE and software engineers, why would it be inefficient for the agency responsible for that evaluation to have people with those skills on staff? It's not like next years cars won't have even more of the same complete with modified firmware to examine.

      Given that the safety evaluation will involve interactions between mechanical, electrical and software systems, you'd want a cohesive multi-disciplinary team, not a revolving door.

      • Re:consultants (Score:5, Interesting)

        by rainmayun ( 842754 ) on Tuesday February 23, 2010 @04:52PM (#31251128)
        I can promise you have independent verification and validation contracts are bread & butter in the federal contracting world. The federal government has made huge strides in the direction of outsourcing almost all technical expertise, and quite a bit of management expertise (google "federal PMO contracts" for lots of random examples). The few civil servants left in many agencies are a kind of sheepherders, managing vast groups of contractors.
  • Al Bundy: what do you mean I can't get out?
    Clerk: I'm sorry, sir, the computer controls the doors too.
  • Welp (Score:4, Interesting)

    by Pojut ( 1027544 ) on Tuesday February 23, 2010 @04:22PM (#31250558) Homepage

    Such is the cost of more complicated technology. Although, I will admit, this problem seems awfully widespread for Toyota to have not caught this at some point in their QC/QA process.

    I'm reminded of the "recall" speech in Fight Club...

  • by dave562 ( 969951 ) on Tuesday February 23, 2010 @04:22PM (#31250576) Journal

    If the statement in the article is true then this country is in even worse shape than I thought. It seems like rarely a handful of months can go by without the realization that yet another Federal department is completely incompetent. How in the hell does the NHTSA even do their job?! They are supposed to ensure that vehicles are safe but they don't even have the staff to do that.

    What the hell is wrong with our country?

    • I never even know NHTSA existed.

    • Re: (Score:3, Insightful)

      by happy_place ( 632005 )
      Q. What's wrong with our country? A. The price to make you perfectly safe, six times over, is prohibitively expensive. This seems like a stupid approach to the issue. I mean, just how many engineers need to be hired to make you feel safe? And exactly how do they test all 200 million lines of code? If Toyota's engineers missed something like this, do you honestly think that the government is going to magically find it? It's not like Toyota engineers did this sort of thing on purpose. They made a mistake. I
    • by tonywong ( 96839 ) on Tuesday February 23, 2010 @04:32PM (#31250754) Homepage
      What is wrong is that everyone started believing the mantra that smaller government is better government. This isn't just limited to the United States.

      In Canada, the province where I live (Alberta), derives a major part of its revenues from oil and gas. In the same conservative government 35 years ago, we had 2 independent arms of the government who could determine how much royalties were owed to the government from the oil and gas producers.

      Today, we have no one in our government who is able to determine how much we should be collecting and therefore have to rely upon the oil and gas companies to tell use how much they are supposed to remit. Our own government auditor believes we have been bilked out of billions yet somehow we have a leaner and, ahem, more efficient government.

      Just remember that the only thing to stand up to a big business nowadays is big government, and the goal of any big business is to convince everyone that a small government can watch over big business just like a big government can.
      • by roman_mir ( 125474 ) on Tuesday February 23, 2010 @05:09PM (#31251432) Homepage Journal

        Just remember that the only thing to stand up to a big business nowadays is big government, and the goal of any big business is to convince everyone that a small government can watch over big business just like a big government can.

        - I mean, really? Wake up, is there anyone home? The government that you like so much consists of a system of people, who like to remain in power. To do so takes money. Lots and lots of money. Where do you get the money? It's the system - the bribes real and implied etc.

        Government today is in it with the large corporations. They are one government. In Canada it is a bit different from the US but the principles are the same. Big money wants more money, to do so it needs to corrupt the government and it works on that day and night. Big government wants to stay in power, to do so it needs contributions and various other things money can buy, they do this day and night.

        It's like that Alien vs Predator: no matter which one of them wins, who do you think is going to lose?

