

Why it's so hard for Toyota to find out what's wrong - senthil_rajasek
http://www.washingtonpost.com/wp-dyn/content/article/2010/03/06/AR2010030602448_pf.html

======
m104
I've had a Toyota suddenly accelerate while I was driving it:
[http://blog.m104.us/2010/03/07/my-toyota-suddenly-accelerate...](http://blog.m104.us/2010/03/07/my-toyota-suddenly-accelerated)

Bottom line, this isn't an engineering issue or some big coverup in need of
Senate hearings. This is a whole group of interests wanting to put Toyota on
the stand for something that, while quite random and frightening, is very
mundane and embarrassing. What you're witnessing is a modern day witch hunt
where Toyota is the accused and has no way of clearing its name or even
addressing the possible problems with integrity. The way we (US media and
federal government) are treating Toyota is _shameful_.

Hacker News readers, especially, should be very worried that the mechanical
and computer engineers of Toyota are being told that they must only make
systems with 0% chance of failure, even if the driver could be at fault.
Entrepreneurs should be scared to death of the kind of liability that the US
Senate is laying at the feet of Toyota's management. Zero risk is acceptable,
that is the message.

~~~
greml1n
I had an automatic 2000 Chevy Cavalier that I drove lightly around my second
home when I visited it every few weeks. About 2 years in I came to a red light
and, in applying the brake, it fought as though I was stomping on the gas
pedal. I regularly drive stick so I popped it in neutral as I brought it to
the side of the road and the engine kept revving despite neither of my feet
being on any pedal.

I turned off the car and re-started it without any problems so I took it to my
mechanic down the street and had a friend pick me up. The mechanic gave a full
run-through and basically didn't believe me.

I drove the car around for another few months without incident until I was
taking a longer drive at night on I-95. The car started unexpectedly
accelerating so I removed both feet from the pedals and it kept speeding up.

Long story short, this happened several more times (I have low risk-aversion)
despite having the electrical system replaced and having numerous mechanics
that I know and trust look at it. Before I just gave up on it (annoyed - I
like to know what is wrong) one of my mechanics took it out for a drive just
to try it out and had it get away from him as well. We never did figure out
what caused it.

~~~
m104
Right, I want to be clear: I'm not saying cars don't accelerate on their own.
In your case, you had an actual mechanical problem and did the right thing
which prevented a tragedy. I knew a Ford Taurus owner with that sort of
problem, as well. My point was that the big-story cases with Toyota (and Audi
of the past) focus on these harrowing "I was pressing the brake as so hard
that I hurt my ankle" kind of stories where we're not allowed to second guess
the driver's actions.

There was a case in Minneapolis some years back where a police van
accelerated, from a stop, and killed at least one person during some festival
of lights thing. What they found, eventually, was that the police department
wiring modifications from the stock van (to get the cherries and strobes
working correctly) could cause the police vans to accelerate on their own. It
wasn't a manufacturer issue, but it was still scary stuff.

~~~
greml1n
That's fair enough. I've driven long enough to see that we all do plenty of
stupid-enough things in a fully-functioning car.

------
laut
This looks like it could be a combination of, on one hand, some people who
aren't good at operating a car: accidentally pressing the wrong pedal, failing
to use the clutch or shift into neutral.

Like this 68 year old woman who said "And I can't remember if I had my foot on
the gas pedal … the brake or the gas, I can't remember"
<http://cbs3.com/local/Montgomery.County.Toyota.2.1454021.htm>

And on the other a government that wants to hurt a competitor to their
Government Motors.

------
Entlin
"It is well-known in our community that there is no scientific, firm way of
actually completely verifying and validating software".

Mr Rizzoni, "expert in failure analysis" must have never heard of Ada before.
Or, of its use in Airbag steering computers, where the code is mathematically
proven to be running correctly.

~~~
shin_lao
There is a difference between proving a small amount of code that controls an
airbag (and you just prove the written code, not the compiler, not the OS, not
the hardware) and millions of lines of code running in a complex machine that
runs in arbitrary conditions (the car).

~~~
nitrogen
In a computer that critical and that simple, there is no OS, and the compiler
(or assembler) is tested for the program in question. The hardware design can
be demonstrated to correctly execute every permutation of every instruction.

~~~
m0th87
_The hardware design can be demonstrated to correctly execute every
permutation of every instruction._

Isn't that impossible vis-a-vis the halting problem?

~~~
nitrogen
I should rephrase that "every permutation of every instruction executed by the
program". I'm not trying to prove that every program is correct, only that my
program is correct. That is possible by using a well-defined and fully-proven
subset of the available features of the language and processor.

For example, designing your program and CPU as a set of state machines allows
you to define all possible states of the system (which are deliberately
limited), define all the state transitions, then verify that every input
condition for each state results in the correct state transition. Even if you
simply brute force your way through every state and every transition instead
of using mathematical generalizations, you've still proven that the program is
correct.

~~~
elblanco
As it turns out, this doesn't actually work. State derived program analysis
has been shown to not be provable for all cases. Particularly when the state-
space is very large, and when state transitions are non-atomic in the code,
e.g. two or more state transitions in a code block.

The best research I've seen on this was done with Access Control Matrices in
the Computer Security field. e.g. can you prove in a general sense that a
sequence of atomic state changes to an ACM result in no violations of access
control? The answer is, for atomic state changes you can prove that they are
internally consistent, but not that they do not introduce a flaw in the ACM.

In other words, because proving software reduces to proving correctness, it
only proves that the software is internally consistent. Basically it's a
circular proof. It doesn't prove that the software is without flaw.

------
marze
I realize some cars have a type of 'black box' already, but it seems that with
the potential for software problems, an expanded black box that stores vastly
greater amounts of data would make sense.

In this case, the computer controls the throttle (no direct mechanical
linkage) so it is crazy that the software does not give the brake priority if
it believes both are being engaged. A simple 'high braking pressure' sensor
that overrides the throttle would be simple enough to be almost immune to any
software glitch.
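
The two technical suggestions above (nitrogen's "enumerate every state and every transition and check each one", and marze's "brake pressure overrides the throttle") fit together in one small model. The following is an added example, not code from the article, from Toyota, or from any commenter: a hypothetical drive-by-wire throttle controller written as a finite state machine with brake priority, plus a brute-force check that visits every (state, input) pair and asserts the safety properties on each transition. The state names, the quantised pedal and brake values, and the 0/50/100 throttle map are all constructed for the example; a deliberately naive variant that consults the accelerator before the brake is included to show that the exhaustive check actually catches the ordering mistake.

```python
from itertools import product

# Coarse, constructed quantisation of the inputs so the state space is finite.
PEDAL = ("released", "partial", "full")   # accelerator pedal position
BRAKE = ("none", "light", "high")         # brake line pressure
STATES = ("IDLE", "DRIVE", "BRAKE_OVERRIDE", "FAULT")
THROTTLE_FOR_PEDAL = {"released": 0, "partial": 50, "full": 100}  # percent open


def next_state(state, pedal, brake, sensors_agree=True):
    """Hypothetical transition function with brake priority.

    High brake pressure always wins over the accelerator. A FAULT (the
    redundant pedal sensors disagree) is latched and never clears. After an
    override the driver must release the accelerator before the throttle
    may reopen, so a pedal held down through a brake application does not
    reapply power the instant the brake is released.
    """
    if state == "FAULT" or not sensors_agree:
        return "FAULT"
    if brake == "high":
        return "BRAKE_OVERRIDE"
    if state == "BRAKE_OVERRIDE" and pedal != "released":
        return "BRAKE_OVERRIDE"
    return "IDLE" if pedal == "released" else "DRIVE"


def next_state_naive(state, pedal, brake, sensors_agree=True):
    """Deliberately wrong variant: looks at the accelerator before the brake."""
    if state == "FAULT" or not sensors_agree:
        return "FAULT"
    if pedal != "released":
        return "DRIVE"
    return "BRAKE_OVERRIDE" if brake == "high" else "IDLE"


def throttle_command(state, pedal):
    """Output function: commanded throttle opening in percent."""
    return THROTTLE_FOR_PEDAL[pedal] if state == "DRIVE" else 0


def check_all_transitions(transition=next_state):
    """Brute-force every (state, input) pair; return the list of violations.

    Each violation names the property and the (state, pedal, brake, agree)
    input that broke it, so an empty list means every transition is safe.
    """
    violations = []
    for state, pedal, brake, agree in product(STATES, PEDAL, BRAKE, (True, False)):
        nxt = transition(state, pedal, brake, agree)
        cmd = throttle_command(nxt, pedal)
        case = (state, pedal, brake, agree)
        if nxt not in STATES:                       # no undefined states
            violations.append(("undefined_state",) + case)
        if brake == "high" and cmd != 0:            # brake has priority
            violations.append(("brake_priority",) + case)
        if not agree and cmd != 0:                  # sensor fault closes throttle
            violations.append(("sensor_fault",) + case)
        if pedal == "released" and cmd != 0:        # no request, no throttle
            violations.append(("no_request",) + case)
        if state == "FAULT" and nxt != "FAULT":     # FAULT is absorbing
            violations.append(("fault_cleared",) + case)
    return violations


def reachable_from(start, transition=next_state):
    """Breadth-first walk of the state graph under every possible input."""
    seen, frontier = {start}, [start]
    while frontier:
        state = frontier.pop()
        for pedal, brake, agree in product(PEDAL, BRAKE, (True, False)):
            nxt = transition(state, pedal, brake, agree)
            if nxt not in seen:
                seen.add(nxt)
                frontier.append(nxt)
    return seen


if __name__ == "__main__":
    print("brake-priority controller violations:", check_all_transitions())
    print("naive controller violations:", len(check_all_transitions(next_state_naive)))
    print("reachable from IDLE:", sorted(reachable_from("IDLE")))
    print("reachable from FAULT:", sorted(reachable_from("FAULT")))
```

The whole space here is 4 states times 18 inputs, so brute force is instant; the point is that the properties are stated once and checked on every transition, not on a handful of hand-picked test drives. Note what the check does not cover, which is exactly shin_lao's objection: the sensors that feed `brake`, the compiler, and the hardware are all assumed to behave.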

~~~
nitrogen
I hope that it is a "high braking pressure" rather than "foot glances the
brake pedal" sensor, as I was looking forward to one day learning to heel-toe.

~~~
TeHCrAzY
It's not that hard. Give it a go somewhere quiet and out of the way, and then
just take it easy and practice. It was a few weeks before it was second nature.
Just make sure you can actually pull it off in your car before trying it near
traffic/children/animals/police.

~~~
sliverstorm
His point is that you can't heel-toe if the brake kills or misfires the engine
(as it often does in karts)

------
Groxx
Super-summary, which is also completely self-evident (IMO), which means the
article is superfluous:

Multiple possibilities mean multiple sources, all of which have to be traced
for multiple things. Things are also layered pretty deeply.

I still say "sudden acceleration" is different than "pedal was stuck". When
the pedal sticks, people _say_ the pedal is sticking, because it's an
extremely easy thing to identify (you feel it immediately). Also, intermittent
problems are inherently pretty hard to solve.

~~~
bmj
The article might be superfluous for engineers and programmers, but there are
plenty of people who read the Washington Post that don't understand
engineering processes. I suspect most people figure that Toyota is just hiding
something, and that's why they don't have answers.

~~~
Groxx
And most of those wouldn't be reading articles on it anyway, they're often
happy simply thinking the world / governments / corporations / "they" are out
to get them. It gives them reason to stay where they are, because they now
have proof that it's out of their hands.

It's why smear campaigns _work_. It's not because the content is accurate,
it's because so few people actually _look_ at the content, and instead take
what they're told and don't look into it further. Articles like this are
mostly meant for the few edge-cases who are actually looking for more
information, and they'd find it anyway, and to make the people who know better
feel good for educating those poor people who don't.

~~~
bmj
But this isn't the point you made in your initial comment. Sure, most of us
here understand the engineering processes of figuring out how and why things
break, but that doesn't mean an article in a nationally-read newspaper is
superfluous.

------
ErrantX
WP is behind a paywall? That sucks.

What's Frank Ahrens like as a reporter generally? If this is the quality of
his usual stuff I'd be tempted to pay up.

------
sliverstorm
An idea:

Motorcycles and racing cars have had kill switches to fight the problem of
stuck pedals etc for ages now. Why not do the same in cars?

It's true, you have the ignition switch, but what about a simple ON/OFF switch
right under the driver's thumb? This solves the potential complexity of the
key in strange places, the many positions for the key, and the start button.
Educate drivers, same as you do bikers and racing drivers.

What about power steering and power brakes? Well, since modern cars are drive
by wire, build in an override that forces the engine into idle mode, perhaps
with a second override that actually kills the engine (or disengages the
transmission) if the engine is still revving high (this could only happen due
to a stuck throttle plate, which software can't fix)
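
The two-stage override sliverstorm sketches (first force idle, then kill the engine or disengage drive only if it is still revving) is a plausibility monitor, and the interesting part is the second stage: a healthy engine takes a moment to spin down after the throttle closes, so the monitor must tolerate that decay and only escalate when high engine speed persists past it. The following is an added example, not code from the article or from any commenter, with constructed thresholds (3000 rpm, a 10 Hz sample rate, a 2 s spin-down allowance) and two constructed rpm traces, one of a healthy engine winding down and one of a throttle plate stuck open.

```python
# Constructed thresholds; hypothetical, not taken from any vehicle.
IDLE_RPM = 900            # expected engine speed with the throttle closed
SURGE_RPM = 3000          # sustained speed above this with idle commanded is a fault
SAMPLE_HZ = 10
SPIN_DOWN_SAMPLES = 2 * SAMPLE_HZ   # 2 s grace for a healthy engine to wind down


class OverrideMonitor:
    """Two-stage override driven by a thumb switch.

    Stage one (cheap, reversible): while the switch is held, command idle
    regardless of the accelerator pedal, so a stuck or mis-read pedal is
    ignored. Stage two (latched): if engine speed stays above SURGE_RPM for
    longer than a healthy engine needs to spin down, the throttle plate is
    presumed stuck and the monitor orders an engine kill / drive disengage.
    """

    def __init__(self):
        self.revving_samples = 0   # consecutive samples revving while idle commanded
        self.killed = False        # latched; clears only with a restart

    def step(self, override_switch, pedal_pct, rpm):
        """One control cycle. Returns (throttle_pct, action)."""
        if self.killed:
            return 0, "kill"
        if not override_switch:
            self.revving_samples = 0
            return pedal_pct, "normal"
        # Stage one: idle forced, pedal ignored.
        if rpm > SURGE_RPM:
            self.revving_samples += 1
            if self.revving_samples > SPIN_DOWN_SAMPLES:
                self.killed = True      # Stage two: engine kill, latched
                return 0, "kill"
        else:
            self.revving_samples = 0    # engine is responding; no escalation
        return 0, "force_idle"


def run_trace(monitor, trace):
    """Feed (switch, pedal_pct, rpm) samples through the monitor; return actions."""
    return [monitor.step(switch, pedal, rpm)[1] for switch, pedal, rpm in trace]


def healthy_trace():
    """Constructed: switch held, pedal (wrongly) reads 100%, engine decays 400 rpm per sample."""
    return [(True, 100, max(IDLE_RPM, 5000 - 400 * i)) for i in range(30)]


def stuck_trace():
    """Constructed: switch held, throttle plate stuck, engine stays at 5000 rpm."""
    return [(True, 100, 5000) for _ in range(30)]


if __name__ == "__main__":
    print("healthy:", run_trace(OverrideMonitor(), healthy_trace()))
    print("stuck:  ", run_trace(OverrideMonitor(), stuck_trace()))
```

On the healthy trace the engine drops below the surge threshold within six samples, the counter resets, and the monitor never escalates; on the stuck trace the counter crosses the 2 s allowance at the 21st sample and the kill latches for the rest of the drive. The latch matters: an override that un-kills itself as soon as rpm falls would restart the surge cycle.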

------
jasongullickson
If you don't know what to do when your car accelerates outside of your control
(i.e., turn the ignition OFF) then you shouldn't be behind the wheel.

There are dozens if not hundreds of reasons a throttle might stick or an
engine might suddenly surge and if you can't handle this situation you're a
threat to everyone within striking distance of your vehicle.

Whether Toyota is to blame for these cases or not, I think anyone who
testifies to losing control of their vehicle for these reasons should have
their license revoked on the spot.

~~~
wtallis
Turning off the ignition will kill your power brakes and power steering, and
may lock the steering column. Not good if you're in traffic or generally not
on a straight, flat road.

Shifting into neutral while standing on the brake pedal (and clutch if you
have one) seems to be the consensus on what's safest.

~~~
jasongullickson
I've never driven a car that locks the steering wheel when the ignition is
turned off (you have to turn it to "lock").

Shifting into neutral is good, except that a racing engine presents dangers of
its own. Killing the ignition removes this risk as well.

I'll go on to say that if you can't steer or stop your car without power
assist you have yet another strike against you as an operator of an automobile.

~~~
wtallis
When you're in an unintended acceleration situation, you don't want the only
solution to be one that introduces several other sudden, unintended changes in
the behavior of the car.

And in a panic situation, you're not going to be able to reliably turn the key
only one click counterclockwise to the off position instead of two clicks to
the lock position.

~~~
jasongullickson
_And in a panic situation, you're not going to be able to reliably turn the
key only one click counterclockwise to the off position instead of two clicks
to the lock position._

As I stated originally, if you are incapable of handling a vehicle in an
emergency situation then you should be relieved of the responsibility.

For the record I have performed this "complex" operation under these
conditions (and on a motorcycle as well) and I've met more than one other
person who has done the same.

