OPEN LETTER TO TOYOTA Post Throttle Control SW on the Internet for World Wide Review

Toyota has announced a fix for the accelerator problem. The fix consists of a shim. This is purely a mechanical change implying the problem is purely mechanical. A large part of the system consists of electronics hardware and software.

Many doubts remain that the problem is purely mechanical. It is very easy for a subtle flaw to exist in software and electronics systems that can take many years to uncover. I cite the classic case of the Therac-25 that is often used as an example of the difficulty in proving software reliability.

I have a proposal to Toyota to remove these doubts.

Post the software source code and circuit schematic diagrams for the throttle control electronics publicly on the Internet.

The design will then be reviewed by the collective abilities of thousands of software and hardware engineers. Provide an e-mail address for those with comments to send back to Toyota privately if they so choose.

After a few weeks, if no one in the world uncovers any design flaw, then one can be very confident that no flaw exists. This may be the only way for the public to regain confidence in a complex system.

Mark

Too complicated. Better to do this with just Toyota engineers, giving a big prize to whoever finds any bugs.

What we really need is just a hardwired engine-kill switch. After the car stops take a picture of the gas pedal.

-- Joe (J.A. Legris)

Mark wrote in news:7e7aec70-aaca-452d-af0d- snipped-for-privacy@o16g2000vbf.googlegroups.com:

The fix is not only mechanical. Toyota is also revising its PCMs so that simultaneous brake/gas application results in the engine's power being cut back, the opposite of what happens now.

So far there is no evidence that any of the unintended acceleration incidents are due to anything more than mechanically-stuck pedals, or to pedal misapplication.

If you're that concerned about unintended acceleration, you may want to go after Ford as well. They account for 28% of all unintended acceleration incidents.

-- Tegger

And all the left foot brakers are going to sh*t bricks!

Better solution (for future reference): Build an accelerator pedal with a microswitch attached to the pedal surface. If the driver lifts their foot, the microswitch circuit (independent of the pedal position sensor) disables the throttle plate drive system (torque motor, solenoid, or whatever they use) so that the return spring closes the throttle. You'd have to lock this out with a cruise control engage signal, but other than that, it would be redundant to the electronic controls.

-- Paul Hovnanian P.E.

Let's start at the beginning.

Until you have seen the specification for what the thing is supposed to do there is no way to tell if the hardware and code actually implement it correctly. There is every chance that, at least for automatic cars in the USA, the design specifications are inconsistent with sensible fail-safe design. On a manual transmission you can always dip the clutch.

A reasonable introduction to how hard the problem of making reliable software and comparisons with hardware is online at CMU.

Your proposal will not work. You cannot inspect quality into software. You must first specify exactly what it is supposed to do. Most software failures are traced to incorrect, inconsistent or ambiguous requirements specification. The failure may only happen when a particular very rare set of circumstances occurs - the Intel divide bug for example. Only formal mathematical proof can ensure absolute reliability and even that is subject to interpretation - who checks the theorem prover's work?

The original Intel 8087 had about a dozen bugs but until Cyrix did the formal specification to make a functional equivalent nobody had found any of them (ISTR mostly lsb errors in sin/cos).

Unlike mechanical objects and electronics, which wear out with use, software actually becomes more reliable with increasing age as the residual faults are uncovered. It would be interesting from an academic point of view to know whether or not Toyota use formal methods for the specification of accelerator, brake and engine management subsystems.

My instinct is that they probably do not - I had a Nissan once that decided to spontaneously immobilise itself on a busy junction at rush hour. After an engineer had reset it at the roadside it was "no fault found" on the diagnostic test (at least that is what they told me).

You also need to know exactly what it is supposed to do in all circumstances including sensor failures and idiot user error. And there are plenty of idiot users of motor cars.

The public might regain confidence but the chances of other engineers looking over the code understanding it correctly are negligible. Even when you do understand the details of safety critical code you have to work out very carefully whether a change intended to fix one problem could possibly cause another more serious failure by slowing the response time to some other stimulus. Even the Shuttle which is truly six-sigma grade software has a known potential synchronisation fault that is not worth trying to fix and has caused launch aborts.

I presume that is how they got to the conclusion that a piece of worn hygroscopic plastic swelling is responsible for the sticky gas pedal.

I have to say, reading some of the end user reports, I am still more inclined to blame the nut behind the wheel rather than the engineering. OTOH I doubt they would launch such a global scale recall if there wasn't at least some truth in it.

Ignition off. You lose power steering, and if you turn too far you get the steering lock on, which could be very embarrassing. Unclear how you do it on keyless vehicles.

Regards, Martin Brown

Are you kidding? They will not post bills publicly on the Internet before they are voted on, the REAL number of jobs lost, the total amount of US Bonds the FED is buying, REAL facts about so-called global warming as well as a half dozen other "secrets," to public scrutiny or review. Why would they make Toyota do what they will not do? LOL

-- Mike Hunter

Bwahahahahaha! Approval of Toyota's product by "committee/consensus" ;-) ...Jim Thompson

"Jim Thompson" wrote in message news: snipped-for-privacy@4ax.com...

Worked for AGW? :-)

-- Joel Koltner

But that was just an EU committee, the IPCC. The problem with Toyota is no one wants to fail. If they admit it, they'll be jumping from windows.

Cheers

-- Martin Riddle

It will NEVER happen.

-- Robert Baer

Another Toyota approach might be to get on board with its event data recorders. Here's a press release from Toyota from Sept. 2008 on its EDRs:

Here's what they say about their EDR program:

"A specialized tool set is required to read out data that may be contained within an EDR equipped ECU. At this time, there is only one prototype Toyota readout tool in the United States and only specially designated Toyota personnel use it. The tool set has not yet been scientifically validated, and at this time, Toyota does not have confidence that the readout reports it generates are accurate.

"Nevertheless, Toyota will access the data when it receives a written request from the National Highway Traffic Safety Administration (NHTSA) for its Special Crash Investigations program, but only with NHTSA's assurance that the vehicle owner has given written permission and no personal identifying information about the owner will be published. Toyota also will access the data to assist law enforcement in criminal investigations, when presented with a valid court order or a search warrant.

"In accordance with a 2006 NHTSA rule stating that if a manufacturer equips a vehicle with an EDR, then a tool must be made commercially available to download the data from that EDR. The compliance date is Sept. 1, 2012, the start of the 2013 model."

Sometimes it's difficult to get the automobile owner's permission to release the data to NHTSA.

Cheers, MD

-- ycleptor

The infamous Intel FDIV bug was actually traced back to a truncated file download.

And similar problems for the original 8086/8088 as well (HMA bug), which has been faithfully duplicated in the 286 and 386 generations for SW compatibility reasons.

My bet is that they (or their suppliers) use semi-formal methods.

Indeed, an overabundance.

I would not be so confident that it would be so fast. 6 months to a year seems more likely.

Who says you turn the key all the way? Oops, that's right, we are dealing with "normal" people here. Power steering goes, but that is not that big a thing when moving more than a few mph; power brakes have a couple of strokes left. Keyless ignition is a much less simple matter, and perhaps not such a bright idea.

-- JosephKK

Perhaps because Toyota IS NOT the US government. BTW, have you tried using thomas.gov? The full text of HR3200 was there before it passed in the House.

-- JosephKK