    • Are you kidding? NHTSA sanctions the testing, develops *some* of the test protocols and performs *some* investigative work to identify problems. Their best strategy to create/keep cars safe in the US is to make sure the manufacturers go through the right processes in creating them. Does that mean having code auditors at the NHTSA looking over the shoulders of programmers at all the car manufacturers? I don't think it does. Does it mean the NHTSA should mandate auto makers to do rigorous code audits of

      • by dave562 ( 969951 )

        How are they developing effective tests without engineering talent to guide the creation of those tests? How are they validating simulated tests if they don't even have the theoretical and practical knowledge that engineers would give them? It isn't like the NHTSA should be doing all of the testing or code audits for the auto makers. However they should have some talent on hand so that when Toyota says, "It isn't the electronics.", someone at the NHTSA can begin to verify it.

    • Re:Heads better roll (Score:5, Interesting)

      by je ne sais quoi ( 987177 ) on Tuesday February 23, 2010 @04:45PM (#31251002)
      I don't why I even respond because I'm sure to get a troll mod but I'd just like to point out that one of the major political parties solution to bad government is no government at all. This poorly functioning government is a direct result of the dual conservative mantras: 1) deregulation of markets is necessary for them to perform well and 2) less government is better. We saw how well #1 worked in the banking industry, this is more of the same. #2 results in chronically understaffed government agencies, or government agencies not able to do what they're supposed to do (e.g. the Republican senators holding up Obama's appointees right now).

      My parents both worked for the FDA and if the NHTSA operates in any similar way to the FDA, it's a shadow of itself in the 1970s. For the FDA that means that there are less food inspectors and no surprise, there is a rise in food poisoning incidents. I wouldn't be surprised if NHTSA is also chronically understaffed. Additionally, even if individual government workers wanted to do their jobs, they are often prevented by doing so because that is not perceived as "business friendly". The political appointees who run the show are in the thrall of private industry, in fact, they are often people taken directly from private industry (e.g. big pharma lobbyists often run the FDA). This "government capture" is the fault of the democrats just as much as the republicans, e.g. Obama lied about hiring lobbyists in his campaign. Basically, we have a non-functioning government and one party's answer to this is the get rid of the thing all together. That is one solution but that wouldn't prevent things like this incident with Toyota.

      I'm sure Toyota will do the right thing though, because that would be in its interests as a good corporate citizen. *snicker*
    • by wisnoskij ( 1206448 ) on Tuesday February 23, 2010 @04:50PM (#31251106) Homepage
      "How in the hell does the NHTSA even do their job?"
      Like every other safety certification organization. The car companies pay for a certificate, NHTSA takes some of the blame when something happens, and the general population feels safe knowing their is an entire organization dedicated to protecting them.
    • Re:Heads better roll (Score:5, Informative)

      by eh2o ( 471262 ) on Tuesday February 23, 2010 @04:59PM (#31251266)

      Years of deregulation and resource starvation have strangulated our regulatory agencies to the point where they are unable to act.

      Much of this based on Greenspan-style Libertarian philosophies that market forces can correct any problem including fraud and crime, a position which he himself has now renounced and we as a people have yet to heed.

      Since the late 80s we have been riding on a giant ponzi scheme and its all coming crashing down right now. And yet, nothing. I expect things to get much worse.

  • by HalWasRight ( 857007 ) on Tuesday February 23, 2010 @04:23PM (#31250588) Journal
    They don't need Electrial Engineers or Software Engineers. They need Computer Engineers [wikipedia.org], people who are trained to understand both sides of the hardware/software boundary.
    • Re: (Score:3, Funny)

      Even better, this one [mattel.com] only costs $12.99!

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Speaking as someone with a CMPE degree, employers see me as under-qualified to do EE work and over qualified to do programming work. What they need is either EEs with heavy embedded programming experience or software engineers with (guess what) embedded programming experience. The title isn't that important.

    • Based on a recent news article I believe Woz would be able to help them out with at least one of the Toyota problems.
  • by Anonymous Coward

    I find that extremely hard to believe. Jurassic Park ran on just two million lines of code. I doubt all the lifetime output of all the readers of this thread, combined, equals 100 million. I further doubt that such complexity is remotely necessary to run a car, and that it is remotely possible to debug that much complexity to the standards of, say, the airline industry. And that NHTSA could audit that code in any respectable amount of time. I hope beyond hope the number is wrong.

    • by quantumplacet ( 1195335 ) on Tuesday February 23, 2010 @04:30PM (#31250712)
      • What a revealing article:

        The F-22 Raptor has 1.7 million lines, the F-35 about 5.7 million, and a 787 has 6.5 million lines, but somehow a consumer automobile needs 100 million?

