Toyota Prius and Camry, drive-by-wire, and our failure to learn from experience

February 4, 2010

I see from the morning news that Toyota’s adventure into the world of embedded software is going badly. The company’s second attempt to find a quick fix for unintended acceleration in its conventionally-powered vehicles is barely underway, and already evidence is emerging that the underlying problem is likely in the engine controller, not in the pedal mechanical assembly. And now we hear from Japan that the Prius, Toyota’s golden child, has a problem with its brake-by-wire control system.

One has to recall Audi, which decades ago accidentally introduced drive-by-wire with its advanced cruise control on the Audi 5000. The cars were allegedly subject to spontaneous acceleration. The company blamed the problem on operator error. At the time, I was told that researchers at another European high-end auto company had uncovered a problem in Audi’s engine-control firmware and reproduced the acceleration without requiring a driver to mistake the gas pedal for the brake. But in the ensuing liability litigation, all hope was lost of diagnosing the actual problem and documenting it so that the rest of the real-time software community could avoid it.

The reason all this came to mind this morning was actually not the newspapers, but a panel I attended yesterday at DesignCon. The subject was achieving quality closure. But the issue of software sat like an elephant in the corner of the room, awaiting notice. One of the panelists—I believe it was Design Rivers president Camille Kokozaki—pointed out that perhaps the most serious quality problem in IC designs now is not quality closure on the hardware, but the integrity of the firmware and software that will run on the chip. There simply is no systematic approach to ensuring the quality of an integrated hardware/software system.

And this is a tragedy. Thirty years ago, work was well under way on the problem of formally proving software correctness. One company had designed a completely deterministic microprocessor—no interrupts, no indirect addressing—that made it possible to mathematically prove all of the possible trajectories of a code set. And computer scientists such as Edsger Dijkstra were making strides in methodology to create formally proven software. But along came C, UNIX, and the cult of the bemused hobby programmer, and the entire notion of formal correctness vanished under a smokescreen of hacking.

So now, after decades invested in metrics-driven verification, formal verification, and methodology management, we find that our chips don’t work as expected because the software is still being "verified" by feeding it test cases until the schedule expires. And we find that our cars run into things for the same reason, and the press of course will blame the problem on "electronics."

And once again, as in Audi’s day, it is safe to conclude that whatever accurate diagnostic work actually gets done on the Toyota problems will be wrapped up in a gag order as part of a class-action settlement, so that no one in the industry can benefit from what Toyota engineers did or did not learn from the problem. That way we can repeat the situation with the next generation of software-governed systems, a new set of executives can avoid blame for the tragedies, and a new set of lawyers can make their fortunes off the resulting litigation.

The only parties in this little comedy that have an interest in actually improving the state of the art are the engineers, who won’t be consulted, and the victims, who will be silenced by the lawyers. How much better for everyone if it were a principle of civil law that when it is found that damage has been inflicted by a failure, all of the diagnostic information determined by the vendor and by independent parties must be placed in the public domain, and may not be used to assess or assign damages. Such a notion might somewhat restrict the income opportunities of litigators, but it would unquestionably assist the engineering community in learning from our mistakes.

Posted by Ron Wilson on February 4, 2010 | Comments (87)

March 31, 2010
In response to: Toyota Prius and Camry, drive-by-wire, and our failure to learn from experience
no_more_fun commented:

diesel industry has also been using throttle by wire for years... difference is they all had the good sense to have a robust, SEPARATE mechanical switch directly attached to the throttle pedal arm. it's called a positive idle switch. no matter what the computer wants to do as far as fuel etc, if that circuit is closed, the truck cuts fuel to idle level. if the switch breaks, the truck won't go anywhere. nice and safe. so both parties are to blame... Toyota sold a flawed product AND the owners/drivers did not have the ability to stop the vehicle in an emergency situation. drivers should lose their licenses and Toyota should buy back their cars to help offset the bus fare.


March 28, 2010
In response to: Toyota Prius and Camry, drive-by-wire, and our failure to learn from experience
donson commented:

I agree 100% with the author. Since this problem has been around for years, Toyota must have thoroughly checked out all mechanical and electrical potential issues. This leaves only an embedded firmware bug. The whole industry has the problem of rushing new products to the market before firmware is verified. I heard automotive managers tell their engineers to freeze the code for job 1 since it can always be re-flashed as a service fix later. Yes, NHTSA must make public to all other companies the final problem so that the error is not repeated. I agree that the lawyers will try to stand in the way. It seems like one central theme around everything today is tort reform.


March 15, 2010
In response to: Toyota Prius and Camry, drive-by-wire, and our failure to learn from experience
doctormcgoveran commented:

I am a big fan of mechanical stuff. I had a 2 wheel drive pick up truck that went up steep icy hills much better than a four wheel drive, for years I thought I was magical. I realized now the new four wheel drive had a vacuum secondary, when the wheel spun .25 turns the vacuum surged and yanked open the throttle, and the driver spun out. I would feel the slip and feather out a slice on the throttle and keep on rolling. They build cars to sell not to drive. If you have millions of copies of something out there in the software world you are going to kill a few folks. The problem is the market, you can't sell a car with a big old kill button in the middle of the steering wheel. Better yet have a car with a horn button that kills the motor with a relay. Most people are hitting the horn when they should be on the brakes anyway.


March 11, 2010
In response to: Toyota Prius and Camry, drive-by-wire, and our failure to learn from experience
safetyGuy commented:

The lessons that need to be learned here have happened across industries. The government DOES have leverage to force disclosure - for airplanes, it's called an "Airworthiness certificate". For cars, I believe there is a similar approval process, but don't know the names. NHTSA needs to sue to force public disclosure of the car's embedded controller code as a matter of public policy, to promote automobile safety. That's a fair tradeoff if Toyota, Audi, GM, or Ford want to sell cars that can be driven on the highway.


March 10, 2010
In response to: Toyota Prius and Camry, drive-by-wire, and our failure to learn from experience
Firelick commented:

I will never buy a by-the-wire car. However, if you already have one, I would say this: If your car has the by-wire accelerator, you may want to run a kill switch to your dash just in case. Find the hot wire to your car's accelerator wire, disconnect the battery, snip the wire, connect the wires to a toggle switch positioned within easy reach, reconnect the battery. Test it in park (by flipping the switch and trying to rev the car) to see if you've done it right (if you have, it won't rev). Then at a slow lo-gear speed. You can find the diagrams, for where the wires are, online, most of the time. Might save your life.


March 2, 2010
In response to: Toyota Prius and Camry, drive-by-wire, and our failure to learn from experience
petedcurtis commented:

I seem to remember the extensive analysis of the DH Comet I crashes in the early fifties. The results of the failures due to metal fatigue around a square window frame were made public and I believe that the UK Aeronautical engineers shared their findings with the US Aeronautical Engineers. It's a pity we cannot do the same in the car industry now we have arrived at a complex level of "drive by wire" systems all should pool their experience. Unfortunately having been threatened and having seen other engineers being silenced by Lawyers I have little hope we will get anywhere. I would just suggest we engineers get together, have a meal and maybe a drink once in a while and discuss things off the cuff and off the record. The lawyers just get in the way in these cases. Sad but true. Peter


February 25, 2010
In response to: Toyota Prius and Camry, drive-by-wire, and our failure to learn from experience
Vinod Shekher commented:

I believe that the issue is hardware and software integration. In space business, that I have experience in, it is very well known that software faults are very hard to find. I am not sure how much or what methods these auto makers use to perform fault isolation and fault tolerance analysis. Traditional techniques of fault trees may be insufficient to address these types of issues. Tools for improved analysis were developed but I am unsure if engineers outside the space business adopted these. In general where humans are at risk we provide redundant paths - not sure if auto makers do that. I would be interested what approach Toyota uses for fault isolation and fault tolerance assessments.


February 18, 2010
In response to: Toyota Prius and Camry, drive-by-wire, and our failure to learn from experience
TPG commented:

This isn't a legal problem. It's a we-don't-want-to-admit-it-problem. Be it Audi or Ford, no one wants to admit to a failure. Juries are actually quite good at sorting out what is fact from obfuscation: juries are much better at it than judges are. The problem is more about judges not understanding science & technology and not allowing testimony that is designed to hide the facts. It is tough, but we need to get cases to a jury more often. We as a people are really quite bright!


February 13, 2010
In response to: Toyota Prius and Camry, drive-by-wire, and our failure to learn from experience
mehdi alyari commented:

I have a very new design for you. I am young and an amateur, but I have a lot of ability in this area (car design), and am now busy with a hybrid car for my university group. Please help me. This is my email (rolan.yari@yahoo.com) if you want me to work with you.


February 12, 2010
In response to: Toyota Prius and Camry, drive-by-wire, and our failure to learn from experience
umm but no commented:

saying the Audi 5000 had "drive by wire" just ruined the article for me. 1986, Audi, drive by wire....no when all reviews, studies, official reports etc have blamed it on driver error, I think blaming it on electronics is just lying. Now the fact they broke every few miles and cost a fortune to maintain due to a poor dealer network (ask me how I know) made it easy to believe. I didn't believe the Chevy trucks were blowing up either...Audi should have sued the broadcast media for losses. Toyota is a whole different story. PJE


February 12, 2010
In response to: Toyota Prius and Camry, drive-by-wire, and our failure to learn from experience
John Donovan commented:

With less fanfare, the Ford Fusion has experienced the same problem, which Ford says stems from trying to get the regenerative, ABS and mechanical braking systems to work smoothly together--which is clearly a software problem. If there were ever an argument for system-level design, this is it.


February 11, 2010
In response to: Toyota Prius and Camry, drive-by-wire, and our failure to learn from experience
Law and engineering commented:

Like it or not folks, we're all P.E.s in terms of our responsibility now. And like it or not folks, the Management that sets ridiculous schedules will not be held to account for the disasters they create. Does anyone besides me remember that our "safe" nuclear power is 'fly by wire' throughout? And do you sleep better knowing that the computer makes most of the life and death control systems decisions for hundreds of thousands of lives for hundreds of thousands of radiation half-life years?


February 11, 2010
In response to: Toyota Prius and Camry, drive-by-wire, and our failure to learn from experience
Stu Michaels commented:

Just wait, you ain't seen nothing, yet!!! Computer controlled collision avoidance is another lawsuit waiting to happen. Do you want to bet?


February 11, 2010
In response to: Toyota Prius and Camry, drive-by-wire, and our failure to learn from experience
The car: 1969 camaro commented:

and GM had a throttle stick problem back in the late 60s. I personally drive a 1969 Camaro and the throttle stuck wide open (because I had jammed the pedal to the floor). The engine had lifted on the mounts (they tend to do that when exerting lots of torque) and the mechanical linkage got bound up. This was brought on by worn engine mounts (they're rubber blocks). The fix was to add limit cables around the engine mounts. Soon afterwards they went to using cables. So now you know.


February 11, 2010
In response to: Toyota Prius and Camry, drive-by-wire, and our failure to learn from experience
Neutral position on the shifter? commented:

Am I the only person on the planet that knows that by moving the "gear" shifter into the neutral position, the engine will be decoupled from the rest of the drive train? This is true on manual shift and automatic transmissions. What does everyone think that the "N" means on the gear shift? I have a 2007 Toyota Avalon (I bought it used with 4,000 miles on it, I do not buy non-US-based cars new). It has both recalls: pedal stuck on dealer installed floor mats, and whatever else the new recall is supposed to fix. And it has the push-button START/STOP. So until we get it "fixed", she has been schooled on what to do: pop it into neutral, then push the button (momentarily or 3 seconds, whatever works). And if the rev. limiter makes the engine sound like it's coming out of the hood, so be it.


February 11, 2010
In response to: Toyota Prius and Camry, drive-by-wire, and our failure to learn from experience
Motorhead commented:

You can keep the drive by wire, brake by wire etc. Adding all of this "technology" simply adds more complexity, hence more failure modes. I prefer really being in control with a mechanical hydraulic brake system and a throttle cable, thank you.


February 11, 2010
In response to: Toyota Prius and Camry, drive-by-wire, and our failure to learn from experience
Dave Thomson commented:

When I worked for Siemens Automotive about ten years ago as a systems engineer for engine management systems, we were developing Chrysler's first drive by wire system. It's a complicated control loop, as the ECU controls both a motor-driven throttle body (slow), cylinder by cylinder fuel injection, and cylinder by cylinder spark advance (fast). The ECU had two microcontrollers - one to perform all the usual engine management functions, OBD-II, etc., and the second which was a watchdog on the first. The second microcontroller monitored basic engine functions and had an independent throttle position sensor and throttle pedal pot, completely isolated from the main system. It was built by a completely different company to a different fab process and programmed by a clean room team that did not touch the production main code to avoid systematic or "groupthink" errors. If it detected anomalous behavior on the part of the main microcontroller, it would shut it down and put the car in "limp home" mode, limiting speed and acceleration. We spent a lot of effort on Failure Modes and Effects Analysis (FMEA) trying to brainstorm all of the possible failure modes and evaluating them for probability of occurrence, severity of consequence, and detectability (warning prior to failure). The Siemens software development team came the closest to the Carnegie-Mellon capability maturity model as any outfit I've seen in over thirty years of engineering, I suspect because they were European-trained under a much more formal educational system. It's my understanding that Bosch has a similar drive-by-wire system, but I don't know the details.
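
The independent monitor described in the comment above, sketched in C as an added example (not part of the original comments, and not Siemens or Chrysler code): a second controller reads its own pedal and throttle sensors, debounces disagreement, and latches limp-home. All names, thresholds, ADC ranges and the sample traces are constructed assumptions, and cruise control is not modelled.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Every name, threshold and unit here is an illustrative assumption. */
#define ADC_MIN_VALID       100u  /* lower reading: open circuit or short to ground */
#define ADC_MAX_VALID       3995u /* higher reading: short to supply */
#define IDLE_ALLOWANCE_PCT  8u    /* opening the main ECU may hold for idle control */
#define TRACK_TOLERANCE_PCT 10u   /* allowed throttle excess over pedal demand */
#define FAULT_DEBOUNCE      5u    /* consecutive bad samples before tripping */
#define LIMP_THROTTLE_PCT   15u   /* throttle ceiling once limp-home is latched */
#define RAW(pct) ((uint16_t)(ADC_MIN_VALID + ((pct) * (ADC_MAX_VALID - ADC_MIN_VALID)) / 100u))
#define LEN(a) (sizeof(a) / sizeof((a)[0]))

typedef enum { MON_OK, MON_SUSPECT, MON_LIMP_HOME } mon_state_t;
typedef struct { mon_state_t state; unsigned bad_samples; } monitor_t;
typedef struct { uint16_t pedal_raw, throttle_raw; } sample_t;

/* Convert a 12-bit reading to percent; false if it is electrically implausible. */
static bool adc_to_pct(uint16_t raw, unsigned *pct)
{
    if (raw < ADC_MIN_VALID || raw > ADC_MAX_VALID)
        return false;
    *pct = ((raw - ADC_MIN_VALID) * 100u) / (ADC_MAX_VALID - ADC_MIN_VALID);
    return true;
}

/* One monitor cycle, using only the monitor's own sensors (never the main ECU's view). */
mon_state_t monitor_step(monitor_t *m, sample_t s)
{
    unsigned pedal, throttle, demand;
    bool bad;

    if (m->state == MON_LIMP_HOME)
        return m->state;              /* latched until an explicit reset (e.g. key cycle) */

    if (!adc_to_pct(s.pedal_raw, &pedal) || !adc_to_pct(s.throttle_raw, &throttle)) {
        bad = true;                   /* a failed sensor is itself a fault */
    } else {
        demand = pedal > IDLE_ALLOWANCE_PCT ? pedal : IDLE_ALLOWANCE_PCT;
        bad = throttle > demand + TRACK_TOLERANCE_PCT;
    }

    if (!bad) {
        m->bad_samples = 0;           /* transient glitches do not accumulate */
        m->state = MON_OK;
    } else if (++m->bad_samples >= FAULT_DEBOUNCE) {
        m->state = MON_LIMP_HOME;
    } else {
        m->state = MON_SUSPECT;
    }
    return m->state;
}

/* Throttle command actually passed to the actuator, given the monitor state. */
unsigned monitor_limit_throttle(mon_state_t state, unsigned requested_pct)
{
    if (state == MON_LIMP_HOME && requested_pct > LIMP_THROTTLE_PCT)
        return LIMP_THROTTLE_PCT;
    return requested_pct;
}

static mon_state_t replay(const sample_t *t, size_t n, int *trip)
{
    monitor_t m = { MON_OK, 0 };
    *trip = -1;
    for (size_t i = 0; i < n; i++)
        if (monitor_step(&m, t[i]) == MON_LIMP_HOME && *trip < 0)
            *trip = (int)i;
    return m.state;
}

/* Index of the sample at which limp-home latched, or -1 if it never did. */
int trip_index(const sample_t *t, size_t n) { int i; replay(t, n, &i); return i; }
/* Monitor state after the whole trace has been replayed. */
mon_state_t state_after(const sample_t *t, size_t n) { int i; return replay(t, n, &i); }

/* Constructed sample traces (pedal %, throttle %), not measurements. */
static const sample_t TRACE_NORMAL[] = {
    {RAW(40), RAW(45)}, {RAW(40), RAW(45)}, {RAW(40), RAW(45)},
    {RAW(40), RAW(45)}, {RAW(40), RAW(45)}, {RAW(40), RAW(45)} };
static const sample_t TRACE_GLITCH[] = {          /* 3 bad samples, then recovery */
    {RAW(0), RAW(5)}, {RAW(0), RAW(80)}, {RAW(0), RAW(80)}, {RAW(0), RAW(80)},
    {RAW(0), RAW(5)}, {RAW(0), RAW(5)}, {RAW(0), RAW(5)} };
static const sample_t TRACE_RUNAWAY[] = {         /* pedal released, throttle held open */
    {RAW(0), RAW(5)}, {RAW(0), RAW(5)}, {RAW(0), RAW(80)}, {RAW(0), RAW(80)},
    {RAW(0), RAW(80)}, {RAW(0), RAW(80)}, {RAW(0), RAW(80)}, {RAW(0), RAW(80)},
    {RAW(0), RAW(5)}, {RAW(0), RAW(5)} };
static const sample_t TRACE_OPEN_PEDAL[] = {      /* pedal sensor wire open: raw 0 */
    {0, RAW(20)}, {0, RAW(20)}, {0, RAW(20)}, {0, RAW(20)}, {0, RAW(20)} };

int main(void)
{
    printf("normal: trip=%d\n", trip_index(TRACE_NORMAL, LEN(TRACE_NORMAL)));
    printf("glitch: trip=%d\n", trip_index(TRACE_GLITCH, LEN(TRACE_GLITCH)));
    printf("runaway: trip=%d\n", trip_index(TRACE_RUNAWAY, LEN(TRACE_RUNAWAY)));
    printf("open pedal: trip=%d\n", trip_index(TRACE_OPEN_PEDAL, LEN(TRACE_OPEN_PEDAL)));
    return 0;
}
```
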


February 8, 2010
In response to: Toyota Prius and Camry, drive-by-wire, and our failure to learn from experience
roddalitz commented:

at 2/4/2010 6:19:53 PM, Ursus said: "Were the problems with Toyota created by hobby programmers or by professional engineers?" Sometimes it is hard to tell the difference, there is no legal requirement for engineers to be licensed to do hardware or software design.


February 8, 2010
In response to: Toyota Prius and Camry, drive-by-wire, and our failure to learn from experience
Marko Schütz commented:

How about requiring engineering works to be public if operated in public spaces??? I know it sounds next to impossible in the current situation. But just contemplate the idea for a moment: if all documents on the engineering involved in these cars were publicly available, any interested party might check and re-check the design for flaws, omissions, safety issues, etc.


February 8, 2010
In response to: Toyota Prius and Camry, drive-by-wire, and our failure to learn from experience
disciple of the original TPS commented:

@Shogun (posted at 2/4/2010 4:11:20 PM) quote: "I wonder how a whole company like Toyota is going to commit hari-kiri. Maybe they'll all do it at once in the courtyard." No, definitely not. As a matter of fact Toyota Corp abandoned largely Japanese culture and copied US management style. Katsuaki Watanabe set the goal: Toyota as the world's biggest car manufacturer (leave GM behind). IMHO a goal incompatible with being the world's best. Naturally, you will not be able to choose the best employee, best supplier, stop the line when quality issues loom, when the quota dictates behavior. Wrong (financial) incentives may corrupt any organization (cp. banksters). In the meantime Watanabe-san was replaced by a Toyoda heir, Akio, having to restore the (lost) Toyota culture (might prove too big a task for a member of the 3rd generation). BTW Detroit will not profit from the situation, Hyundai will... Drive-by-Wire can and will be done safely!


February 7, 2010
In response to: Toyota Prius and Camry, drive-by-wire, and our failure to learn from experience
Hi all commented:

I worked for Intel at fab8, where the 88ec196 was the main chip in the EC. See my link that shows redundancy, as it is a life-critical part. I had a separate complaint with the term "Observation in the spec update for non automotive chip" (a public document): www.arie-lashansky.info/88C196E_1.pdf The solution may well be more independent redundancy; we are not talking about a PC with an intermittent reset problem. The circuit was taken from Automotive Electronics Handbook by Ronald K. Jurgen on Google Books. It is an essential text for anybody talking automotive electronics. I am far from an Intel job; they do not support mature products. It is called sustain = neglect. Arie


February 7, 2010
In response to: Toyota Prius and Camry, drive-by-wire, and our failure to learn from experience
Richard V-dub commented:

I agree with what Dave SoCal said completely.....there was no mechanical or electrical problem with the Audi, in fact it was driver error that was remedied with the transmission shift lock which Audi shared with the automotive industry and found on all cars today. Thank you Audi for truth in engineering. 60-Minutes made a story to sell their sponsors' products with sensationalism. I don't know the cause of the Toyota problem but no comparison to the Audi situation.


February 7, 2010
In response to: Toyota Prius and Camry, drive-by-wire, and our failure to learn from experience
Richard V dub commented:

Audi did not have drive by wire in the mid-eighties.


February 6, 2010
In response to: Toyota Prius and Camry, drive-by-wire, and our failure to learn from experience
Casey Verdant commented:

This is bad news for Toyota. Recalling the 2010 Prius for brake glitches will tarnish the reputation of the maker and the model. Hybrids and electric cars are the greenest technology in the mainstream and it would be a shame to see their production and popularity stalled over safety issues. Researching how to make your company, product, or next project more Green? Go to www.greencollareconomy.com for sustainability white papers and the largest b2b green directory on the web.


February 6, 2010
In response to: Toyota Prius and Camry, drive-by-wire, and our failure to learn from experience
Bandini commented:

A runaway can happen even in a "conventional" throttle system equipped with a cruise control. I know. I went through Hell beating the 80 mph speeding ticket I got last May in my 2000 Dodge Caravan with 130K miles. It had happened once before about two years ago, and in both cases I hit the brake. In the first, I couldn't repeat it and I virtually forgot it. In the second, I had just re-engaged the cc and turned my attention to the radio for the trip home. This second time, I didn't even notice the acceleration (as the cruise control algorithm allows gentle acceleration from multiple "accel" presses) until it downshifted with a roar. I delayed hitting the brake trying to slow it back down using the steering wheel-mounted decelerate button to no response. I tried pressing the cancel button, still no response as I approached redline. I finally hit the brake just in time to see the State trooper sitting in his trap. Months later, and a lot of analysis and court prep, I beat the ticket by presenting exculpatory evidence by way of a "clockspring" recall, mainly aimed at airbag failures, or intermittents as indicated by a flashing airbag warning light. It never even mentioned the possibility of a runaway. An examination of the steering wheel wiring diagram revealed that all the steering wheel electronic control functions, including five cruise buttons, the horn, and airbag were serviced by four wires and a common in a multiplex fashion. Obviously a broken wire in the clockspring mechanism became intermittent just enough to pump about four or five "accel" commands into the cruise control. Purely a mechanical problem, although the cop didn't believe me and fought me all the way to court - another dumb-ass in the loop. So far Dodge hasn't updated their recall to include the possibility of a runaway or I would know about it, and it certainly isn't as bad as throttle-by-wire systems can be and are.


February 6, 2010
In response to: Toyota Prius and Camry, drive-by-wire, and our failure to learn from experience
adrian commented:

It is not a case of "electronics are bad and mechanics are good". That is of course a silly argument since any mechanical or electronic system can and will fail. The underlying problem is simplicity versus complexity. I've seen very complex mechanical systems that are just as prone to malfunction and electronic systems that work for decades without a glitch. The question is what has the added complexity really bought us recently? It seems that we're at a point of diminishing returns in efficiency/comfort/safety/etc as we keep adding complexity to our cars.


February 5, 2010
In response to: Toyota Prius and Camry, drive-by-wire, and our failure to learn from experience
vasanth commented:

I used this simple relation "Throttle Position = difference of (accelerator pedal, brake pedal)" when I was doing my academic project (and did it successfully). This equation clearly represents the driver's intention rather than override systems of any sort.


February 5, 2010
In response to: Toyota Prius and Camry, drive-by-wire, and our failure to learn from experience
Tim commented:

Addressing *fail-safe* schemes such as brake+accelerator == shut throttle... Is this to be trusted if the problem is a haywire/latched ecm to start with? Other than that, it would be very unacceptable (even dangerous) to those in hilly country or those who expect to be able to drive somewhat aggressively from time to time using brake and throttle (drifting). If they forget that the vehicle is 'nannied' and the drift fails then that is a danger as well. The whole issue is "unintended acceleration". I don't trust ANY scheme involving the car computer to deal with it. Especially if it thinks that the gas is NOT pressed at the time of the event (negating the gas+brake failsafe). I don't know enough about it but I *suspect* that it would be plausible that under certain conditions of ecm or sensor failure that it could go into some kind of fall-back (open loop) mode in which the throttle servo is no longer activated either way from whatever position it is in at the time of the failure. Computer 'brain death', if you will -- it's still doing the autonomic functions of breathing, mixing (via the O2 sensor) and beating heart (ignition timing) but it can't respond to requests to move anything such as the throttle valve. The whole issue is that the throttle can (and often is -- apparently that's the point of it) be in a position other than where the driver puts it with his foot.


February 5, 2010
In response to: Toyota Prius and Camry, drive-by-wire, and our failure to learn from experience
Tim commented:

That is a confusing issue, djtejas. I first assumed that the throttle (foot pedal) was either on a servo or a cable like the old systems which DID move it on its own when under cruise control. That is clearly not the case but I suspect that most reports meant to say that it kept *accelerating* on its own which would be synonymous to most people with "the pedal". Consider the priest who ran over members of his congregation after mass -- there were burnout marks -- it was *floored* to start with.


February 5, 2010
In response to: Toyota Prius and Camry, drive-by-wire, and our failure to learn from experience
djtejas commented:

I would still like to know why the drivers in all the incidents have said the pedal moved on its own...this is not possible...there is no device in "drive by wire" that moves the accelerator pedal.


February 5, 2010
In response to: Toyota Prius and Camry, drive-by-wire, and our failure to learn from experience
Dan commented:

Could it be possible to wire a relay from the brake pedal to the throttle motor to force it to neutral whenever the brake pedal was pushed? When I design uC systems, I always put hardware "watchdogs" around the microcontroller.


February 5, 2010
In response to: Toyota Prius and Camry, drive-by-wire, and our failure to learn from experience
Bill Ko commented:

"Why pressing the brake does not make the computer force zero acceleration is beyond me. Seems like it would be easy to implement." I agree with this. The same principle has worked on cruise control systems for decades, the instant you hit the brake, all acceleration stops (and reset to 0). It should be a first line of defense as an override on any acceleration. More rigorous Quality Control and testing is needed as well, and all these critical control mechanisms have to be fail safe and redundant and have no single point of failure, and that includes a manual override (any brake overrides accelerator, emergency brake overrides brake by wire and accelerator, etc.). The vendor that does this all correctly will win in the new marketplace of hybrids and electric cars. Toyota is on very thin ice now, but still has a chance to return to reliability, but needs to act fast, whatever the price is.


February 5, 2010
In response to: Toyota Prius and Camry, drive-by-wire, and our failure to learn from experience
gesown commented:

Most current high performance aircraft would not be flyable without man-in-the-loop electronics. The problems being discussed have long ago been solved technically. Doubtful any current automotive engineers designed aircraft autopilots--except possibly BMW's. The M5 has had a servo controlled throttle for years. Maybe current problems resulted from partially pirated code...without complete understanding.


February 5, 2010
In response to: Toyota Prius and Camry, drive-by-wire, and our failure to learn from experience
Tim commented:

HACKERS??? "Drive-by-wire is the devil. You put the computer in charge of life and death, you deserve to live (or not) with its verdict." -- dick_freebird First, I must say that the DBW (die_by_wire) concept has always been detestable to me as I see it as more *big brother* intrusion; more *nanny-in-the-tranny*, forcing people to drive cars that let *they* turn them off from space (On-star), whatever. My paranoid little view of the world dictates that we WILL be mandated a 'black box' from these incidents and that it WILL be scanned remotely to tax and mail drivers tickets to fund building prisons for pot smokers -- And We The Sheeple will beg for it to be so. I feel that the NHTSA has been dragging their feet on this and even 'covering up' (by deleting reports which also claim that the brakes didn't slow the car) because it is a federal agency and want no one to have physical control of their vehicles (manual throttle linkage? You might be a terrorist). I consider the death of cop and family back in August: That 911 call was horrific to listen to, to be sure. (1) It has been alleged that it was a murder-suicide as a 20 year veteran of the CHP would know how to handle a run-away car BUT consider he was unfamiliar with the push-button stop (3-second hold) or that it would even operate with a blown/latched ECM. Bad design. (2) The caller (I assume the brother-in-law) attested to "there's no brakes" -- To me, this is completely plausible because IF the brakes were firstly applied *meekly* under full throttle this would lead to rapid boiling of the fluid. A functioning ABS could also have contributed to nonlockup and brake fade. Also, vacuum assist would be lost under WOT. (3) Why not neutral? Is this even possible in a DBW car such as the ES350? Is there some lockout that keeps it from happening while the car is in motion (I know that in my state, it is ILLEGAL to coast or roll with the clutch disengaged)?
(4) {PERCEIVED INSENSITIVITY WARNING PEOPLE!!} Cops ARE kind of stupid and are hired as such to just follow orders (they were calling 911 for instructions instead of stopping the car, after all) but they are only slightly more stupid than the average 'Joe Shmoe' who has no idea how cars work and PANIC can make anyone 'stupid'. The rest of us have to 'share the road' with these cars with a mind of its own that people aren't going to know how to handle when they go squirrelly. It used to be simple. My first car was a 1968 Chevrolet Impala with a 327. I was 16 on my FIRST solo drive of it when I gunned it up a hill to 'feel the power'. Well, the motor mount broke and as the motor torqued, it pulled the throttle wide open (solid bar linkage). It took me about 2 seconds to kill the ignition -- and that ignition was on the dash!! -- I also don't get why they advise not to kill the ignition first as even with an automatic, it is still coupled to the engine to run the power steering and brakes above 25 mph (in my vehicle, at least). Is it that doing so will totally kill the brakes??? are they that DBW already? All my ranting aside, I wanted to point out what I have not seen addressed yet: HACKERS! Is it not to be expected that cars with all these BB controls would be subject to them? Especially after the ads depicting how great it is that *they* can unlock your doors, flash your lights, use your brakes, control your steering (if equipped with the 'parallel parking feature'), and stop your engine in the case of *theft*??? I saw a post from 2007 on a Mustang forum where a guy was able to control his dbw car with a self-written iPhone 'app'. He was able to brake, accelerate, even steer by tilting his phone. ^Something to think about. If it is true that there is (1) no brakes that isn't just 'fade' (2) can't shift (implied, unless the cop meant to kill them all) (3) can't turn it off -- if it can be turned off remotely then does that mean it can be kept on remotely??????
== SkyNet


February 5, 2010
In response to: Toyota Prius and Camry, drive-by-wire, and our failure to learn from experience
dbills commented:

Ha ha, maybe this is the punishment people get for buying new cars. I drive old beaters by choice even though I can afford a new car ... of course, eventually even my "old beaters" will have this drive by wire crap .... I'm mostly kidding by the way. The cars should work regardless of design.


February 5, 2010
In response to: Toyota Prius and Camry, drive-by-wire, and our failure to learn from experience
asa1940 commented:

Regarding "How much better for everyone if it were a principle of civil law that when it is found that damage has been inflicted by a failure, all of the diagnostic information determined by the vendor and by independent parties must be placed in the public domain, and may not be used to assess or assign damages." It already is a principle of civil law that all trial information is supposed to be public record -- for the very reason that others should be able to learn from past mistakes. At trial, however, corporate defendants frequently ask the judge to seal the record to protect what is claimed to be corporate trade-secret design information. The problem is that this procedure is over-used, abused, and the judges go along with the corporate requests. Everybody gets mad at "the lawyers" but they are only doing what their corporate clients ask them to do.


February 5, 2010
In response to: Toyota Prius and Camry, drive-by-wire, and our failure to learn from experience
darkcastle commented:

Is shifting the tranny into neutral controlled by wire also? That's your silver bullet for unintended acceleration. Not blaming the victims here but this seems like driver's ed 101.


February 5, 2010
In response to: Toyota Prius and Camry, drive-by-wire, and our failure to learn from experience
djtejas commented:

Everyone is mentioning that drive by wire is the problem. What everyone is forgetting is that in all the incidents, the driver is saying the pedal stuck or moved. There is no mechanical/electrical component in drive by wire that makes the pedal move...it is only moved by the operator's foot...


February 5, 2010
In response to: Toyota Prius and Camry, drive-by-wire, and our failure to learn from experience
pete O. commented:

Every time I rotate my TV antenna to another city, I have to rescan all the channels. Who designs this stuff these days? When I heard about the runaway cars, I thought, turn off the key. Now they tell me the key can be in your pocket while you're driving. Heaven help us. What happens when a CBer goes by with his 1,000 Watt linear transmitting? Can you say RFI? Scotty said, "The more they overtake the plumbing, the easier it is to stop up the drain".


February 5, 2010
In response to: Toyota Prius and Camry, drive-by-wire, and our failure to learn from experience
Rubberman commented:

There are software design tools available now that allow the design, modeling, and simulation of complex systems software, allowing much more rigorous testing of the software before it ever becomes part of an embedded product. The sad thing is that most non-defense manufacturers and product designers do not avail themselves of these sophisticated tools to help reduce the likelihood of such fiascos as this Toyota one. This state of affairs isn't because of the cost of the tools (some are under $500 USD per seat), but more the cost of training the engineering staff and changing the mind-set of these people. Another factor that contributes greatly to these problems is that software designers and engineers have to be taught to design for failure. That is, to incorporate into their designs, rigorous tests for failure and out-of-band conditions, and force the system into a safe-failure mode. Many designers of safety-critical systems are somewhat less than rigorous in this - witness the Therac-25 disaster of the mid-1980's, and I would certainly group acceleration and braking control of an automotive vehicle "safety-critical" applications. So, the IEEE has instituted a formal certification process for software engineers, the CSDP (Certified Software Development Professional). I would like to see, and will encourage the IEEE to do so, the further incorporation of a formal certification process for Safety-Systems Analysis and Design (SSAD) engineering as well. Fortunately, I am a director of an IEEE consultant's network, and one of my fellow directors is on the IEEE-USA board of directors, so maybe we can get some forward progress going in this direction.


February 5, 2010
In response to: Toyota Prius and Camry, drive-by-wire, and our failure to learn from experience
Alex Solivellas commented:

The quality control in every step is degrading at such a fast pace that we are going to see collapses in things that we take for granted. Let's rethink the way we program every system:

20% useful thing to do with the system
30% environment sensing and cataloging
50% what if condition analysis

That will produce a knowledge database about the particular subject. Next step: keep the knowledge database consistent!


February 5, 2010
In response to: Toyota Prius and Camry, drive-by-wire, and our failure to learn from experience
OnBalance commented:

Who says mechanical systems are better?


February 5, 2010
In response to: Toyota Prius and Camry, drive-by-wire, and our failure to learn from experience
AnEgineer commented:

The engineering profession erodes. No competitive salary, no quality job. It is not like lawyers. One day say one thing next day say other. You clash here with reality quick. Software engineers have nothing to do with reality. They just spit-out code. Real time performance no matter. Just buy a bigger faster controller. Waste as much as you want.


February 4, 2010
In response to: Toyota Prius and Camry, drive-by-wire, and our failure to learn from experience
M. Simon commented:

Smaller software modules where all the branches can be tested. This was known 30 years ago. So why are we still using "C" where a stack thrash gives you a serious penalty for coding the right way? FORTH. Much maligned. But no stack thrash. And might I add that we think in words. The naming of parts is important for thinking about how software works. FORTH is all about words.


February 4, 2010
In response to: Toyota Prius and Camry, drive-by-wire, and our failure to learn from experience
Bulldog64 commented:

I've been designing embedded software and systems since 1976 most of that in the aerospace sector. It has already been pointed out that aircraft of all sorts have had fly by wire for decades and much has been learned from all that experience over the years. To say you can not design safe to operate drive by wire systems for cars is to deny the experience with aircraft - vehicles which perform much more complex tasks via this method than cars ever will. I agree with the comments made about the trends in software development in current times. There seems to be a greater air of arrogance and less one of doing things better now in the up and coming SW engineers. They are not forced to think things through as much as times past due to scarce resources such as processor speed and memory. Now, that we are getting into very complex systems using cooperating subsystems, each of which can be run by multiple processors, the embedded engineers need more than ever before to take a systems design approach that is well based in critical thinking process and not based on a "let's see if this approach will work"!


February 4, 2010
In response to: Toyota Prius and Camry, drive-by-wire, and our failure to learn from experience
Herb commented:

I've watched computer hardware increase in speed and memory capacity, following Moore's law, for 30 years. Now programmers don't make code smaller unless it's too big, and they don't make it faster unless it's too slow, so each generation, you just get more power consumption, and slower, more bloated code. I'm sick of thinking of nice architectures for my company's products, getting excited, then realizing that software will be required. Worse, I'm one of the guys who helped cause the problem. When I started, a new computer would require a new compiler, OS, apps, etc. I wondered what marvelous software would result if we didn't pull the rug out on the programmers every few years. Some guys from Intel came to see me, and said "right now we have this '8086, but soon we'll have an '8088 that runs the same code, and we have plans for a '186, and a whole family of code compatible processors..." They kept their promise for 30 years, and reaped the benefits. And we got Windoze.


February 4, 2010
In response to: Toyota Prius and Camry, drive-by-wire, and our failure to learn from experience
Dave SoCal commented:

Don't assume electronics has it right I think. Concerning the Audi 5000 situation, keep in mind this was blown up by Mr. Dan Rather and 60 Minutes. Although the NTSB eventually concluded that the problem actually was caused by driver error, this wasn't dramatic enough. CBS had a mechanic show-prep the Audi for the cameras, so it would move when the brake pedal was depressed slightly. The major car magazines at the time didn't fall for this, but news moved slower then. There was also a segment on exploding Chevy truck fuel tanks, which required pyrotechnics to be impressive. Some of these Toyotas may be accelerating because of driver pedal error. In the case of the 5000, short women, new to the car, were usually involved. The 5000 also had a low parcel shelf, hiding your feet from view, and that was disconcerting to some new drivers. Finally, the 2100cc motor just didn't have enough torque to overpower the brakes.


February 4, 2010
In response to: Toyota Prius and Camry, drive-by-wire, and our failure to learn from experience
Joe Jasniewski commented:

Nissan wants to introduce an all electric vehicle by the end of this year. Looking into it, I discovered that it's steer by wire. Somehow, my steering wheel hooked up to just a potentiometer just doesn't sit well with me! Particularly in light of the recent problems. I remember thinking I hope they put that code in the FPGA, rather than it running alongside the routine decoding MP3 files for the entertainment system. For my money, this is taking an idea too far. Granted, planes "steer" by wire, but passenger jets are not public consumer products made by the 100Ks. Somehow I'd like a solid mechanical connection to the front wheels, if you please. While an accessible kill switch could have saved these run-away vehicles, (I understand pressing the "on/off" button did nothing...) what could a successful fallback possibly be if your steering goes looney? That can't happen.


February 4, 2010
In response to: Toyota Prius and Camry, drive-by-wire, and our failure to learn from experience
Ursus commented:

"But along came C, UNIX, and the cult of the bemused hobby programmer, and the entire notion of formal correctness vanished under a smokescreen of hacking." Yay another professional engineer who is snooty to everyone else. Were the problems with Toyota created by hobby programmers or by professional engineers? Hrrm?


February 4, 2010
In response to: Toyota Prius and Camry, drive-by-wire, and our failure to learn from experience
Aerospace commented:

Want laws that restrict the use of thorough analysis in litigation? Try the NTSB system. Those accident reports cannot be used in a Civil Court of Law. If you want to enter the information into evidence, the information has to be "independently" re-created.


February 4, 2010
In response to: Toyota Prius and Camry, drive-by-wire, and our failure to learn from experience
Farouk Eshragi commented:

To me, what is most interesting in Toyota's debacle is not so much the technical aspects of what has gone wrong. Instead, I find that the management principles and practices which cause small technical problems to have such far reaching impacts are to be questioned. Engineers are often encouraged to copy what works. Software engineers are encouraged to reuse code that has been tested. Mechanical engineers will re-use and re-use tested mechanism with minor or no modification in new designs. Even management practices are "cloned" from plant to plant and from office to office in large organizations. Success of large organizations has often been traced to creating successful designs and practices, and then proliferating them across an organization. Toyota has served a good and an interesting example in that so many models of its model cars that have been impacted by the same design flaws. This is the opposite side of the same coin which encourages copy catting what is working well and proliferating it across the organization. But when one of those elements which were deemed to have been perfected begin to show problems, then the impact is huge. In a way nature punishes severely those who perfect the methodologies involved in adopting "perfect solutions", and then copying these solutions across a very wide organization to fuel further growth and dominance. At some point in time, a wave of unforeseen factors come together and deliver an organization wide blow which is difficult to contain in any dimensions. From marketing impact to the cost of coming up with a fix, the episode becomes devastating and takes a very large toll on the organization. Perhaps organizations who practice the philosophy of "copy what works and implement it exactly elsewhere", should reconsider this philosophy when it comes to design practices. Perhaps there is a benefit in having competing designs and design teams where each design will have a more limited scope in how widely it will be adopted.
Probably there is a limit to productivity gains and price reduction gains that can be made through the proliferate-your-good-design approach and perhaps there is a good reason why our good old nature comes in such an abundant variety. Perhaps our designs should be abundantly varied too, even within the same organisation to ensure that evolution will play a continuous role in our designs. Perhaps in our modern world, the notions of old management should be re-examined with a grain of salt. And perhaps we should be willing to and include the cost of upholding diversity in our designs. The advantage is that if something goes wrong, it will have a limited impact. The same applies for genetically engineered products. If a virus hits say our wheat, which is genetically engineered, and if this gene pool becomes so widely accepted that most farmers in the world begin to plant this particular genome of wheat, then the virus will have far reaching impact on all our lives. Many may die of hunger if our global supply of wheat is cut to say 50%. If you have read this note and gotten this far, you probably think I have a half baked theory! I would agree with you in that it is a half baked theory! But I think there are some important lessons to be learned from these experiences and my half baked theory can be developed and quantified to serve some good. If you like this idea, then please write to me at farouk.eshragi@gmail.com. Perhaps we can develop the theory together. The upside of my theory is that at least it is a good theory for engineers because if large corporations increase their design power and support multiple design solutions for the same problem at the same time, many more engineers will be required and will have work!


February 4, 2010
In response to: Toyota Prius and Camry, drive-by-wire, and our failure to learn from experience
Too much focus on software validation commented:

IMO there is just too much focus on software validation. Sure - the software has to reliably do the right thing at the right time. But, validating the software to death will not guarantee that a system will perform safely. I'm at a loss to think of an example where a software failure could not also be caused by hardware failure. The root cause may be the software but, it is the system design that failed. Was system level fault and hazard analysis sufficient or, was everyone worried about that nasty software stuff? I don't care how deterministic the microprocessor is or if someone could mathematically prove all the trajectories of a code set; the system it is embedded in can and will break.


February 4, 2010
In response to: Toyota Prius and Camry, drive-by-wire, and our failure to learn from experience
Shogun commented:

I wonder how a whole company like Toyota is going to commit hara-kiri. Maybe they'll all do it at once in the courtyard.


February 4, 2010
In response to: Toyota Prius and Camry, drive-by-wire, and our failure to learn from experience
Raymond Sassine commented:

Why so much complicated software?


February 4, 2010
In response to: Toyota Prius and Camry, drive-by-wire, and our failure to learn from experience
Computer designer commented:

fly by wire....no way will I get on the new generation Boeing or Airbus for my monthly trip to Europe. Give me a real wire & cable system. I want back up in the cockpit. Do you want to be at 34,000 feet over the Atlantic, Pacific or dry land when the system finds the glitch. It might be time to bring back the high speed ocean liners. The booze liners that travel to the islands can only make about 8 knots in order to make the tourists think they are on a long voyage.


February 4, 2010
In response to: Toyota Prius and Camry, drive-by-wire, and our failure to learn from experience
Bradshaw commented:

The Audi had its accelerator directly underneath the steering column. Most American RWD cars had the brake aligned with the steering column. This same problem of accelerating with foot on the brakes and absolutely no brake working occurred on several SUV models that had the accelerator aligned with the steering column. Some engineering standard on pedal layout would correct a lot of this.


February 4, 2010
In response to: Toyota Prius and Camry, drive-by-wire, and our failure to learn from experience
Paul Rako commented:

As a former auto engineer that worked on speed control, it seems Toyota's primary incompetence was not programming a brake signal to override the throttle command, the way my speed controls for Ford did in 1977. I also don't know if a deterministic process can help even if you do assembly-language programming like I used to do. If you take 20 things and arrange them every way possible, that is 19! (19-factorial) and that is more seconds than the universe has existed since the big bang. It is easy for even the simplest software to have enough branches to be untestable, you just hope to cover the main paths. And once you have interrupts, well then things get really nasty. I do wonder about statements like "As someone whose Lexus ES330 was totalled after it careened away with uncontrolled acceleration...." Careening is a steering input, not a throttle input. I can't say I blame someone for freaking out though, I had that 1969 Chevy that had the motor mounts that would break and put the car in full acceleration when you were making a left hand turn. That was exciting for a 19-year-old kid. I also saw work at Ford that said there was no motor so powerful that disk brakes could not pull the car down to a stop even under full throttle. But that was 30 years ago and an ES330 has a lot of motor. Heck I had a Harley with the evil Mikuni flat-slide carb, the early one before they put roller bearings on the slide. Just having the bike hang at fast idle sure freaked me out, so I guess crashing the car is no surprise. OK, if you have an unintended acceleration-- Don't switch off the ignition, it locks the steering. The right thing to do is put the transmission in neutral. The engine will run up to its rev limit, I think every single modern car cannot over-rev the motor on throttle (you can still downshift into one though). Then coast the car to a stop. Then turn off the screaming motor. And if you're a good American, then call a lawyer and a press agent. Step 3-- profit.


February 4, 2010
In response to: Toyota Prius and Camry, drive-by-wire, and our failure to learn from experience
James Taylor commented:

Fly this blog (well written) high over the heads of government, the press and our legal system and say...There you fools, do something! Please send it to every net work around the world.


February 4, 2010
In response to: Toyota Prius and Camry, drive-by-wire, and our failure to learn from experience
Susan commented:

Lawyers...gag orders....feels pretty scary....I guess driving the old 74 bug is looking better everyday. ..Do they have computer electronics in them?


February 4, 2010
In response to: Toyota Prius and Camry, drive-by-wire, and our failure to learn from experience
hockeydad commented:

Unfortunately, this author doesn't know anything behind the regen braking issue with the Prius. Since journalists are NOT engineers, I'll explain it the right way: This is a characteristic of the regenerative braking in the Prius, that has been of concern to some drivers, since introduced in 2004, with the Gen II Prius. It has zero to do with "drive by wire". It has everything to do with how the computer, along with the ABS calculates and applies the amount of regenerative and frictional braking force. The issue comes about after hitting a large bump, and the ABS endeavors to reduce wheel spin, and thus decreases the amount of regenerative braking force. The frictional braking force is not reduced. But with light pressure on the brake pedal, the design of the braking system FIRST applies more regenerative braking, than frictional (conventional) braking force. I've felt the phenomenon twice in 8K miles on my G3, and the solution is simple - apply slightly more pressure on the brake pedal. At no time is there a complete loss of braking. Clearly, to those unfamiliar with this characteristic and feel to the Prius brakes, it can be unsettling. Is there a defect or flaw with the brakes? I don't believe there is. Could Toyota make some changes in their software to delay the momentary reduction in the amount of regenerative braking force - yes, I believe they can. But for the vast majority of Prius owners, and as much as the press wants to spin this into a big story...it's not.


February 4, 2010
In response to: Toyota Prius and Camry, drive-by-wire, and our failure to learn from experience
Car Nut commented:

I don't deny that the mechanical portion of the accelerator is the root cause. However, I have wondered from day one why there wasn't an override. If the computer feels the accelerator is saying GO yet someone is pressing on the brake like mad I say there's an issue.


February 4, 2010
In response to: Toyota Prius and Camry, drive-by-wire, and our failure to learn from experience
Tony commented:

I think Toyota knows what the noble thing to do is.........


February 4, 2010
In response to: Toyota Prius and Camry, drive-by-wire, and our failure to learn from experience
Don Thompson commented:

Gee, jeep, when the four carbs froze open on my 1966 Honda S-600, an otherwise superbly engineered car, I was much quicker to use the key. Of course it was a manual, so the engine could be removed from the equation with the clutch, but as it passed the 11,500 rpm red line for the first time, turning it off was instinctive. I also learned to continuously vary throttle settings in winter.


February 4, 2010
In response to: Toyota Prius and Camry, drive-by-wire, and our failure to learn from experience
don't assume electronics commented:

So you're insinuating the Audi unintended acceleration issues could have been related to embedded electronics? If I recall correctly, many of the drivers that crashed their Audis stated emphatically that they mashed the brakes as hard as possible, yet their vehicles still accelerated out of control, through intersections, over curbs, through storefronts, etc. Some even claimed their vehicles accelerated with seeming supernatural power. Since the brakes on any modern car are quite capable of restraining the vehicle even at full throttle (smoky burnouts aside, you're still not moving forward), how could the electronics controlling the throttle completely inhibit the brakes? Isn't it much more plausible that these drivers were mashing the gas the whole time, not the brake, rather than some electronics issue that the brakes would have easily mastered? The apparent supernatural power is explained by the same phenomenon whereby it feels like you're going faster when you brake on sheer ice. You're so used to sudden negative G's, that when you experience almost no change in G's it feels like positive G's. Imagine how much more amplified that sensation feels if you really are getting some positive G's? (you mashed the gas, not the brake) You'd think these drivers would quickly realize whatever they were doing wasn't working, so try something else, pump the brakes, something. And in doing so they'd quickly realize they were on the gas, not the brake. Well that isn't what many people do when they panic. You hear about survivable plane crashes where passengers actually die because they were trying to retrieve their luggage from the overhead bin. In their panic, they can only think to do what they'd normally do to get off the plane, only faster. Their subconscious is actually in control. This is why you have fire drills, so your subconscious can get used to going out a different exit. Hear that bell, go out this other way.
So it's understandable that drivers that mistook the gas for the brake, that went into panic mode, would just keep trying to press that pedal harder and harder, do what they normally do to stop, only with more, panicked, effort. What this points to is not the need for better embedded electronics, or even better mechanical quality control, but rather better drivers. Sullenberger (Miracle on the Hudson water landing) only accomplished what he did because he was a well trained pilot. There are always going to be unexpected emergencies. The floor mats in other cars are not immune to working their way onto gas pedals. Should one be destined to die should an errant soda bottle from your groceries lodge itself under your brake pedal? If the majority of drivers were actually able to control their vehicles, unintended acceleration would not be of much concern (oh no, accelerating out of control, hmm, BRAKES, neutral, ignition, crisis averted). This of course, would require the driving equivalent of fire drills. Are we willing to do that?


February 4, 2010
In response to: Toyota Prius and Camry, drive-by-wire, and our failure to learn from experience
Dale commented:

Found in comments on a New Scientist Tech article: "Toyota car recall sparks 'drive by wire' concerns"

It Happened To Me
Thu Feb 04 20:38:30 GMT 2010 by Phil Bushell

I have a 2008 Toyota Auris, bought last year with 13000 miles on the clock. Day 2 after purchase I was driving through town when I felt the accelerator pedal move away from my foot and the car started to accelerate. I depressed the clutch, it rev'd to 6.5k revs and then went back to normal, half an hour later it did it again. Phoned Toyota who replaced the whole accelerator unit under warranty. I've had no problems since.


February 4, 2010
In response to: Toyota Prius and Camry, drive-by-wire, and our failure to learn from experience
Use a Brain commented:

Often problems in car designs are caused by cost reduction, not original engineer designs. Where I work we design things to work, then it's reviewed and cost cut. Sometimes reliability is lost during this process and the big knobs make a call on that. I installed 2 sequential throttle bodies on my 350hp twin charged corolla. One of them vacuum controlled, one throttle cable controlled. This way in the event of a failure there is a backup mechanism, and it was not difficult to implement at all.


February 4, 2010
In response to: Toyota Prius and Camry, drive-by-wire, and our failure to learn from experience
jeep commented:

I had a 67 Willys Jeep when I was 16. The mechanical linkage to the accelerator came off the bottom of the pedal and stuck below the floorboard on the highway. It took about 6 seconds of fumbling before I turned the key off. The second time it happened, it took about 2.


February 4, 2010
In response to: Toyota Prius and Camry, drive-by-wire, and our failure to learn from experience
Don Thompson commented:

Come on now. Testing costs good money. Money that hard-working senior executives need for their bonus packages. Good coders, likewise. As for Garry-O's wiring harness: There is a 50 meter piece of road in Calgary where pressing any button, including "Off", on a Ford cruise control (tested with 88, 90, and 2002 Fords) did the equivalent of "On" and "Set". It was my exit and as I cruised up the highway, touched the brake to disable cruise, then pressed "Off" because I was going onto suburban streets, the car would do a quick accelerate (about 2 mph) and turn cruise back on for me. Don't notice it in my '07 F-150, but it has its own set of "programmed-by-hackers-cause they-work-for-parts" quirks.


February 4, 2010
In response to: Toyota Prius and Camry, drive-by-wire, and our failure to learn from experience
hwEE commented:

No mention that modern ICs are subject to random intermittent failure due to cosmic radiation. It may not be a software problem, but actually a system design problem because it lacks the necessary fault-tolerance and redundancy for such a critical function.


February 4, 2010
In response to: Toyota Prius and Camry, drive-by-wire, and our failure to learn from experience
Don't be so sure it just needs a spring commented:

Even if with a spring the pedal is not physically stuck and lifts, the issue raised by this article is completely valid. Why pressing the brake does not make the computer force zero acceleration is beyond me. Seems like it would be easy to implement.


February 4, 2010
In response to: Toyota Prius and Camry, drive-by-wire, and our failure to learn from experience
J. Williams commented:

I have an '05 VW Jetta that is drive-by-wire throttle. I'm basically OK with it but it does have this one annoying characteristic: If you are accelerating at full throttle winding the piss out of the motor, when you go to clutch it, the motor driven throttle plate does not close as fast as the return spring on the pedal and the RPMs surge up before they start dropping down. In essence you have to let off the throttle a half-second earlier which is hard to re-learn after driving cable actuated throttles for the last 31 years. These throttle plates do not snap closed like the old spring returned, cable actuated throttle plates of yore. In my lifetime, I have had throttle cables and/or linkages stuck WOT due to cable fraying, ice build-up in extremely cold weather, or other mechanical malady. One learns to turn the ignition key to off in a hurry. The safety experts who tell you to put it into neutral don't have to replace the engine when you throw a rod.


February 4, 2010
In response to: Toyota Prius and Camry, drive-by-wire, and our failure to learn from experience
embeddedhead commented:

I have an idea. Can we sue the plaintiffs' lawyers that sued Audi? Did they not cause the deaths of the Toyota owners? I think you make a good case for a class action suit for "Suppression of known defects" by settlement action against Audi...hmmm. Seriously, you raise a great point but it's difficult not to make dead lawyer jokes here...


February 4, 2010
In response to: Toyota Prius and Camry, drive-by-wire, and our failure to learn from experience
Brad Wood commented:

Good luck with that nolo. Odd that other cars use the same pedal and haven't had those problems.


February 4, 2010
In response to: Toyota Prius and Camry, drive-by-wire, and our failure to learn from experience
Martin commented:

With most cars using automatic transmissions (no clutch to use in a panic) and things like steering wheel locks on the ignition key and now drive by wire, all cars inherently have the potential for uncontrolled acceleration. We now need to add the solution that was given to the motorcycle years ago, a kill switch. A friend advised me that we cannot kill the engine due to the power steering and power brakes. Nonetheless we need a panic circuit outside the engine computer that can pop the throttle plate back to idle with a button on the steering wheel.


February 4, 2010
In response to: Toyota Prius and Camry, drive-by-wire, and our failure to learn from experience
JC commented:

On the electronics side, finding good programmers and paying more attention to architecting the code up front won't eliminate but can significantly mitigate the risks associated with problems that Toyota, for example, has experienced. On the automotive front, the industry needs to go back to basics. More mechanical and analog components are not a bad thing. The problems tend to be in the complex electronics that are not always required and pose reliability concerns.


February 4, 2010
In response to: Toyota Prius and Camry, drive-by-wire, and our failure to learn from experience
nolo commented:

The fix is 100% mechanical for the pedal -- adding a spring preload shim in the pedal return assembly. Sorry.


February 4, 2010
In response to: Toyota Prius and Camry, drive-by-wire, and our failure to learn from experience
Migreli commented:

As long as there are mechanical overrides, and multiple sensors and control paths for critical components, there is no reason why control-by-wire cannot work safely, even in the presence of software bugs. It would require multiple simultaneous failures of independent systems for dangerous behaviour to be possible. In a modern car, there needs to be a mechanical override of the computer's accelerator output - if the brake is being pressed, accelerator actuation should be nullified. Ideally there would be 2 or more brake pedal outputs, from parallel pedal sensors, and at least one direct path from the brakes, to a carburetor override system, that bypasses the engine computer. As someone whose Lexus ES330 was totalled after it careened away with uncontrolled acceleration, I can personally testify that the inability of the brake system to override whatever the rest of the controls were commanding is the root cause of Toyota's design problems. The poor placement of the emergency brake and its limited capabilities is a contributory factor.
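
The arbitration rule described in the comment above (brake nullifies accelerator, parallel pedal sensors, a path that does not trust the engine computer), sketched as an added example that is not part of the original comment or any vendor's code. All names, the per-mille scaling and the thresholds are assumptions, and clamping to driver demand is a simplification that ignores cruise control and idle control.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical scaling and thresholds, chosen only for illustration. */
#define SENSOR_MAX         1000  /* full pedal travel, in per-mille */
#define BRAKE_PRESSED_MIN    50  /* above this, the brake counts as pressed */
#define ACCEL_DISAGREE_MAX   80  /* largest tolerated gap between pedal sensors */

typedef struct {
    uint16_t brake_a, brake_b;   /* two parallel brake pedal sensors */
    uint16_t accel_a, accel_b;   /* two parallel accelerator pedal sensors */
    uint16_t ecu_throttle;       /* throttle the engine computer commands */
} inputs_t;

/* Independent monitor between engine computer and throttle actuator.
 * Returns the throttle allowed through; 0 means idle (the safe state). */
uint16_t monitor_throttle(const inputs_t *in)
{
    /* An out-of-range reading means a broken sensor or wire: go to idle. */
    if (in->brake_a > SENSOR_MAX || in->brake_b > SENSOR_MAX ||
        in->accel_a > SENSOR_MAX || in->accel_b > SENSOR_MAX)
        return 0;

    /* Brake wins: either sensor alone is enough to cancel the throttle. */
    if (in->brake_a > BRAKE_PRESSED_MIN || in->brake_b > BRAKE_PRESSED_MIN)
        return 0;

    /* Redundant accelerator sensors must agree, otherwise trust neither. */
    if (abs((int)in->accel_a - (int)in->accel_b) > ACCEL_DISAGREE_MAX)
        return 0;

    /* Never pass more throttle than the driver asks for (lower reading). */
    uint16_t driver = in->accel_a < in->accel_b ? in->accel_a : in->accel_b;
    return in->ecu_throttle < driver ? in->ecu_throttle : driver;
}

int main(void)
{
    /* Constructed case: engine computer commands full throttle while the
     * driver is braking and has released the accelerator. */
    inputs_t runaway = { 400, 410, 0, 0, 1000 };
    printf("throttle passed: %u\n", (unsigned)monitor_throttle(&runaway));
    return 0;
}
```

Every failure branch returns idle, so a wrong throttle can only pass if the engine computer and both sensors of a pair fail in a consistent way at the same time.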


February 4, 2010
In response to: Toyota Prius and Camry, drive-by-wire, and our failure to learn from experience
Garry-O commented:

I think some serious thought should be given to the "antenna" effects of the wiring harness. I have a Lincoln Navigator that turns off the radio when the driver's window motor energizes, and the turn indicator lamp load changes settings like the blower motor speed setting etc. This is most likely noise coupled into the harness presented to the processor's I/O. I design robotic welding systems, and see this behavior all too frequently. Toyota is the whipping boy now, but the whole issue is common to the technology.


February 4, 2010
In response to: Toyota Prius and Camry, drive-by-wire, and our failure to learn from experience
Hank commented:

Well ... the dealers are getting the "new" gas pedal assemblies even as we speak. I guess we'll all learn soon enough if this fixes the problem. If it doesn't, I wonder if Toyota will blame the dealers.


February 4, 2010
In response to: Toyota Prius and Camry, drive-by-wire, and our failure to learn from experience
phil marchand commented:

So true, I have been doing microprocessor software/hardware for 30 years (or has the micro been doing me?) The problem with software is indeed that no amount of testing can ensure correctness. What is required is very careful coding and a lot of self-discipline. Using high-level languages helps because it just reduces the number of lines of code. I don't agree that interrupts are necessarily bad, even though there is no mathematical proof of it.


February 4, 2010
In response to: Toyota Prius and Camry, drive-by-wire, and our failure to learn from experience
Kirk commented:

Ever been on a plane? They are all fly by wire. There are also complex controls and safety checks to make sure there isn't a possibility of this kind of issue happening. The real answer is regulation similar to the aviation industry. If you want to let software replace mechanical control you have to add in ALL the checks and balances, period. The alternative is what Toyota is facing.


February 4, 2010
In response to: Toyota Prius and Camry, drive-by-wire, and our failure to learn from experience
Lonnie M commented:

And the time at White Sands when the Shuttle was landing with about 100 feet to go, when the wheels finally came down and locked into position - that time also a software error in decimal placement so wheels locked down at 100 feet not the 1,000 feet before landing. A lot of breaths were held that day! Gears down by Wire, I like that!


February 4, 2010
In response to: Toyota Prius and Camry, drive-by-wire, and our failure to learn from experience
Giga commented:

Airbus A330-200 too...


February 4, 2010
In response to: Toyota Prius and Camry, drive-by-wire, and our failure to learn from experience
Brad Wood commented:

Finally. The unspeakable has been spoken. And it is high time. I had the suspicion from the very beginning that the problems were likely of this nature, despite Toyota's stubborn refusal to countenance such. As you say, the tragedy is that the actual facts will likely never come out, and the same sorts of errors will be repeated.


February 4, 2010
In response to: Toyota Prius and Camry, drive-by-wire, and our failure to learn from experience
No to ESPN commented:

I expect this to cost Toyota $ 2 Billion (US) due to the actual costs of repair, lost sales and legal costs. I would not be surprised if Toyota tries to declare bankruptcy (at least in the US) to try and stall or mitigate the legal costs. I wonder if the insurance companies will try and make Toyota reimburse them for funds paid out for accident claims. Also it will be interesting to see if people who were fined or found guilty in court for accidents will go back to the courts and request/demand that the original judgements be set aside and Toyota pay for all the lawyer and court costs.


February 4, 2010
In response to: Toyota Prius and Camry, drive-by-wire, and our failure to learn from experience
dick_freebird commented:

Drive-by-wire is the devil. You put the computer in charge of life and death, you deserve to live (or not) with its verdict. But your uninformed customers, and their survivors, don't. No real gearhead would put an electric throttle on a car. Decisions like this come from people who should be designing toaster ovens (where they can replace the good ol' dial with a 27 feature digital whiz-bang and the only consequence is burnt waffles).


February 4, 2010
In response to: Toyota Prius and Camry, drive-by-wire, and our failure to learn from experience
Larry M commented:

"How much better for everyone if it were a principle of civil law that when it is found that damage has been inflicted by a failure, all of the diagnostic information determined by the vendor and by independent parties must be placed in the public domain,..." You mean like the Challenger report?
