Rebooting Our Cars Isn’t Always Practical
March 28, 2010
Posted by Peter Varhol in Software development, Software platforms.
Fail safe. Most of us have heard the term, but if you’re under about mid-forties, give or take, you probably don’t remember the tragic nuclear disaster movie from 1964 (the movie was actually called Fail-Safe). The term refers to the ability of a complex system to revert to a safe mode in case of a failure. In the case of the movie, it didn’t happen as planned, and nuclear warheads were accidentally employed as a result.
Let’s apply that concept to our everyday lives. I drive a twelve-year-old car (a Subaru), and have no intention of trading it in any time soon. While it has at least one computer processor and thousands of lines of code, it pales in comparison to the multiple processors (up to 30 in a Mercedes model) and hundreds of thousands of lines of code of today’s vehicles. Further, these processors are used for far more important things than in my car.
It’s absurd to think that this many processors and lines of code don’t include bugs. While auto makers test this code rigorously, it’s almost impossible to test it under all of the conditions it may encounter on the road. So let’s all acknowledge that the software in our cars has bugs and defects that prevent it from behaving predictably at all times.
I don’t have any inside knowledge, but it’s a reasonable bet that this is what Toyota is currently experiencing. We already know it has a software update for the Prius brake problem; the presumed problem with the accelerators on some models has a high potential to be a bug that is all but impossible to find.
This doesn’t mean that cars have to return to a direct mechanical linkage between the accelerator pedal and the throttle. There are too many advantages to monitoring and if necessary attenuating accelerator movements, to say nothing of monitoring and continuously tuning engine performance, braking response, and so on.
But when these systems fail, or behave in unusual ways, they should, well, fail safe, and that’s where Toyota (and potentially other auto manufacturers) have let us down. For example, the embedded code can detect when the engine is at full throttle, and allow that for only a set period of time, measured in seconds (these aren’t race cars, after all).
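To make the fail-safe idea concrete, here is a small C controller that implements the limit just described: it watches for full-throttle demand, tolerates it only for a fixed number of seconds, and then attenuates the command until the driver lifts off the pedal. This is an added illustration, not code from the post or from Toyota or any other manufacturer; the 95% full-throttle threshold, the 8-second allowance, the 20% limp-home output and the 10 ms control tick are all assumed placeholder values.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed tuning values for this illustration (not from any real vehicle). */
#define TICK_MS           10     /* controller period in milliseconds */
#define FULL_THROTTLE_PCT 95     /* demand at or above this counts as full throttle */
#define MAX_FULL_MS       8000   /* full throttle is allowed for at most this long */
#define SAFE_THROTTLE_PCT 20     /* limp-home output once the limit is exceeded */

typedef enum { THROTTLE_NORMAL, THROTTLE_ATTENUATED } throttle_state_t;

typedef struct {
    throttle_state_t state;
    uint32_t full_ms;   /* cumulative milliseconds at full throttle in this episode */
} throttle_ctrl_t;

void throttle_init(throttle_ctrl_t *c) {
    c->state = THROTTLE_NORMAL;
    c->full_ms = 0;
}

/* One control step. pedal_pct is the demanded throttle (0..100);
 * the return value is the throttle actually commanded (0..100). */
int throttle_step(throttle_ctrl_t *c, int pedal_pct) {
    if (pedal_pct < 0) pedal_pct = 0;
    if (pedal_pct > 100) pedal_pct = 100;

    if (c->state == THROTTLE_ATTENUATED) {
        /* Latched safe mode: only a fully released pedal re-arms normal
         * operation, so a stuck or runaway demand cannot clear the latch. */
        if (pedal_pct == 0) {
            throttle_init(c);
            return 0;
        }
        return pedal_pct < SAFE_THROTTLE_PCT ? pedal_pct : SAFE_THROTTLE_PCT;
    }

    if (pedal_pct >= FULL_THROTTLE_PCT) {
        c->full_ms += TICK_MS;
        if (c->full_ms > MAX_FULL_MS) {
            c->state = THROTTLE_ATTENUATED;   /* limit exceeded: fail safe */
            return SAFE_THROTTLE_PCT;
        }
    } else {
        c->full_ms = 0;   /* backing off full throttle resets the timer */
    }
    return pedal_pct;
}

/* Scenario: pedal held at 100% for `seconds`; returns the final command. */
int simulate_held_full_throttle(double seconds) {
    throttle_ctrl_t c;
    throttle_init(&c);
    int out = 0;
    uint32_t ticks = (uint32_t)(seconds * 1000.0 / TICK_MS);
    for (uint32_t i = 0; i < ticks; i++) out = throttle_step(&c, 100);
    return out;
}

/* Scenario: 10 s at full throttle (past the limit), then one tick at
 * `pedal_after`; returns that tick's command. */
int simulate_after_limit(int pedal_after) {
    throttle_ctrl_t c;
    throttle_init(&c);
    for (int i = 0; i < 10000 / TICK_MS; i++) throttle_step(&c, 100);
    return throttle_step(&c, pedal_after);
}

/* Scenario: past the limit, driver releases the pedal fully, then asks for
 * 60%; returns the command after re-applying, which should be unrestricted. */
int simulate_release_then_reapply(void) {
    throttle_ctrl_t c;
    throttle_init(&c);
    for (int i = 0; i < 10000 / TICK_MS; i++) throttle_step(&c, 100);
    throttle_step(&c, 0);
    return throttle_step(&c, 60);
}

int main(void) {
    printf("5 s at full throttle  -> command %d%%\n", simulate_held_full_throttle(5.0));
    printf("12 s at full throttle -> command %d%%\n", simulate_held_full_throttle(12.0));
    printf("50%% demand after limit -> command %d%%\n", simulate_after_limit(50));
    printf("release then 60%%      -> command %d%%\n", simulate_release_then_reapply());
    return 0;
}
```

The design choice worth noting is the latch: once the limit trips, the controller stays attenuated until it sees an unambiguous safe input (a fully released pedal) rather than re-arming as soon as the demand dips below the threshold. That is what makes it fail safe in the sense the paragraph means: an unexplained or stuck full-throttle demand degrades to a driveable, bounded output instead of being honoured indefinitely.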
Almost fifteen years ago, Ivars Peterson, then of Science News, wrote a book called Fatal Defect. It detailed several examples of software and software-hardware bugs in embedded systems that proved dangerous to people who used those systems.
That problem will never go away, and in fact will get worse as we increasingly rely on embedded software systems for our day-to-day activities. Many of these software systems are of very high quality, but they can’t take into account all circumstances, including the abilities of humans. Remember, according to Murphy, nothing can be made foolproof because fools are so ingenious.