        I'm honestly surprised this is the first major incident.

      • by saccade.com ( 771661 ) on Tuesday February 23, 2010 @05:06PM (#31251378) Homepage Journal
        I strongly suspect the "100 million lines of code" is BS. Most of the "ECUs" are small microcontrollers that would be lucky to hold 5,000 lines of code, let alone millions. Either the professor is inflating the code size estimate to make himself seem important, or the systems are designed by complete idiots.
      • Why? (Score:3, Insightful)

        Why the need to over complicate a relatively simple mechanical construct that is the car? The old adage still hold true: if it ain't broke, don't fix it. Modern fighter jets are purposely designed to be unstable for manoeuvrability or due to the effects of stealthy design and thus requires fly-by-wire capability. Cars don't need such complexity. Why would I need my steering wheel to be mechanically decoupled from the wheels or my brake pedals to the actual brake discs? This introduces more intermediate step
    • I doubt all the lifetime output of all the readers of this thread, combined, equals 100 million.

      Surely you jest ... or you've been favorably sheltered from our endless verbosity, pedantic ramblings and self-serving diatribes.

      Dr Zoidberg: Loot at me, I'm helping!

  • by jeffmeden ( 135043 ) on Tuesday February 23, 2010 @04:28PM (#31250674) Homepage Journal

    What exactly would the NHTSA do with a set of engineers? Audit all 100 million lines of code for each and every car they suspect has a safety issue with the computer system? Yeah, that sounds like a worthwhile endeavor. How about they do it the old fashioned way; collect the reports, identify the risk, and sanction the manufacturer to find/fix the problem. Thinking that an NHTSA coder (or a hundred) would have gotten to the bottom of this Toyota issue in any reasonable amount of time is a joke!

    • Just look at any large software company they have people looking through the code and bugs are still found, if the bug was easy to find TOYOTA would have found it. The last thing we need in NHTSA injecting itself into the coding process.
    • by rotide ( 1015173 )

      Well, if you don't know what you're asking for, how would you ever know if the answer they give you is even close to reality?

      "Hey, I need you to investigate x, I have no idea how to even analyze x, but I trust you will investigate it exhaustively!"

      "Sure, we fully investigated x and it's fine."

      "Oh, ok, we'll take your word for it, thanks!"

      You have to at least be able to understand what's going on to a certain degree before you can tell someone to fully investigate it _and_ then trust their results.

      So yes, th

      • And they said in a modern luxury car.

        So that's all the code in the following computers:

        Engine (controls throttle and such)
        Transmission
        Collision avoidance (ABS, traction control, etc. TPMS is usually here, too, because it's sometimes part of the ABS system to save costs)
        Safety (airbags, seatbelt pretensioners, etc.)
        Central convenience (security system, power locks, power windows, cabin illumination, in some cars even the exterior lighting goes through central convenience)
        HVAC
        Instrumentation (yep, there's a computer dedicated to that - and some security functions are sometimes in there)
        Entertainment (navigation, stereo, DVD, etc., etc.)

        And all these systems are interconnected.

        You get in your car (central convenience deactivates security upon receiving the signal, and when you open the door, it illuminates the cabin, alerts the engine computer that a start is imminent, possibly starting fuel pumps, on diesel cars turning on the glow plugs, etc., etc., and notifies the instrument cluster that the door is ajar.)

        You insert your key into the ignition (yes, I know about push-button start,) and start the engine (engine computer starts up, after which the instrument cluster polls the RFID chip on the key. If it can't get a read, it immediately requests that the engine computer shut down.)

        You decide that you want a little heat before you set off, so you use your steering wheel controls (which go through instrumentation) to set HVAC settings, and then you figure some music won't hurt (entertainment.) Then, you remember that you don't know where you're going, so you punch the address into the navigation system, and it feeds directions back to the instrument cluster.

        Now, you put the car into gear. The transmission computer notifies the other computers about this, and the engine computer adjusts the idle fueling to compensate. The instrument computer reflects the gear change. The central convenience module turns on the daytime running lights. The entertainment system might prevent you from using the touchscreen interface. The safety computer may become more persistent about reminding you that you didn't put on your seat belt, and will notify the instrument cluster of this, to annoy you more.

        After you put your seatbelt on, you let off the brake and pull out of your parking space. Obviously, the engine computer and transmission computer are working together here, the instrument cluster is constantly updating the status of those (and the entertainment computer, which is noting the changes in vehicle position.) After you hit 10 MPH, the engine or transmission computer sends a request to the central convenience module to lock the doors.

        Now, you're going down the freeway, and right in front of you, a semi truck loses control, and flips onto its side. You jam on the brakes, which kills engine power immediately (engine computer, and the transmission computer is affected as well, and this all gets fed back to the instrument computer.) Collision avoidance computer activates ABS and (as you're attempting to swerve out of the way) stability control, and notifies the central convenience computer that you're undergoing a panic stop, and to activate the hazards.

        Unfortunately, you don't have enough time and room to stop, and you hit the semi. The safety computer notices this, and fires the seatbelt pretensioners and the appropriate airbags. Once that's done, there's some less immediate concerns. It would be a bad idea to leave the engine running, so the safety computer requests an engine shutdown. The transmission computer may be requested to shift to neutral, to make moving the wreck easier. The entertainment system will be told to stop playing music, and if it's got a system like OnStar (which used to be yet another TWO separate computers off of the entertainment system,) an emergency call initiated. Instrumentation is of course updating the status of all of this. HVAC may be set to off. The collision avoidance computer will still be trying to keep t

    • Who's going to identify the write said reports, and identify the risks? Are you trusting Toyota to do this in-house? Because the article shows the NHTSA has zero qualifications do any diligence on its own.

      A line-by-line audit is silly, and nobody is suggesting this. However, I can't see why the department that oversees embedded systems (automobiles) has no electrical engineering talent on hand.
  • 70 to 100 microprocessors? I imagine that this is true only if you employ a fairly broad definition of "microprocessor" and note that the vast majority are single-purpose devices in self-contained systems. I doubt that the "microprocessors" and "lines of code" that run the stereo or the climate-control system - or even the airbags - have any connection with the driveline.
  • Can't they just call Microsoft's toll-free number and ask someone over there to look at it?

  • Seriously. How did they not see this coming. They have been hearing cases about secret codes and OBD standards and the like for quite some time now. The fact that cars are running with the added use and assistance of digital computational systems is well known. If they are not equipped to do testing for safety purposes, they are simply not equipped to do their jobs. And I'm afraid to ask about air vehicle safety testing now...

  • They respond to problems, they don't reverse engineer things. Does the FDA or the Surgeon General's office have engineers to paw through the lines of code in MRI machines or CT scanners, or anesthesia machines, or respirators, or any other number of computerized medical machines? No... they get tested emperically, just like cars do. It's very difficult to prove that some of these flaws exist.... remember the Audi "sudden acceleration" problems in the late '80s that almost killed the brand? That was pre-c

  • Safety related functionality should have a redundant overriding mechanism that isn't subject to the vagaries of software failure. For example, if the engine computer suddenly wants to run an explode subroutine, the fuel valve should limit the outcome to chitty chitty bang bang.

    Then you don't have to check every line of code, you just have to check the overrides.

  • by rm999 ( 775449 ) on Tuesday February 23, 2010 @04:54PM (#31251170)

    I totally disagree: the NHTSA shouldn't hire engineers. NHTSA should not do the job of Toyota's engineers and testers; they were created to set policy and propose safety laws. The NHTSA should hire economists, policy makers, and maybe some scientists. But the job of ensuring the nuts and bolts of a car are safe should fall on the car-maker, with strict repercussions if they fail.

    My biggest problem with all this is what people on Slashdot should already know: looking through and understanding millions of lines of code would take an engineer a few lifetimes - how many engineers are we proposing NHTSA hires? They could learn Toyota's software system, but then what about Ford cars? Or BMW? All for a government organization with 600 employees...

    In cases like this, NHTSA should force Toyota to hire a third party (objective) consultant to create a technical report. Maybe a small team of engineers could remain on staff to read and understand those reports.

    • Re: (Score:3, Interesting)

      by kidgenius ( 704962 )
      Why not? The FAA hires engineers. With the way cars are going, I am scared to think of how much computer control is being done (drive by wire, brake by wire, etc), with little to no oversight from an regulatory agency ensuring the safety of the cars. I work in aerospace and my boss is an FAA DER. The amount of safety review done on an airplane is insane. I think that at least some of that analysis should be applied to cars, now that we are giving up so much of the control in the vehicles to them. someon
    • by rahvin112 ( 446269 ) on Tuesday February 23, 2010 @08:08PM (#31253766)

      Why not simply require that any software in an automobile be OSS (not FOSS). In fact that requirement should seem to be an extension of mechanic laws that required car makers to provide parts and knowledge to service vehicles outside dealerships. All software in such a critical item should be OSS so it can be reviewed for errors and be reprogrammed by mechanics who wish to offer such services.

  • by Kargan ( 250092 ) on Tuesday February 23, 2010 @05:15PM (#31251518) Homepage
    Shift into neutral. I haven't seen this anywhere as part of the many Toyota-related discussions around the world, so figured I'd mention it.
    • Re: (Score:3, Interesting)

      by Cassini2 ( 956052 )

      There are two major problems with the "shift to neutral" solution:
      1. It doesn't always work.
      2. Only a few auto-mechanic and maybe some race car drives have the reflex to shift the car into neutral.

      Most people will not think of shifting to neutral when a problem is encountered, simply because they never need to do it. I'm an engineer, and if my car takes off, it will take me a while to think of shifting to neutral. A car at full acceleration can cover much ground in less than 1 second.

      The other problem

  • Not news to me (Score:3, Interesting)

    by VGR ( 467274 ) on Tuesday February 23, 2010 @05:17PM (#31251552)

    I can't say I find this surprising. Anyone who has ever worked on software for a US government contractor, or US military contractor, knows the government/military has no one who can analyze the product they pay for. Nearly every software product I've seen delivered is of absurdly poor quality. It would be laughable if the implications of the software's use weren't so disturbing.

  • by FranTaylor ( 164577 ) on Tuesday February 23, 2010 @05:27PM (#31251718)

    If you think that the government should not get involved in engineering.

  • by Tisha_AH ( 600987 ) on Tuesday February 23, 2010 @05:30PM (#31251772) Journal

    The NHTSA does not need to evolve a new set of standards out there to address part of this problem. Just require that all automobiles meet the FCC Part 15, Class B standards for electromagnetic susceptibility. It is stupid that this is not done already.

    There are plenty of critical pieces of equipment that cannot turn up their noses and fail because of electromagnetic interference. Medical equipment is tested to at least this standard every day. There are hundreds of testing laboratories throughout the world who manufacture products that have to meet these specifications. There are thousands of engineers who already do this type of testing.

    Now lines of code and software is a different animal. In a hundred million lines of code there are certainly bugs and flaws.

  • It's time... (Score:3, Insightful)

    by GrahamCox ( 741991 ) on Tuesday February 23, 2010 @06:09PM (#31252268) Homepage
    It's time:

    a) for a global safety-critical standard for drive-by-wire software.
    b) for an open industry standard for interfacing for servicing, fault codes, etc, to end the scam of lock-in to specific manufacturers servicing tools and dealers.
    c) to open source it.
  • by istartedi ( 132515 ) on Tuesday February 23, 2010 @06:24PM (#31252446) Journal

    The car function is built in.

  • by goffster ( 1104287 ) on Tuesday February 23, 2010 @06:28PM (#31252502)

    I would be more interested in the process of how
    Toyota develops/maintains code. Do they rewrite code for every car?
    When they reuse code, how do they retest assertions?
    How do they do code verification?
    What is their culture when coding problems interfere w/deadlines ?
    Is there a whole crap load of unused code in there because
    they are scared shitless to remove it ?

    etc.

  • by MillenneumMan ( 932804 ) on Tuesday February 23, 2010 @08:53PM (#31254216)
    I used to write software for the US Dept of Defense, and our office had a fairly good sized team that all day every day manually compared expected results to actual results when compiling our programs. I was amazed at how frequently that team uncovered errors. Most of the time they found subtle errors in how the compiler program performed its translations, but it was not unusual for them to find logic errors embedded in the computer chips themselves. All of these things had to be corrected, even it if meant re-engineering a computer chip, before our software could be deployed, and for obvious reasons: you cannot allow a weapon to fire due to a computer error.

    This drive-by-wire stuff is very serious. I seriously doubt that any car manufacturer validates their computer software and hardware as rigorously as the Dept of Defense; in fact they probably don't do compiler or chip logic validation at all. I bet the aviation industry could give them guidance in this arena.

  • by rickb928 ( 945187 ) on Tuesday February 23, 2010 @11:08PM (#31255340) Homepage Journal

    And safety, not peformance.

    Instead of testng code, evaluating the design process, pretending the NHTSA can even begin to become expert in software design, how about applying the old standards to the new systems?

    For instance, braking safety. I was listening to and reading the testimony from Rhonda Smith [msn.com], where she even describes shifting her Lexus into neutral. Neutral?

    A simple test, and I'm not an engineer, but shouldn't a car come to a stop with 'maximum' brake effort, despite the acclerator position? This is solvable in software - if the brakes are going into lock, and ABS is engaged, engine power and/or transmission state have to be compelled to answer the driver's command to stop. Traction control is already being used in many cars; NHTSA should be able to make a test capable of verifying that even multiple malfunctions are overcome.

    Crap, my wife's 1995 Saab 900SE has a mode where the ECU shuts down the fuel pump if the engine stops running, on the assumption that something is terribly wrong, and spewing gas to a stopped engine is pointless if not dangerous. How do I know this? Her car developed a habit of stalling at stops. The real cause was a defective vapor recovery canister, causing loss of vacuum and low RPMs, and the ECU saw that as a stopped engine and made sure it stopped.

    Certainly there are other states that can be tested for performance and safety, not some quality of performance standard. Most cars have 'safe' or 'cripple' modes to protect the drivetrain if something seems wrong, like the transmission in a gear that should not permit the indicated speed. My '95 Explorer does that, and it's only an OBD-I system. Acclerator position, wheel speed, and transmission mode should all correlate, and if something is wrong the system needs to cripple - slow down, set a max speed, etc.

    Aircraft flight control systems are held out as an example of safety and reliability. Most of these, if not all, have to at least ensure the aircraft doesn't exceed the flight envelope and exceed safety limits. This is the sort standard and evaluation the NHTSA needs to focus on.

    Maybe NHTSA needs to borrow a few investigators from the FAA and the military? They should be looking to Boeing, McDonnell, Electric Boat, General Dynamics for expertise in verifying safety in vehicles. Maybe even some NASA people. At least NASA seems to have turned the Shuttle program around a little too late. They certainly have a cautionary tale to tell, and a jaundiced eye towards the assurances of the 'experts' and trusting management.

    Which would go a long way to reinstating a somewhat adversarial relationship between the regulators and the industry. There should be some tension there. Hiring your industry's former employees is not the way to go.

    We can do so much better. We just need to solve the real problems.

  • by cyberjock1980 ( 1131059 ) on Wednesday February 24, 2010 @12:28AM (#31255832)

    Bear with me for a second here...

    The three laws of robotics:

    1. A robot may not injure a human being or, through inaction, allow a human being to come to harm.
    2. A robot must obey any orders given to it by human beings, except where such orders would conflict with the First Law.
    3. A robot must protect its own existence as long as such protection does not conflict with the First or Second Law.

    I know that a car is not a robot. But the same rules should apply for ANY computer system that, in case of a serious bug, could result in any of those 3 laws being broken.

    This computer literally controls a rather large piece of metal that can travel at speeds sufficient to kill someone. So why is there no subroutine that ensure that brake pedal input will ALWAYS override the gas pedal input? It seems that even on the absolute most basic of level, adding this extremely basic concept could seriously mitigate these issues. Not to mention all of the legal responsibilities, public outcry, and other consequences of not having software or hardware with these "basic" concepts built in.

    Even when making a car and using this system on a test site somewhere. Wouldn't you want to have LOADS of extra code in there to make sure a bug in the software doesn't kill the driver at the test site? It seems to me Toyota's definition of "safety" is practically non-existent.

    Honestly, when seeing something like this, I have to question what kind of work ethic Toyota has and how much they value me as a customer.

  • by L4t3r4lu5 ( 1216702 ) on Wednesday February 24, 2010 @04:21AM (#31257054)
    It's not a race condition, is it?

    I can't believe I'm the first one on this thread to make that joke. I'm not even a programmer.

    You should all be ashamed of yourselves.

It is better to live rich than to die rich. -- Samuel Johnson

Working...